Support server-side column masking feature

[tiancaiamao]

Summary

Tracking issue for server-side column-level masking in TiDB.

Goal: support policy-based masking at query-result time, with optional operation restrictions and policy lifecycle management.

Scope

• New masking policy DDL / SHOW syntax
• Expression-based masking (CASE WHEN ..., current_user(), current_role())
• RESTRICT ON operation controls
• Supported masking functions and type coverage
• System table metadata (masking_type, policy state, binding metadata)
• Privilege model for policy management

Current Status (as of February 27, 2026)

• Parser phase is in progress and being iterated in dedicated PR(s)
  • Parser PR: parser,ast: support column masking grammar #66031
• Design doc
  • Docs PR: *: add column-level masking design doc #66563
• User Document
  • Docs PR: *: add document for column-level masking policy feature docs#22613
• Test Resport (internal)

Planned PR Breakdown

• phase1-parser: syntax / AST / parser tests
• phaseX-executor|planner|privilege|infoschema: incremental runtime implementation PRs
• docs PRs for design/spec alignment when needed
• Add system table mysq.tidb_masking_policy
  • meta,session: add mysql.tidb_masking_policy table #66033
• infoschema: add masking policy integration
  • infoschema: add masking policy integration #66034

Issue found

• BR compatibility, need special handling #67052
• batch point-get code path is not covered by masking policy

Notes

• This feature is TiDB-specific (not full MySQL parity).
• Current baseline follows the latest spec revision (no backward-compat layer for pre-merge drafts).