mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-01-24 07:44:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
mariadb/sql/sql_acl.h
unknown 09ce0b330b WL#925 - Privileges for stored routines 
Implement fine-grained control over access to stored procedures
  Privileges are cached (same way as existing table/column privs)
  


mysql-test/include/system_db_struct.inc:
  WL#925 - Privileges for stored routines
    New system table: procs_priv
mysql-test/r/connect.result:
  WL#925 - Privileges for stored routines
    New system table: procs_priv
mysql-test/r/grant.result:
  WL#925 - Privileges for stored routines
    user table has additional privilege attributes
    SHOW PRIVILEGES amended
mysql-test/r/grant2.result:
  Fix result
mysql-test/r/information_schema.result:
  WL#925 - Privileges for stored routines
    New system table procs_priv
    New user privileges
mysql-test/r/show_check.result:
  Fix result
mysql-test/r/sp-security.result:
  WL#925 - Privileges for stored routines
    Fix existing tests to work with new privileges
    New tests for new privileges
mysql-test/r/sp.result:
  WL#925 - Privileges for stored routines
    Fix SHOW PRIVILEGES results
mysql-test/r/system_mysql_db.result:
  WL#925 - Privileges for stored routines
    New system table: procs_priv
    user and db tables have new privilege attributes
mysql-test/t/grant2.test:
  Fix test
mysql-test/t/show_check.test:
  Fix test
mysql-test/t/sp-security.test:
  WL#925 - Privileges for stored routines
    Allow existing tests to run with new privilege checks
    New tests for privileges
mysql-test/t/system_mysql_db_fix.test:
  WL#925 - Privileges for stored routines
    New system table: procs_priv
scripts/mysql_create_system_tables.sh:
  WL#925 - Privileges for stored routines
    db and user has new privilege attributes
    new system table: procs_priv
scripts/mysql_fix_privilege_tables.sql:
  WL#925 - Privileges for stored routines
    new system table: procs_priv
scripts/mysql_install_db.sh:
  WL#925 - Privileges for stored routines
    Amend comment
sql/item_func.cc:
  WL#925 - Privileges for stored routines
    Privilege check for stored FUNCTION routine
sql/lex.h:
  WL#925 - Privileges for stored routines
    new token ROUTINE
sql/mysql_priv.h:
  WL#925 - Privileges for stored routines
    New function: check_procedure_access()
sql/mysqld.cc:
  WL#925 - Privileges for stored routines
    system option automatic-sp-privileges
sql/set_var.cc:
  WL#925 - Privileges for stored routines
    system option automatic-sp-privileges
sql/share/errmsg.txt:
  WL#925 - Privileges for stored routines
    rename errormessage to conform:
      ER_SP_ACCESS_DENIED_ERROR -> ER_PROCACCESS_DENIED_ERROR
    New error messages
      ER_NONEXISTING_PROC_GRANT, ER_PROC_AUTO_GRANT_FAIL, ER_PROC_AUTO_REVOKE_FAIL
sql/sp.cc:
  WL#925 - Privileges for stored routines
    new function: sp_exists_routine()
sql/sp.h:
  WL#925 - Privileges for stored routines
    new function: sp_exists_routine()
sql/sql_acl.cc:
  WL#925 - Privileges for stored routines
    Implementation for SP privileges.
    Privileges are cached in memory hash.
    New functions:
      mysql_procedure_grant()
      check_grant_procedure()
      sp_revoke_privileges()
      sp_grant_privileges()
sql/sql_acl.h:
  WL#925 - Privileges for stored routines
    New privilege bits: CREATE_PROC_ACL, ALTER_PROC_ACL
    Alter confusing bit-segments to be shifted
    New macros: fix_rights_for_procedure() get_rights_for_procedure()
    New functions:
      mysql_procedure_grant()
      check_grant_procedure()
      sp_grant_privileges()
      sp_revoke_privileges()
sql/sql_lex.h:
  WL#925 - Privileges for stored routines
    new all_privileges attribute in LEX
sql/sql_parse.cc:
  WL#925 - Privileges for stored routines
    Remove function: check_sp_definer_access()
    Add handling for SP grants/revokes
    Add privilege checks for stored procedure invocation
sql/sql_show.cc:
  WL#925 - Privileges for stored routines
    update result for SHOW PRIVILEGES
sql/sql_yacc.yy:
  WL#925 - Privileges for stored routines
    New token ROUTINE
    rename some rules
    handle CREATE ROUTINE / ALTER ROUTINE privileges
2004-12-23 10:46:24 +00:00

223 lines
7.9 KiB
C++
Raw Blame History

/* Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
#define SELECT_ACL (1L << 0)
#define INSERT_ACL (1L << 1)
#define UPDATE_ACL (1L << 2)
#define DELETE_ACL (1L << 3)
#define CREATE_ACL (1L << 4)
#define DROP_ACL (1L << 5)
#define RELOAD_ACL (1L << 6)
#define SHUTDOWN_ACL (1L << 7)
#define PROCESS_ACL (1L << 8)
#define FILE_ACL (1L << 9)
#define GRANT_ACL (1L << 10)
#define REFERENCES_ACL (1L << 11)
#define INDEX_ACL (1L << 12)
#define ALTER_ACL (1L << 13)
#define SHOW_DB_ACL (1L << 14)
#define SUPER_ACL (1L << 15)
#define CREATE_TMP_ACL (1L << 16)
#define LOCK_TABLES_ACL (1L << 17)
#define EXECUTE_ACL (1L << 18)
#define REPL_SLAVE_ACL (1L << 19)
#define REPL_CLIENT_ACL (1L << 20)
#define CREATE_VIEW_ACL (1L << 21)
#define SHOW_VIEW_ACL (1L << 22)
#define CREATE_PROC_ACL (1L << 23)
#define ALTER_PROC_ACL (1L << 24)
/*
don't forget to update
static struct show_privileges_st sys_privileges[]
in sql_show.cc when adding new privileges!
*/
#define DB_ACLS \
(UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_TMP_ACL | \
LOCK_TABLES_ACL | EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
CREATE_PROC_ACL | ALTER_PROC_ACL)
#define TABLE_ACLS \
(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_VIEW_ACL | \
SHOW_VIEW_ACL)
#define COL_ACLS \
(SELECT_ACL | INSERT_ACL | UPDATE_ACL | REFERENCES_ACL)
#define PROC_ACLS \
(ALTER_PROC_ACL | EXECUTE_ACL | GRANT_ACL)
#define GLOBAL_ACLS \
(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
RELOAD_ACL | SHUTDOWN_ACL | PROCESS_ACL | FILE_ACL | GRANT_ACL | \
REFERENCES_ACL | INDEX_ACL | ALTER_ACL | SHOW_DB_ACL | SUPER_ACL | \
CREATE_TMP_ACL | LOCK_TABLES_ACL | REPL_SLAVE_ACL | REPL_CLIENT_ACL | \
EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \
ALTER_PROC_ACL )
#define EXTRA_ACL (1L << 29)
#define NO_ACCESS (1L << 30)
#define DEFAULT_CREATE_PROC_ACLS \
(ALTER_PROC_ACL | EXECUTE_ACL)
/*
Defines to change the above bits to how things are stored in tables
This is needed as the 'host' and 'db' table is missing a few privileges
*/
/* Continius bit-segments that needs to be shifted */
#define DB_REL1 ((1L << 6) | (1L << 7) | (1L << 8) | (1L << 9))
#define DB_REL2 ((1L << 10) | (1L << 11))
#define DB_REL3 ((1L << 12) | (1L << 13) | (1L << 14) | (1L << 15))
#define DB_REL4 ((1L << 16))
/* Privileges that needs to be reallocated (in continous chunks) */
#define DB_CHUNK1 (GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL)
#define DB_CHUNK2 (CREATE_TMP_ACL | LOCK_TABLES_ACL)
#define DB_CHUNK3 (CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
CREATE_PROC_ACL | ALTER_PROC_ACL )
#define DB_CHUNK4 (EXECUTE_ACL)
#define fix_rights_for_db(A) (((A) & 63) | \
(((A) & DB_REL1) << 4) | \
(((A) & DB_REL2) << 6) | \
(((A) & DB_REL3) << 9) | \
(((A) & DB_REL4) << 2))
#define get_rights_for_db(A) (((A) & 63) | \
(((A) & DB_CHUNK1) >> 4) | \
(((A) & DB_CHUNK2) >> 6) | \
(((A) & DB_CHUNK3) >> 9) | \
(((A) & DB_CHUNK4) >> 2))
#define fix_rights_for_table(A) (((A) & 63) | (((A) & ~63) << 4))
#define get_rights_for_table(A) (((A) & 63) | (((A) & ~63) >> 4))
#define fix_rights_for_column(A) (((A) & 7) | (((A) & ~7) << 8))
#define get_rights_for_column(A) (((A) & 7) | ((A) >> 8))
#define fix_rights_for_procedure(A) ((((A) << 18) & EXECUTE_ACL) | \
(((A) << 23) & ALTER_PROC_ACL) | \
(((A) << 8) & GRANT_ACL))
#define get_rights_for_procedure(A) ((((A) & EXECUTE_ACL) >> 18) | \
(((A) & ALTER_PROC_ACL) >> 23) | \
(((A) & GRANT_ACL) >> 8))
/* Classes */
struct acl_host_and_ip
{
char *hostname;
long ip,ip_mask; // Used with masked ip:s
};
class ACL_ACCESS {
public:
ulong sort;
ulong access;
};
/* ACL_HOST is used if no host is specified */
class ACL_HOST :public ACL_ACCESS
{
public:
acl_host_and_ip host;
char *db;
};
class ACL_USER :public ACL_ACCESS
{
public:
acl_host_and_ip host;
uint hostname_length;
USER_RESOURCES user_resource;
char *user;
uint8 salt[SCRAMBLE_LENGTH+1]; // scrambled password in binary form
uint8 salt_len; // 0 - no password, 4 - 3.20, 8 - 3.23, 20 - 4.1.1
enum SSL_type ssl_type;
const char *ssl_cipher, *x509_issuer, *x509_subject;
};
class ACL_DB :public ACL_ACCESS
{
public:
acl_host_and_ip host;
char *user,*db;
};
/* prototypes */
bool hostname_requires_resolving(const char *hostname);
my_bool acl_init(THD *thd, bool dont_read_acl_tables);
void acl_reload(THD *thd);
void acl_free(bool end=0);
ulong acl_get(const char *host, const char *ip,
const char *user, const char *db, my_bool db_is_pattern);
int acl_getroot(THD *thd, USER_RESOURCES *mqh, const char *passwd,
uint passwd_len);
int acl_getroot_no_password(THD *thd);
bool acl_check_host(const char *host, const char *ip);
bool check_change_password(THD *thd, const char *host, const char *user,
char *password);
bool change_password(THD *thd, const char *host, const char *user,
char *password);
bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &user_list,
ulong rights, bool revoke);
bool mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list,
List <LEX_COLUMN> &column_list, ulong rights,
bool revoke);
bool mysql_procedure_grant(THD *thd, TABLE_LIST *table,
List <LEX_USER> &user_list, ulong rights,
bool revoke, bool no_error);
my_bool grant_init(THD *thd);
void grant_free(void);
void grant_reload(THD *thd);
bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables,
uint show_command, uint number, bool dont_print_error);
bool check_grant_column (THD *thd, GRANT_INFO *grant,
char *db_name, char *table_name,
const char *name, uint length, uint show_command=0);
bool check_grant_all_columns(THD *thd, ulong want_access, GRANT_INFO *grant,
char* db_name, char *table_name,
Field_iterator *fields);
bool check_grant_procedure(THD *thd, ulong want_access,
TABLE_LIST *procs, bool no_error);
bool check_grant_db(THD *thd,const char *db);
ulong get_table_grant(THD *thd, TABLE_LIST *table);
ulong get_column_grant(THD *thd, GRANT_INFO *grant,
const char *db_name, const char *table_name,
const char *field_name);
bool mysql_show_grants(THD *thd, LEX_USER *user);
void get_privilege_desc(char *to, uint max_length, ulong access);
void get_mqh(const char *user, const char *host, USER_CONN *uc);
bool mysql_create_user(THD *thd, List <LEX_USER> &list);
bool mysql_drop_user(THD *thd, List <LEX_USER> &list);
bool mysql_rename_user(THD *thd, List <LEX_USER> &list);
bool mysql_revoke_all(THD *thd, List <LEX_USER> &list);
void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant,
const char *db, const char *table);
bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name);
bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name);
#ifdef NO_EMBEDDED_ACCESS_CHECKS
#define check_grant(A,B,C,D,E,F) 0
#define check_grant_db(A,B) 0
#endif
Reference in a new issue View git blame Copy permalink