MySQL 8.0.39
Source Code Documentation
acl_table_user.h
Go to the documentation of this file.
1/* Copyright (c) 2018, 2024, Oracle and/or its affiliates.
2
3This program is free software; you can redistribute it and/or modify
4it under the terms of the GNU General Public License, version 2.0,
5as published by the Free Software Foundation.
6
7This program is designed to work with certain software (including
8but not limited to OpenSSL) that is licensed under separate terms,
9as designated in a particular file or component or in included license
10documentation. The authors of MySQL hereby grant you an additional
11permission to link the program and your derivative works with the
12separately licensed software that they have either included with
13the program or referenced in the documentation.
14
15This program is distributed in the hope that it will be useful,
16but WITHOUT ANY WARRANTY; without even the implied warranty of
17MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18GNU General Public License, version 2.0, for more details.
19
20You should have received a copy of the GNU General Public License
21along with this program; if not, write to the Free Software
22Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
23
24#ifndef ACL_TABLE_USER_INCLUDED
25#define ACL_TABLE_USER_INCLUDED
26
27#include "my_config.h"
28
29#ifdef HAVE_SYS_TIME_H
30#include <sys/time.h>
31#endif
32
33#include <sys/types.h>
34#include <functional>
35#include <memory>
36#include <string>
37#include <utility>
38
39#include "my_alloc.h"
40#include "sql-common/json_dom.h"
43#include "sql/auth/sql_mfa.h" /* I_multi_factor_auth */
44#include "sql/auth/user_table.h"
45
46class ACL_USER;
47class RowIterator;
48class THD;
50struct LEX_USER;
51struct TABLE;
52
53namespace acl_table {
59 COMMENT,
61};
62
64 /**
65 read from the user config. The number of days to keep the account locked
66 */
68 /**
69 read from the user config. The number of failed login attempts before the
70 account is locked
71 */
73
75
77
79
80 Password_lock(const Password_lock &other);
81
83};
84
85/**
86 Class to handle information stored in mysql.user.user_attributes
87*/
89 public:
90 /**
91 Default constructor.
92 */
93 Acl_user_attributes(MEM_ROOT *mem_root, bool read_restrictions,
94 Auth_id &auth_id, Access_bitmask global_privs);
95
96 Acl_user_attributes(MEM_ROOT *mem_root, bool read_restrictions,
99
101
102 public:
103 /**
104 Obtain info from JSON representation of user attributes
105
106 @param [in] json_object JSON object that holds user attributes
107
108 @returns status of parsing json_object
109 @retval false Success
110 @retval true Error parsing the JSON object
111 */
112 bool deserialize(const Json_object &json_object);
113
114 /**
115 Create JSON object from user attributes
116
117 @param [out] json_object Object to store serialized user attributes
118
119 @returns status of serialization
120 @retval false Success
121 @retval true Error serializing user attributes
122 */
123 bool serialize(Json_object &json_object) const;
124
125 /**
126 Update second password for user. We replace existing one if any.
127
128 @param [in] credential Second password
129
130 @returns status of password update
131 @retval false Success
132 @retval true Error. Second password is empty
133 */
134 bool update_additional_password(std::string &credential);
135
136 /**
137 Discard second password.
138 */
140
141 /**
142 Get second password
143
144 @returns second password
145 */
146 const std::string get_additional_password() const;
147
148 /**
149 Get the restriction list for the user
150
151 @returns Restriction list
152 */
154
155 void update_restrictions(const Restrictions &restricitions);
156
159 }
162 }
163 auto get_password_lock() const { return m_password_lock; }
164 void set_password_lock(Password_lock password_lock) {
165 m_password_lock = password_lock;
166 }
167
169 void set_mfa(I_multi_factor_auth *mfa) { m_mfa = mfa; }
170
171 /**
172 Take over ownership of the json pointer.
173 @return Error state
174 @retval true An error occurred
175 @retval false Success
176 */
178
179 private:
181 DB_restrictions &db_restrictions, Access_bitmask mask,
182 enum loglevel level, ulonglong errcode);
183 bool deserialize_password_lock(const Json_object &json_object);
184 bool deserialize_multi_factor(const Json_object &json_object);
185
186 private:
187 /** Mem root */
189 /** Operation for restrictions */
191 /** Auth ID */
193 /** Second password for user */
195 /** Restrictions_list on certain databases for user */
197 /** Global static privileges */
199 /** password locking */
201 /** multi factor auth info */
203 /** Save the original json object */
205};
206
207// Forward and alias declarations
209 std::pair<Table_op_error_code, struct timeval>;
210
211/**
212 mysql.user table writer. It updates or drop a one single row from the table.
213*/
214
216 public:
220 my_timeval pwd_timestamp, std::string cred,
224 updated_rights(rights),
225 error(err),
226 password_change_timestamp(pwd_timestamp),
227 second_cred(cred),
228 restrictions(),
231
236 std::string second_cred;
240};
241
243 public:
244 Acl_table_user_writer(THD *thd, TABLE *table, LEX_USER *combo,
245 Access_bitmask rights, bool revoke_grant,
246 bool can_create_user,
247 Pod_user_what_to_update what_to_update,
248 Restrictions *restrictions, I_multi_factor_auth *mfa);
249 ~Acl_table_user_writer() override;
252
253 bool setup_table(int &error, bool &builtin_password);
254
255 /* Set of functions to set user table data */
265 bool update_user_attributes(std::string &current_password,
266 Acl_table_user_writer_status &return_value);
267
269 std::function<bool(TABLE *table)> const &update);
271 std::string get_current_credentials();
272
273 private:
275 bool write_user_attributes_column(const Acl_user_attributes &user_attributes);
285 std::function<bool(TABLE *table)> m_user_application_user_metadata;
286};
287
288/**
289 mysql.user table reader. It reads all raws from table and create in-memory
290 cache.
291*/
292
294 public:
295 Acl_table_user_reader(THD *thd, TABLE *table);
296 ~Acl_table_user_reader() override;
297 bool driver();
298 bool setup_table(bool &is_old_db_layout);
299 bool read_row(bool &is_old_db_layout, bool &super_users_with_empty_plugin);
301
302 /* Set of function to read user table data */
309 bool read_plugin_info(ACL_USER &user, bool &super_users_with_empty_plugin,
310 bool &is_old_db_layout);
311 bool read_password_expiry(ACL_USER &user, bool &password_expired);
320
321 private:
327};
328
329} // namespace acl_table
330#endif /* ACL_TABLE_USER_INCLUDED */
uint32_t Access_bitmask
Definition: auth_acls.h:34
Definition: sql_auth_cache.h:246
Storage container for default auth ids.
Definition: auth_common.h:1073
DB Restrictions representation in memory.
Definition: partial_revokes.h:82
An interface to access information about Multi factor authentication methods.
Definition: sql_mfa.h:45
Represents a JSON container value of type "object" (ECMA), type J_OBJECT here.
Definition: json_dom.h:373
Container of all restrictions for a given user.
Definition: partial_revokes.h:155
A context for reading through a single table using a chosen access method: index read,...
Definition: row_iterator.h:82
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_lexer_thd.h:34
Definition: auth_common.h:376
mysql.user table reader.
Definition: acl_table_user.h:293
void read_password_last_changed(ACL_USER &user)
Get password change time.
Definition: acl_table_user.cc:1774
Restrictions * m_restrictions
Definition: acl_table_user.h:325
void read_password_reuse_time_fields(ACL_USER &user)
Get password reuse time restriction.
Definition: acl_table_user.cc:1841
void read_user_resources(ACL_USER &user)
Read user resource restrictions.
Definition: acl_table_user.cc:1590
void add_row_to_acl_users(ACL_USER &user)
Add a recently read row in acl_users.
Definition: acl_table_user.cc:1958
bool setup_table(bool &is_old_db_layout)
Make table ready to read.
Definition: acl_table_user.cc:1383
bool read_row(bool &is_old_db_layout, bool &super_users_with_empty_plugin)
Read a row from mysql.user table and add it to in-memory structure.
Definition: acl_table_user.cc:2011
bool read_plugin_info(ACL_USER &user, bool &super_users_with_empty_plugin, bool &is_old_db_layout)
Read plugin information.
Definition: acl_table_user.cc:1630
void read_privileges(ACL_USER &user)
Get global privilege information.
Definition: acl_table_user.cc:1483
void read_password_require_current(ACL_USER &user)
Get information about requiring current password while changing password.
Definition: acl_table_user.cc:1861
bool driver()
Driver function for mysql.user reader.
Definition: acl_table_user.cc:2052
void read_password_locked(ACL_USER &user)
Determine if user account is locked.
Definition: acl_table_user.cc:1758
bool read_user_attributes(ACL_USER &user)
Read user attributes.
Definition: acl_table_user.cc:1885
MEM_ROOT m_mem_root
Definition: acl_table_user.h:324
void reset_acl_user(ACL_USER &user)
Scrub ACL_USER.
Definition: acl_table_user.cc:1409
void read_ssl_fields(ACL_USER &user)
Read SSL restrictions.
Definition: acl_table_user.cc:1560
bool read_password_expiry(ACL_USER &user, bool &password_expired)
Read password expiry field.
Definition: acl_table_user.cc:1733
User_table_schema * m_table_schema
Definition: acl_table_user.h:322
bool read_authentication_string(ACL_USER &user)
Read authentication string for the account.
Definition: acl_table_user.cc:1458
Acl_table_user_reader(THD *thd, TABLE *table)
mysql.user table reader constructor.
Definition: acl_table_user.cc:1346
void read_account_name(ACL_USER &user)
Get user and host information for the account.
Definition: acl_table_user.cc:1434
Acl_table_op_status finish_operation(Table_op_error_code &error) override
Finish mysql.user table read operation.
Definition: acl_table_user.cc:1365
~Acl_table_user_reader() override
Free resources before we destroy.
Definition: acl_table_user.cc:1353
Json_object * m_user_application_user_metadata_json
Definition: acl_table_user.h:326
void read_password_lifetime(ACL_USER &user)
Get password expiry policy infomration.
Definition: acl_table_user.cc:1802
void read_password_history_fields(ACL_USER &user)
Get password history restriction.
Definition: acl_table_user.cc:1820
unique_ptr_destroy_only< RowIterator > m_iterator
Definition: acl_table_user.h:323
mysql.user table writer.
Definition: acl_table_user.h:215
std::string second_cred
Definition: acl_table_user.h:236
Restrictions restrictions
Definition: acl_table_user.h:237
Access_bitmask updated_rights
Definition: acl_table_user.h:233
my_timeval password_change_timestamp
Definition: acl_table_user.h:235
Acl_table_user_writer_status(bool skip, Access_bitmask rights, Table_op_error_code err, my_timeval pwd_timestamp, std::string cred, Password_lock &password_lock, I_multi_factor_auth *multi_factor)
Definition: acl_table_user.h:218
Password_lock password_lock
Definition: acl_table_user.h:238
Table_op_error_code error
Definition: acl_table_user.h:234
I_multi_factor_auth * multi_factor
Definition: acl_table_user.h:239
Acl_table_user_writer_status()
Definition: acl_table_user.cc:438
bool skip_cache_update
Definition: acl_table_user.h:232
Definition: acl_table_user.h:242
std::function< bool(TABLE *table)> m_user_application_user_metadata
Definition: acl_table_user.h:285
bool update_password_reuse()
Password reuse time updates.
Definition: acl_table_user.cc:1117
bool write_user_attributes_column(const Acl_user_attributes &user_attributes)
Helper function to write updated user_attributes in the column.
Definition: acl_table_user.cc:1282
bool update_privileges(Acl_table_user_writer_status &return_value)
Update global privileges for user.
Definition: acl_table_user.cc:857
Acl_table_user_writer(THD *thd, TABLE *table, LEX_USER *combo, Access_bitmask rights, bool revoke_grant, bool can_create_user, Pod_user_what_to_update what_to_update, Restrictions *restrictions, I_multi_factor_auth *mfa)
mysql.user table writer constructor
Definition: acl_table_user.cc:464
I_multi_factor_auth * m_mfa
Definition: acl_table_user.h:284
bool update_user_attributes(std::string &current_password, Acl_table_user_writer_status &return_value)
User_attributes updates.
Definition: acl_table_user.cc:1186
Access_bitmask get_user_privileges()
Helper function to get global privileges from mysql.user table.
Definition: acl_table_user.cc:1305
LEX_USER * m_combo
Definition: acl_table_user.h:277
bool update_password_expiry()
Update password expiration info.
Definition: acl_table_user.cc:1013
Acl_table_op_status finish_operation(Table_op_error_code &error) override
Finish the operation.
Definition: acl_table_user.cc:727
bool m_revoke_grant
Definition: acl_table_user.h:279
User_table_schema * m_table_schema
Definition: acl_table_user.h:282
bool update_password_history()
Password history updates.
Definition: acl_table_user.cc:1086
bool update_ssl_properties()
Update SSL properties.
Definition: acl_table_user.cc:904
Pod_user_what_to_update m_what_to_update
Definition: acl_table_user.h:281
~Acl_table_user_writer() override
Cleanup.
Definition: acl_table_user.cc:486
bool update_authentication_info(Acl_table_user_writer_status &return_value)
Update user's authentication information.
Definition: acl_table_user.cc:793
bool update_password_require_current()
Whether current password is required to update existing one.
Definition: acl_table_user.cc:1146
Acl_table_user_writer_status driver()
Perform add/update to mysql.user table.
Definition: acl_table_user.cc:496
Access_bitmask m_rights
Definition: acl_table_user.h:278
bool update_user_application_user_metadata()
Helper function for updating the user metadata JSON.
Definition: acl_table_user.cc:1274
std::string get_current_credentials()
Get current password from mysql.user.authentication_string.
Definition: acl_table_user.cc:1331
bool m_can_create_user
Definition: acl_table_user.h:280
bool update_account_locking()
Update account locking info.
Definition: acl_table_user.cc:1054
void replace_user_application_user_metadata(std::function< bool(TABLE *table)> const &update)
Send the function for updating the user metadata JSON code to the table processor.
Definition: acl_table_user.cc:1265
bool m_has_user_application_user_metadata
Definition: acl_table_user.h:276
Restrictions * m_restrictions
Definition: acl_table_user.h:283
bool setup_table(int &error, bool &builtin_password)
Position user table.
Definition: acl_table_user.cc:581
bool update_user_resources()
Update user resource restrictions.
Definition: acl_table_user.cc:981
Base class to handle ACL table manipulation.
Definition: acl_table_base.h:44
Class to handle information stored in mysql.user.user_attributes.
Definition: acl_table_user.h:88
bool deserialize_password_lock(const Json_object &json_object)
Definition: acl_table_user.cc:240
bool deserialize(const Json_object &json_object)
Obtain info from JSON representation of user attributes.
Definition: acl_table_user.cc:286
bool serialize(Json_object &json_object) const
Create JSON object from user attributes.
Definition: acl_table_user.cc:321
Password_lock m_password_lock
password locking
Definition: acl_table_user.h:200
void update_restrictions(const Restrictions &restricitions)
Definition: acl_table_user.cc:400
void set_mfa(I_multi_factor_auth *mfa)
Definition: acl_table_user.h:169
Auth_id m_auth_id
Auth ID.
Definition: acl_table_user.h:192
bool consume_user_attributes_json(Json_dom_ptr json)
Take over ownership of the json pointer.
Definition: acl_table_user.cc:160
void report_and_remove_invalid_db_restrictions(DB_restrictions &db_restrictions, Access_bitmask mask, enum loglevel level, ulonglong errcode)
Definition: acl_table_user.cc:179
bool update_additional_password(std::string &credential)
Update second password for user.
Definition: acl_table_user.cc:379
Acl_user_attributes(MEM_ROOT *mem_root, bool read_restrictions, Auth_id &auth_id, Access_bitmask global_privs)
Default constructor.
Definition: acl_table_user.cc:134
I_multi_factor_auth * m_mfa
multi factor auth info
Definition: acl_table_user.h:202
Json_dom_ptr m_user_attributes_json
Save the original json object.
Definition: acl_table_user.h:204
void set_password_lock(Password_lock password_lock)
Definition: acl_table_user.h:164
MEM_ROOT * m_mem_root
Mem root.
Definition: acl_table_user.h:188
auto get_failed_login_attempts() const
Definition: acl_table_user.h:157
Restrictions m_restrictions
Restrictions_list on certain databases for user.
Definition: acl_table_user.h:196
Restrictions get_restrictions() const
Get the restriction list for the user.
Definition: acl_table_user.cc:396
Access_bitmask m_global_privs
Global static privileges.
Definition: acl_table_user.h:198
const std::string get_additional_password() const
Get second password.
Definition: acl_table_user.cc:392
auto get_password_lock_time_days() const
Definition: acl_table_user.h:160
~Acl_user_attributes()
Definition: acl_table_user.cc:158
bool m_read_restrictions
Operation for restrictions.
Definition: acl_table_user.h:190
auto get_password_lock() const
Definition: acl_table_user.h:163
std::string m_additional_password
Second password for user.
Definition: acl_table_user.h:194
bool deserialize_multi_factor(const Json_object &json_object)
Definition: acl_table_user.cc:217
void discard_additional_password()
Discard second password.
Definition: acl_table_user.cc:388
I_multi_factor_auth * get_mfa()
Definition: acl_table_user.h:168
Definition: user_table.h:47
static MEM_ROOT mem_root
Definition: client_plugin.cc:110
JSON DOM.
std::unique_ptr< Json_dom > Json_dom_ptr
Definition: json_dom.h:65
static mi_bit_type mask[]
Definition: mi_packrec.cc:141
This file follows Google coding style, except for the name MEM_ROOT (which is kept for historical rea...
std::unique_ptr< T, Destroy_only< T > > unique_ptr_destroy_only
std::unique_ptr, but only destroying.
Definition: my_alloc.h:489
unsigned long long int ulonglong
Definition: my_inttypes.h:56
loglevel
Definition: my_loglevel.h:41
static uint update
Definition: myisamlog.cc:91
Log error(cerr, "ERROR")
char * user
Definition: mysqladmin.cc:60
Definition: acl_table_base.h:33
int Table_op_error_code
Definition: acl_table_base.h:35
Acl_table_op_status
Definition: acl_table_base.h:37
User_attribute_type
Definition: acl_table_user.h:54
std::pair< Table_op_error_code, struct timeval > acl_table_user_writer_status
Definition: acl_table_user.h:209
static Value err()
Create a Value object that represents an error condition.
Definition: json_binary.cc:910
static size_t skip(size_t pos_start, size_t match_len)
Definition: uri.cc:82
constexpr const size_t ACL_ALLOC_BLOCK_SIZE
Definition: sql_const.h:148
Definition: table.h:2658
The MEM_ROOT is a simple arena, where allocations are carved out of larger blocks.
Definition: my_alloc.h:83
Definition: table.h:1399
Definition: acl_table_user.h:63
int password_lock_time_days
read from the user config.
Definition: acl_table_user.h:67
Password_lock()
Definition: acl_table_user.cc:2076
Password_lock & operator=(const Password_lock &other)
Definition: acl_table_user.cc:2079
uint failed_login_attempts
read from the user config.
Definition: acl_table_user.h:72
Replacement of system's struct timeval to ensure we can carry 64 bit values even on a platform which ...
Definition: my_time_t.h:45
Include file for Sun RPC to compile out of the box.
unsigned int uint
Definition: uca9-dump.cc:75
#define PSI_NOT_INSTRUMENTED
Definition: validate_password_imp.cc:42