[docs]Add doc for workload group/grant/show processlist (apache#925)

wangbo · Gabriel39 · commit 0b655e1202ca · 2024-09-23T15:47:14.000+08:00
diff --git a/docs/admin-manual/resource-admin/workload-group.md b/docs/admin-manual/resource-admin/workload-group.md
@@ -197,3 +197,51 @@ ADMIN SET FRONTEND CONFIG ("enable_cpu_hard_limit" = "true");
 
 If user expects to switch back from cpu hard limit to cpu soft limit, then they only need to set ```enable_cpu_hard_limit=false```.
 CPU Soft Limit property ```cpu_share``` will be filled with a valid value of 1024 by default(If the user has never set the cpu_share before), and users can adjust cpu_share based on the priority of Workload Group.
+
+# Workload Group权限表
+You can view the Workload Groups that users or roles have access to through the Workload Group privilege table. Authorization related usage can refer to[grant statement](../../sql-manual/sql-statements/Account-Management-Statements/GRANT).
+
+This table currently has row level permission control. Root or admin accounts can view all data, while non root/admin accounts can only see data from Workload Groups that they have access to。
+
+Schema of Workload Group privilege table is as follow：
+```
+mysql [information_schema]>desc information_schema.workload_group_privileges;
++---------------------+--------------+------+-------+---------+-------+
+| Field               | Type         | Null | Key   | Default | Extra |
++---------------------+--------------+------+-------+---------+-------+
+| GRANTEE             | varchar(64)  | Yes  | false | NULL    |       |
+| WORKLOAD_GROUP_NAME | varchar(256) | Yes  | false | NULL    |       |
+| PRIVILEGE_TYPE      | varchar(64)  | Yes  | false | NULL    |       |
+| IS_GRANTABLE        | varchar(3)   | Yes  | false | NULL    |       |
++---------------------+--------------+------+-------+---------+-------+
+```
+
+Column Description：
+1. grantee, user or role.
+2. workload_group_name, value is the name of Workload Group or '%', where '%' represents all Workload Group.
+3. privilege_type，type of privilege, at present, the value of this column is only Usage_priv。
+4. is_grantable，value is YES or NO, it means whether the user can grant access privilege of Workload Group to other user.Only root/admin user has grant privilege.
+
+Basic usage：
+1. Search for Workload Group with authorized access based on username.
+```
+mysql [information_schema]>select * from workload_group_privileges where GRANTEE like '%test_wlg_user%';
++---------------------+---------------------+----------------+--------------+
+| GRANTEE             | WORKLOAD_GROUP_NAME | PRIVILEGE_TYPE | IS_GRANTABLE |
++---------------------+---------------------+----------------+--------------+
+| 'test_wlg_user'@'%' | normal              | Usage_priv     | NO           |
+| 'test_wlg_user'@'%' | test_group          | Usage_priv     | NO           |
++---------------------+---------------------+----------------+--------------+
+2 rows in set (0.04 sec)
+```
+
+2. Search for user which has access privilege by Workload Group name. 
+```
+mysql [information_schema]>select * from workload_group_privileges where WORKLOAD_GROUP_NAME='test_group';
++---------------------+---------------------+----------------+--------------+
+| GRANTEE             | WORKLOAD_GROUP_NAME | PRIVILEGE_TYPE | IS_GRANTABLE |
++---------------------+---------------------+----------------+--------------+
+| 'test_wlg_user'@'%' | test_group          | Usage_priv     | NO           |
++---------------------+---------------------+----------------+--------------+
+1 row in set (0.03 sec)
+```
diff --git a/docs/sql-manual/sql-statements/Account-Management-Statements/REVOKE.md b/docs/sql-manual/sql-statements/Account-Management-Statements/REVOKE.md
@@ -76,6 +76,24 @@ role_list is the list of roles to be revoked, separated by commas. The specified
     REVOKE 'role1','role2' FROM 'jack'@'192.%';
     ```
 
+4. Revoke user jack usage privilege on 'g1';
+
+    ```
+    REVOKE USAGE_PRIV ON WORKLOAD GROUP 'g1' FROM 'jack'@'%';
+    ```
+
+5. Revoke user jack usage privilege on all Workload Group;
+
+    ```
+    REVOKE USAGE_PRIV ON WORKLOAD GROUP '%' FROM 'jack'@'%';
+    ```
+
+6. Revoke role test_role usage privilege on Workload Group 'g1';
+
+    ```
+   REVOKE USAGE_PRIV ON WORKLOAD GROUP 'g1' FROM 'test_role';
+   ```
+
 ### Keywords
 
     REVOKE
diff --git a/docs/sql-manual/sql-statements/Show-Statements/SHOW-PROCESSLIST.md b/docs/sql-manual/sql-statements/Show-Statements/SHOW-PROCESSLIST.md
@@ -34,6 +34,8 @@ SHOW PROCESSLIST
 
 Display the running threads of the user. It should be noted that except the root user who can see all running threads, other users can only see their own running threads, and cannot see the running threads of other users.
 
+Only display current connected FE's connection list by default, you can set session variable ```set show_all_fe_connection = true``` to show all FE's connection.
+
 grammar:
 
 ```sql
diff --git a/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/resource-admin/workload-group.md b/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/resource-admin/workload-group.md
@@ -194,4 +194,52 @@ ADMIN SET FRONTEND CONFIG ("enable_cpu_hard_limit" = "true");
 ```
 
 如果用户期望从 CPU 的硬限切换回 CPU 的软限，那么只需要在 FE 修改 enable_cpu_hard_limit 的值为 false 即可。
-CPU 软限的属性 cpu_share 默认会填充一个有效值 1024(如果之前未指定 cpu_share 的值)，用户可以根据 group 的优先级对 cpu_share 的值进行重新调整。
+CPU 软限的属性 cpu_share 默认会填充一个有效值 1024(如果之前未指定 cpu_share 的值)，用户可以根据 group 的优先级对 cpu_share 的值进行重新调整。
+
+# Workload Group权限表
+可以通过Workload Group权限表查看user或者role有权限访问的Workload Group，授权相关的用法可以参考[grant 语句](../../sql-manual/sql-statements/Account-Management-Statements/GRANT)。
+
+该表目前存在行级别的权限控制，root或者admin账户可以查看所有的数据，非root/admin账户只能看到自己有权限访问的Workload Group的数据。
+
+Workload Group权限表结构如下：
+```
+mysql [information_schema]>desc information_schema.workload_group_privileges;
++---------------------+--------------+------+-------+---------+-------+
+| Field               | Type         | Null | Key   | Default | Extra |
++---------------------+--------------+------+-------+---------+-------+
+| GRANTEE             | varchar(64)  | Yes  | false | NULL    |       |
+| WORKLOAD_GROUP_NAME | varchar(256) | Yes  | false | NULL    |       |
+| PRIVILEGE_TYPE      | varchar(64)  | Yes  | false | NULL    |       |
+| IS_GRANTABLE        | varchar(3)   | Yes  | false | NULL    |       |
++---------------------+--------------+------+-------+---------+-------+
+```
+
+字段说明：
+1. grantee，代表user或者role。
+2. workload_group_name，取值为Workload Group的名称或者%，%代表可以访问所有的Workload Group。
+3. privilege_type，权限的类型，目前该列的值只有Usage_priv。
+4. is_grantable，取值为YES或者NO，字段含义为是否可以给其他用户授予Workload Group的访问权限。目前只有root用户或者admin用户这个字段为YES，其他用户都为NO。
+
+基本用法：
+1. 根据用户名查找有权限访问的Workload Group
+```
+mysql [information_schema]>select * from workload_group_privileges where GRANTEE like '%test_wlg_user%';
++---------------------+---------------------+----------------+--------------+
+| GRANTEE             | WORKLOAD_GROUP_NAME | PRIVILEGE_TYPE | IS_GRANTABLE |
++---------------------+---------------------+----------------+--------------+
+| 'test_wlg_user'@'%' | normal              | Usage_priv     | NO           |
+| 'test_wlg_user'@'%' | test_group          | Usage_priv     | NO           |
++---------------------+---------------------+----------------+--------------+
+2 rows in set (0.04 sec)
+```
+
+2. 查看某个Workload Group可以有哪些用户访问
+```
+mysql [information_schema]>select * from workload_group_privileges where WORKLOAD_GROUP_NAME='test_group';
++---------------------+---------------------+----------------+--------------+
+| GRANTEE             | WORKLOAD_GROUP_NAME | PRIVILEGE_TYPE | IS_GRANTABLE |
++---------------------+---------------------+----------------+--------------+
+| 'test_wlg_user'@'%' | test_group          | Usage_priv     | NO           |
++---------------------+---------------------+----------------+--------------+
+1 row in set (0.03 sec)
+```
diff --git a/i18n/zh-CN/docusaurus-plugin-content-docs/current/sql-manual/sql-statements/Account-Management-Statements/REVOKE.md b/i18n/zh-CN/docusaurus-plugin-content-docs/current/sql-manual/sql-statements/Account-Management-Statements/REVOKE.md
@@ -77,6 +77,24 @@ role_list 是需要撤销的角色列表，以逗号分隔，指定的角色必
     REVOKE 'role1','role2' FROM 'jack'@'192.%';
     ```
 
+4. 撤销用户jack使用Workload Group 'g1'的权限
+
+    ```
+    REVOKE USAGE_PRIV ON WORKLOAD GROUP 'g1' FROM 'jack'@'%';
+    ```
+
+5. 撤销用户jack使用所有Workload Group的权限
+    
+    ```
+    REVOKE USAGE_PRIV ON WORKLOAD GROUP '%' FROM 'jack'@'%';
+    ```
+
+6. 撤销角色test_role使用Workload Group 'g1'的权限
+    
+    ```
+   REVOKE USAGE_PRIV ON WORKLOAD GROUP 'g1' FROM 'test_role';
+   ```
+
 ### Keywords
 
     REVOKE
diff --git a/i18n/zh-CN/docusaurus-plugin-content-docs/current/sql-manual/sql-statements/Show-Statements/SHOW-PROCESSLIST.md b/i18n/zh-CN/docusaurus-plugin-content-docs/current/sql-manual/sql-statements/Show-Statements/SHOW-PROCESSLIST.md
@@ -34,6 +34,8 @@ SHOW PROCESSLIST
 
 显示用户正在运行的线程，需要注意的是，除了 root 用户能看到所有正在运行的线程外，其他用户都只能看到自己正在运行的线程，看不到其它用户正在运行的线程
 
+默认只限制当前连接的FE的连接列表，可以通过设置session变量```set show_all_fe_connection = true```来查看所有FE的连接
+
 语法：
 
 ```sql
diff --git a/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/sql-manual/sql-statements/Account-Management-Statements/REVOKE.md b/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/sql-manual/sql-statements/Account-Management-Statements/REVOKE.md
@@ -77,6 +77,24 @@ role_list 是需要撤销的角色列表，以逗号分隔，指定的角色必
     REVOKE 'role1','role2' FROM 'jack'@'192.%';
     ```
 
+4. 撤销用户jack使用Workload Group 'g1'的权限
+
+    ```
+    REVOKE USAGE_PRIV ON WORKLOAD GROUP 'g1' FROM 'jack'@'%';
+    ```
+
+5. 撤销用户jack使用所有Workload Group的权限
+
+    ```
+    REVOKE USAGE_PRIV ON WORKLOAD GROUP '%' FROM 'jack'@'%';
+    ```
+
+6. 撤销角色test_role使用Workload Group 'g1'的权限
+
+    ```
+   REVOKE USAGE_PRIV ON WORKLOAD GROUP 'g1' FROM 'test_role';
+   ```
+
 ### Keywords
 
     REVOKE
diff --git a/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/sql-manual/sql-statements/Show-Statements/SHOW-PROCESSLIST.md b/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/sql-manual/sql-statements/Show-Statements/SHOW-PROCESSLIST.md
@@ -34,6 +34,8 @@ SHOW PROCESSLIST
 
 显示用户正在运行的线程，需要注意的是，除了 root 用户能看到所有正在运行的线程外，其他用户都只能看到自己正在运行的线程，看不到其它用户正在运行的线程
 
+默认只限制当前连接的FE的连接列表，可以通过设置session变量```set show_all_fe_connection = true```来查看所有FE的连接
+
 语法：
 
 ```sql
diff --git a/versioned_docs/version-2.1/sql-manual/sql-statements/Account-Management-Statements/REVOKE.md b/versioned_docs/version-2.1/sql-manual/sql-statements/Account-Management-Statements/REVOKE.md
@@ -76,6 +76,24 @@ role_list is the list of roles to be revoked, separated by commas. The specified
     REVOKE 'role1','role2' FROM 'jack'@'192.%';
     ```
 
+4. Revoke user jack usage privilege on 'g1';
+
+    ```
+    REVOKE USAGE_PRIV ON WORKLOAD GROUP 'g1' FROM 'jack'@'%';
+    ```
+
+5. Revoke user jack usage privilege on all Workload Group;
+
+    ```
+    REVOKE USAGE_PRIV ON WORKLOAD GROUP '%' FROM 'jack'@'%';
+    ```
+
+6. Revoke role test_role usage privilege on Workload Group 'g1';
+
+    ```
+   REVOKE USAGE_PRIV ON WORKLOAD GROUP 'g1' FROM 'test_role';
+   ```
+
 ### Keywords
 
     REVOKE
diff --git a/versioned_docs/version-2.1/sql-manual/sql-statements/Show-Statements/SHOW-PROCESSLIST.md b/versioned_docs/version-2.1/sql-manual/sql-statements/Show-Statements/SHOW-PROCESSLIST.md
@@ -34,6 +34,8 @@ SHOW PROCESSLIST
 
 Display the running threads of the user. It should be noted that except the root user who can see all running threads, other users can only see their own running threads, and cannot see the running threads of other users.
 
+Only display current connected FE's connection list by default, you can set session variable ```set show_all_fe_connection = true``` to show all FE's connection.
+
 grammar:
 
 ```sql
