Exclude users from rows_read counts

This introduces a command line option,
`--rows_read_exclude_users=name,name,...` that excludes specified
logged-in users from counting against rows read.  That excludes rows read
from both Insights tracking (i.e., sending a JSON info packet) and
server-wide tracking.

There is an equivalent `rows-read-exclude-users = name,name,...` key
supported in `my.cnf` as well.

Checking a user against the exclusion list is moderately expensive -- it
parses the string with a for loop and strtok -- so we only do it when
creating a new Security_context object, or changing the in an existing
Security_context object.  That check corresponds with new logins and, for
some reason, `USE` statements.

The per-row hot path just checks a boolean in the Security_context object,
so it's minimal added cost.

Author: piki

sql/auth/sql_security_ctx.cc

@@ -94,6 +94,7 @@ void Security_context::init() {
   m_has_drop_policy = false;
   m_executed_drop_policy = false;
   m_registration_sandbox_mode = false;
+  m_exclude_user_from_rows_read = false;
 }
 
 void Security_context::logout() {
@@ -816,6 +817,8 @@ void Security_context::set_user_ptr(const char *user_arg,
 
   // set new user value to m_user.
   m_user.set(user_arg, user_arg_length, system_charset_info);
+
+  recheck_exclude_rows_read();
 }
 
 /**
@@ -838,6 +841,30 @@ void Security_context::assign_user(const char *user_arg,
     m_user.copy(user_arg, user_arg_length, system_charset_info);
   else
     m_user.set((const char *)nullptr, 0, system_charset_info);
+
+  recheck_exclude_rows_read();
+}
+
+char *rows_read_exclude_users = nullptr;
+
+void Security_context::recheck_exclude_rows_read() {
+  printf("PIKI: recheck_exclude_rows_read: user=\"%s\"\n", m_user.ptr());
+
+  m_exclude_user_from_rows_read = false;
+  if (rows_read_exclude_users) {
+    printf("PIKI: rows_read_exclude_users=\"%s\"\n", rows_read_exclude_users);
+    char *copy = strdup(rows_read_exclude_users);
+    char *saveptr, *tok;
+    for (tok=my_strtok_r(copy, ",", &saveptr); tok; tok=my_strtok_r(NULL, ",", &saveptr)) {
+      printf("PIKI: tok=\"%s\"\n", tok);
+      if (!strcmp(tok, m_user.ptr())) {
+        printf("PIKI: yes, exclude them!\n");
+        m_exclude_user_from_rows_read = true;
+        break;
+      }
+    }
+    free(copy);
+  }
 }
 
 /**
@@ -881,7 +908,7 @@ void Security_context::set_host_ptr(const char *host_arg,
 /**
   Setter method for member m_host.
 
-  Copies host_arg value to the m_host if it is not null else m_user is set
+  Copies host_arg value to the m_host if it is not null else m_host is set
   to empty string.
 
 

sql/auth/sql_security_ctx.h

@@ -62,6 +62,7 @@ class Security_context {
   void skip_grants(const char *user = "skip-grants user",
                    const char *host = "skip-grants host");
   bool is_skip_grants_user();
+  bool exclude_user_from_rows_read() const { return m_exclude_user_from_rows_read; }
 
   /**
     Getter method for member m_user.
@@ -381,6 +382,9 @@ class Security_context {
   */
   bool m_is_skip_grants_user;
 
+  bool m_exclude_user_from_rows_read;
+  void recheck_exclude_rows_read();
+
   bool m_executed_drop_policy;
   bool m_has_drop_policy;
   std::unique_ptr<std::function<void(Security_context *)>> m_drop_policy;

sql/sys_vars.cc

@@ -1003,6 +1003,13 @@ static Sys_var_charptr Sys_my_bind_addr(
     READ_ONLY NON_PERSIST GLOBAL_VAR(my_bind_addr_str), CMD_LINE(REQUIRED_ARG),
     IN_FS_CHARSET, DEFAULT(MY_BIND_ALL_ADDRESSES));
 
+extern char *rows_read_exclude_users;
+static Sys_var_charptr Sys_my_rows_read_exclude_users(
+    "rows_read_exclude_users",
+    "Comma-separated list of users whose queries do not increment rows_read",
+    READ_ONLY NON_PERSIST GLOBAL_VAR(rows_read_exclude_users), CMD_LINE(REQUIRED_ARG),
+    IN_FS_CHARSET, DEFAULT(nullptr));
+
 static Sys_var_charptr Sys_admin_addr(
     "admin_address",
     "IP address to bind to for service connection. Address can be an IPv4"

storage/innobase/handler/ha_innodb.cc

@@ -10131,7 +10131,7 @@ int ha_innobase::index_read(
       if (m_prebuilt->table->is_system_table) {
         srv_stats.n_system_rows_read.add(
             thd_get_thread_id(m_prebuilt->trx->mysql_thd), 1);
-      } else {
+      } else if (!m_user_thd->security_context()->exclude_user_from_rows_read()) {
         srv_stats.n_rows_read.add(thd_get_thread_id(m_prebuilt->trx->mysql_thd),
                                   1);
         m_user_thd->get_stmt_da()->inc_rows_read();
@@ -10379,7 +10379,7 @@ int ha_innobase::general_fetch(
       if (m_prebuilt->table->is_system_table) {
         srv_stats.n_system_rows_read.add(
             thd_get_thread_id(m_prebuilt->trx->mysql_thd), 1);
-      } else {
+      } else if (!m_user_thd->security_context()->exclude_user_from_rows_read()) {
         srv_stats.n_rows_read.add(thd_get_thread_id(m_prebuilt->trx->mysql_thd),
                                   1);
         m_user_thd->get_stmt_da()->inc_rows_read();