taosdata · guanshengliang · Apr 27, 2026 · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026
@@ -131,6 +131,8 @@ void getPerfDbMeta(const SSysTableMeta** pPerfsTableMeta, size_t* size);
 void getVisibleInfosTablesNum(bool sysInfo, size_t* size);
 bool invisibleColumn(bool sysInfo, int8_t tableType, int8_t flags);
 
+const SSysTableMeta* getSysTableMeta(const char* dbName, const char* tbName);
+
 #ifdef __cplusplus
 }
 #endif

@@ -443,7 +443,14 @@ typedef struct STUidTagInfo {
 #define NOTIFY_EVENT_STR_COLUMN_INDEX 0
 
 int32_t taosGenCrashJsonMsg(int signum, char** pMsg, int64_t clusterId, int64_t startTime);
-int32_t dumpConfToDataBlock(SSDataBlock* pBlock, int32_t startCol, char* likePattern);
+
+#define SHOW_VAR_PRIV_SYSTEM   0x01
+#define SHOW_VAR_PRIV_SECURITY 0x02
+#define SHOW_VAR_PRIV_AUDIT    0x04
+#define SHOW_VAR_PRIV_DEBUG    0x08
+#define SHOW_VAR_PRIV_ALL (SHOW_VAR_PRIV_SYSTEM | SHOW_VAR_PRIV_SECURITY | SHOW_VAR_PRIV_AUDIT | SHOW_VAR_PRIV_DEBUG)
+
+int32_t dumpConfToDataBlock(SSDataBlock* pBlock, int32_t startCol, char* likePattern, uint8_t showPrivMask);
 
 #define TSMA_RES_STB_POSTFIX          "_tsma_res_stb_"
 #define MD5_OUTPUT_LEN                32

@@ -23,7 +23,8 @@
 typedef struct SExplainCtx SExplainCtx;
 typedef struct SExplainPlanCtx SExplainPlanCtx;
 
-int32_t qExecCommand(int64_t* pConnId, bool sysInfoUser, SNode *pStmt, SRetrieveTableRsp **pRsp, int8_t biMode, void* charsetCxt);
+int32_t qExecCommand(int64_t *pConnId, bool sysInfoUser, uint8_t showVarPrivMask, SNode *pStmt,
+                     SRetrieveTableRsp **pRsp, int8_t biMode, void *charsetCxt);
 
 int32_t qExecStaticExplain(SQueryPlan *pDag, SRetrieveTableRsp **pRsp);
 int32_t qExecExplainBegin(SQueryPlan *pDag, SExplainCtx **pCtx, int64_t startTs);

@@ -140,6 +140,7 @@ typedef struct SParseContext {
   union {
     uint16_t privInfo;
     struct {
+      // N.B. keep the order of the bit definition unchanged
       uint16_t minSecLevel : 3;  // user min security level
       uint16_t privInfoBasic : 1;
       uint16_t privInfoPrivileged : 1;
@@ -148,7 +149,7 @@ typedef struct SParseContext {
       uint16_t privPerfBasic : 1;
       uint16_t privPerfPrivileged : 1;
       uint16_t maxSecLevel : 3;  // user max security level
-      uint16_t macMode   : 1;    // 1 = MAC mandatory (mirrors macActive, propagates to executor)
+      uint16_t macMode : 1;      // 1 = MAC mandatory (mirrors macActive, propagates to executor)
       uint16_t reserved1 : 3;
     };
   };

@@ -430,12 +430,43 @@ int32_t parseSql(SRequestObj* pRequest, bool topicQuery, SQuery** pQuery, SStmtC
 
   return code;
 }
+#ifdef TD_ENTERPRISE
+static uint8_t getShowVarPrivMask(SRequestObj* pRequest) {
+  SCatalog*        pCatalog = NULL;
+  SGetUserAuthRsp  authRsp = {0};
+  STscObj*         pTscObj = pRequest->pTscObj;
+  SRequestConnInfo conn = {.pTrans = pTscObj->pAppInfo->pTransporter,
+                           .requestId = pRequest->requestId,
+                           .requestObjRefId = pRequest->self,
+                           .mgmtEps = getEpSet_s(&pTscObj->pAppInfo->mgmtEp)};
+
+  if (TSDB_CODE_SUCCESS != catalogGetHandle(pTscObj->pAppInfo->clusterId, &pCatalog)) {
+    return 0;
+  }
+  if (TSDB_CODE_SUCCESS != catalogGetUserAuth(pCatalog, &conn, pTscObj->user, &authRsp)) {
+    return 0;
+  }
+
+  uint8_t mask = 0;
+  if (PRIV_HAS(&authRsp.sysPrivs, PRIV_VAR_SYSTEM_SHOW)) mask |= SHOW_VAR_PRIV_SYSTEM;
+  if (PRIV_HAS(&authRsp.sysPrivs, PRIV_VAR_SECURITY_SHOW)) mask |= SHOW_VAR_PRIV_SECURITY;
+  if (PRIV_HAS(&authRsp.sysPrivs, PRIV_VAR_AUDIT_SHOW)) mask |= SHOW_VAR_PRIV_AUDIT;
+  if (PRIV_HAS(&authRsp.sysPrivs, PRIV_VAR_DEBUG_SHOW)) mask |= SHOW_VAR_PRIV_DEBUG;
+  return mask;
+}
+#endif
 
 int32_t execLocalCmd(SRequestObj* pRequest, SQuery* pQuery) {
   SRetrieveTableRsp* pRsp = NULL;
   int8_t             biMode = atomic_load_8(&pRequest->pTscObj->biMode);
-  int32_t code = qExecCommand(&pRequest->pTscObj->id, pRequest->pTscObj->sysInfo, pQuery->pRoot, &pRsp, biMode,
-                              pRequest->pTscObj->optionInfo.charsetCxt);
+  uint8_t            showVarPrivMask = SHOW_VAR_PRIV_ALL;
+#ifdef TD_ENTERPRISE
+  if (pQuery->pRoot != NULL && nodeType(pQuery->pRoot) == QUERY_NODE_SHOW_LOCAL_VARIABLES_STMT) {
+    showVarPrivMask = getShowVarPrivMask(pRequest);
+  }
+#endif
+  int32_t code = qExecCommand(&pRequest->pTscObj->id, pRequest->pTscObj->sysInfo, showVarPrivMask, pQuery->pRoot, &pRsp,
+                              biMode, pRequest->pTscObj->optionInfo.charsetCxt);
   if (TSDB_CODE_SUCCESS == code && NULL != pRsp) {
     code = setQueryResultFromRsp(&pRequest->body.resInfo, pRsp, pRequest->body.resInfo.convertUcs4,
                                  pRequest->stmtBindVersion > 0);
@@ -473,7 +504,13 @@ void asyncExecLocalCmd(SRequestObj* pRequest, SQuery* pQuery) {
     return;
   }
 
-  int32_t code = qExecCommand(&pRequest->pTscObj->id, pRequest->pTscObj->sysInfo, pQuery->pRoot, &pRsp,
+  uint8_t showVarPrivMask = SHOW_VAR_PRIV_ALL;
+#ifdef TD_ENTERPRISE
+  if (pQuery->pRoot != NULL && nodeType(pQuery->pRoot) == QUERY_NODE_SHOW_LOCAL_VARIABLES_STMT) {
+    showVarPrivMask = getShowVarPrivMask(pRequest);
+  }
+#endif
+  int32_t code = qExecCommand(&pRequest->pTscObj->id, pRequest->pTscObj->sysInfo, showVarPrivMask, pQuery->pRoot, &pRsp,
                               atomic_load_8(&pRequest->pTscObj->biMode), pRequest->pTscObj->optionInfo.charsetCxt);
   if (TSDB_CODE_SUCCESS == code && NULL != pRsp) {
     code = setQueryResultFromRsp(&pRequest->body.resInfo, pRsp, pRequest->body.resInfo.convertUcs4,

@@ -972,3 +972,25 @@ bool invisibleColumn(bool sysInfo, int8_t tableType, int8_t flags) {
   }
   return 0 != (flags & COL_IS_SYSINFO);
 }
+
+/**
+ * information_schema or performance_schema
+ */
+const SSysTableMeta* getSysTableMeta(const char* dbName, const char* tbName) {
+  const SSysTableMeta* pMeta = NULL;
+  size_t               size = 0;
+  if (!dbName || !tbName) {
+    return NULL;
+  }
+  if (dbName[0] == 'i' || dbName[0] == 'I') {
+    getInfosDbMeta(&pMeta, &size);
+  } else {
+    getPerfDbMeta(&pMeta, &size);
+  }
+  for (size_t i = 0; i < size; ++i) {
+    if (strcasecmp(pMeta[i].name, tbName) == 0) {
+      return pMeta + i;
+    }
+  }
+  return NULL;
+}
@@ -336,7 +336,24 @@ int32_t taosGenCrashJsonMsg(int signum, char** pMsg, int64_t clusterId, int64_t
   TAOS_RETURN(code);
 }
 
-int32_t dumpConfToDataBlock(SSDataBlock* pBlock, int32_t startCol, char* likePattern) {
+#ifdef TD_ENTERPRISE
+static bool showVarPrivAllowed(uint8_t showPrivMask, int8_t cfgPrivType) {
+  switch (cfgPrivType) {
+    case CFG_PRIV_SYSTEM:
+      return (showPrivMask & SHOW_VAR_PRIV_SYSTEM) != 0;
+    case CFG_PRIV_SECURITY:
+      return (showPrivMask & SHOW_VAR_PRIV_SECURITY) != 0;
+    case CFG_PRIV_AUDIT:
+      return (showPrivMask & SHOW_VAR_PRIV_AUDIT) != 0;
+    case CFG_PRIV_DEBUG:
+      return (showPrivMask & SHOW_VAR_PRIV_DEBUG) != 0;
+    default:
+      return false;
+  }
+}
+#endif
+
+int32_t dumpConfToDataBlock(SSDataBlock* pBlock, int32_t startCol, char* likePattern, uint8_t showPrivMask) {
   int32_t  code = 0;
   SConfig* pConf = taosGetCfg();
   if (pConf == NULL) {
@@ -373,6 +390,11 @@ int32_t dumpConfToDataBlock(SSDataBlock* pBlock, int32_t startCol, char* likePat
     if (likePattern && rawStrPatternMatch(pItem->name, likePattern) != TSDB_PATTERN_MATCH) {
       continue;
     }
+#ifdef TD_ENTERPRISE
+    if (!showVarPrivAllowed(showPrivMask, pItem->privType)) {
+      continue;
+    }
+#endif
     STR_WITH_MAXSIZE_TO_VARSTR(name, pItem->name, TSDB_CONFIG_OPTION_LEN + VARSTR_HEADER_SIZE);
 
     SColumnInfoData* pColInfo = taosArrayGet(pBlock->pDataBlock, col++);

@@ -1683,7 +1683,7 @@ int32_t dmBuildVariablesBlock(SSDataBlock **ppBlock) {
 }
 
 int32_t dmAppendVariablesToBlock(SSDataBlock *pBlock, int32_t dnodeId) {
-  int32_t code = dumpConfToDataBlock(pBlock, 1, NULL);
+  int32_t code = dumpConfToDataBlock(pBlock, 1, NULL, SHOW_VAR_PRIV_ALL);
   if (code != 0) {
     return code;
   }

@@ -41,6 +41,8 @@ int32_t mndCheckTokenPrivilege(SMnode *pMnode, const char *opUser, const char *o
 
 int32_t mndCheckSysObjPrivilege(SMnode *pMnode, SUserObj *pUser, const char *token, EPrivType privType,
                                 EPrivObjType objType, int64_t ownerId, const char *objFName, const char *tbName);
+uint64_t mndBuildSysPrivBatchMask(SMnode *pMnode, SUserObj *pUser, const char *token,
+                                  const EPrivType *privTypes, int32_t numPrivTypes);
 int32_t mndCheckObjPrivilegeRec(SMnode *pMnode, SUserObj *pUser, EPrivType privType, EPrivObjType objType,
                                 int64_t ownerId, int32_t acctId, const char *objName, const char *tbName);
 int32_t mndCheckObjPrivilegeRecF(SMnode *pMnode, SUserObj *pUser, EPrivType privType, EPrivObjType objType,

@@ -1232,7 +1232,43 @@ static void cfgObjArrayCleanUp(SArray *array) {
   taosArrayDestroy(array);
 }
 
-static SArray *initVariablesFromItems(SArray *pItems, const char* likePattern) {
+#ifdef TD_ENTERPRISE
+static bool mndShowVarPrivAllowed(uint8_t showPrivMask, int8_t cfgPrivType) {
+  switch (cfgPrivType) {
+    case CFG_PRIV_SYSTEM:
+      return (showPrivMask & SHOW_VAR_PRIV_SYSTEM) != 0;
+    case CFG_PRIV_SECURITY:
+      return (showPrivMask & SHOW_VAR_PRIV_SECURITY) != 0;
+    case CFG_PRIV_AUDIT:
+      return (showPrivMask & SHOW_VAR_PRIV_AUDIT) != 0;
+    case CFG_PRIV_DEBUG:
+      return (showPrivMask & SHOW_VAR_PRIV_DEBUG) != 0;
+    default:
+      return false;
+  }
+}
+
+static uint8_t mndBuildShowVarPrivMask(SMnode *pMnode, SUserObj *pUser, const char *token) {
+  static const EPrivType kShowVarPrivTypes[] = {
+      PRIV_VAR_SYSTEM_SHOW,
+      PRIV_VAR_SECURITY_SHOW,
+      PRIV_VAR_AUDIT_SHOW,
+      PRIV_VAR_DEBUG_SHOW,
+  };
+
+  uint64_t rawMask =
+      mndBuildSysPrivBatchMask(pMnode, pUser, token, kShowVarPrivTypes, (int32_t)ARRAY_SIZE(kShowVarPrivTypes));
+
+  uint8_t mask = 0;
+  if (rawMask & (1ULL << 0)) mask |= SHOW_VAR_PRIV_SYSTEM;
+  if (rawMask & (1ULL << 1)) mask |= SHOW_VAR_PRIV_SECURITY;
+  if (rawMask & (1ULL << 2)) mask |= SHOW_VAR_PRIV_AUDIT;
+  if (rawMask & (1ULL << 3)) mask |= SHOW_VAR_PRIV_DEBUG;
+  return mask;
+}
+#endif
+
+static SArray *initVariablesFromItems(SArray *pItems, const char* likePattern, uint8_t showPrivMask) {
   if (pItems == NULL) {
     return NULL;
   }
@@ -1251,6 +1287,11 @@ static SArray *initVariablesFromItems(SArray *pItems, const char* likePattern) {
     if (likePattern != NULL && rawStrPatternMatch(pItem->name, likePattern) != TSDB_PATTERN_MATCH) {
       continue;
     }
+#ifdef TD_ENTERPRISE
+    if (!mndShowVarPrivAllowed(showPrivMask, pItem->privType)) {
+      continue;
+    }
+#endif
 
     // init info value
     switch (pItem->dtype) {
@@ -1319,21 +1360,29 @@ static int32_t mndProcessShowVariablesReq(SRpcMsg *pReq) {
   SShowVariablesRsp rsp = {0};
   int32_t           code = TSDB_CODE_SUCCESS;
   SShowVariablesReq req = {0};
-  SArray           *array = NULL;
+  SUserObj         *pUser = NULL;
+  uint8_t           showPrivMask = 0;
+  SMnode           *pMnode = pReq->info.node;
 
   code = tDeserializeSShowVariablesReq(pReq->pCont, pReq->contLen, &req);
   if (code != 0) {
     mError("failed to deserialize config req, since %s", terrstr());
     goto _OVER;
   }
 
-  if ((code = mndCheckOperPrivilege(pReq->info.node, RPC_MSG_USER(pReq), RPC_MSG_TOKEN(pReq), MND_OPER_SHOW_VARIABLES)) != 0) {
+  if ((code = mndCheckOperPrivilege(pMnode, RPC_MSG_USER(pReq), RPC_MSG_TOKEN(pReq), MND_OPER_SHOW_VARIABLES)) != 0) {
     goto _OVER;
   }
 
+  if ((code = mndAcquireUser(pMnode, RPC_MSG_USER(pReq), &pUser)) != 0) {
+    goto _OVER;
+  }
+#ifdef TD_ENTERPRISE
+  showPrivMask = mndBuildShowVarPrivMask(pMnode, pUser, RPC_MSG_TOKEN(pReq));
+#endif
   SVariablesInfo info = {0};
   char          *likePattern = req.opType == OP_TYPE_LIKE ? req.val : NULL;
-  rsp.variables = initVariablesFromItems(taosGetGlobalCfg(tsCfg), likePattern);
+  rsp.variables = initVariablesFromItems(taosGetGlobalCfg(tsCfg), likePattern, showPrivMask);
   if (rsp.variables == NULL) {
     code = terrno;
     goto _OVER;
@@ -1360,6 +1409,7 @@ static int32_t mndProcessShowVariablesReq(SRpcMsg *pReq) {
   if (code != 0) {
     mError("failed to get show variables info since %s", tstrerror(code));
   }
+  mndReleaseUser(pMnode, pUser);
-  mndReleaseUser(pMnode, pUser);
+  if (pUser != NULL) {
+    mndReleaseUser(pMnode, pUser);
+  }
-  mndReleaseUser(pMnode, pUser);
+  if (pUser != NULL) {
+    mndReleaseUser(pMnode, pUser);
+  }
   tFreeSShowVariablesReq(&req);
   tFreeSShowVariablesRsp(&rsp);
   TAOS_RETURN(code);

@@ -2857,7 +2857,9 @@ static int32_t mndProcessTrimDbReq(SRpcMsg *pReq) {
     TAOS_CHECK_EXIT(code);
   }
 
-  TAOS_CHECK_EXIT(mndCheckDbPrivilege(pMnode, RPC_MSG_USER(pReq), RPC_MSG_TOKEN(pReq), MND_OPER_TRIM_DB, pDb));
+  TAOS_CHECK_EXIT(mndCheckDbPrivilege(pMnode, RPC_MSG_USER(pReq), RPC_MSG_TOKEN(pReq),
+                                      trimReq.optrType == TSDB_OPTR_ROLLUP ? MND_OPER_ROLLUP_DB : MND_OPER_TRIM_DB,
+                                      pDb));
 
   if (pDb->cfg.isMount) {
     TAOS_CHECK_EXIT(TSDB_CODE_MND_MOUNT_OBJ_NOT_SUPPORT);

@@ -519,7 +519,7 @@ static int32_t mndProcessCreateMountReq(SRpcMsg *pReq) {
     }
   }
   // mount operation share the privileges of db
-  TAOS_CHECK_EXIT(mndCheckDbPrivilege(pMnode, RPC_MSG_USER(pReq), RPC_MSG_TOKEN(pReq), MND_OPER_CREATE_MOUNT, (SDbObj *)pObj));
+  TAOS_CHECK_EXIT(mndCheckOperPrivilege(pMnode, RPC_MSG_USER(pReq), RPC_MSG_TOKEN(pReq), MND_OPER_CREATE_MOUNT));
   TAOS_CHECK_EXIT(grantCheck(TSDB_GRANT_MOUNT));
   TAOS_CHECK_EXIT(mndAcquireUser(pMnode, RPC_MSG_USER(pReq), &pUser));
   char fullMountName[TSDB_MOUNT_NAME_LEN + 32] = {0};
@@ -690,7 +690,7 @@ static int32_t mndProcessDropMountReq(SRpcMsg *pReq) {
   }
 
   // mount operation share the privileges of db
-  TAOS_CHECK_GOTO(mndCheckDbPrivilege(pMnode, RPC_MSG_USER(pReq), RPC_MSG_TOKEN(pReq), MND_OPER_DROP_MOUNT, (SDbObj *)pObj), NULL, _exit);
+  TAOS_CHECK_GOTO(mndCheckOperPrivilege(pMnode, RPC_MSG_USER(pReq), RPC_MSG_TOKEN(pReq), MND_OPER_DROP_MOUNT), NULL, _exit);
 
   code = mndDropMount(pMnode, pReq, pObj);
   if (code == TSDB_CODE_SUCCESS) {

@@ -52,6 +52,13 @@ int32_t mndCheckSysObjPrivilege(SMnode *pMnode, SUserObj *pUser, const char *tok
                                 EPrivObjType objType, int64_t ownerId, const char *objFName, const char *tbName) {
   return 0;
 }
+uint64_t mndBuildSysPrivBatchMask(SMnode *pMnode, SUserObj *pUser, const char *token,
+                                  const EPrivType *privTypes, int32_t numPrivTypes) {
+  if (numPrivTypes <= 0) {
+    return 0;
+  }
+  return numPrivTypes >= 64 ? UINT64_MAX : ((1ULL << numPrivTypes) - 1);
+}
 int32_t mndCheckObjPrivilegeRec(SMnode *pMnode, SUserObj *pUser, EPrivType privType, EPrivObjType objType,
                                 int64_t ownerId, int32_t acctId, const char *objName, const char *tbName) {
   return 0;

@@ -1461,7 +1461,7 @@ static int32_t mndRetrieveTSMA(SRpcMsg *pReq, SShowObj *pShow, SSDataBlock *pBlo
   showAll = (0 == mndCheckSysObjPrivilege(pMnode, pUser, RPC_MSG_TOKEN(pReq), PRIV_CM_SHOW, PRIV_OBJ_TSMA, 0, objFName,
                                           objLevel == 0 ? NULL : "*"));
   if (!showAll && pShow->db[0] != 0) {
-    showAll = (0 == mndCheckSysObjPrivilege(pMnode, pUser, RPC_MSG_TOKEN(pReq), PRIV_CM_SHOW, PRIV_OBJ_TSMA, pUser->uid,
+    showAll = (0 == mndCheckSysObjPrivilege(pMnode, pUser, RPC_MSG_TOKEN(pReq), PRIV_CM_SHOW, PRIV_OBJ_TSMA, pDb->ownerId,
                                             pShow->db, objLevel == 0 ? NULL : "*"));
   }
 

@@ -1829,7 +1829,9 @@ static int32_t retrieveSub(SRpcMsg *pReq, SMqSubscribeObj *pSub, SUserObj *pOper
   varDataSetLen(cgroup, strlen(varDataVal(cgroup)));
 
   if (!showAll) {
-    (void)mndAcquireTopic(pMnode, topic, &pTopic);
+    char topicFName[TSDB_TOPIC_FNAME_LEN + 1] = {0};
+    (void)snprintf(topicFName, sizeof(topicFName), "%d.%s", pOperUser->acctId, varDataVal(topic));
+    (void)mndAcquireTopic(pMnode, topicFName, &pTopic);
     if (pTopic) {
       SName name = {0};  // 1.topic1
       if (0 == tNameFromString(&name, pTopic->name, T_NAME_ACCT | T_NAME_DB)) {

@@ -1254,7 +1254,7 @@ static int32_t buildLocalVariablesResultDataBlock(SSDataBlock** pOutput) {
   return terrno;
 }
 
-static int32_t execShowLocalVariables(SShowStmt* pStmt, SRetrieveTableRsp** pRsp) {
+static int32_t execShowLocalVariables(SShowStmt* pStmt, uint8_t showVarPrivMask, SRetrieveTableRsp** pRsp) {
   SSDataBlock* pBlock = NULL;
   char*        likePattern = NULL;
   int32_t      code = buildLocalVariablesResultDataBlock(&pBlock);
@@ -1264,7 +1264,7 @@ static int32_t execShowLocalVariables(SShowStmt* pStmt, SRetrieveTableRsp** pRsp
     }
   }
   if (TSDB_CODE_SUCCESS == code) {
-    code = dumpConfToDataBlock(pBlock, 0, likePattern);
+    code = dumpConfToDataBlock(pBlock, 0, likePattern, showVarPrivMask);
   }
   if (TSDB_CODE_SUCCESS == code) {
     code = buildRetrieveTableRsp(pBlock, SHOW_LOCAL_VARIABLES_RESULT_COLS, pRsp);
@@ -1363,8 +1363,8 @@ static int32_t execShowCreateRsma(SShowCreateRsmaStmt* pStmt, SRetrieveTableRsp*
   return code;
 }
 
-int32_t qExecCommand(int64_t* pConnId, bool sysInfoUser, SNode* pStmt, SRetrieveTableRsp** pRsp, int8_t biMode,
-                     void* charsetCxt) {
+int32_t qExecCommand(int64_t* pConnId, bool sysInfoUser, uint8_t showVarPrivMask, SNode* pStmt,
+                     SRetrieveTableRsp** pRsp, int8_t biMode, void* charsetCxt) {
   switch (nodeType(pStmt)) {
     case QUERY_NODE_DESCRIBE_STMT:
       return execDescribe(sysInfoUser, pStmt, pRsp, biMode);
@@ -1385,7 +1385,7 @@ int32_t qExecCommand(int64_t* pConnId, bool sysInfoUser, SNode* pStmt, SRetrieve
     case QUERY_NODE_ALTER_LOCAL_STMT:
       return execAlterLocal((SAlterLocalStmt*)pStmt);
     case QUERY_NODE_SHOW_LOCAL_VARIABLES_STMT:
-      return execShowLocalVariables((SShowStmt*)pStmt, pRsp);
+      return execShowLocalVariables((SShowStmt*)pStmt, showVarPrivMask, pRsp);
     case QUERY_NODE_SELECT_STMT:
       return execSelectWithoutFrom((SSelectStmt*)pStmt, pRsp);
     default: