executor: introduce max_user_connections (#59197) | tidb-test=pr/2720

[bb7133]

This is an automated cherry-pick of #59197

What problem does this PR solve?

Issue Number: close #59203

Problem Summary:
TiDB supports max_user_connections to limit the number of user connections.

What changed and how does it work?

• cherry-pick executor: introduce max_user_connections | tidb-test=pr/2474 #59197 to release-8.5-20260323-v8.5.5
• adapt the port to the release-8.5 code layout and bootstrap chain
• remove the duplicate noop sysvar registration that shadowed the real max_user_connections sysvar

Conflict resolution for release-8.5

To make the cherry-pick work on release-8.5-20260323-v8.5.5, I made the following conflict-resolution / compatibility adjustments:

• adapted pkg/server/user_connections.go to the release-8.5 MatchIdentity signature
• kept the bootstrap upgrade chain aligned with release-8.5.x and appended version244 only, instead of referencing non-existent intermediate upgrade functions
• kept max_user_connections as a real sysvar and removed the duplicate noop registration that shadowed it, so SET GLOBAL and SHOW VARIABLES behave correctly on this branch
• adapted the sysvar.go / vardef/tidb_vars.go references to the release-8.5 code layout

These are porting-only changes to resolve branch drift; they are not intended to change the original feature behavior beyond making the cherry-pick work correctly on the target release branch.

Check List

Tests

• Unit test
• Integration test
• Manual test (add detailed scripts or steps below)
• No need to test

  • I checked and no code files have been changed.

Side effects

• Performance regression: Consumes more CPU
• Performance regression: Consumes more Memory
• Breaking backward compatibility

Documentation

• Affects user behaviors
• Contains syntax changes
• Contains variable changes
• Contains experimental features
• Changes MySQL compatibility

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

TiDB supports max_user_connections to limit the login count.

Summary by CodeRabbit

• New Features

  • Global system variable max_user_connections (0–100000) and per-user MAX_USER_CONNECTIONS support in CREATE/ALTER/SHOW USER; server enforces per-user limits and tracks active connections, returning a new "too many user connections" error.

• Bug Fixes

  • Standardized too-many-connections error wording and improved parser warning to only warn when unsupported options besides MAX_USER_CONNECTIONS are used.

• Migration

  • mysql.user schema and bootstrap upgraded to store per-user max connections.

• Tests

  • New tests for defaults, clamping, persistence, enforcement, identity tracking, and privilege checks.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds per-user connection limits: new Max_user_connections column and bootstrap migration/version bump, global max_user_connections sysvar, parser/executor support for MAX_USER_CONNECTIONS, privilege API/cache extensions, server-side per-user connection accounting and error, and related tests.

Changes

Cohort / File(s)	Summary
Bootstrap & Schema pkg/session/bootstrap.go, pkg/session/bootstrap_test.go	Add Max_user_connections to mysql.user, bump bootstrap version to 244, add upgradeToVer244, and update tests to expect the new column.
Sysvars & Vardef pkg/sessionctx/variable/sysvar.go, pkg/sessionctx/variable/noop.go, pkg/sessionctx/variable/BUILD.bazel, pkg/sessionctx/vardef/BUILD.bazel, pkg/sessionctx/vardef/tidb_vars.go	Add global max_user_connections sysvar backed by vardef; remove noop entry; add vardef build target and deps.
Errors & Errnames errors.toml, pkg/errno/errname.go, pkg/server/err/error.go	Add server:1203 error text for exceeded user connections, update errno mapping text, and expose ErrTooManyUserConnections.
Executor (CREATE/ALTER/SHOW USER) pkg/executor/simple.go, pkg/executor/show.go, pkg/executor/BUILD.bazel	Parse MAX_USER_CONNECTIONS, clamp via helper, persist Max_user_connections on CREATE/ALTER, enforce privilege for ALTER, and include WITH MAX_USER_CONNECTIONS in SHOW CREATE USER.
Parser / Grammar pkg/parser/parser.go, pkg/parser/parser.y	Suppress warning when WITH options contain only MAX_USER_CONNECTIONS; otherwise emit updated warning indicating only MAX_USER_CONNECTIONS is supported.
Privilege cache & API pkg/privilege/privilege.go, pkg/privilege/privileges/cache.go, pkg/privilege/privileges/privileges.go	Add Manager.GetUserResources(user, host string); extend UserRecord with MaxUserConnections; decode max_user_connections and implement lookup.
Server connection accounting pkg/server/user_connections.go, pkg/server/conn.go, pkg/server/server.go, pkg/server/BUILD.bazel, pkg/server/conn_test.go, pkg/server/user_connections_test.go	New per-user connection bookkeeping and enforcement, integrate into auth flow (reserve/increment/decrement), add countedUser, tests for counting and identity tracking, and update call sites to new auth signature.
Tests & small tweaks pkg/executor/test/simpletest/simple_test.go, br/pkg/restore/snap_client/systable_restore_test.go	Add tests for MAX_USER_CONNECTIONS behavior and ALTER/CREATE handling; update BR/system-table restore test expected bootstrap version/value and test expectations.
Misc build/test shards pkg/executor/test/simpletest/BUILD.bazel, pkg/sessionctx/variable/BUILD.bazel, pkg/sessionctx/vardef/BUILD.bazel	Adjust test shard count and add vardef as a dependency/target where required.

Sequence Diagram(s)

sequenceDiagram
    participant Client as Client
    participant Server as Server (auth flow)
    participant Privilege as Privilege Manager
    participant DB as mysql.user (storage)

    Client->>Server: Connect (login)
    Server->>Server: determine user@host
    Server->>Privilege: GetUserResources(user, host)
    Privilege->>DB: SELECT Max_user_connections FROM mysql.user
    DB-->>Privilege: Max_user_connections
    Privilege-->>Server: user_limit
    Server->>Server: load globalLimit (vardef) and calculateConnectionLimit
    Server->>Server: check activeConnections vs effectiveLimit
    alt Limit exceeded
        Server-->>Client: ErrTooManyUserConnections (server:1203)
    else Allowed
        Server->>Server: increaseUserConnectionsCount()
        Server-->>Client: Accept connection
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• conn: fix the issue that the connection count for resource group is not correctly tracked for ComUserChange and ComReset (#65607) #66966: Modifies connection lifecycle/auth flows and per-entity connection accounting—overlaps server auth/reserve behavior.
• privilege: introduce 'partial update' for users and privileges cache (#62693) | tidb-test=pr/2700 #66541: Touches privilege and user/auth handling affecting executor-level user statements.

Suggested labels

ok-to-test, approved, lgtm, cherry-pick-approved, type/cherry-pick-for-release-8.5

Suggested reviewers

• hawkingrei
• wjhuang2016
• yudongusa
• winoros

Poem

🐰 I count each hop at the burrow gate,

Users lined up, I mark their state.
Per-user carrots and a global bunch,
I guard the door with a gentle crunch.
Hooray — fewer surprises at the login gate!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 35.29% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description check	✅ Passed	The PR description comprehensively covers the problem statement (Issue #59203), detailed changes, conflict resolution for the cherry-pick, test coverage, and includes a release note as required.
Linked Issues check	✅ Passed	All code changes directly implement the requirement from Issue #59203: adding max_user_connections support to limit concurrent login connections per user@host, including sysvar, enforcement, tests, and documentation.
Out of Scope Changes check	✅ Passed	All changes are directly related to implementing max_user_connections functionality: sysvar support, user connection tracking, privilege checks, bootstrap schema updates, parser handling, and comprehensive testing.
Title check	✅ Passed	The title 'executor: introduce max_user_connections (#59197)' accurately reflects the main change—implementing max_user_connections support. It is concise, specific, and clearly conveys the primary feature being added.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 7

🧹 Nitpick comments (1)

pkg/parser/parser.go (1)

23291-23293: Consider clarifying the warning message grammar.

The warning text is grammatically awkward—using "but" to mean "except" is non-idiomatic, and "they" has an ambiguous antecedent. It could be misread as implying MAX_USER_CONNECTIONS is also ignored.

✏️ Suggested wording

 			if needWarning {
-				yylex.AppendError(yylex.Errorf("TiDB does not support WITH ConnectionOptions but MAX_USER_CONNECTIONS now, they would be parsed but ignored."))
+				yylex.AppendError(yylex.Errorf("TiDB only supports MAX_USER_CONNECTIONS in WITH ConnectionOptions; other options will be parsed but ignored."))
 				parser.lastErrorAsWarn()
 			}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/parser/parser.go` around lines 23291 - 23293, The warning text emitted
via yylex.AppendError(yylex.Errorf(...)) when needWarning is true is
grammatically unclear and ambiguous; update the message passed to yylex.Errorf
to use clear wording (for example: "TiDB does not support WITH
ConnectionOptions; ConnectionOptions will be parsed but ignored.
MAX_USER_CONNECTIONS is unaffected.") so it clearly states that only
ConnectionOptions are ignored. Modify the string in the call that currently sits
alongside parser.lastErrorAsWarn() and keep the same error/warning flow
(yylex.AppendError and parser.lastErrorAsWarn) and the needWarning conditional.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/executor/simple.go`:
- Around line 829-830: The per-user MAX_USER_CONNECTIONS assignment in the
ast.MaxUserConnections case silently truncates values to math.MaxInt16; change
the clamp to use the same upper bound as the system variable/column contract
(the sysvar max_user_connections limit used elsewhere) when setting
info.maxUserConnections so values like 50000 are preserved (e.g., use the sysvar
constant or central limit value instead of math.MaxInt16), and add a
unit/integration test that CREATE/ALTER USER ... WITH MAX_USER_CONNECTIONS 50000
persists and is enforced at that higher limit.

In `@pkg/executor/test/simpletest/simple_test.go`:
- Around line 254-255: The test currently queries the entire mysql.user table
which is non-deterministic; change the tk.MustQuery call to only select the two
accounts under test and force a stable order — e.g. use "select user,
max_user_connections from mysql.user where user in ('root','test') order by
user" — then keep the Check assertion as testkit.Rows("root 0", "test 0") so the
comparison is deterministic regardless of other users or scan order.

In `@pkg/parser/parser.y`:
- Around line 13825-13827: The warning message emitted via
yylex.AppendError(yylex.Errorf(...)) and demoted with parser.lastErrorAsWarn()
is misleading because it says all ConnectionOptions "would be parsed but
ignored" even when MAX_USER_CONNECTIONS is supported; update the warning text to
only state that unsupported ConnectionOptions will be parsed but ignored (or
explicitly mention that MAX_USER_CONNECTIONS is supported) so the message scopes
to unsupported options only and does not imply MAX_USER_CONNECTIONS is ignored.

In `@pkg/server/conn.go`:
- Around line 811-814: The probe call cc.checkUserConnectionCount(host) in
openSessionAndDoAuth should be removed and replaced by performing the actual
locked reservation of a user connection (the same increment/lock used in
user_connections.go to claim a slot) during the initial-connect auth path—do the
reservation before sending the successful handshake/OK and release it on auth
failure; explicitly skip performing this locked reservation when the request is
a COM_CHANGE_USER (i.e., when openSessionAndDoAuth is invoked from
handleChangeUser), so connection ownership isn't transferred on change-user
while still enforcing limits on fresh handshakes.

In `@pkg/server/err/error.go`:
- Around line 35-36: Fix the exported comment for ErrTooManyUserConnections by
correcting the misspelled word “mang” to “many” so the comment reads
“ErrTooManyUserConnections is returned when too many user connections are
established.” Update the comment directly above the ErrTooManyUserConnections
declaration to ensure API docs and code navigation show the corrected text.

In `@pkg/server/server.go`:
- Around line 726-733: The current increment/decrement pair is racy for sessions
that call COM_CHANGE_USER because increaseUserConnectionsCount() uses the
current session user but decreaseUserConnectionCount() reads
ctx.GetSessionVars().User at close, possibly a different user; fix by capturing
the identity that was actually counted when the increment succeeds and using
that exact identity on close: modify conn.increaseUserConnectionsCount() (or its
caller around conn.increaseUserConnectionsCount()) to store the counted
username/identifier in a new conn field (e.g., conn.countedUser or
conn.countedUserKey) and update conn.decreaseUserConnectionCount() to use that
stored field instead of reading ctx.GetSessionVars().User; ensure the stored
field is set only on successful increment and cleared after decrement to avoid
double-decrement.

In `@pkg/server/user_connections.go`:
- Around line 37-41: increaseUserConnectionsCount currently computes and
increments a user key but decreaseUserConnectionCount recomputes the key from
SessionVars().User at close time (which breaks when COM_CHANGE_USER occurs);
modify clientConn to store the actual counted identity/key on the connection
object when increaseUserConnectionsCount() succeeds (e.g., a new field like
countedUserKey or countedIdentity on clientConn) and have
decreaseUserConnectionCount() always read and decrement that stored key (and
clear it after decrement) instead of rebuilding from SessionVars().User; update
both increaseUserConnectionsCount and decreaseUserConnectionCount to use this
stored key so the same identity that was incremented is always decremented.

---

Nitpick comments:
In `@pkg/parser/parser.go`:
- Around line 23291-23293: The warning text emitted via
yylex.AppendError(yylex.Errorf(...)) when needWarning is true is grammatically
unclear and ambiguous; update the message passed to yylex.Errorf to use clear
wording (for example: "TiDB does not support WITH ConnectionOptions;
ConnectionOptions will be parsed but ignored. MAX_USER_CONNECTIONS is
unaffected.") so it clearly states that only ConnectionOptions are ignored.
Modify the string in the call that currently sits alongside
parser.lastErrorAsWarn() and keep the same error/warning flow (yylex.AppendError
and parser.lastErrorAsWarn) and the needWarning conditional.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: c820046d-aeb5-4194-ae42-0a80b4550214

📥 Commits

Reviewing files that changed from the base of the PR and between 1fa258b and 4387885.

📒 Files selected for processing (22)

• br/pkg/restore/snap_client/systable_restore_test.go
• errors.toml
• pkg/errno/errname.go
• pkg/executor/show.go
• pkg/executor/simple.go
• pkg/executor/test/simpletest/simple_test.go
• pkg/parser/parser.go
• pkg/parser/parser.y
• pkg/privilege/privilege.go
• pkg/privilege/privileges/cache.go
• pkg/privilege/privileges/privileges.go
• pkg/server/BUILD.bazel
• pkg/server/conn.go
• pkg/server/err/error.go
• pkg/server/server.go
• pkg/server/user_connections.go
• pkg/server/user_connections_test.go
• pkg/session/bootstrap.go
• pkg/session/bootstrap_test.go
• pkg/sessionctx/vardef/tidb_vars.go
• pkg/sessionctx/variable/noop.go
• pkg/sessionctx/variable/sysvar.go

💤 Files with no reviewable changes (1)

• pkg/sessionctx/variable/noop.go

[codecov]

Codecov Report

❌ Patch coverage is 75.90361% with 40 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (release-8.5-20260323-v8.5.5@6f617cc). Learn more about missing BASE report.

Additional details and impacted files

@@                       Coverage Diff                        @@
##             release-8.5-20260323-v8.5.5     #67337   +/-   ##
================================================================
  Coverage                               ?   55.5244%           
================================================================
  Files                                  ?       1817           
  Lines                                  ?     651533           
  Branches                               ?          0           
================================================================
  Hits                                   ?     361760           
  Misses                                 ?     262908           
  Partials                               ?      26865           

Flag	Coverage Δ
integration	39.3340% <54.2168%> (?)
unit	64.9044% <75.9036%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
dumpling	52.9278% <0.0000%> (?)
parser	∅ <0.0000%> (?)
br	64.0590% <0.0000%> (?)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[bb7133]

I found one concrete CI issue from the Jenkins build log and pushed a fix for it.

Latest commit: 2ceaef1db3

What was fixed:

• add missing Bazel strict dependency //pkg/sessionctx/vardef to pkg/sessionctx/variable/BUILD.bazel

Why:

• pkg/sessionctx/variable/sysvar.go now imports github.com/pingcap/tidb/pkg/sessionctx/vardef, but the Bazel target deps were not updated, which caused the strict-deps failure in build/check jobs.

Local verification:

• go test --tags=intest ./pkg/executor/test/simpletest -run TestMaxUserConnections
• go test --tags=intest ./pkg/server -run TestUserConnectionCount

I will continue watching this PR and fix the next actionable failures/comments.

[bb7133]

I found one concrete CI issue from the Jenkins build log and pushed a fix for it.\n\nLatest commit: 2ceaef1\n\nWhat was fixed:\n- add missing Bazel strict dependency to \n\nWhy:\n- now imports , but the Bazel target deps were not updated, which caused the strict-deps failure in build/check jobs.\n\nLocal verification:\n- panic: The hack package only supports go1.25, please confirm the correctness of the ABI before upgrading

goroutine 1 [running]:
github.com/pingcap/tidb/pkg/util/hack.checkMapABI()
/Users/bb7133/Repo/tidb/pkg/util/hack/map_abi.go:411 +0x5c
github.com/pingcap/tidb/pkg/util/hack.init.0()
/Users/bb7133/Repo/tidb/pkg/util/hack/hack.go:41 +0x1c
FAIL github.com/pingcap/tidb/pkg/executor/test/simpletest 0.885s
FAIL\n- FAIL github.com/pingcap/tidb/pkg/server [build failed]
FAIL\n\nI will continue watching this PR and fix the next actionable failures/comments.

[bb7133]

Addressed the current actionable review items in a follow-up commit:

• aligned per-user MAX_USER_CONNECTIONS handling with the sysvar/column upper bound (100000) and added coverage for 50000
• made the mysql.user assertion deterministic in simple_test
• clarified the parser warning so it explicitly says only unsupported connection options are ignored
• fixed user-connection accounting so the initially counted identity is stored on clientConn, decremented by the same key on close, and the real reservation now happens in the initial auth path (skipped for COM_CHANGE_USER)
• fixed the typo in ErrTooManyUserConnections comment

Local verification:

• GOTOOLCHAIN=go1.25.5 go test -tags=intest ./pkg/executor/test/simpletest -run TestMaxUserConnections -count=1
• GOTOOLCHAIN=go1.25.5 go test -tags=intest ./pkg/server -run 'TestUserConnectionCount|TestOpenSessionAndDoAuth' -count=1
• cd pkg/parser && GOTOOLCHAIN=go1.25.5 go test ./... -run TestParserDoesNotExist -count=0

Please take another look.

[coderabbitai]

🧹 Nitpick comments (1)

pkg/executor/simple.go (1)

100-109: Minor typo in comment.

"infomations" should be "information".

✏️ Suggested fix

-// resourceOptionsInfo represents the resource infomations to limit user.
+// resourceOptionsInfo represents the resource information to limit user.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/executor/simple.go` around lines 100 - 109, The top comment above the
resourceOptionsInfo struct has a typo: replace "infomations" with "information"
in the doc comment describing resourceOptionsInfo (the comment that lists
MAX_QUERIES_PER_HOUR, MAX_UPDATES_PER_HOUR, MAX_CONNECTIONS_PER_HOUR and
MAX_USER_CONNECTIONS) so the comment reads "resourceOptionsInfo represents the
resource information to limit user." and keep the rest of the sentence
unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/executor/simple.go`:
- Around line 100-109: The top comment above the resourceOptionsInfo struct has
a typo: replace "infomations" with "information" in the doc comment describing
resourceOptionsInfo (the comment that lists MAX_QUERIES_PER_HOUR,
MAX_UPDATES_PER_HOUR, MAX_CONNECTIONS_PER_HOUR and MAX_USER_CONNECTIONS) so the
comment reads "resourceOptionsInfo represents the resource information to limit
user." and keep the rest of the sentence unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: cae8c825-5fb6-408f-aad4-1a9c9d1b7047

📥 Commits

Reviewing files that changed from the base of the PR and between 2ceaef1 and 30eada1.

📒 Files selected for processing (11)

• pkg/executor/simple.go
• pkg/executor/test/simpletest/simple_test.go
• pkg/parser/parser.go
• pkg/parser/parser.y
• pkg/server/conn.go
• pkg/server/conn_test.go
• pkg/server/err/error.go
• pkg/server/user_connections.go
• pkg/server/user_connections_test.go
• pkg/sessionctx/vardef/tidb_vars.go
• pkg/sessionctx/variable/sysvar.go

✅ Files skipped from review due to trivial changes (1)

• pkg/server/user_connections_test.go

🚧 Files skipped from review as they are similar to previous changes (5)

• pkg/server/err/error.go
• pkg/parser/parser.go
• pkg/executor/test/simpletest/simple_test.go
• pkg/server/user_connections.go
• pkg/server/conn.go

[bb7133]

I found and fixed a deterministic Bazel packaging issue from the latest Jenkins failures.

Latest commit: da51e06c34

What was fixed:

• add the missing pkg/sessionctx/vardef/BUILD.bazel so the newly added //pkg/sessionctx/vardef dependency resolves in Bazel
• fix the remaining resourceOptionsInfo comment typo flagged by CodeRabbit

Why:

• build failed with no such package 'pkg/sessionctx/vardef': BUILD file not found\n- check_dev also failed because the generated Bazel manifest now expects pkg/sessionctx/vardef/BUILD.bazel to exist\n\nLocal note:\n- I verified the root cause from downloaded Jenkins logs and patched it locally\n- this machine does not have bazel installed, so full local Bazel re-validation is blocked; the pushed commit is intended to let CI confirm the fix\n\nI will continue watching the reruns and address the next actionable failure if there is one.

[bb7133]

Found another deterministic Bazel sync issue from the latest reruns and pushed a follow-up fix.

Latest commit: 2b0eef0247

What was fixed:

• sync pkg/executor/BUILD.bazel with the new pkg/sessionctx/vardef import used by pkg/executor/simple.go
• sync pkg/server/BUILD.bazel with the new pkg/sessionctx/vardef import
• update pkg/executor/test/simpletest/BUILD.bazel shard count to match generated Bazel output

Why:

• build failed with a strict-deps error because pkg/executor/simple.go imports pkg/sessionctx/vardef but pkg/executor/BUILD.bazel was not updated
• check_dev reported the generated Bazel diff for the same two deps plus the simpletest shard-count change

Local verification:

• GOTOOLCHAIN=go1.25.5 go test -tags=intest ./pkg/executor/test/simpletest -run TestMaxUserConnections -count=1
• GOTOOLCHAIN=go1.25.5 go test -tags=intest ./pkg/server -run 'TestUserConnectionCount|TestOpenSessionAndDoAuth' -count=1\n\nI will continue watching the reruns and only dig into mysql-test if it still reproduces after these Bazel sync fixes.

[bb7133]

Found a deterministic unit-test baseline mismatch from the latest reruns and pushed a small follow-up fix.

Latest commit: c963aaa19c

What was fixed:

• sync pkg/executor/infoschema_reader_test.go expected information_schema.tidb_index_usage row count from 81 to 82

Why:

• TestIndexUsageTable failed consistently in CI with expected: [81], actual: [82]
• I reproduced it locally multiple times; this is a stable baseline change rather than a flaky result

Local verification:

• GOTOOLCHAIN=go1.25.5 go test -tags=intest ./pkg/executor -run TestIndexUsageTable -count=3

I will keep watching the reruns. mysql-test is still failing separately, but I have not found a new deterministic failure there that clearly maps to this PR yet.

[bb7133]

Found another deterministic information_schema baseline mismatch from the latest unit-test reruns and pushed a follow-up fix.

Latest commit: 98a384735f

What was fixed:

• sync pkg/executor/infoschema_reader_test.go expected information_schema.columns row count from 5015 to 5016

Why:

• TestColumnTable failed consistently in CI with expected: [5015], actual: [5016]
• I reproduced it locally multiple times; this is another stable baseline change caused by the newly added mysql.user.Max_user_connections column being reflected in information_schema.columns

Local verification:

• GOTOOLCHAIN=go1.25.5 go test -tags=intest ./pkg/executor -run 'TestColumnTable|TestIndexUsageTable' -count=3\n\nI will keep watching the reruns. mysql-test is still failing separately, but I still have not found a new deterministic failure there that clearly maps to this PR.

[bb7133]

I found and fixed a deterministic BR system-table restore issue from the latest Jenkins failures.

Latest commit: c316110e44

What was fixed:

• when the target cluster has newer mysql.user columns than the backup, treat it as logically compatible but force BR to fall back from physical temp-table loading for mysql.user
• update the BR compatibility test to assert that this case is compatible but should not use physical loading

Why:

• pull-br-integration-test failed with a checksum mismatch on __TiDB_BR_Temporary_mysql.user
• direct physical loading into the newer temp-table schema can fail checksum validation when the backup snapshot does not contain the newly added mysql.user columns

Local verification:

• GOTOOLCHAIN=go1.25.5 go test ./br/pkg/restore/snap_client -run TestCheckSysTableCompatibility -count=1
• GOTOOLCHAIN=go1.25.5 go test -tags=intest ./pkg/executor/test/simpletest -run TestMaxUserConnections -count=1

I am still watching the remaining reruns. mysql-test also shows a separate actionable max_user_connections failure path, and I will keep digging there if it reproduces after this push.

[bb7133]

/retest

[EmmaDuDu]

/test mysql-test

[tiprow]

@EmmaDuDu: No presubmit jobs available for pingcap/tidb@release-8.5-20260323-v8.5.5

Details

In response to this:

/test mysql-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[EmmaDuDu]

/test mysql-test

[tiprow]

@EmmaDuDu: No presubmit jobs available for pingcap/tidb@release-8.5-20260323-v8.5.5

Details

In response to this:

/test mysql-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[EmmaDuDu]

/test mysql-test

[tiprow]

@EmmaDuDu: No presubmit jobs available for pingcap/tidb@release-8.5-20260323-v8.5.5

Details

In response to this:

/test mysql-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[EmmaDuDu]

/test mysql-test

[tiprow]

@EmmaDuDu: No presubmit jobs available for pingcap/tidb@release-8.5-20260323-v8.5.5

Details

In response to this:

/test mysql-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[bb7133]

/retest

[EmmaDuDu]

/test mysql-test tidb-test=pr/2720

[tiprow]

@EmmaDuDu: No presubmit jobs available for pingcap/tidb@release-8.5-20260323-v8.5.5

Details

In response to this:

/test mysql-test tidb-test=pr/2720

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[EmmaDuDu]

/test mysql-test tidb-test=pr/2720

[tiprow]

@EmmaDuDu: No presubmit jobs available for pingcap/tidb@release-8.5-20260323-v8.5.5

Details

In response to this:

/test mysql-test tidb-test=pr/2720

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[tiprow]

@EmmaDuDu: No presubmit jobs available for pingcap/tidb@release-8.5-20260323-v8.5.5

Details

In response to this:

/test mysql-test tidb-test=pr/2720

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[bb7133]

/retest

[EmmaDuDu]

/test unit-test

[tiprow]

@EmmaDuDu: No presubmit jobs available for pingcap/tidb@release-8.5-20260323-v8.5.5

Details

In response to this:

/test unit-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[hawkingrei]

/retest

[hawkingrei]

/retest

[tiancaiamao]

Unintened change?
KEY i_user is added by 1M user project, where we need to query by user name without host, so the primary key is not enough and this index is added.

Here we change the bootstrap.go, but upgrade.go doesn't have it, this would cause some problem. @bb7133

[bb7133]

Addressed, thanks.

[ti-chi-bot]

[LGTM Timeline notifier]

Timeline:

• 2026-04-02 01:58:30.153371684 +0000 UTC m=+403115.358731731: ☑️ agreed by D3Hunter.
• 2026-04-02 04:59:29.174793065 +0000 UTC m=+413974.380153112: ☑️ agreed by tiancaiamao.

[hawkingrei]

/retest

[YuJuncen]

LGTM for BR part. also cc @Leavrth

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: D3Hunter, tangenta, tiancaiamao, yudongusa, YuJuncen

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [D3Hunter,YuJuncen,tangenta,tiancaiamao]
• br/OWNERS [YuJuncen]
• pkg/parser/OWNERS [D3Hunter,tangenta,yudongusa]
• pkg/session/OWNERS [yudongusa]
• pkg/sessionctx/variable/OWNERS [yudongusa]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ti-chi-bot]

@bb7133: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
idc-jenkins-ci-tidb/unit-test	60b547f	link	unknown	/test unit-test

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.