diff options
Diffstat (limited to 'sql/sql_acl.h')
-rw-r--r-- | sql/sql_acl.h | 259 |
1 files changed, 98 insertions, 161 deletions
diff --git a/sql/sql_acl.h b/sql/sql_acl.h index dc8a085c96c..570da144b46 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h @@ -19,145 +19,9 @@ #include "violite.h" /* SSL_type */ #include "sql_class.h" /* LEX_COLUMN */ +#include "grant.h" +#include "sql_cmd.h" /* Sql_cmd */ -#define SELECT_ACL (1UL << 0) -#define INSERT_ACL (1UL << 1) -#define UPDATE_ACL (1UL << 2) -#define DELETE_ACL (1UL << 3) -#define CREATE_ACL (1UL << 4) -#define DROP_ACL (1UL << 5) -#define RELOAD_ACL (1UL << 6) -#define SHUTDOWN_ACL (1UL << 7) -#define PROCESS_ACL (1UL << 8) -#define FILE_ACL (1UL << 9) -#define GRANT_ACL (1UL << 10) -#define REFERENCES_ACL (1UL << 11) -#define INDEX_ACL (1UL << 12) -#define ALTER_ACL (1UL << 13) -#define SHOW_DB_ACL (1UL << 14) -#define SUPER_ACL (1UL << 15) -#define CREATE_TMP_ACL (1UL << 16) -#define LOCK_TABLES_ACL (1UL << 17) -#define EXECUTE_ACL (1UL << 18) -#define REPL_SLAVE_ACL (1UL << 19) -#define REPL_CLIENT_ACL (1UL << 20) -#define CREATE_VIEW_ACL (1UL << 21) -#define SHOW_VIEW_ACL (1UL << 22) -#define CREATE_PROC_ACL (1UL << 23) -#define ALTER_PROC_ACL (1UL << 24) -#define CREATE_USER_ACL (1UL << 25) -#define EVENT_ACL (1UL << 26) -#define TRIGGER_ACL (1UL << 27) -#define CREATE_TABLESPACE_ACL (1UL << 28) -#define DELETE_HISTORY_ACL (1UL << 29) -/* - don't forget to update - 1. static struct show_privileges_st sys_privileges[] - 2. static const char *command_array[] and static uint command_lengths[] - 3. mysql_system_tables.sql and mysql_system_tables_fix.sql - 4. acl_init() or whatever - to define behaviour for old privilege tables - 5. sql_yacc.yy - for GRANT/REVOKE to work -*/ -#define NO_ACCESS (1UL << 30) -#define DB_ACLS \ -(UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \ - GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_TMP_ACL | \ - LOCK_TABLES_ACL | EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | \ - CREATE_PROC_ACL | ALTER_PROC_ACL | EVENT_ACL | TRIGGER_ACL | \ - DELETE_HISTORY_ACL) - -#define TABLE_ACLS \ -(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \ - GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_VIEW_ACL | \ - SHOW_VIEW_ACL | TRIGGER_ACL | DELETE_HISTORY_ACL) - -#define COL_ACLS \ -(SELECT_ACL | INSERT_ACL | UPDATE_ACL | REFERENCES_ACL) - -#define PROC_ACLS \ -(ALTER_PROC_ACL | EXECUTE_ACL | GRANT_ACL) - -#define SHOW_PROC_ACLS \ -(ALTER_PROC_ACL | EXECUTE_ACL | CREATE_PROC_ACL) - -#define GLOBAL_ACLS \ -(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \ - RELOAD_ACL | SHUTDOWN_ACL | PROCESS_ACL | FILE_ACL | GRANT_ACL | \ - REFERENCES_ACL | INDEX_ACL | ALTER_ACL | SHOW_DB_ACL | SUPER_ACL | \ - CREATE_TMP_ACL | LOCK_TABLES_ACL | REPL_SLAVE_ACL | REPL_CLIENT_ACL | \ - EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \ - ALTER_PROC_ACL | CREATE_USER_ACL | EVENT_ACL | TRIGGER_ACL | \ - CREATE_TABLESPACE_ACL | DELETE_HISTORY_ACL) - -#define DEFAULT_CREATE_PROC_ACLS \ -(ALTER_PROC_ACL | EXECUTE_ACL) - -#define SHOW_CREATE_TABLE_ACLS \ -(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | \ - CREATE_ACL | DROP_ACL | ALTER_ACL | INDEX_ACL | \ - TRIGGER_ACL | REFERENCES_ACL | GRANT_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL) - -/** - Table-level privileges which are automatically "granted" to everyone on - existing temporary tables (CREATE_ACL is necessary for ALTER ... RENAME). -*/ -#define TMP_TABLE_ACLS \ -(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \ - INDEX_ACL | ALTER_ACL) - -/* - Defines to change the above bits to how things are stored in tables - This is needed as the 'host' and 'db' table is missing a few privileges -*/ - -/* Privileges that needs to be reallocated (in continous chunks) */ -#define DB_CHUNK0 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | \ - CREATE_ACL | DROP_ACL) -#define DB_CHUNK1 (GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL) -#define DB_CHUNK2 (CREATE_TMP_ACL | LOCK_TABLES_ACL) -#define DB_CHUNK3 (CREATE_VIEW_ACL | SHOW_VIEW_ACL | \ - CREATE_PROC_ACL | ALTER_PROC_ACL ) -#define DB_CHUNK4 (EXECUTE_ACL) -#define DB_CHUNK5 (EVENT_ACL | TRIGGER_ACL) -#define DB_CHUNK6 (DELETE_HISTORY_ACL) - -#define fix_rights_for_db(A) (((A) & DB_CHUNK0) | \ - (((A) << 4) & DB_CHUNK1) | \ - (((A) << 6) & DB_CHUNK2) | \ - (((A) << 9) & DB_CHUNK3) | \ - (((A) << 2) & DB_CHUNK4) | \ - (((A) << 9) & DB_CHUNK5) | \ - (((A) << 10) & DB_CHUNK6)) -#define get_rights_for_db(A) (((A) & DB_CHUNK0) | \ - (((A) & DB_CHUNK1) >> 4) | \ - (((A) & DB_CHUNK2) >> 6) | \ - (((A) & DB_CHUNK3) >> 9) | \ - (((A) & DB_CHUNK4) >> 2) | \ - (((A) & DB_CHUNK5) >> 9) | \ - (((A) & DB_CHUNK6) >> 10)) -#define TBL_CHUNK0 DB_CHUNK0 -#define TBL_CHUNK1 DB_CHUNK1 -#define TBL_CHUNK2 (CREATE_VIEW_ACL | SHOW_VIEW_ACL) -#define TBL_CHUNK3 TRIGGER_ACL -#define TBL_CHUNK4 (DELETE_HISTORY_ACL) -#define fix_rights_for_table(A) (((A) & TBL_CHUNK0) | \ - (((A) << 4) & TBL_CHUNK1) | \ - (((A) << 11) & TBL_CHUNK2) | \ - (((A) << 15) & TBL_CHUNK3) | \ - (((A) << 16) & TBL_CHUNK4)) -#define get_rights_for_table(A) (((A) & TBL_CHUNK0) | \ - (((A) & TBL_CHUNK1) >> 4) | \ - (((A) & TBL_CHUNK2) >> 11) | \ - (((A) & TBL_CHUNK3) >> 15) | \ - (((A) & TBL_CHUNK4) >> 16)) -#define fix_rights_for_column(A) (((A) & 7) | (((A) & ~7) << 8)) -#define get_rights_for_column(A) (((A) & 7) | ((A) >> 8)) -#define fix_rights_for_procedure(A) ((((A) << 18) & EXECUTE_ACL) | \ - (((A) << 23) & ALTER_PROC_ACL) | \ - (((A) << 8) & GRANT_ACL)) -#define get_rights_for_procedure(A) ((((A) & EXECUTE_ACL) >> 18) | \ - (((A) & ALTER_PROC_ACL) >> 23) | \ - (((A) & GRANT_ACL) >> 8)) enum mysql_db_table_field { @@ -212,8 +76,8 @@ bool hostname_requires_resolving(const char *hostname); bool acl_init(bool dont_read_acl_tables); bool acl_reload(THD *thd); void acl_free(bool end=0); -ulong acl_get(const char *host, const char *ip, - const char *user, const char *db, my_bool db_is_pattern); +privilege_t acl_get(const char *host, const char *ip, + const char *user, const char *db, my_bool db_is_pattern); bool acl_authenticate(THD *thd, uint com_change_user_pkt_len); bool acl_getroot(Security_context *sctx, const char *user, const char *host, const char *ip, const char *db); @@ -223,37 +87,38 @@ bool change_password(THD *thd, LEX_USER *user); bool mysql_grant_role(THD *thd, List<LEX_USER> &user_list, bool revoke); bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &user_list, - ulong rights, bool revoke, bool is_proxy); + privilege_t rights, bool revoke, bool is_proxy); int mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list, - List <LEX_COLUMN> &column_list, ulong rights, + List <LEX_COLUMN> &column_list, privilege_t rights, bool revoke); bool mysql_routine_grant(THD *thd, TABLE_LIST *table, const Sp_handler *sph, - List <LEX_USER> &user_list, ulong rights, + List <LEX_USER> &user_list, privilege_t rights, bool revoke, bool write_to_binlog); bool grant_init(); void grant_free(void); bool grant_reload(THD *thd); -bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables, +bool check_grant(THD *thd, privilege_t want_access, TABLE_LIST *tables, bool any_combination_will_do, uint number, bool no_errors); bool check_grant_column (THD *thd, GRANT_INFO *grant, const char *db_name, const char *table_name, const char *name, size_t length, Security_context *sctx); bool check_column_grant_in_table_ref(THD *thd, TABLE_LIST * table_ref, const char *name, size_t length, Field *fld); -bool check_grant_all_columns(THD *thd, ulong want_access, +bool check_grant_all_columns(THD *thd, privilege_t want_access, Field_iterator_table_ref *fields); -bool check_grant_routine(THD *thd, ulong want_access, +bool check_grant_routine(THD *thd, privilege_t want_access, TABLE_LIST *procs, const Sp_handler *sph, bool no_error); bool check_grant_db(THD *thd,const char *db); -bool check_global_access(THD *thd, ulong want_access, bool no_errors= false); -bool check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv, +bool check_global_access(THD *thd, const privilege_t want_access, bool no_errors= false); +bool check_access(THD *thd, privilege_t want_access, + const char *db, privilege_t *save_priv, GRANT_INTERNAL_INFO *grant_internal_info, bool dont_check_global_grants, bool no_errors); -ulong get_table_grant(THD *thd, TABLE_LIST *table); -ulong get_column_grant(THD *thd, GRANT_INFO *grant, - const char *db_name, const char *table_name, - const char *field_name); +privilege_t get_table_grant(THD *thd, TABLE_LIST *table); +privilege_t get_column_grant(THD *thd, GRANT_INFO *grant, + const char *db_name, const char *table_name, + const char *field_name); bool get_show_user(THD *thd, LEX_USER *lex_user, const char **username, const char **hostname, const char **rolename); void mysql_show_grants_get_fields(THD *thd, List<Item> *fields, @@ -262,7 +127,7 @@ bool mysql_show_grants(THD *thd, LEX_USER *user); bool mysql_show_create_user(THD *thd, LEX_USER *user); int fill_schema_enabled_roles(THD *thd, TABLE_LIST *tables, COND *cond); int fill_schema_applicable_roles(THD *thd, TABLE_LIST *tables, COND *cond); -void get_privilege_desc(char *to, uint max_length, ulong access); +void get_privilege_desc(char *to, uint max_length, privilege_t access); void get_mqh(const char *user, const char *host, USER_CONN *uc); bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role); bool mysql_drop_user(THD *thd, List <LEX_USER> &list, bool handle_as_role); @@ -302,8 +167,6 @@ enum ACL_internal_access_result /** Access granted for all the requested privileges, do not use the grant tables. - This flag is used only for the INFORMATION_SCHEMA privileges, - for compatibility reasons. */ ACL_INTERNAL_ACCESS_GRANTED, /** Access denied, do not use the grant tables. */ @@ -343,8 +206,8 @@ public: privilege. Requested privileges that are granted, if any, are saved in save_priv. */ - virtual ACL_internal_access_result check(ulong want_access, - ulong *save_priv) const= 0; + virtual ACL_internal_access_result check(privilege_t want_access, + privilege_t *save_priv) const= 0; }; /** @@ -380,8 +243,8 @@ public: privilege. Requested privileges that are granted, if any, are saved in save_priv. */ - virtual ACL_internal_access_result check(ulong want_access, - ulong *save_priv) const= 0; + virtual ACL_internal_access_result check(privilege_t want_access, + privilege_t *save_priv) const= 0; /** Search for per table ACL access rules by table name. @@ -415,8 +278,8 @@ get_cached_table_access(GRANT_INTERNAL_INFO *grant_internal_info, bool acl_check_proxy_grant_access (THD *thd, const char *host, const char *user, bool with_grant); -int acl_setrole(THD *thd, const char *rolename, ulonglong access); -int acl_check_setrole(THD *thd, const char *rolename, ulonglong *access); +int acl_setrole(THD *thd, const char *rolename, privilege_t access); +int acl_check_setrole(THD *thd, const char *rolename, privilege_t *access); int acl_check_set_default_role(THD *thd, const char *host, const char *user, const char *role); int acl_set_default_role(THD *thd, const char *host, const char *user, @@ -436,4 +299,78 @@ bool check_role_is_granted(const char *username, extern ulong role_global_merges, role_db_merges, role_table_merges, role_column_merges, role_routine_merges; #endif + + +class Sql_cmd_grant: public Sql_cmd +{ +protected: + enum_sql_command m_command; +#ifndef NO_EMBEDDED_ACCESS_CHECKS + void warn_hostname_requires_resolving(THD *thd, List<LEX_USER> &list); + bool user_list_reset_mqh(THD *thd, List<LEX_USER> &list); + void grant_stage0(THD *thd); +#endif +public: + Sql_cmd_grant(enum_sql_command command) + :m_command(command) + { } + bool is_revoke() const { return m_command == SQLCOM_REVOKE; } + enum_sql_command sql_command_code() const { return m_command; } +}; + + +class Sql_cmd_grant_proxy: public Sql_cmd_grant +{ + privilege_t m_grant_option; +#ifndef NO_EMBEDDED_ACCESS_CHECKS + bool check_access_proxy(THD *thd, List<LEX_USER> &list); +#endif +public: + Sql_cmd_grant_proxy(enum_sql_command command, privilege_t grant_option) + :Sql_cmd_grant(command), m_grant_option(grant_option) + { } + bool execute(THD *thd); +}; + + +class Sql_cmd_grant_object: public Sql_cmd_grant, public Grant_privilege +{ +protected: +#ifndef NO_EMBEDDED_ACCESS_CHECKS + bool grant_stage0_exact_object(THD *thd, TABLE_LIST *table); +#endif +public: + Sql_cmd_grant_object(enum_sql_command command, const Grant_privilege &grant) + :Sql_cmd_grant(command), Grant_privilege(grant) + { } +}; + + +class Sql_cmd_grant_table: public Sql_cmd_grant_object +{ +#ifndef NO_EMBEDDED_ACCESS_CHECKS + bool execute_table_mask(THD *thd); + bool execute_exact_table(THD *thd, TABLE_LIST *table); +#endif +public: + Sql_cmd_grant_table(enum_sql_command command, const Grant_privilege &grant) + :Sql_cmd_grant_object(command, grant) + { } + bool execute(THD *thd); +}; + + + +class Sql_cmd_grant_sp: public Sql_cmd_grant_object +{ + const Sp_handler &m_sph; +public: + Sql_cmd_grant_sp(enum_sql_command command, const Grant_privilege &grant, + const Sp_handler &sph) + :Sql_cmd_grant_object(command, grant), + m_sph(sph) + { } + bool execute(THD *thd); +}; + #endif /* SQL_ACL_INCLUDED */ |