mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-01-20 05:52:27 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
87237 commits 2784 branches 343 tags 1.6 GiB
Commit graph

1261 commits

Author SHA1 Message Date
Sergei Golubchik
ff485d2dc4 MDEV-5438 A view can mask a table that supports discovery 2013-12-13 14:26:10 +01:00
Sergei Golubchik
cec76b3861 correct old assert in add_role_user_mapping_action to match changed function prototypes. 
fix the element deleting logic for roles_mappings_hash
 2013-12-09 12:39:31 +01:00
Sergei Golubchik
517b1f4fb4 cleanups: 
* comments from WL#5602 in sql_acl.cc
* rename global memroots in sql_acl.cc
* remove the second empty lex string constant
 2013-12-09 12:38:30 +01:00
Sergei Golubchik
e252af7b7e reuse new safe_net_field_length_ll function where appropriate 2013-12-09 12:38:09 +01:00
Sergei Golubchik
bec1d903d9 Do the partial merge of WL#5602 correctly: 
Remove unused code (that should not have been merged)
  Add protocol extension (that should have been merged)
  Fix bugs (see pack.c)
 2013-12-09 12:38:02 +01:00
Sergei Golubchik
5290811c5c MDEV-5367 Server crashes in acl_authenticate on concurrent thread connection, FLUSH PRIVILEGES 
fix a copy-paste error, introduced in role refactoring
 2013-12-01 12:16:24 +01:00
Sergei Golubchik
09b63917be MDEV-5238 Server crashes in find_role_grant_pair on SHOW GRANTS for an anonymous user 2013-11-10 17:50:52 +01:00
Sergei Golubchik
0150dc6ed9 10.0-base merge 2013-11-04 21:47:54 +01:00
Sergei Golubchik
79d2e6c82f MDEV-5232 SET ROLE checks privileges differently from check_access() 
use the same inconsistent priv_user@host pair for SET ROLE privilege checks,
just as check_access() does
 2013-11-04 13:37:39 +01:00
Sergei Golubchik
ed4a31e8d5 10.0-base merge 2013-11-02 17:59:16 +01:00
Sergei Golubchik
1f0368658b MDEV-5225 Server crashes on CREATE USER|ROLE CURRENT_ROLE or DROP ROLE CURRENT_ROLE 2013-11-02 16:26:01 +01:00
Sergei Golubchik
0fdb3bcfdb 10.0-base merge (roles) 2013-10-29 15:08:44 +01:00
Sergei Golubchik
fef4166990 Don't allow authentication clauses for roles, in particular: 
GRANT ... IDENTIFIED BY [ PASSWORD ] ...
  GRANT ... IDENTIFIED VIA ... [ USING ... ]
  GRANT ... REQUIRE ...
  GRANT ... MAX_xxx ...
  SET PASSWORD FOR ... = ...
 2013-10-28 07:46:17 +01:00
Sergei Golubchik
d5c9712225 post-review cleanup 2013-10-27 08:19:21 +01:00
Sergei Golubchik
e46eea8660 remove inherited routine grants when a routine is dropped 2013-10-26 15:52:29 +02:00
Vicențiu Ciorbaru
2eed3b7d07 Implemented REVOKE ALL FROM for Roles and role grants. 2013-10-26 15:38:48 +02:00
Sergei Golubchik
65eee0be5f MDEV-5176 Server crashes in fill_schema_applicable_roles on select from APPLICABLE_ROLES after a suicide 
Don't assume that thd->security_ctx->priv_user is an actually existing user account
 2013-10-23 09:54:10 -07:00
Sergei Golubchik
7761a278f6 MDEV-5170 Assertion `(&(&acl_cache->lock)->m_mutex)->count > 0 && pthread_equal(pthread_self(), (&(&acl_cache->lock)->m_mutex)->thread)' fails after restarting server with a pre-created role grants 
lock acl_cache->lock mutex for the duration of acl_load
 2013-10-23 09:49:47 -07:00
Sergei Golubchik
f6b8f6d156 reset the db privilege cache when revoking db priviges on DROP ROLE 2013-10-23 05:09:17 -07:00
Sergei Golubchik
614478921f MDEV-5172 safe_mutex: Trying to lock mutex when the mutex was already locked on using a role and I_S role tables 
don't forget to unlock if the current role isn't found
 2013-10-23 03:28:41 -07:00
Sergei Golubchik
fd826cc3bd properly propagate privilege changes on DROP ROLE 2013-10-23 03:26:09 -07:00
Sergei Golubchik
82037f9c0e don't rebuild all parent_grantees/role_grants arrays when a role is dropped, 
only remove this role from the arrays where it is present.
 2013-10-23 03:25:24 -07:00
Sergei Golubchik
779693f409 fixes for builbot 1 2013-10-20 16:39:51 -07:00
Sergei Golubchik
c1c0a83772 ACL_USER methods for comparing ACL_USER objects 2013-10-20 08:51:49 +02:00
Sergei Golubchik
ce68878947 fixes for embedded 2013-10-18 18:56:28 -07:00
Sergei Golubchik
cb9d3bec46 post-review changes 2013-10-18 15:54:41 -07:00
Sergei Golubchik
40c43c395b remove old incorrect bugfix that moved reading of procs_priv table into a separate function. 
FLUSH PRIVILEGES no longer returns an error, when it was successful.
LOCK_grant is no longed unlocked/relocked between tables_priv and procs_priv
 2013-10-18 15:52:33 -07:00
Sergei Golubchik
f74b9eca6e remove ER_RESERVED_ROLE. 
Only allow NONE instead of a role name in SET ROLE.
Don't allow PUBLIC as a role name anywhere (to be fixed later)
Fix db_access calculations on SET ROLE
Reduce the size of role_grants and parent_grantee per-user/role arrays.
Fix the wording and specify the correct sqlstate for ER_INVALID_ROLE
 2013-10-18 15:52:26 -07:00
Sergei Golubchik
4ec26a7c2d replication of GRANT role statement 2013-10-18 13:18:03 -07:00
Sergei Golubchik
4d3e4c2984 make functions static, remove unused constructors, other small cleanups 2013-10-18 13:17:42 -07:00
Sergei Golubchik
d2c683527f recursive privilege propagation for roles. 
functions for traversing the role graph in either direction.
merging of global, database, table, column, routine privileges.
debug status variables for counting number of privilege merges.
tests.
 2013-10-18 13:06:41 -07:00
Sergei Golubchik
b221ec6529 enforce privileges for GRANT role 2013-10-18 12:34:59 -07:00
Sergei Golubchik
2f2699f97b cleanup. 
mainly to avoid the pattern of
* get username/hostname/rolename
* optionally find the corresponding ACL_USER and ACL_ROLE
* allocate memory, concatenate username/hostname/rolename
* call a function passing only this memory as an argument
** use concatenated username/etc to find ACL_USER and ACL_ROLE again
** do something
* free the object

Also to undo push_dynamic we use pop_dynamic now,
not a linear search/scan through the dynamic array.

as a bonus, role@ is now an invalid way to refer to a role.
 2013-10-18 12:34:44 -07:00
Sergei Golubchik
f1a71b6815 bugfix: missing restore_record when modifying roles_mapping() table. 
(and an assert in myisam to catch these bugs easier in the future)
update tests/results
 2013-10-18 12:27:07 -07:00
Sergei Golubchik
e5211e0cde information_schema.applicable_roles.is_grantable column 2013-10-18 12:26:43 -07:00
Sergei Golubchik
67985b283a require SUPER to specify an arbitrary admin 2013-10-18 12:26:29 -07:00
Sergei Golubchik
7fb978c793 auto-grant a role to its admin on CREATE ROLE 2013-10-18 12:26:05 -07:00
Sergei Golubchik
46622dbea2 load with_admin flag from the mysql.roles_mapping table 2013-10-18 12:25:52 -07:00
Sergei Golubchik
9d6e9c242e store ADMIN OPTION in the roles_mapping hash and table 2013-10-18 12:25:39 -07:00
Sergei Golubchik
66f0c2e308 small cleanup 2013-10-18 12:25:23 -07:00
Sergei Golubchik
c28bf2a344 bugfix: propagate grant changes through the role graph after table/column/routine grants 2013-10-18 12:21:37 -07:00
Sergei Golubchik
d0db4f2261 add Admin_option column to mysql.roles_mapping. update tests/results 2013-10-18 12:21:10 -07:00
Sergei Golubchik
7dda698734 rename columns in mysql.roles_mapping to be consistent with other privilege tables 2013-10-18 12:19:37 -07:00
Sergei Golubchik
b2f16628cf support DEFINER=role and DEFINER=current_role 2013-10-18 12:17:49 -07:00
Sergei Golubchik
b054700619 speed up fill_effective_table_privileges() - avoid calling expensive acl_get() 2013-10-18 11:46:43 -07:00
Sergei Golubchik
02a7291954 cleanup 
sql/sp.cc:
  don't split "user@host" string in db_load_routine, because the caller needs to
  generate it from user and host. instead pass user and host directly into db_load_routine
sql/sql_parse.cc:
  1. REVOKE ALL doesn't need invoker.
  2. make sp_process_definer() reusable
sql/sql_trigger.cc:
  don't duplicate the code from sp_process_definer(), reuse it
sql/sql_view.cc:
  don't duplicate the code from sp_process_definer(), reuse it
 2013-10-18 11:46:30 -07:00
Sergei Golubchik
ac6877d420 SET PASSWORD bugfixes: 
* work as documented, use CURRENT_USER()
* move the check for ER_PASSWORD_ANONYMOUS_USER where it can actually work
 2013-10-18 11:41:40 -07:00
Sergei Golubchik
4cc8cda346 Remove the very old historical but never documented behavior, 
than an empty host '' is the same as any-host wildcard '%'.

Replace '' with '%' in the parser (for GRANT ... foo@'') and when loading grant tables.

Side effect: one cannot have foo@'' and foo@'%' both at the same time
(but one can have foo@'%' and foo@'%%')
 2013-10-18 11:38:13 -07:00
Vicențiu Ciorbaru
5630967dd5 Fixed GRANT ROLE TO ROLE not updating acl_roles_mappings hash. 
Also fixed possible memory exploit by repeteadly calling:
GRANT role to user; where role was already granted to user.
 2013-10-18 09:26:02 -07:00
Vicențiu Ciorbaru
a34dff8825 Removed redundant code in update_acl_user. User related functions 
should deal with users, while role related functions should deal
with roles.
 2013-10-18 09:25:53 -07:00