From 887a1ac862abd28256ae251a40c5eb00dca0d4c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vicen=C8=9Biu=20Ciorbaru?= Date: Thu, 17 Oct 2013 15:03:21 -0700 Subject: Implemented Roles Mappings association between users and roles. No more memory leaks in the code. --- sql/sql_acl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'sql/sql_acl.h') diff --git a/sql/sql_acl.h b/sql/sql_acl.h index 3169746419c..3bc1b1eae45 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h @@ -215,7 +215,7 @@ bool check_grant_column (THD *thd, GRANT_INFO *grant, const char *name, uint length, Security_context *sctx); bool check_column_grant_in_table_ref(THD *thd, TABLE_LIST * table_ref, const char *name, uint length); -bool check_grant_all_columns(THD *thd, ulong want_access, +bool check_grant_all_columns(THD *thd, ulong want_access, Field_iterator_table_ref *fields); bool check_grant_routine(THD *thd, ulong want_access, TABLE_LIST *procs, bool is_proc, bool no_error); -- cgit v1.2.1 From 22ca077ac44bca73394133b9fae001e7caa815c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vicen=C8=9Biu=20Ciorbaru?= Date: Thu, 17 Oct 2013 15:10:32 -0700 Subject: Removed all tabs from sql_acl.h. Replaced with spaces --- sql/sql_acl.h | 90 +++++++++++++++++++++++++++++------------------------------ 1 file changed, 45 insertions(+), 45 deletions(-) (limited to 'sql/sql_acl.h') diff --git a/sql/sql_acl.h b/sql/sql_acl.h index 3bc1b1eae45..b45b70ad069 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h 
@@ -20,30 +20,30 @@
 #include "violite.h" /* SSL_type */
 #include "sql_class.h" /* LEX_COLUMN */
-#define SELECT_ACL (1L << 0)
-#define INSERT_ACL (1L << 1)
-#define UPDATE_ACL (1L << 2)
-#define DELETE_ACL (1L << 3)
-#define CREATE_ACL (1L << 4)
-#define DROP_ACL (1L << 5)
-#define RELOAD_ACL (1L << 6)
-#define SHUTDOWN_ACL (1L << 7)
-#define PROCESS_ACL (1L << 8)
-#define FILE_ACL (1L << 9)
-#define GRANT_ACL (1L << 10)
-#define REFERENCES_ACL (1L << 11)
-#define INDEX_ACL (1L << 12)
-#define ALTER_ACL (1L << 13)
-#define SHOW_DB_ACL (1L << 14)
-#define SUPER_ACL (1L << 15)
-#define CREATE_TMP_ACL (1L << 16)
-#define LOCK_TABLES_ACL (1L << 17)
-#define EXECUTE_ACL (1L << 18)
-#define REPL_SLAVE_ACL (1L << 19)
-#define REPL_CLIENT_ACL (1L << 20)
-#define CREATE_VIEW_ACL (1L << 21)
-#define SHOW_VIEW_ACL (1L << 22)
-#define CREATE_PROC_ACL (1L << 23)
+#define SELECT_ACL (1L << 0)
+#define INSERT_ACL (1L << 1)
+#define UPDATE_ACL (1L << 2)
+#define DELETE_ACL (1L << 3)
+#define CREATE_ACL (1L << 4)
+#define DROP_ACL (1L << 5)
+#define RELOAD_ACL (1L << 6)
+#define SHUTDOWN_ACL (1L << 7)
+#define PROCESS_ACL (1L << 8)
+#define FILE_ACL (1L << 9)
+#define GRANT_ACL (1L << 10)
+#define REFERENCES_ACL (1L << 11)
+#define INDEX_ACL (1L << 12)
+#define ALTER_ACL (1L << 13)
+#define SHOW_DB_ACL (1L << 14)
+#define SUPER_ACL (1L << 15)
+#define CREATE_TMP_ACL (1L << 16)
+#define LOCK_TABLES_ACL (1L << 17)
+#define EXECUTE_ACL (1L << 18)
+#define REPL_SLAVE_ACL (1L << 19)
+#define REPL_CLIENT_ACL (1L << 20)
+#define CREATE_VIEW_ACL (1L << 21)
+#define SHOW_VIEW_ACL (1L << 22)
+#define CREATE_PROC_ACL (1L << 23)
 #define ALTER_PROC_ACL (1L << 24)
 #define CREATE_USER_ACL (1L << 25)
 #define EVENT_ACL (1L << 26)
@@ -57,7 +57,7 @@
 4. acl_init() or whatever - to define behaviour for old privilege tables
 5. sql_yacc.yy - for GRANT/REVOKE to work
 */
-#define NO_ACCESS (1L << 30)
+#define NO_ACCESS (1L << 30)
 #define DB_ACLS \
 (UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
 GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_TMP_ACL | \
@@ -106,21 +106,21 @@
 #define DB_CHUNK1 (GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL)
 #define DB_CHUNK2 (CREATE_TMP_ACL | LOCK_TABLES_ACL)
 #define DB_CHUNK3 (CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
- CREATE_PROC_ACL | ALTER_PROC_ACL )
+ CREATE_PROC_ACL | ALTER_PROC_ACL )
 #define DB_CHUNK4 (EXECUTE_ACL)
 #define DB_CHUNK5 (EVENT_ACL | TRIGGER_ACL)
 #define fix_rights_for_db(A) (((A) & DB_CHUNK0) | \
- (((A) << 4) & DB_CHUNK1) | \
- (((A) << 6) & DB_CHUNK2) | \
- (((A) << 9) & DB_CHUNK3) | \
- (((A) << 2) & DB_CHUNK4))| \
+ (((A) << 4) & DB_CHUNK1) | \
+ (((A) << 6) & DB_CHUNK2) | \
+ (((A) << 9) & DB_CHUNK3) | \
+ (((A) << 2) & DB_CHUNK4))| \
 (((A) << 9) & DB_CHUNK5)
 #define get_rights_for_db(A) (((A) & DB_CHUNK0) | \
- (((A) & DB_CHUNK1) >> 4) | \
- (((A) & DB_CHUNK2) >> 6) | \
- (((A) & DB_CHUNK3) >> 9) | \
- (((A) & DB_CHUNK4) >> 2))| \
+ (((A) & DB_CHUNK1) >> 4) | \
+ (((A) & DB_CHUNK2) >> 6) | \
+ (((A) & DB_CHUNK3) >> 9) | \
+ (((A) & DB_CHUNK4) >> 2))| \
 (((A) & DB_CHUNK5) >> 9)
 #define TBL_CHUNK0 DB_CHUNK0
 #define TBL_CHUNK1 DB_CHUNK1
@@ -137,11 +137,11 @@
 #define fix_rights_for_column(A) (((A) & 7) | (((A) & ~7) << 8))
 #define get_rights_for_column(A) (((A) & 7) | ((A) >> 8))
 #define fix_rights_for_procedure(A) ((((A) << 18) & EXECUTE_ACL) | \
- (((A) << 23) & ALTER_PROC_ACL) | \
- (((A) << 8) & GRANT_ACL))
+ (((A) << 23) & ALTER_PROC_ACL) | \
+ (((A) << 8) & GRANT_ACL))
 #define get_rights_for_procedure(A) ((((A) & EXECUTE_ACL) >> 18) | \
- (((A) & ALTER_PROC_ACL) >> 23) | \
- (((A) & GRANT_ACL) >> 8))
+ (((A) & ALTER_PROC_ACL) >> 23) | \
+ (((A) & GRANT_ACL) >> 8))
 enum mysql_db_table_field {
@@ -188,7 +188,7 @@ my_bool acl_init(bool dont_read_acl_tables); my_bool acl_reload(THD *thd); void acl_free(bool end=0); ulong acl_get(const char *host, const char *ip, - const char *user, const char *db, my_bool db_is_pattern); + const char *user, const char *db, my_bool db_is_pattern); bool acl_authenticate(THD *thd, uint connect_errors, uint com_change_user_pkt_len); bool acl_getroot(Security_context *sctx, char *user, char *host, char *ip, char *db); 
@@ -196,29 +196,29 @@ bool acl_check_host(const char *host, const char *ip); int check_change_password(THD *thd, const char *host, const char *user, char *password, uint password_len); bool change_password(THD *thd, const char *host, const char *user, - char *password); + char *password); bool mysql_grant(THD *thd, const char *db, List &user_list, ulong rights, bool revoke, bool is_proxy); int mysql_table_grant(THD *thd, TABLE_LIST *table, List &user_list, List &column_list, ulong rights, bool revoke); bool mysql_routine_grant(THD *thd, TABLE_LIST *table, bool is_proc, - List &user_list, ulong rights, - bool revoke, bool write_to_binlog); + List &user_list, ulong rights, + bool revoke, bool write_to_binlog); my_bool grant_init(); void grant_free(void); my_bool grant_reload(THD *thd); bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables, bool any_combination_will_do, uint number, bool no_errors); bool check_grant_column (THD *thd, GRANT_INFO *grant, - const char *db_name, const char *table_name, - const char *name, uint length, Security_context *sctx); + const char *db_name, const char *table_name, + const char *name, uint length, Security_context *sctx); bool check_column_grant_in_table_ref(THD *thd, TABLE_LIST * table_ref, const char *name, uint length); bool check_grant_all_columns(THD *thd, ulong want_access, Field_iterator_table_ref *fields); bool check_grant_routine(THD *thd, ulong want_access, - TABLE_LIST *procs, bool is_proc, bool no_error); + TABLE_LIST *procs, bool is_proc, bool no_error); bool check_grant_db(THD *thd,const char *db); ulong get_table_grant(THD *thd, TABLE_LIST *table); ulong get_column_grant(THD *thd, GRANT_INFO *grant, -- cgit v1.2.1 From 7ec24435b324c27412a94cbd71b707c9fd06b8ed Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Vicen=C8=9Biu=20Ciorbaru?= Date: Thu, 17 Oct 2013 15:11:13 -0700 Subject: Added acl_setrole function. The function enables/disables role privileges to the current user via the current security_context --- sql/sql_acl.h | 1 + 1 file changed, 1 insertion(+) (limited to 'sql/sql_acl.h') diff --git a/sql/sql_acl.h b/sql/sql_acl.h index b45b70ad069..abc5e8ac25c 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h @@ -382,4 +382,5 @@ get_cached_table_access(GRANT_INTERNAL_INFO *grant_internal_info, bool acl_check_proxy_grant_access (THD *thd, const char *host, const char *user, bool with_grant); +bool acl_setrole(THD *thd, char *rolename); #endif /* SQL_ACL_INCLUDED */ -- cgit v1.2.1 From db25d8f97713e3a4ade8284c57f65c63605c5b25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vicen=C8=9Biu=20Ciorbaru?= Date: Thu, 17 Oct 2013 20:39:23 -0700 Subject: Modified set_role_var to implement both a role check in the check() function, as well as only set privileges in the update() function. --- sql/sql_acl.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'sql/sql_acl.h') diff --git a/sql/sql_acl.h b/sql/sql_acl.h index abc5e8ac25c..0e04d8f86d6 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h @@ -382,5 +382,6 @@ get_cached_table_access(GRANT_INTERNAL_INFO *grant_internal_info, bool acl_check_proxy_grant_access (THD *thd, const char *host, const char *user, bool with_grant); -bool acl_setrole(THD *thd, char *rolename); +int acl_setrole(THD *thd, char *rolename, ulonglong access); +int acl_check_setrole(THD *thd, char *rolename, ulonglong *access); #endif /* SQL_ACL_INCLUDED */ -- cgit v1.2.1 From 81b2856e10a837183b3639d09d8f531a424dabd3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vicen=C8=9Biu=20Ciorbaru?= Date: Fri, 18 Oct 2013 05:16:38 -0700 Subject: Refactored yacc grammar to make use of named constants. --- sql/sql_acl.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'sql/sql_acl.h') 
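Review bot: `int acl_setrole(THD *thd, char *rolename, ulonglong access)` and `int acl_check_setrole(THD *thd, char *rolename, ulonglong *access)` take the role name as a writable `char *` although a lookup should only read it; `const char *rolename` would document that and let callers pass shared or literal names. Splitting the work into a check phase that computes `access` and an update phase that installs it means the privilege mask is derived at one moment and applied at another; if the in-memory ACL data can be reloaded between the two calls, the installed mask may no longer match the role graph, so the header should state under which lock or snapshot both calls must run (or `acl_setrole` should re-validate) — I cannot see the definitions from here. The `int` return also has no stated convention; a comment naming what 0 and the non-zero values mean to callers is needed on both declarations.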
diff --git a/sql/sql_acl.h b/sql/sql_acl.h index 0e04d8f86d6..7f3ee296de8 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h @@ -173,6 +173,9 @@ enum mysql_db_table_field extern const TABLE_FIELD_DEF mysql_db_table_def; extern bool mysql_user_table_is_in_short_password_format; +extern const char *HOST_NOT_SPECIFIED; +extern const char *NONE_ROLE; + static inline int access_denied_error_code(int passwd_used) { -- cgit v1.2.1 From db850c525fdd7a2bcb24fd08a9d2c44824be788f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vicen=C8=9Biu=20Ciorbaru?= Date: Fri, 18 Oct 2013 05:41:13 -0700 Subject: Added CREATE ROLE support as well as DROP ROLE support. --- sql/sql_acl.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'sql/sql_acl.h') diff --git a/sql/sql_acl.h b/sql/sql_acl.h index 7f3ee296de8..20d03211fa1 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h @@ -234,6 +234,8 @@ bool mysql_create_user(THD *thd, List &list); bool mysql_drop_user(THD *thd, List &list); bool mysql_rename_user(THD *thd, List &list); bool mysql_revoke_all(THD *thd, List &list); +bool mysql_create_role(THD *thd, List &list); +bool mysql_drop_role(THD *thd, List &list); void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant, const char *db, const char *table); bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name, -- cgit v1.2.1 From ce4851c3d0de5c7e59b65d3472c6574eb850a90e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vicen=C8=9Biu=20Ciorbaru?= Date: Fri, 18 Oct 2013 05:41:25 -0700 Subject: Reworked the implementation of create role and drop role. Also fixed issue with drop role not clearing internal memory entry for that role. The issue was due to a condition introduced in handle_grant_data Updated testsuite to also check the possible error conditions. --- sql/sql_acl.h | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'sql/sql_acl.h') diff --git a/sql/sql_acl.h b/sql/sql_acl.h index 20d03211fa1..cace79cb441 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h 
@@ -230,12 +230,10 @@ ulong get_column_grant(THD *thd, GRANT_INFO *grant, bool mysql_show_grants(THD *thd, LEX_USER *user); void get_privilege_desc(char *to, uint max_length, ulong access); void get_mqh(const char *user, const char *host, USER_CONN *uc); -bool mysql_create_user(THD *thd, List &list); -bool mysql_drop_user(THD *thd, List &list); +bool mysql_create_user(THD *thd, List &list, bool handle_as_role); +bool mysql_drop_user(THD *thd, List &list, bool handle_as_role); bool mysql_rename_user(THD *thd, List &list); bool mysql_revoke_all(THD *thd, List &list); -bool mysql_create_role(THD *thd, List &list); -bool mysql_drop_role(THD *thd, List &list); void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant, const char *db, const char *table); bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name, -- cgit v1.2.1 From f2ab661999005310cb71c43e9bfa6b57ab5875de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vicen=C8=9Biu=20Ciorbaru?= Date: Fri, 18 Oct 2013 06:34:07 -0700 Subject: Added SHOW GRANTS recursive role print. The output is not completely correct due to recursive role grants not being completly implemented. However, this will help with testing the implementation of set role with recursive grants. --- sql/sql_acl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'sql/sql_acl.h') diff --git a/sql/sql_acl.h b/sql/sql_acl.h index cace79cb441..4a7e83f12df 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h 
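Review bot: `mysql_create_user(THD *thd, List &list, bool handle_as_role)` and `mysql_drop_user(..., bool handle_as_role)` now multiplex user and role handling through an unnamed boolean, so a call site reads `mysql_drop_user(thd, list, true)` with nothing saying it drops roles. Because the description says the drop path previously left the in-memory entry for a dropped role behind, the extra obligation of the role case deserves a header comment; proposed: `/* handle_as_role: when true, the list names roles, not users; dropping a role must also remove it from the in-memory role data, not only from the table. */` (adjust to what the .cc actually does). Two thin wrappers `mysql_create_role`/`mysql_drop_role` that forward with the flag set, or an enum in place of the bool, would keep the call sites self-describing without changing the implementation.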
@@ -227,7 +227,7 @@ ulong get_table_grant(THD *thd, TABLE_LIST *table); ulong get_column_grant(THD *thd, GRANT_INFO *grant, const char *db_name, const char *table_name, const char *field_name); -bool mysql_show_grants(THD *thd, LEX_USER *user); +bool mysql_show_grants(THD *thd, LEX_USER *user, bool print_current_role); void get_privilege_desc(char *to, uint max_length, ulong access); void get_mqh(const char *user, const char *host, USER_CONN *uc); bool mysql_create_user(THD *thd, List &list, bool handle_as_role); -- cgit v1.2.1 From 4a58599930f5b8b3f000af92800fbe91052ed761 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vicen=C8=9Biu=20Ciorbaru?= Date: Fri, 18 Oct 2013 06:40:25 -0700 Subject: Implemented SHOW GRANTS functionality --- sql/sql_acl.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'sql/sql_acl.h') diff --git a/sql/sql_acl.h b/sql/sql_acl.h index 4a7e83f12df..1340d6fc2e7 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h @@ -175,6 +175,9 @@ extern bool mysql_user_table_is_in_short_password_format; extern const char *HOST_NOT_SPECIFIED; extern const char *NONE_ROLE; +extern LEX_USER current_user; +extern LEX_USER current_role; +extern LEX_USER current_user_and_current_role; static inline int access_denied_error_code(int passwd_used) @@ -227,7 +230,7 @@ ulong get_table_grant(THD *thd, TABLE_LIST *table); ulong get_column_grant(THD *thd, GRANT_INFO *grant, const char *db_name, const char *table_name, const char *field_name); -bool mysql_show_grants(THD *thd, LEX_USER *user, bool print_current_role); +bool mysql_show_grants(THD *thd, LEX_USER *user); void get_privilege_desc(char *to, uint max_length, ulong access); void get_mqh(const char *user, const char *host, USER_CONN *uc); bool mysql_create_user(THD *thd, List &list, bool handle_as_role); -- cgit v1.2.1 From 1ac0b920d572ec393a2b482b6fa0686a6708abdd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Vicen=C8=9Biu=20Ciorbaru?= Date: Fri, 18 Oct 2013 06:49:53 -0700 Subject: Added GRANT ROLE TO ROLE | USER functionality. The command only currently affects in memory data structures. Writing to the roles_mapping table needs to be implemented. --- sql/sql_acl.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'sql/sql_acl.h') diff --git a/sql/sql_acl.h b/sql/sql_acl.h index 1340d6fc2e7..8a2054cee90 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h @@ -203,6 +203,8 @@ int check_change_password(THD *thd, const char *host, const char *user, char *password, uint password_len); bool change_password(THD *thd, const char *host, const char *user, char *password); + +bool mysql_grant_role(THD *thd, List &user_list); bool mysql_grant(THD *thd, const char *db, List &user_list, ulong rights, bool revoke, bool is_proxy); int mysql_table_grant(THD *thd, TABLE_LIST *table, List &user_list, -- cgit v1.2.1 From 06e16b8c97209ea3c913d0de9e956fe89b09ebd7 Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Fri, 18 Oct 2013 08:17:56 -0700 Subject: cannot use lex->grant_user= &current_user, where LEX_USER current_user is a global constant, because parser might modify the lex->user (e.g. set lex->user-password). switch to use LEX_STRING current_user string, and also change other similar constants to be LEX_STRING's for consistency. --- sql/sql_acl.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'sql/sql_acl.h') diff --git a/sql/sql_acl.h b/sql/sql_acl.h index 8a2054cee90..8a6c6cba307 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h 
@@ -173,11 +173,11 @@ enum mysql_db_table_field extern const TABLE_FIELD_DEF mysql_db_table_def; extern bool mysql_user_table_is_in_short_password_format; -extern const char *HOST_NOT_SPECIFIED; -extern const char *NONE_ROLE; -extern LEX_USER current_user; -extern LEX_USER current_role; -extern LEX_USER current_user_and_current_role; +extern LEX_STRING host_not_specified; +extern LEX_STRING none_role; +extern LEX_STRING current_user; +extern LEX_STRING current_role; +extern LEX_STRING current_user_and_current_role; static inline int access_denied_error_code(int passwd_used) -- cgit v1.2.1 From 7f0965f490163528a99ebc2f085087ea1c125ce2 Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Fri, 18 Oct 2013 09:15:46 -0700 Subject: information_schema.enabled_roles table --- sql/sql_acl.h | 1 + 1 file changed, 1 insertion(+) (limited to 'sql/sql_acl.h') diff --git a/sql/sql_acl.h b/sql/sql_acl.h index 8a6c6cba307..64370f8705f 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h @@ -233,6 +233,7 @@ ulong get_column_grant(THD *thd, GRANT_INFO *grant, const char *db_name, const char *table_name, const char *field_name); bool mysql_show_grants(THD *thd, LEX_USER *user); +int fill_schema_enabled_roles(THD *thd, TABLE_LIST *tables, COND *cond); void get_privilege_desc(char *to, uint max_length, ulong access); void get_mqh(const char *user, const char *host, USER_CONN *uc); bool mysql_create_user(THD *thd, List &list, bool handle_as_role); -- cgit v1.2.1 From fe2d26570495c1f484b3f22fe7dfc38dd9d48193 Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Fri, 18 Oct 2013 09:15:55 -0700 Subject: INFORMATION_SCHEMA.APPLICABLE_ROLES table --- sql/sql_acl.h | 1 + 1 file changed, 1 insertion(+) (limited to 'sql/sql_acl.h') diff --git a/sql/sql_acl.h b/sql/sql_acl.h index 64370f8705f..506a1fe4d40 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h 
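Review bot: The sentinels `host_not_specified`, `current_user`, `current_role` and `current_user_and_current_role` are declared as mutable `extern LEX_STRING`, so the problem the description cites — parser code writing into a shared "constant" — is narrowed by the type change but not prevented by it. If they are only ever compared and never written after initialization, `extern const LEX_STRING current_user;` (and the same for the other three) turns any accidental assignment into a compile error; the definitions in the .cc would have to be const as well, which I cannot see from here. A one-line comment above the group stating how they are meant to be used, e.g. `/* Sentinel LEX_STRINGs; compare against them, never modify or copy their str into a mutable LEX_USER. */`, would make the intent explicit for the next caller.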
@@ -234,6 +234,7 @@ ulong get_column_grant(THD *thd, GRANT_INFO *grant, const char *field_name); bool mysql_show_grants(THD *thd, LEX_USER *user); int fill_schema_enabled_roles(THD *thd, TABLE_LIST *tables, COND *cond); +int fill_schema_applicable_roles(THD *thd, TABLE_LIST *tables, COND *cond); void get_privilege_desc(char *to, uint max_length, ulong access); void get_mqh(const char *user, const char *host, USER_CONN *uc); bool mysql_create_user(THD *thd, List &list, bool handle_as_role); -- cgit v1.2.1 From 60f19cbc9aa425ab5606383f81829d54643f4fd8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vicen=C8=9Biu=20Ciorbaru?= Date: Fri, 18 Oct 2013 09:25:42 -0700 Subject: Added GRANT ROLE TO ... and REVOKE ROLE FROM ... functionality. TODO: Privilege checks are not done upon executing the command. --- sql/sql_acl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'sql/sql_acl.h') diff --git a/sql/sql_acl.h b/sql/sql_acl.h index 506a1fe4d40..91add84a066 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h @@ -204,7 +204,7 @@ int check_change_password(THD *thd, const char *host, const char *user, bool change_password(THD *thd, const char *host, const char *user, char *password); -bool mysql_grant_role(THD *thd, List &user_list); +bool mysql_grant_role(THD *thd, List &user_list, bool revoke); bool mysql_grant(THD *thd, const char *db, List &user_list, ulong rights, bool revoke, bool is_proxy); int mysql_table_grant(THD *thd, TABLE_LIST *table, List &user_list, -- cgit v1.2.1 From d2c683527fec45873011f69d460d60c78fe4f199 Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Fri, 18 Oct 2013 13:06:41 -0700 Subject: recursive privilege propagation for roles. functions for traversing the role graph in either direction. merging of global, database, table, column, routine privileges. debug status variables for counting number of privilege merges. tests. --- sql/sql_acl.h | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'sql/sql_acl.h') 
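Review bot: `mysql_grant_role(THD *thd, List &user_list, bool revoke)` is now the single entry point for both GRANT ROLE and REVOKE ROLE, and the description itself states that no privilege check is performed when the statement executes, so until that lands any authenticated session could modify the role graph. The header should record the precondition so that callers do not assume it is enforced inside; proposed: `/* TODO: no authorization check yet - caller must verify the grantor is allowed to grant/revoke each role before calling. */`. Since the same function also serves revocation, the comment should say whether `revoke` applies to every entry of `user_list` or can be decided per entry, which the signature alone does not tell.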
diff --git a/sql/sql_acl.h b/sql/sql_acl.h
index 91add84a066..8766f78ecee 100644
--- a/sql/sql_acl.h
+++ b/sql/sql_acl.h
@@ -394,4 +394,9 @@ bool acl_check_proxy_grant_access (THD *thd, const char *host,
 const char *user, bool with_grant);
 int acl_setrole(THD *thd, char *rolename, ulonglong access);
 int acl_check_setrole(THD *thd, char *rolename, ulonglong *access);
+
+#ifndef DBUG_OFF
+extern ulong role_global_merges, role_db_merges, role_table_merges,
+ role_column_merges, role_routine_merges;
+#endif
 #endif /* SQL_ACL_INCLUDED */
-- 
cgit v1.2.1
From f74b9eca6ebe83367fd742f6f537814dcdd6cc2f Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Fri, 18 Oct 2013 15:52:26 -0700
Subject: remove ER_RESERVED_ROLE. Only allow NONE instead of a role name in SET ROLE. Don't allow PUBLIC as a role name anywhere (to be fixed later) Fix db_access calculations on SET ROLE Reduce the size of role_grants and parent_grantee per-user/role arrays. Fix the wording and specify the correct sqlstate for ER_INVALID_ROLE
---
 sql/sql_acl.h | 1 -
 1 file changed, 1 deletion(-)
(limited to 'sql/sql_acl.h')
diff --git a/sql/sql_acl.h b/sql/sql_acl.h
index 8766f78ecee..1b09b4bbdd4 100644
--- a/sql/sql_acl.h
+++ b/sql/sql_acl.h
@@ -174,7 +174,6 @@ extern const TABLE_FIELD_DEF mysql_db_table_def;
 extern bool mysql_user_table_is_in_short_password_format;
 extern LEX_STRING host_not_specified;
-extern LEX_STRING none_role;
 extern LEX_STRING current_user;
 extern LEX_STRING current_role;
 extern LEX_STRING current_user_and_current_role;
-- 
cgit v1.2.1
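Review bot: `role_global_merges` through `role_routine_merges` are plain `ulong` globals that will be incremented from whichever thread performs a privilege merge and, per the description, read as status variables from other sessions; unless every increment happens under the ACL lock this is a data race, and being compiled only when `DBUG_OFF` is unset does not make it benign for sanitizer or debug builds. A comment on the declaration naming the lock that serializes the writers — `/* Debug-only merge counters; incremented only while [ACL mutex name] is held; status reads are unlocked and may be stale. */` with the real mutex filled in from the .cc — would make the contract checkable. If the writers are in fact not under one lock, `Atomic_counter`-style or plain atomic increments would be the safer choice for debug code that other threads observe.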