mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2026-05-15 03:17:20 +02:00
Code Issues Projects Releases Packages Wiki Activity

misc cleanups

Browse source 
* remove dead code (from .yy)
* remove redundant commands from the test
* extract common code into a reusable function
  (get_auth_plugin, push_new_user)
* rename update_user_table->update_user_table_password
* simplify acl_update_user
* don't strdup a string that's already in a memroot
  (in ACL_ROLE::ACL_ROLE(ACL_USER*))
* create parent_grantee and role_grants dynamic arrays with size 0.
  to avoid any memory allocations when roles aren't used.
This commit is contained in:
Sergei Golubchik 2018-10-15 01:39:03 +02:00
commit 14e181a434
5 changed files with 70 additions and 111 deletions
Download patch file Download diff file Expand all files Collapse all files

8
mysql-test/main/connect.result
View file

@ -102,7 +102,6 @@ update mysql.user set plugin="", authentication_string="", password=old_password
flush privileges;
connect con10,localhost,test,gambling2,;
connect con5,localhost,test,gambling2,mysql;
connection con5;
set password="";
set password='gambling3';
ERROR HY000: Password hash should be a 41-digit hexadecimal number
@ -161,7 +160,6 @@ ERROR 28000: Access denied for user 'test'@'localhost' (using password: YES)
delete from mysql.user where user=_binary"test";
flush privileges;
connect con7,localhost,root,,test;
connection con7;
create table t1 (id integer not null auto_increment primary key);
create temporary table t2(id integer not null auto_increment primary key);
set @id := 1;
@ -302,12 +300,10 @@ SET GLOBAL event_scheduler = OFF;
# -- End of Bug#35074.
connect extracon,127.0.0.1,root,,test,$MASTER_EXTRA_PORT,;
connection extracon;
SELECT 'Connection on extra port ok';
Connection on extra port ok
Connection on extra port ok
connect extracon2,127.0.0.1,root,,test,$MASTER_EXTRA_PORT,;
connection extracon2;
SELECT 'Connection on extra port 2 ok';
Connection on extra port 2 ok
Connection on extra port 2 ok
@ -338,7 +334,6 @@ connect(localhost,mysqltest_up1,foo,test,MASTER_PORT,MASTER_SOCKET);
connect pcon1,localhost,mysqltest_up1,foo,,$MASTER_MYPORT,;
ERROR 28000: Access denied for user 'mysqltest_up1'@'localhost' (using password: YES)
connect pcon2,localhost,mysqltest_up1,bar,,$MASTER_MYPORT,;
connection pcon2;
select user(), current_user();
user() current_user()
mysqltest_up1@localhost mysqltest_up1@%
@ -347,7 +342,6 @@ connect(localhost,mysqltest_up2,newpw,test,MASTER_PORT,MASTER_SOCKET);
connect pcon3,localhost,mysqltest_up2,newpw,,$MASTER_MYPORT,;
ERROR 28000: Access denied for user 'mysqltest_up2'@'localhost' (using password: YES)
connect pcon4,localhost,mysqltest_up2,oldpw,,$MASTER_MYPORT,;
connection pcon4;
select user(), current_user();
user() current_user()
mysqltest_up2@localhost mysqltest_up2@%
@ -368,13 +362,11 @@ mysqltest_up1 mysql_native_password *E8D46CE25265E545D225A8A6F1BAF642FEBEE5CB
mysqltest_up2 mysql_old_password 09301740536db389
flush privileges;
connect pcon6,localhost,mysqltest_up1,bar,,$MASTER_MYPORT,;
connection pcon6;
select user(), current_user();
user() current_user()
mysqltest_up1@localhost mysqltest_up1@%
disconnect pcon6;
connect pcon7,localhost,mysqltest_up2,oldpw,,$MASTER_MYPORT,;
connection pcon7;
select user(), current_user();
user() current_user()
mysqltest_up2@localhost mysqltest_up2@%

13
mysql-test/main/connect.test
View file

@ -71,7 +71,6 @@ flush privileges;
connect (con10,localhost,test,gambling2,);
connect (con5,localhost,test,gambling2,mysql);
connection con5;
set password="";
--error ER_PASSWD_LENGTH
set password='gambling3';
@ -108,7 +107,6 @@ flush privileges;
# Bug#12517 Clear user variables and replication events before
# closing temp tables in thread cleanup.
connect (con7,localhost,root,,test);
connection con7;
let $connection_id= `select connection_id()`;
create table t1 (id integer not null auto_increment primary key);
create temporary table t2(id integer not null auto_increment primary key);
@ -314,11 +312,9 @@ SET GLOBAL event_scheduler = OFF;
# Test connections to the extra port.
connect(extracon,127.0.0.1,root,,test,$MASTER_EXTRA_PORT,);
connection extracon;
SELECT 'Connection on extra port ok';
connect(extracon2,127.0.0.1,root,,test,$MASTER_EXTRA_PORT,);
connection extracon2;
SELECT 'Connection on extra port 2 ok';
--disable_abort_on_error
@ -349,7 +345,6 @@ GRANT ALL ON test.* TO 'O1234567890123456789012345678901234567890123456789012345
FLUSH PRIVILEGES;
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
connect (con1,localhost,O1234567890123456789012345678901234567890123456789012345678901234567890123456789x,test123,test);
disconnect con1;
@ -380,18 +375,14 @@ CREATE USER mysqltest_up2 IDENTIFIED VIA mysql_old_password using '09301740536db
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect(pcon1,localhost,mysqltest_up1,foo,,$MASTER_MYPORT,);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
connect(pcon2,localhost,mysqltest_up1,bar,,$MASTER_MYPORT,);
connection pcon2;
select user(), current_user();
disconnect pcon2;
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect(pcon3,localhost,mysqltest_up2,newpw,,$MASTER_MYPORT,);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
connect(pcon4,localhost,mysqltest_up2,oldpw,,$MASTER_MYPORT,);
connection pcon4;
select user(), current_user();
disconnect pcon4;
@ -421,15 +412,11 @@ select user, password, plugin, authentication_string from mysql.user
where user like 'mysqltest_up_';
flush privileges;
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
connect(pcon6,localhost,mysqltest_up1,bar,,$MASTER_MYPORT,);
connection pcon6;
select user(), current_user();
disconnect pcon6;
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
connect(pcon7,localhost,mysqltest_up2,oldpw,,$MASTER_MYPORT,);
connection pcon7;
select user(), current_user();
disconnect pcon7;
connection default;

156
sql/sql_acl.cc
View file

@ -85,11 +85,19 @@ LEX_CSTRING current_role= { STRING_WITH_LEN("*current_role") };
LEX_CSTRING current_user_and_current_role= { STRING_WITH_LEN("*current_user_and_current_role") };
#ifndef NO_EMBEDDED_ACCESS_CHECKS
static plugin_ref old_password_plugin;
#endif
static plugin_ref native_password_plugin;
static plugin_ref get_auth_plugin(THD *thd, const LEX_CSTRING &name, bool *locked)
{
if (name.str == native_password_plugin_name.str)
return native_password_plugin;
else if (name.str == old_password_plugin_name.str)
return old_password_plugin;
*locked=true;
return my_plugin_lock_by_name(thd, &name, MYSQL_AUTHENTICATION_PLUGIN);
}
/* Classes */
struct acl_host_and_ip
@ -610,8 +618,8 @@ static ACL_USER *find_user_wild(const char *host, const char *user, const char *
static ACL_ROLE *find_acl_role(const char *user);
static ROLE_GRANT_PAIR *find_role_grant_pair(const LEX_CSTRING *u, const LEX_CSTRING *h, const LEX_CSTRING *r);
static ACL_USER_BASE *find_acl_user_base(const char *user, const char *host);
static bool update_user_table(THD *, const User_table &, const char *,
const char *, const LEX_CSTRING &);
static bool update_user_table_password(THD *, const User_table &, const char *,
const char *, const LEX_CSTRING &);
static bool acl_load(THD *thd, const Grant_tables& grant_tables);
static inline void get_grantor(THD *thd, char* grantor);
static bool add_role_user_mapping(const char *uname, const char *hname, const char *rname);
@ -1325,7 +1333,7 @@ ACL_ROLE::ACL_ROLE(ACL_USER *user, MEM_ROOT *root) : counter(0)
access= user->access;
/* set initial role access the same as the table row privileges */
initial_role_access= user->access;
this->user= safe_lexcstrdup_root(root, user->user);
this->user= user->user;
bzero(&role_grants, sizeof(role_grants));
bzero(&parent_grantee, sizeof(parent_grantee));
flags= IS_ROLE;
@ -1645,6 +1653,15 @@ static bool set_user_plugin (ACL_USER *user, size_t password_len)
}
static void push_new_user(const ACL_USER &user)
{
push_dynamic(&acl_users, &user);
if (!user.host.hostname ||
(user.host.hostname[0] == wild_many && !user.host.hostname[1]))
allow_all_hosts=1; // Anyone can connect
}
/*
Initialize structures responsible for user/db-level privilege checking
and load information about grants from open privilege tables.
@ -1964,8 +1981,7 @@ static bool acl_load(THD *thd, const Grant_tables& tables)
#endif
}
(void) my_init_dynamic_array(&user.role_grants,sizeof(ACL_ROLE *),
8, 8, MYF(0));
my_init_dynamic_array(&user.role_grants, sizeof(ACL_ROLE *), 0, 8, MYF(0));
/* check default role, if any */
if (!is_role && user_table.default_role())
@ -1980,20 +1996,14 @@ static bool acl_load(THD *thd, const Grant_tables& tables)
DBUG_PRINT("info", ("Found role %s", user.user.str));
ACL_ROLE *entry= new (&acl_memroot) ACL_ROLE(&user, &acl_memroot);
entry->role_grants = user.role_grants;
(void) my_init_dynamic_array(&entry->parent_grantee,
sizeof(ACL_USER_BASE *), 8, 8, MYF(0));
my_init_dynamic_array(&entry->parent_grantee,
sizeof(ACL_USER_BASE *), 0, 8, MYF(0));
my_hash_insert(&acl_roles, (uchar *)entry);
continue;
}
else
{
DBUG_PRINT("info", ("Found user %s", user.user.str));
(void) push_dynamic(&acl_users,(uchar*) &user);
}
if (!user.host.hostname ||
(user.host.hostname[0] == wild_many && !user.host.hostname[1]))
allow_all_hosts=1; // Anyone can connect
DBUG_PRINT("info", ("Found user %s", user.user.str));
push_new_user(user);
}
my_qsort((uchar*) dynamic_element(&acl_users,0,ACL_USER*),acl_users.elements,
sizeof(ACL_USER),(qsort_cmp) acl_compare);
@ -2576,44 +2586,33 @@ static void acl_update_user(const LEX_USER &combo, enum SSL_type ssl_type,
const char *x509_subject, USER_RESOURCES *mqh,
ulong privileges)
{
mysql_mutex_assert_owner(&acl_cache->lock);
for (uint i=0 ; i < acl_users.elements ; i++)
ACL_USER *acl_user= find_user_exact(combo.host.str, combo.user.str);
if (!acl_user)
return;
if (combo.plugin.length)
{
ACL_USER *acl_user=dynamic_element(&acl_users,i,ACL_USER*);
if (acl_user->eq(combo.user.str, combo.host.str))
{
if (combo.plugin.length)
{
acl_user->plugin= combo.plugin;
acl_user->auth_string= safe_lexcstrdup_root(&acl_memroot, combo.auth);
if (fix_user_plugin_ptr(acl_user))
acl_user->plugin= safe_lexcstrdup_root(&acl_memroot, combo.plugin);
}
acl_user->access=privileges;
if (mqh->specified_limits & USER_RESOURCES::QUERIES_PER_HOUR)
acl_user->user_resource.questions=mqh->questions;
if (mqh->specified_limits & USER_RESOURCES::UPDATES_PER_HOUR)
acl_user->user_resource.updates=mqh->updates;
if (mqh->specified_limits & USER_RESOURCES::CONNECTIONS_PER_HOUR)
acl_user->user_resource.conn_per_hour= mqh->conn_per_hour;
if (mqh->specified_limits & USER_RESOURCES::USER_CONNECTIONS)
acl_user->user_resource.user_conn= mqh->user_conn;
if (mqh->specified_limits & USER_RESOURCES::MAX_STATEMENT_TIME)
acl_user->user_resource.max_statement_time= mqh->max_statement_time;
if (ssl_type != SSL_TYPE_NOT_SPECIFIED)
{
acl_user->ssl_type= ssl_type;
acl_user->ssl_cipher= (ssl_cipher ? strdup_root(&acl_memroot,ssl_cipher) :
0);
acl_user->x509_issuer= (x509_issuer ? strdup_root(&acl_memroot,x509_issuer) :
0);
acl_user->x509_subject= (x509_subject ?
strdup_root(&acl_memroot,x509_subject) : 0);
}
/* search complete: */
break;
}
acl_user->plugin= combo.plugin;
acl_user->auth_string= safe_lexcstrdup_root(&acl_memroot, combo.auth);
if (fix_user_plugin_ptr(acl_user))
acl_user->plugin= safe_lexcstrdup_root(&acl_memroot, combo.plugin);
}
acl_user->access=privileges;
if (mqh->specified_limits & USER_RESOURCES::QUERIES_PER_HOUR)
acl_user->user_resource.questions=mqh->questions;
if (mqh->specified_limits & USER_RESOURCES::UPDATES_PER_HOUR)
acl_user->user_resource.updates=mqh->updates;
if (mqh->specified_limits & USER_RESOURCES::CONNECTIONS_PER_HOUR)
acl_user->user_resource.conn_per_hour= mqh->conn_per_hour;
if (mqh->specified_limits & USER_RESOURCES::USER_CONNECTIONS)
acl_user->user_resource.user_conn= mqh->user_conn;
if (mqh->specified_limits & USER_RESOURCES::MAX_STATEMENT_TIME)
acl_user->user_resource.max_statement_time= mqh->max_statement_time;
if (ssl_type != SSL_TYPE_NOT_SPECIFIED)
{
acl_user->ssl_type= ssl_type;
acl_user->ssl_cipher= safe_strdup_root(&acl_memroot,ssl_cipher);
acl_user->x509_issuer= safe_strdup_root(&acl_memroot,x509_issuer);
acl_user->x509_subject= safe_strdup_root(&acl_memroot,x509_subject);
}
}
@ -2624,10 +2623,9 @@ static void acl_insert_role(const char *rolename, ulong privileges)
mysql_mutex_assert_owner(&acl_cache->lock);
entry= new (&acl_memroot) ACL_ROLE(rolename, privileges, &acl_memroot);
(void) my_init_dynamic_array(&entry->parent_grantee,
sizeof(ACL_USER_BASE *), 8, 8, MYF(0));
(void) my_init_dynamic_array(&entry->role_grants,sizeof(ACL_ROLE *),
8, 8, MYF(0));
my_init_dynamic_array(&entry->parent_grantee,
sizeof(ACL_USER_BASE *), 0, 8, MYF(0));
my_init_dynamic_array(&entry->role_grants, sizeof(ACL_ROLE *), 0, 8, MYF(0));
my_hash_insert(&acl_roles, (uchar *)entry);
}
@ -2669,14 +2667,10 @@ static void acl_insert_user(const LEX_USER &combo, enum SSL_type ssl_type,
acl_user.ssl_cipher= ssl_cipher ? strdup_root(&acl_memroot,ssl_cipher) : 0;
acl_user.x509_issuer= x509_issuer ? strdup_root(&acl_memroot,x509_issuer) : 0;
acl_user.x509_subject=x509_subject ? strdup_root(&acl_memroot,x509_subject) : 0;
(void) my_init_dynamic_array(&acl_user.role_grants, sizeof(ACL_USER *),
8, 8, MYF(0));
my_init_dynamic_array(&acl_user.role_grants, sizeof(ACL_USER *), 0, 8, MYF(0));
(void) push_dynamic(&acl_users,(uchar*) &acl_user);
if (!acl_user.host.hostname ||
(acl_user.host.hostname[0] == wild_many && !acl_user.host.hostname[1]))
allow_all_hosts=1; // Anyone can connect /* purecov: tested */
my_qsort((uchar*) dynamic_element(&acl_users,0,ACL_USER*),acl_users.elements,
push_new_user(acl_user);
my_qsort(dynamic_element(&acl_users, 0, ACL_USER*), acl_users.elements,
sizeof(ACL_USER),(qsort_cmp) acl_compare);
/* Rebuild 'acl_check_hosts' since 'acl_users' has been modified */
@ -3242,9 +3236,9 @@ bool change_password(THD *thd, LEX_USER *user)
ER_SET_PASSWORD_AUTH_PLUGIN,
ER_THD(thd, ER_SET_PASSWORD_AUTH_PLUGIN));
if (update_user_table(thd, tables.user_table(),
safe_str(acl_user->host.hostname),
acl_user->user.str, user->auth))
if (update_user_table_password(thd, tables.user_table(),
safe_str(acl_user->host.hostname),
acl_user->user.str, user->auth))
{
mysql_mutex_unlock(&acl_cache->lock); /* purecov: deadcode */
goto end;
@ -3502,13 +3496,13 @@ static ACL_USER *find_user_or_anon(const char *host, const char *user, const cha
/*
Find first entry that matches the specified user@host pair
*/
static ACL_USER * find_user_exact(const char *host, const char *user)
static ACL_USER *find_user_exact(const char *host, const char *user)
{
mysql_mutex_assert_owner(&acl_cache->lock);
for (uint i=0 ; i < acl_users.elements ; i++)
{
ACL_USER *acl_user=dynamic_element(&acl_users,i,ACL_USER*);
ACL_USER *acl_user=dynamic_element(&acl_users, i, ACL_USER*);
if (acl_user->eq(user, host))
return acl_user;
}
@ -3730,13 +3724,13 @@ static void set_plugin_from_password(const User_table& user_table,
@see change_password
*/
static bool update_user_table(THD *thd, const User_table& user_table,
const char *host, const char *user,
const LEX_CSTRING &new_password)
static bool update_user_table_password(THD *thd, const User_table& user_table,
const char *host, const char *user,
const LEX_CSTRING &new_password)
{
char user_key[MAX_KEY_LENGTH];
int error;
DBUG_ENTER("update_user_table");
DBUG_ENTER("update_user_table_password");
DBUG_PRINT("enter",("user: %s host: %s",user,host));
TABLE *table= user_table.table();
@ -11198,7 +11192,7 @@ bool check_role_is_granted(const char *username,
ACL_USER_BASE *root;
mysql_mutex_lock(&acl_cache->lock);
if (hostname)
root= find_user_exact(username, hostname);
root= find_user_exact(hostname, username);
else
root= find_acl_role(username);
@ -13027,17 +13021,7 @@ static int do_auth_once(THD *thd, const LEX_CSTRING *auth_plugin_name,
{
int res= CR_OK, old_status= MPVIO_EXT::FAILURE;
bool unlock_plugin= false;
plugin_ref plugin= NULL;
if (auth_plugin_name->str == native_password_plugin_name.str)
plugin= native_password_plugin;
#ifndef EMBEDDED_LIBRARY
else if (auth_plugin_name->str == old_password_plugin_name.str)
plugin= old_password_plugin;
else if ((plugin= my_plugin_lock_by_name(thd, auth_plugin_name,
MYSQL_AUTHENTICATION_PLUGIN)))
unlock_plugin= true;
#endif
plugin_ref plugin= get_auth_plugin(thd, *auth_plugin_name, &unlock_plugin);
mpvio->plugin= plugin;
old_status= mpvio->status;

2
sql/sql_yacc.yy
View file

@ -16819,8 +16819,6 @@ grant_user:
{
$$= $1;
$1->pwtext= $4;
if (unlikely(Lex->sql_command == SQLCOM_REVOKE))
MYSQL_YYABORT;
}
| user IDENTIFIED_SYM BY PASSWORD_SYM TEXT_STRING
{

2
sql/sql_yacc_ora.yy
View file

@ -17172,8 +17172,6 @@ grant_user:
{
$$= $1;
$1->pwtext= $4;
if (unlikely(Lex->sql_command == SQLCOM_REVOKE))
MYSQL_YYABORT;
}
| user IDENTIFIED_SYM BY PASSWORD_SYM TEXT_STRING
{