MySQL 8.0.39
Source Code Documentation
DB_restrictions_aggregator Class Referenceabstract

Restriction aggregator for database restrictions. More...

#include <partial_revokes.h>

Inheritance diagram for DB_restrictions_aggregator:
[legend]

Public Member Functions

bool generate (Abstract_restrictions &restrictions) override
 Driver function to aggregate restriction lists. More...
 
- Public Member Functions inherited from Restrictions_aggregator
virtual ~Restrictions_aggregator ()
 Destructor. More...
 

Protected Types

enum class  SQL_OP { SET_ROLE , GLOBAL_GRANT }
 
using Status = Restrictions_aggregator::Status
 
- Protected Types inherited from Restrictions_aggregator
enum class  Status {
  Error , Warning , Validated , Aggregated ,
  No_op
}
 

Protected Member Functions

 DB_restrictions_aggregator (const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const Access_bitmask requested_access, const Security_context *sctx)
 Constructor for database level restrictions aggregator. More...
 
bool find_if_require_next_level_operation (Access_bitmask &rights) const override
 Get list of privileges that are not restricted through restriction list. More...
 
bool check_db_access_and_restrictions_collision (const Access_bitmask grantee_db_access, const Access_bitmask grantee_restrictions, const std::string &db_name) noexcept
 Check possible descrepancy between DB access being granted and existing restrictions. More...
 
void set_if_db_level_operation (const Access_bitmask requested_access, const Access_bitmask restrictions_mask) noexcept
 Set privileges that needs to be processed further. More...
 
void aggregate_restrictions (SQL_OP sql_op, const Db_access_map *m_db_map, DB_restrictions &restrictions)
 A helper method that aggregates the restrictions for global_grant and set_role operations since both are similar in nature. More...
 
Access_bitmask get_grantee_db_access (const std::string &db_name) const
 Fetches the grantee's DB access on the specified DB If security context of current user exists and has some active roles then probe the security context since current user must be grantee. More...
 
void get_grantee_db_access (const std::string &db_name, Access_bitmask &access) const
 Fetches the grantee's DB access on the specified DB If security context of current user exists and has some active roles then probe the security context since current user must be grantee. More...
 
- Protected Member Functions inherited from Restrictions_aggregator
 Restrictions_aggregator (const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const Access_bitmask requested_access)
 Constructor. More...
 
 Restrictions_aggregator (const Restrictions_aggregator &)=delete
 
Restrictions_aggregatoroperator= (const Restrictions_aggregator &)=delete
 
 Restrictions_aggregator (const Restrictions_aggregator &&)=delete
 
Restrictions_aggregatoroperator= (const Restrictions_aggregator &&)=delete
 

Protected Attributes

Access_bitmask m_privs_not_processed = 0
 Privileges that needs to be checked further through DB grants. More...
 
DB_restrictions m_grantor_rl
 Database restrictions for grantor. More...
 
DB_restrictions m_grantee_rl
 Database restrictions for grantee. More...
 
const Security_contextm_sctx
 Security context of the current user. More...
 
- Protected Attributes inherited from Restrictions_aggregator
const Auth_id m_grantor
 Grantor information. More...
 
const Auth_id m_grantee
 Grantee information. More...
 
const Access_bitmask m_grantor_global_access
 Global static privileges of grantor. More...
 
const Access_bitmask m_grantee_global_access
 Global static privileges of grantee. More...
 
const Access_bitmask m_requested_access
 Privileges that are being granted or revoked. More...
 
Status m_status
 Internal status of aggregation process. More...
 

Private Member Functions

virtual Status validate ()=0
 
virtual void aggregate (DB_restrictions &restrictions)=0
 

Detailed Description

Restriction aggregator for database restrictions.

An umbrella class to cover common methods. This is ultimately used for privilege aggregation in case of GRANT/REVOKE of database level privileges.

Member Typedef Documentation

◆ Status

Member Enumeration Documentation

◆ SQL_OP

enum class DB_restrictions_aggregator::SQL_OP
strongprotected
Enumerator
SET_ROLE 
GLOBAL_GRANT 

Constructor & Destructor Documentation

◆ DB_restrictions_aggregator()

DB_restrictions_aggregator::DB_restrictions_aggregator ( const Auth_id grantor,
const Auth_id  grantee,
const Access_bitmask  grantor_global_access,
const Access_bitmask  grantee_global_access,
const DB_restrictions grantor_db_restrictions,
const DB_restrictions grantee_db_restrictions,
const Access_bitmask  requested_access,
const Security_context sctx 
)
protected

Constructor for database level restrictions aggregator.

Database restrictions will be fetched from global cache. Assumption: ACL cache is locked - at least in shared mode.

Parameters
[in]grantorGrantor information
[in]granteeGrantee information
[in]grantor_global_accessStatic global privileges of grantor
[in]grantee_global_accessStatic global privileges of grantee
[in]grantor_db_restrictionsDB_restrictions of grantor
[in]grantee_db_restrictionsDB_restrictions of grantee
[in]requested_accessPrivileges being granted/revoked through current statement
[in]sctxSecurity_context of current user. Default value is nullptr

Member Function Documentation

◆ aggregate()

◆ aggregate_restrictions()

void DB_restrictions_aggregator::aggregate_restrictions ( SQL_OP  sql_op,
const Db_access_map db_map,
DB_restrictions restrictions 
)
protected

A helper method that aggregates the restrictions for global_grant and set_role operations since both are similar in nature.

Generates DB_restrictions based on the requested access, grantor and grantee's DB_restrictions in the ACL cache.

  • If grantor has restrictions
    • Retain Grantee's restrictions if it has more privileges than grantor
    • If grantee has restrictions than aggregate them
    • If grantee does not have restrictions keep only those restrictions of grantor for which there is no DB level access to grantee.
  • else if grantee has restrictions
    • Remove the restrictions on which global grant is requested.
Parameters
[in]sql_opSQL statement type for which aggregation is to be done.
[in]db_mapDB_access_map used to fetch grantee's db access for SET ROLE
[out]restrictionsFills the parameter with the generated DB_restrictions.

◆ check_db_access_and_restrictions_collision()

bool DB_restrictions_aggregator::check_db_access_and_restrictions_collision ( const Access_bitmask  grantee_db_access,
const Access_bitmask  grantee_restrictions,
const std::string &  db_name 
)
protectednoexcept

Check possible descrepancy between DB access being granted and existing restrictions.

For a given user account, if a privilege is present in:

  1. Restriction list
  2. List of DB privileges AND if server is running with –partial_revokes option, any further attempt to modify user's grant should be prevented. Such a case can occur in one of the following cases: A. DB Restriction is created, –partial_revokes is set to OFF, DB grant is created, –partial_revokes is set to ON again. B. DB Restriction is created, mysql.db table is modified with INSERT query.
Parameters
[in]grantee_db_accessDatabase access to be granted
[in]grantee_restrictionsExisting restriction
[in]db_nameDatabase information
Returns
Collision exists or not
Return values
falseNo collision detected
trueCollision detected. Error raised.

◆ find_if_require_next_level_operation()

bool DB_restrictions_aggregator::find_if_require_next_level_operation ( Access_bitmask rights) const
overrideprotectedvirtual

Get list of privileges that are not restricted through restriction list.

Parameters
[out]rightsBitmask of privileges to be processed further
Returns
Any more privilegs remaining?
Return values
falseNo privileges to be processed further
trueEither restricted privileges were removed or nothing needs to be filtered

Implements Restrictions_aggregator.

◆ generate()

bool DB_restrictions_aggregator::generate ( Abstract_restrictions restrictions)
overridevirtual

Driver function to aggregate restriction lists.

Validate first and then aggregate the restrictionss from combinations of grantor & grantee's restrictions, global access and grantee access.

We also perform dynamic cast here once and call method of respective derived classes. This way, derived classes do not have to override aggregate and perform similar dynamic casting before proceeding.

Parameters
[out]restrictionsAggreatated restrictions for grantee
Returns
status of aggregation process
Return values
falseSuccess
trueFailure. Error would have been raised.

Implements Restrictions_aggregator.

◆ get_grantee_db_access() [1/2]

Access_bitmask DB_restrictions_aggregator::get_grantee_db_access ( const std::string &  db_name) const
protected

Fetches the grantee's DB access on the specified DB If security context of current user exists and has some active roles then probe the security context since current user must be grantee.

Otherwise, probe the usual ACL Cache.

Parameters
[in]db_nameDatabase name for which we need to fetch the DB level access.
Returns
DB level access.

◆ get_grantee_db_access() [2/2]

void DB_restrictions_aggregator::get_grantee_db_access ( const std::string &  db_name,
Access_bitmask access 
) const
protected

Fetches the grantee's DB access on the specified DB If security context of current user exists and has some active roles then probe the security context since current user must be grantee.

Otherwise, do not modify the access argument.

Parameters
[in]db_nameDatabase name for which we need to fetch the DB level access.
[out]accessAccess on the specified DB.

◆ set_if_db_level_operation()

void DB_restrictions_aggregator::set_if_db_level_operation ( const Access_bitmask  requested_access,
const Access_bitmask  restrictions_mask 
)
protectednoexcept

Set privileges that needs to be processed further.

These privileges are not restricted through revocations. So caller can safely proceed with further operations

Parameters
[in]requested_accessPrivilege bitmask to be checked
[in]restrictions_maskConfirmed restrictions

◆ validate()

Member Data Documentation

◆ m_grantee_rl

DB_restrictions DB_restrictions_aggregator::m_grantee_rl
protected

Database restrictions for grantee.

◆ m_grantor_rl

DB_restrictions DB_restrictions_aggregator::m_grantor_rl
protected

Database restrictions for grantor.

◆ m_privs_not_processed

Access_bitmask DB_restrictions_aggregator::m_privs_not_processed = 0
protected

Privileges that needs to be checked further through DB grants.

◆ m_sctx

const Security_context* DB_restrictions_aggregator::m_sctx
protected

Security context of the current user.


The documentation for this class was generated from the following files: