Vitess security audit
two things when receiving incoming requests: 1) It first authenticates the request, and 2) it then checks the authorization level for the user sending the request. In VTAdmin, authentication is the task VTAdmin-api does this in vitess/go/vt/vtadmin/api.go, when the routes are initialized: First VTAdmin-api checks if the user has registered an authentication plugin: And later, it gets added to the http mux layer: authorization checks whether an actor can perform an action against a given resource. The logic is implemented here: https://github.com/vitessio/vitess/tree/main/go/vt/vtadmin/rbac. VTAdmin checks RBAC rules
0 credits | 41 pages | 1.10 MB | 1 year ago

The Vitess 7.0 Documentation
other validation procedures. You could do in-tablet integrity checks to verify foreign-key-like relationships or cross-shard integrity checks if, for example, an index table in one keyspace references data initial_wait Duration Time to wait for all tablets to check in retry_delay Duration Time to wait between two checks timeout Duration Timeout after which the command fails Arguments •– Required when there are no active streams (RPCs) -heartbeat_enable If true, vttablet records (if master) or checks (if replica) the current time of a replication heartbeat in the table _vt.heartbeat. The result is
0 credits | 254 pages | 949.63 KB | 1 year ago

The Vitess 8.0 Documentation
ReservedConn eq_range_index_dive_limit ReservedConn explicit_defaults_for_timestamp ReservedConn foreign_key_checks ReservedConn group_concat_max_len ReservedConn max_heap_table_size ReservedConn max_seeks_for_key sql_warnings ReservedConn tmp_table_size ReservedConn transaction_prealloc_size ReservedConn unique_checks ReservedConn updatable_views_with_limit ReservedConn binlog_format CheckAndIgnore block_encryption_mode initial_wait Duration Time to wait for all tablets to check in retry_delay Duration Time to wait between two checks timeout Duration Timeout after which the command fails Arguments •– Required
0 credits | 331 pages | 1.35 MB | 1 year ago

The Vitess 12.0 Documentation
ReservedConn eq_range_index_dive_limit ReservedConn explicit_defaults_for_timestamp ReservedConn foreign_key_checks ReservedConn group_concat_max_len ReservedConn max_heap_table_size ReservedConn max_seeks_for_key sql_warnings ReservedConn tmp_table_size ReservedConn transaction_prealloc_size ReservedConn unique_checks ReservedConn updatable_views_with_limit ReservedConn binlog_format CheckAndIgnore block_encryption_mode sampling of known migration states. Normally there’s a once per minute tick that kicks in a series of checks. You may imagine a state machine that advances once per minute. However, some steps: • Submission
0 credits | 534 pages | 3.32 MB | 1 year ago

The Vitess 11.0 Documentation
ReservedConn 24 System variable Handled explicit_defaults_for_timestamp ReservedConn foreign_key_checks ReservedConn group_concat_max_len ReservedConn max_heap_table_size ReservedConn max_seeks_for_key sql_warnings ReservedConn tmp_table_size ReservedConn transaction_prealloc_size ReservedConn unique_checks ReservedConn updatable_views_with_limit ReservedConn binlog_format CheckAndIgnore block_encryption_mode tablet only presents mysql/self metric (measurement of its own backend MySQL’s lag). It does not serve checks for the shard in general. Resources • freno project page • Mitigating replication lag and reducing
0 credits | 481 pages | 3.14 MB | 1 year ago

The Vitess 10.0 Documentation
ReservedConn eq_range_index_dive_limit ReservedConn explicit_defaults_for_timestamp ReservedConn foreign_key_checks ReservedConn group_concat_max_len ReservedConn max_heap_table_size ReservedConn max_seeks_for_key sql_warnings ReservedConn tmp_table_size ReservedConn transaction_prealloc_size ReservedConn unique_checks ReservedConn updatable_views_with_limit ReservedConn binlog_format CheckAndIgnore block_encryption_mode tablet only presents mysql/self metric (measurement of its own backend MySQL’s lag). It does not serve checks for the shard in general. Resources • freno project page • Mitigating replication lag and reducing
0 credits | 455 pages | 3.07 MB | 1 year ago

The Vitess 5.0 Documentation
other validation procedures. You could do in-tablet integrity checks to verify foreign-key-like relationships or cross-shard integrity checks if, for example, an index table in one keyspace references data tables in sync with those in commerce. NOTE: In production, you would want to run multiple sanity checks on the replication by running SplitDiff jobs multiple times before starting the cutover: jobs: initial_wait Duration Time to wait for all tablets to check in retry_delay Duration Time to wait between two checks timeout Duration Timeout after which the command fails Arguments •– Required
0 credits | 206 pages | 875.06 KB | 1 year ago

The Vitess 9.0 Documentation
ReservedConn eq_range_index_dive_limit ReservedConn explicit_defaults_for_timestamp ReservedConn foreign_key_checks ReservedConn group_concat_max_len ReservedConn max_heap_table_size ReservedConn max_seeks_for_key sql_warnings ReservedConn tmp_table_size ReservedConn transaction_prealloc_size ReservedConn unique_checks ReservedConn updatable_views_with_limit ReservedConn binlog_format CheckAndIgnore block_encryption_mode when there are no active streams (RPCs) -heartbeat_enable If true, vttablet records (if master) or checks (if replica) the current time of a replication heartbeat in the table _vt.heartbeat. The result is
0 credits | 417 pages | 2.96 MB | 1 year ago

The Vitess 6.0 Documentation
other validation procedures. You could do in-tablet integrity checks to verify foreign-key-like relationships or cross-shard integrity checks if, for example, an index table in one keyspace references data initial_wait Duration Time to wait for all tablets to check in retry_delay Duration Time to wait between two checks timeout Duration Timeout after which the command fails Arguments •– Required command This error occurs if the command is not called with exactly 2 arguments. Ping Checks that the specified tablet is awake and responding to RPCs. This command can be blocked by other in-flight
0 credits | 210 pages | 846.79 KB | 1 year ago

9 results in total