ddl: support masking policy DDL #66035

Open
tiancaiamao wants to merge 43 commits into pingcap:master from tiancaiamao:pr/phase5-ddl

@tiancaiamao tiancaiamao commented Feb 4, 2026

What problem does this PR solve?

Issue Number: ref #65744

Problem Summary:

  • implement masking policy DDL execution and validation

What changed and how does it work?

  • add DDL executor and worker handlers for create/alter/drop masking policies
  • add validation and persist policy metadata to meta and mysql.tidb_masking_policy

Tests:

  • go test -tags intest -run TestMaskingPolicy (pkg/ddl)

Stacked PRs

Check List

Tests

  • Unit test
  • Integration test
  • Manual test (add detailed scripts or steps below)
  • No need to test
    • I checked and no code files have been changed.

Side effects

  • Performance regression: Consumes more CPU
  • Performance regression: Consumes more Memory
  • Breaking backward compatibility

Documentation

  • Affects user behaviors
  • Contains syntax changes
  • Contains variable changes
  • Contains experimental features
  • Changes MySQL compatibility

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

None

Summary by CodeRabbit

  • New Features

    • Full masking policy DDL now supported end-to-end: CREATE, ADD/ENABLE/DISABLE, REPLACE, and DROP on table columns; executor and DDL jobs handle lifecycle.
    • Info schema exposes masking-policy lookups and lazy, thread-safe caching.
  • Database

    • System table for persisted masking policy metadata updated to new column set and indexes.
  • Tests

    • Added and extended tests covering lifecycle, IF NOT EXISTS, and expression persistence.

@ti-chi-bot ti-chi-bot Bot added release-note-none Denotes a PR that doesn't merit a release note. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Feb 4, 2026

tiprow Bot commented Feb 4, 2026

Hi @tiancaiamao. Thanks for your PR.

PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test all.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@tiancaiamao tiancaiamao mentioned this pull request Feb 4, 2026
13 tasks
tiancaiamao and others added 24 commits March 11, 2026 19:49
- Add nil guards in applyCreateMaskingPolicy and applyAlterMaskingPolicy
  to prevent panic when metadata is missing/stale
- Add read lock in MaskingPolicyByID to prevent data race with
  setMaskingPolicy/deleteMaskingPolicy
- Fix TestVersionedBootstrapSchemas to only check table IDs for duplicates,
  not database IDs (same database can be referenced in multiple versions)

Co-Authored-By: Claude <noreply@anthropic.com>

Add version255 to upgrade the bootstrap version for the masking policy
system table (mysql.tidb_masking_policy).

Co-Authored-By: Claude <noreply@anthropic.com>

In version 254, the tidb_masking_policy table should not exist yet.
    // Skip the test if the table doesn't exist and verify upgrade creates it instead.

Co-Authored-By: Claude <noreply@anthropic.com>

Use = instead of := for exists variable which was already declared above.


coderabbitai Bot commented May 12, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Implements end-to-end masking-policy DDL: model and sys-table schema changes, DDL executor dispatch and job submission, DDL worker handlers for create/alter/drop with sys-table persistence and validation, infoschema lazy caching and loader integration, builder/diff/init updates, and tests/BUILD changes.

Changes

Masking Policy DDL Support

| Layer | File(s) | Summary |
|---|---|---|
| Data Model and System Table | pkg/meta/model/masking_policy.go, pkg/meta/metadef/system_tables_def.go, pkg/session/test/bootstraptest/* | Status type converted to byte-backed enum with aliases; masking-type constants renamed with aliases; MaskingPolicyInfo extended with DBName/TableName/ColumnName; mysql.tidb_masking_policy CREATE TABLE SQL updated and bootstrap tests adjusted. |
| Executor Interface and DDL Dispatch | pkg/ddl/executor.go, pkg/executor/ddl.go | Executor adds CreateMaskingPolicy; DDLExec.Next recognizes *ast.CreateMaskingPolicyStmt and dispatches to executeCreateMaskingPolicy. |
| Executor Job Submission Methods | pkg/ddl/executor.go | Implements CreateMaskingPolicy, AddMaskingPolicy, AlterTableMaskingPolicyState, DropMaskingPolicy, and createMaskingPolicyWithInfo with schema resolution, uniqueness checks, and OnExist semantics. |
| Job Worker Routing and Handlers | pkg/ddl/job_worker.go, pkg/ddl/masking_policy.go | runOneJobStep routes ActionCreateMaskingPolicy/ActionAlterMaskingPolicy/ActionDropMaskingPolicy to worker handlers; handlers validate targets via infoschema, perform sys-table insert/update/delete, update schema version, and finish jobs. |
| Worker Helpers: Validation & Persistence | pkg/ddl/masking_policy.go | Target validation rules (reject views/sequences/temp/system schemas/generated columns/unsupported types), AST→model construction (expression restore/validation), masking-type/status/restrict-op parsing and serialization, and parameterized sys-table CRUD helpers and row decoding. |
| InfoSchema Interface Extension | pkg/infoschema/context/infoschema.go | Misc interface extended with MaskingPolicyByName, MaskingPolicyByTableColumn, and AllMaskingPolicies. |
| InfoSchema Caching & Lazy Loader | pkg/infoschema/infoschema.go | Adds masking-policy cache keyed by (tableID,columnID) with loaded flag, single-flight load coordination, accessors (ByID/ByName/ByTableColumn/All/Clone), LoadMaskingPolicies implementation, normalization helpers, and cache reset. |
| Builder Diff & Init Integration | pkg/infoschema/builder.go, pkg/infoschema/builder_misc.go | Builder.ApplyDiff recognizes masking-policy diffs and calls applyMaskingPolicyChange to reset cache; InitWithOldInfoSchema clones masking-policy mapping and loaded flags; InitWithDBInfos signature extended to accept maskingPolicies and passes to initMisc (param currently unused). |
| Loader Integration & InfoSchemaV2 | pkg/infoschema/issyncer/loader.go, pkg/infoschema/infoschema_v2.go | Loader.LoadWithTS fetches masking policies (fetchMaskingPolicies added) and forwards them to InitWithDBInfos; NewInfoSchemaV2 forwards factory to newInfoSchema. |
| Schema Tracker | pkg/ddl/schematracker/checker.go, pkg/ddl/schematracker/dm_tracker.go | Checker.CreateMaskingPolicy delegates to real executor and tracker then validates affected table; SchemaTracker.CreateMaskingPolicy implemented as no-op for DM. |
| Build & Tests | pkg/ddl/BUILD.bazel, pkg/ddl/masking_policy_test.go, pkg/infoschema/*, pkg/executor/* | pkg/ddl BUILD updated to include masking_policy.go and masking_policy_test.go; added tests for masking-policy lifecycle, CASE expression handling, and IF NOT EXISTS; many tests updated to pass maskingPolicies arg; pkg/infoschema/BUILD.bazel deps and test shard_count updated. |

Sequence Diagram (high-level flow)

sequenceDiagram
  participant Client
  participant Executor
  participant DDLWorker
  participant InfoSchema
  participant MySQLMeta
  Client->>Executor: CREATE MASKING POLICY ...
  Executor->>DDLWorker: submit CreateMaskingPolicy job (policy args)
  DDLWorker->>InfoSchema: validate target table/column & load masking policies
  DDLWorker->>MySQLMeta: INSERT/UPDATE `mysql.tidb_masking_policy`
  MySQLMeta-->>DDLWorker: write result (policy_id)
  DDLWorker->>InfoSchema: reset/load masking-policy cache
  DDLWorker-->>Executor: job finished (schema version)

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly Related PRs

  • pingcap/tidb#66033: Modifies mysql.tidb_masking_policy system table schema and bootstrap wiring affecting the same schema artifact.
  • pingcap/tidb#66032: Related masking-policy metadata and job-arg types used by this PR.

Suggested labels

sig/planner, ok-to-test, approved, lgtm

Suggested reviewers

  • wjhuang2016
  • fzzf678
  • yudongusa
  • Leavrth

Poem

🐰 I hop through DDL fields bright and merry,
Policies tucked where columns tarry,
From executor's call to worker's hand,
Cached states spread across the land,
Tests and rows snug in schema's ferry.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 13.70% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'ddl: support masking policy DDL' is clear, concise, and directly summarizes the main change—adding DDL support for masking policies—which aligns with the core changes across executor, worker, and policy implementation files. |
| Description check | ✅ Passed | The PR description includes issue reference (#65744), problem summary, what changed, test coverage information, and dependency details. However, it lacks the 'Problem Summary' section header clarity and the description appears partially cut off or malformed in formatting. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.
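
The lazy, single-flight cache described in the walkthrough's "InfoSchema Caching & Lazy Loader" row, together with the read lock an earlier commit added to MaskingPolicyByID, sketched as an added example (not code from this PR or from TiDB). policyCache, colKey, byTableColumn, reset and the loader callback are hypothetical names, and the example's own choice is that a failed load is returned as an error rather than read as "no policy on this column".

```go
package main

import (
	"fmt"
	"sync"
)

type colKey struct{ tableID, columnID int64 } // hypothetical cache key

// policyCache is a hypothetical lazily loaded, concurrency-safe policy lookup.
type policyCache struct {
	mu     sync.RWMutex
	loaded bool
	byCol  map[colKey]string                 // column -> policy name
	loader func() (map[colKey]string, error) // stands in for reading the system table
}

// byTableColumn returns "" when no policy exists; a failed load is an error instead.
func (c *policyCache) byTableColumn(k colKey) (string, error) {
	c.mu.RLock()
	name, loaded := c.byCol[k], c.loaded
	c.mu.RUnlock()
	if loaded { // fast path: shared lock only, no race with reset
		return name, nil
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	if !c.loaded { // re-check: another goroutine may have loaded while we waited
		m, err := c.loader()
		if err != nil {
			return "", fmt.Errorf("masking policies unavailable: %w", err)
		}
		c.byCol, c.loaded = m, true
	}
	return c.byCol[k], nil
}

// reset drops the cache, as a masking-policy schema diff would.
func (c *policyCache) reset() {
	c.mu.Lock()
	c.byCol, c.loaded = nil, false
	c.mu.Unlock()
}

func main() {
	rows := map[colKey]string{{1, 2}: "mask_email"} // constructed sample row
	c := &policyCache{loader: func() (map[colKey]string, error) { return rows, nil }}
	fmt.Println(c.byTableColumn(colKey{1, 2}))
}
```
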

The struct and its initializer had  declared twice due to a bad
merge. This caused a compile error:
  vet: conflict_resolution_test.go:120:2: tbl redeclared

tiprow Bot commented May 13, 2026

@tiancaiamao: PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test.

Details

In response to this:

/test pull-br-integration-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@tiancaiamao
Contributor Author

/ok-to-test

@ti-chi-bot ti-chi-bot Bot added the ok-to-test Indicates a PR is ready to be tested. label May 13, 2026
@tiancaiamao
Contributor Author

/retest

# Conflicts:
#	pkg/infoschema/infoschema.go
#	pkg/infoschema/infoschema_nokit_test.go
@tiancaiamao
Contributor Author

/retest

@tiancaiamao
Contributor Author

/retest

@tiancaiamao
Contributor Author

/retest

When a table is renamed, update db_name and table_name in
mysql.tidb_masking_policy. When a column is renamed, update
column_name, column_id and rewrite the expression.
@tiancaiamao
Contributor Author

/retest

…il DDL on policy cleanup error

Review fixes:
1. HIGH: Add checkMaskingPolicyOnModifyColumn in executor layer (ModifyColumn/ChangeColumn)
   to reject type changes to unsupported types (e.g. JSON) for columns with masking policy.
   Also add safety-net check in syncMaskingPolicyForModifiedColumn (DDL worker layer).
   Test: TestMaskingPolicyModifyColumnRejectUnsupportedType.

2. MEDIUM: dropMaskingPoliciesOnTable/dropMaskingPoliciesOnColumn errors now return
   errors.Wrapf instead of logging Warn, so the DDL job will retry/rollback rather
   than silently leaving stale policy rows in mysql.tidb_masking_policy.
@tiancaiamao tiancaiamao requested review from bb7133 and wjhuang2016 May 22, 2026 05:41

ti-chi-bot Bot commented May 25, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign d3hunter, yudongusa for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tiancaiamao
Contributor Author

/retest

@tiancaiamao
Contributor Author

/retest

@tiancaiamao
Contributor Author

/retest

@wuhuizuo
Contributor

/test pull-integration-realcluster-test-next-gen


tiprow Bot commented May 25, 2026

@wuhuizuo: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

/test fast_test_tiprow
/test tidb_parser_test

Use /test all to run all jobs.

Details

In response to this:

/test pull-integration-realcluster-test-next-gen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@tiancaiamao
Contributor Author

/retest

@tiancaiamao
Contributor Author

PTAL @bb7133 @wjhuang2016

@tiancaiamao
Contributor Author

/retest
