diff options
| author | Alexander Barkov <bar@mariadb.com> | 2020-02-09 21:53:11 +0400 |
|---|---|---|
| committer | Alexander Barkov <bar@mariadb.com> | 2020-02-11 08:10:26 +0400 |
| commit | 83e75b39b3611d60ac59e851f742a13f2ee95393 (patch) | |
| tree | a1ab536573067a6578631d3e5e89da612f745ec8 /sql/sql_acl.h | |
| parent | f79f537f9facb5a050697ad3dbf6e4a617c3c128 (diff) | |
| download | mariadb-git-83e75b39b3611d60ac59e851f742a13f2ee95393.tar.gz | |
MDEV-21702 Add a data type for privileges
Diffstat (limited to 'sql/sql_acl.h')
| -rw-r--r-- | sql/sql_acl.h | 185 |
1 files changed, 24 insertions, 161 deletions
diff --git a/sql/sql_acl.h b/sql/sql_acl.h index 4147981bb98..000228945f4 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h @@ -22,144 +22,6 @@ #include "grant.h" #include "sql_cmd.h" /* Sql_cmd */ -#define SELECT_ACL (1UL << 0) -#define INSERT_ACL (1UL << 1) -#define UPDATE_ACL (1UL << 2) -#define DELETE_ACL (1UL << 3) -#define CREATE_ACL (1UL << 4) -#define DROP_ACL (1UL << 5) -#define RELOAD_ACL (1UL << 6) -#define SHUTDOWN_ACL (1UL << 7) -#define PROCESS_ACL (1UL << 8) -#define FILE_ACL (1UL << 9) -#define GRANT_ACL (1UL << 10) -#define REFERENCES_ACL (1UL << 11) -#define INDEX_ACL (1UL << 12) -#define ALTER_ACL (1UL << 13) -#define SHOW_DB_ACL (1UL << 14) -#define SUPER_ACL (1UL << 15) -#define CREATE_TMP_ACL (1UL << 16) -#define LOCK_TABLES_ACL (1UL << 17) -#define EXECUTE_ACL (1UL << 18) -#define REPL_SLAVE_ACL (1UL << 19) -#define REPL_CLIENT_ACL (1UL << 20) -#define CREATE_VIEW_ACL (1UL << 21) -#define SHOW_VIEW_ACL (1UL << 22) -#define CREATE_PROC_ACL (1UL << 23) -#define ALTER_PROC_ACL (1UL << 24) -#define CREATE_USER_ACL (1UL << 25) -#define EVENT_ACL (1UL << 26) -#define TRIGGER_ACL (1UL << 27) -#define CREATE_TABLESPACE_ACL (1UL << 28) -#define DELETE_HISTORY_ACL (1UL << 29) -/* - don't forget to update - 1. static struct show_privileges_st sys_privileges[] - 2. static const char *command_array[] and static uint command_lengths[] - 3. mysql_system_tables.sql and mysql_system_tables_fix.sql - 4. acl_init() or whatever - to define behaviour for old privilege tables - 5. sql_yacc.yy - for GRANT/REVOKE to work -*/ -#define NO_ACCESS (1UL << 30) -#define DB_ACLS \ -(UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \ - GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_TMP_ACL | \ - LOCK_TABLES_ACL | EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | \ - CREATE_PROC_ACL | ALTER_PROC_ACL | EVENT_ACL | TRIGGER_ACL | \ - DELETE_HISTORY_ACL) - -#define TABLE_ACLS \ -(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \ - GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_VIEW_ACL | \ - SHOW_VIEW_ACL | TRIGGER_ACL | DELETE_HISTORY_ACL) - -#define COL_ACLS \ -(SELECT_ACL | INSERT_ACL | UPDATE_ACL | REFERENCES_ACL) - -#define PROC_ACLS \ -(ALTER_PROC_ACL | EXECUTE_ACL | GRANT_ACL) - -#define SHOW_PROC_ACLS \ -(ALTER_PROC_ACL | EXECUTE_ACL | CREATE_PROC_ACL) - -#define GLOBAL_ACLS \ -(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \ - RELOAD_ACL | SHUTDOWN_ACL | PROCESS_ACL | FILE_ACL | GRANT_ACL | \ - REFERENCES_ACL | INDEX_ACL | ALTER_ACL | SHOW_DB_ACL | SUPER_ACL | \ - CREATE_TMP_ACL | LOCK_TABLES_ACL | REPL_SLAVE_ACL | REPL_CLIENT_ACL | \ - EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \ - ALTER_PROC_ACL | CREATE_USER_ACL | EVENT_ACL | TRIGGER_ACL | \ - CREATE_TABLESPACE_ACL | DELETE_HISTORY_ACL) - -#define DEFAULT_CREATE_PROC_ACLS \ -(ALTER_PROC_ACL | EXECUTE_ACL) - -#define SHOW_CREATE_TABLE_ACLS \ -(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | \ - CREATE_ACL | DROP_ACL | ALTER_ACL | INDEX_ACL | \ - TRIGGER_ACL | REFERENCES_ACL | GRANT_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL) - -/** - Table-level privileges which are automatically "granted" to everyone on - existing temporary tables (CREATE_ACL is necessary for ALTER ... RENAME). -*/ -#define TMP_TABLE_ACLS \ -(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \ - INDEX_ACL | ALTER_ACL) - -/* - Defines to change the above bits to how things are stored in tables - This is needed as the 'host' and 'db' table is missing a few privileges -*/ - -/* Privileges that needs to be reallocated (in continous chunks) */ -#define DB_CHUNK0 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | \ - CREATE_ACL | DROP_ACL) -#define DB_CHUNK1 (GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL) -#define DB_CHUNK2 (CREATE_TMP_ACL | LOCK_TABLES_ACL) -#define DB_CHUNK3 (CREATE_VIEW_ACL | SHOW_VIEW_ACL | \ - CREATE_PROC_ACL | ALTER_PROC_ACL ) -#define DB_CHUNK4 (EXECUTE_ACL) -#define DB_CHUNK5 (EVENT_ACL | TRIGGER_ACL) -#define DB_CHUNK6 (DELETE_HISTORY_ACL) - -#define fix_rights_for_db(A) (((A) & DB_CHUNK0) | \ - (((A) << 4) & DB_CHUNK1) | \ - (((A) << 6) & DB_CHUNK2) | \ - (((A) << 9) & DB_CHUNK3) | \ - (((A) << 2) & DB_CHUNK4) | \ - (((A) << 9) & DB_CHUNK5) | \ - (((A) << 10) & DB_CHUNK6)) -#define get_rights_for_db(A) (((A) & DB_CHUNK0) | \ - (((A) & DB_CHUNK1) >> 4) | \ - (((A) & DB_CHUNK2) >> 6) | \ - (((A) & DB_CHUNK3) >> 9) | \ - (((A) & DB_CHUNK4) >> 2) | \ - (((A) & DB_CHUNK5) >> 9) | \ - (((A) & DB_CHUNK6) >> 10)) -#define TBL_CHUNK0 DB_CHUNK0 -#define TBL_CHUNK1 DB_CHUNK1 -#define TBL_CHUNK2 (CREATE_VIEW_ACL | SHOW_VIEW_ACL) -#define TBL_CHUNK3 TRIGGER_ACL -#define TBL_CHUNK4 (DELETE_HISTORY_ACL) -#define fix_rights_for_table(A) (((A) & TBL_CHUNK0) | \ - (((A) << 4) & TBL_CHUNK1) | \ - (((A) << 11) & TBL_CHUNK2) | \ - (((A) << 15) & TBL_CHUNK3) | \ - (((A) << 16) & TBL_CHUNK4)) -#define get_rights_for_table(A) (((A) & TBL_CHUNK0) | \ - (((A) & TBL_CHUNK1) >> 4) | \ - (((A) & TBL_CHUNK2) >> 11) | \ - (((A) & TBL_CHUNK3) >> 15) | \ - (((A) & TBL_CHUNK4) >> 16)) -#define fix_rights_for_column(A) (((A) & 7) | (((A) & ~7) << 8)) -#define get_rights_for_column(A) (((A) & 7) | ((A) >> 8)) -#define fix_rights_for_procedure(A) ((((A) << 18) & EXECUTE_ACL) | \ - (((A) << 23) & ALTER_PROC_ACL) | \ - (((A) << 8) & GRANT_ACL)) -#define get_rights_for_procedure(A) ((((A) & EXECUTE_ACL) >> 18) | \ - (((A) & ALTER_PROC_ACL) >> 23) | \ - (((A) & GRANT_ACL) >> 8)) enum mysql_db_table_field { @@ -214,8 +76,8 @@ bool hostname_requires_resolving(const char *hostname); bool acl_init(bool dont_read_acl_tables); bool acl_reload(THD *thd); void acl_free(bool end=0); -ulong acl_get(const char *host, const char *ip, - const char *user, const char *db, my_bool db_is_pattern); +privilege_t acl_get(const char *host, const char *ip, + const char *user, const char *db, my_bool db_is_pattern); bool acl_authenticate(THD *thd, uint com_change_user_pkt_len); bool acl_getroot(Security_context *sctx, const char *user, const char *host, const char *ip, const char *db); @@ -225,37 +87,38 @@ bool change_password(THD *thd, LEX_USER *user); bool mysql_grant_role(THD *thd, List<LEX_USER> &user_list, bool revoke); bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &user_list, - ulong rights, bool revoke, bool is_proxy); + privilege_t rights, bool revoke, bool is_proxy); int mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list, - List <LEX_COLUMN> &column_list, ulong rights, + List <LEX_COLUMN> &column_list, privilege_t rights, bool revoke); bool mysql_routine_grant(THD *thd, TABLE_LIST *table, const Sp_handler *sph, - List <LEX_USER> &user_list, ulong rights, + List <LEX_USER> &user_list, privilege_t rights, bool revoke, bool write_to_binlog); bool grant_init(); void grant_free(void); bool grant_reload(THD *thd); -bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables, +bool check_grant(THD *thd, privilege_t want_access, TABLE_LIST *tables, bool any_combination_will_do, uint number, bool no_errors); bool check_grant_column (THD *thd, GRANT_INFO *grant, const char *db_name, const char *table_name, const char *name, size_t length, Security_context *sctx); bool check_column_grant_in_table_ref(THD *thd, TABLE_LIST * table_ref, const char *name, size_t length, Field *fld); -bool check_grant_all_columns(THD *thd, ulong want_access, +bool check_grant_all_columns(THD *thd, privilege_t want_access, Field_iterator_table_ref *fields); -bool check_grant_routine(THD *thd, ulong want_access, +bool check_grant_routine(THD *thd, privilege_t want_access, TABLE_LIST *procs, const Sp_handler *sph, bool no_error); bool check_grant_db(THD *thd,const char *db); -bool check_global_access(THD *thd, ulong want_access, bool no_errors= false); -bool check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv, +bool check_global_access(THD *thd, const privilege_t want_access, bool no_errors= false); +bool check_access(THD *thd, privilege_t want_access, + const char *db, privilege_t *save_priv, GRANT_INTERNAL_INFO *grant_internal_info, bool dont_check_global_grants, bool no_errors); -ulong get_table_grant(THD *thd, TABLE_LIST *table); -ulong get_column_grant(THD *thd, GRANT_INFO *grant, - const char *db_name, const char *table_name, - const char *field_name); +privilege_t get_table_grant(THD *thd, TABLE_LIST *table); +privilege_t get_column_grant(THD *thd, GRANT_INFO *grant, + const char *db_name, const char *table_name, + const char *field_name); bool get_show_user(THD *thd, LEX_USER *lex_user, const char **username, const char **hostname, const char **rolename); void mysql_show_grants_get_fields(THD *thd, List<Item> *fields, @@ -264,7 +127,7 @@ bool mysql_show_grants(THD *thd, LEX_USER *user); bool mysql_show_create_user(THD *thd, LEX_USER *user); int fill_schema_enabled_roles(THD *thd, TABLE_LIST *tables, COND *cond); int fill_schema_applicable_roles(THD *thd, TABLE_LIST *tables, COND *cond); -void get_privilege_desc(char *to, uint max_length, ulong access); +void get_privilege_desc(char *to, uint max_length, privilege_t access); void get_mqh(const char *user, const char *host, USER_CONN *uc); bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role); bool mysql_drop_user(THD *thd, List <LEX_USER> &list, bool handle_as_role); @@ -345,8 +208,8 @@ public: privilege. Requested privileges that are granted, if any, are saved in save_priv. */ - virtual ACL_internal_access_result check(ulong want_access, - ulong *save_priv) const= 0; + virtual ACL_internal_access_result check(privilege_t want_access, + privilege_t *save_priv) const= 0; }; /** @@ -382,8 +245,8 @@ public: privilege. Requested privileges that are granted, if any, are saved in save_priv. */ - virtual ACL_internal_access_result check(ulong want_access, - ulong *save_priv) const= 0; + virtual ACL_internal_access_result check(privilege_t want_access, + privilege_t *save_priv) const= 0; /** Search for per table ACL access rules by table name. @@ -417,8 +280,8 @@ get_cached_table_access(GRANT_INTERNAL_INFO *grant_internal_info, bool acl_check_proxy_grant_access (THD *thd, const char *host, const char *user, bool with_grant); -int acl_setrole(THD *thd, const char *rolename, ulonglong access); -int acl_check_setrole(THD *thd, const char *rolename, ulonglong *access); +int acl_setrole(THD *thd, const char *rolename, privilege_t access); +int acl_check_setrole(THD *thd, const char *rolename, privilege_t *access); int acl_check_set_default_role(THD *thd, const char *host, const char *user); int acl_set_default_role(THD *thd, const char *host, const char *user, const char *rolename); @@ -459,12 +322,12 @@ public: class Sql_cmd_grant_proxy: public Sql_cmd_grant { - uint m_grant_option; + privilege_t m_grant_option; #ifndef NO_EMBEDDED_ACCESS_CHECKS bool check_access_proxy(THD *thd, List<LEX_USER> &list); #endif public: - Sql_cmd_grant_proxy(enum_sql_command command, uint grant_option) + Sql_cmd_grant_proxy(enum_sql_command command, privilege_t grant_option) :Sql_cmd_grant(command), m_grant_option(grant_option) { } bool execute(THD *thd); |