dm: add LOCK TABLES privilege note for managed MySQL sources

dm/dm-precheck.md

@@ -69,7 +69,11 @@ For the full data migration mode (`task-mode: full`), in addition to the [common
 
     - SELECT permission on INFORMATION_SCHEMA and dump tables
     - RELOAD permission if `consistency=flush`
-    - LOCK TABLES permission on the dump tables if `consistency=flush/lock`
+    - LOCK TABLES permission on the dump tables if `consistency=lock`
+
+    > **Note:**
+    >
+    > When `consistency=auto` (the default), DM first tries `FLUSH TABLES WITH READ LOCK` (FTWRL). If FTWRL is unavailable, DM falls back to `LOCK TABLES`. This fallback commonly occurs on managed MySQL services (such as Amazon RDS, Aurora, ApsaraDB RDS for MySQL, Azure Database for MySQL, and Google Cloud SQL), where FTWRL is not permitted. In this case, the `LOCK TABLES` privilege is required at runtime, but the precheck does not currently verify this privilege. For the full list of privileges, see [DM-worker privileges](/dm/dm-worker-intro.md#upstream-database-user-privileges).
 
 * (Mandatory) Consistency of upstream MySQL multi-instance sharding tables
 

dm/dm-worker-intro.md

@@ -52,13 +52,23 @@ The upstream database (MySQL/MariaDB) user must have the following privileges:
 | `REPLICATION SLAVE` | Global |
 | `REPLICATION CLIENT` | Global |
 
+> **Note:**
+>
+> If you migrate from a managed MySQL service (such as Amazon RDS, Aurora, ApsaraDB RDS for MySQL, Azure Database for MySQL, or Google Cloud SQL) where `FLUSH TABLES WITH READ LOCK` (FTWRL) is not permitted, also grant the `LOCK TABLES` privilege. With the default `consistency=auto` setting, DM falls back to `LOCK TABLES` when FTWRL is unavailable.
+
 If you need to migrate the data from `db1` to TiDB, execute the following `GRANT` statement:
 
 ```sql
 GRANT RELOAD,REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'your_user'@'your_wildcard_of_host';
 GRANT SELECT ON db1.* TO 'your_user'@'your_wildcard_of_host';
 ```
 
+For managed MySQL services where FTWRL is not permitted, also grant the `LOCK TABLES` privilege:
+
+```sql
+GRANT LOCK TABLES ON db1.* TO 'your_user'@'your_wildcard_of_host';
+```
+
 If you also need to migrate the data from other databases into TiDB, make sure the same privileges are granted to the user of the respective databases.
 
 ### Downstream database user privileges

dm/quick-start-with-dm.md

@@ -91,6 +91,10 @@ You can use Docker to quickly deploy a test MySQL 8.0 instance.
     GRANT PROCESS, BACKUP_ADMIN, RELOAD, REPLICATION SLAVE, REPLICATION CLIENT, SELECT ON *.* TO 'tidb-dm'@'%';
     ```
 
+    > **Note:**
+    >
+    > If your MySQL source is a managed MySQL service (such as Amazon RDS, Aurora, ApsaraDB RDS for MySQL, Azure Database for MySQL, or Google Cloud SQL), also grant the `LOCK TABLES` privilege. For more information, see [DM-worker privileges](/dm/dm-worker-intro.md#upstream-database-user-privileges).
+
 4. Create sample data:
 
     ```sql
@@ -148,6 +152,10 @@ On macOS, you can quickly install and start MySQL 8.0 locally using [Homebrew](h
     GRANT PROCESS, BACKUP_ADMIN, RELOAD, REPLICATION SLAVE, REPLICATION CLIENT, SELECT ON *.* TO 'tidb-dm'@'%';
     ```
 
+    > **Note:**
+    >
+    > If your MySQL source is a managed MySQL service (such as Amazon RDS, Aurora, ApsaraDB RDS for MySQL, Azure Database for MySQL, or Google Cloud SQL), also grant the `LOCK TABLES` privilege. For more information, see [DM-worker privileges](/dm/dm-worker-intro.md#upstream-database-user-privileges).
+
 6. Create sample data:
 
     ```sql