MySQL 8.0.39
Source Code Documentation
|
Restriction aggregator for database restrictions. More...
#include <partial_revokes.h>
Public Member Functions | |
bool | generate (Abstract_restrictions &restrictions) override |
Driver function to aggregate restriction lists. More... | |
Public Member Functions inherited from Restrictions_aggregator | |
virtual | ~Restrictions_aggregator () |
Destructor. More... | |
Protected Types | |
enum class | SQL_OP { SET_ROLE , GLOBAL_GRANT } |
using | Status = Restrictions_aggregator::Status |
Protected Types inherited from Restrictions_aggregator | |
enum class | Status { Error , Warning , Validated , Aggregated , No_op } |
Protected Member Functions | |
DB_restrictions_aggregator (const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const Access_bitmask requested_access, const Security_context *sctx) | |
Constructor for database level restrictions aggregator. More... | |
bool | find_if_require_next_level_operation (Access_bitmask &rights) const override |
Get list of privileges that are not restricted through restriction list. More... | |
bool | check_db_access_and_restrictions_collision (const Access_bitmask grantee_db_access, const Access_bitmask grantee_restrictions, const std::string &db_name) noexcept |
Check possible descrepancy between DB access being granted and existing restrictions. More... | |
void | set_if_db_level_operation (const Access_bitmask requested_access, const Access_bitmask restrictions_mask) noexcept |
Set privileges that needs to be processed further. More... | |
void | aggregate_restrictions (SQL_OP sql_op, const Db_access_map *m_db_map, DB_restrictions &restrictions) |
A helper method that aggregates the restrictions for global_grant and set_role operations since both are similar in nature. More... | |
Access_bitmask | get_grantee_db_access (const std::string &db_name) const |
Fetches the grantee's DB access on the specified DB If security context of current user exists and has some active roles then probe the security context since current user must be grantee. More... | |
void | get_grantee_db_access (const std::string &db_name, Access_bitmask &access) const |
Fetches the grantee's DB access on the specified DB If security context of current user exists and has some active roles then probe the security context since current user must be grantee. More... | |
Protected Member Functions inherited from Restrictions_aggregator | |
Restrictions_aggregator (const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const Access_bitmask requested_access) | |
Constructor. More... | |
Restrictions_aggregator (const Restrictions_aggregator &)=delete | |
Restrictions_aggregator & | operator= (const Restrictions_aggregator &)=delete |
Restrictions_aggregator (const Restrictions_aggregator &&)=delete | |
Restrictions_aggregator & | operator= (const Restrictions_aggregator &&)=delete |
Protected Attributes | |
Access_bitmask | m_privs_not_processed = 0 |
Privileges that needs to be checked further through DB grants. More... | |
DB_restrictions | m_grantor_rl |
Database restrictions for grantor. More... | |
DB_restrictions | m_grantee_rl |
Database restrictions for grantee. More... | |
const Security_context * | m_sctx |
Security context of the current user. More... | |
Protected Attributes inherited from Restrictions_aggregator | |
const Auth_id | m_grantor |
Grantor information. More... | |
const Auth_id | m_grantee |
Grantee information. More... | |
const Access_bitmask | m_grantor_global_access |
Global static privileges of grantor. More... | |
const Access_bitmask | m_grantee_global_access |
Global static privileges of grantee. More... | |
const Access_bitmask | m_requested_access |
Privileges that are being granted or revoked. More... | |
Status | m_status |
Internal status of aggregation process. More... | |
Private Member Functions | |
virtual Status | validate ()=0 |
virtual void | aggregate (DB_restrictions &restrictions)=0 |
Restriction aggregator for database restrictions.
An umbrella class to cover common methods. This is ultimately used for privilege aggregation in case of GRANT/REVOKE of database level privileges.
|
protected |
|
strongprotected |
|
protected |
Constructor for database level restrictions aggregator.
Database restrictions will be fetched from global cache. Assumption: ACL cache is locked - at least in shared mode.
[in] | grantor | Grantor information |
[in] | grantee | Grantee information |
[in] | grantor_global_access | Static global privileges of grantor |
[in] | grantee_global_access | Static global privileges of grantee |
[in] | grantor_db_restrictions | DB_restrictions of grantor |
[in] | grantee_db_restrictions | DB_restrictions of grantee |
[in] | requested_access | Privileges being granted/revoked through current statement |
[in] | sctx | Security_context of current user. Default value is nullptr |
|
privatepure virtual |
|
protected |
A helper method that aggregates the restrictions for global_grant and set_role operations since both are similar in nature.
Generates DB_restrictions based on the requested access, grantor and grantee's DB_restrictions in the ACL cache.
[in] | sql_op | SQL statement type for which aggregation is to be done. |
[in] | db_map | DB_access_map used to fetch grantee's db access for SET ROLE |
[out] | restrictions | Fills the parameter with the generated DB_restrictions. |
|
protectednoexcept |
Check possible descrepancy between DB access being granted and existing restrictions.
For a given user account, if a privilege is present in:
[in] | grantee_db_access | Database access to be granted |
[in] | grantee_restrictions | Existing restriction |
[in] | db_name | Database information |
false | No collision detected |
true | Collision detected. Error raised. |
|
overrideprotectedvirtual |
Get list of privileges that are not restricted through restriction list.
[out] | rights | Bitmask of privileges to be processed further |
false | No privileges to be processed further |
true | Either restricted privileges were removed or nothing needs to be filtered |
Implements Restrictions_aggregator.
|
overridevirtual |
Driver function to aggregate restriction lists.
Validate first and then aggregate the restrictionss from combinations of grantor & grantee's restrictions, global access and grantee access.
We also perform dynamic cast here once and call method of respective derived classes. This way, derived classes do not have to override aggregate and perform similar dynamic casting before proceeding.
[out] | restrictions | Aggreatated restrictions for grantee |
false | Success |
true | Failure. Error would have been raised. |
Implements Restrictions_aggregator.
|
protected |
Fetches the grantee's DB access on the specified DB If security context of current user exists and has some active roles then probe the security context since current user must be grantee.
Otherwise, probe the usual ACL Cache.
[in] | db_name | Database name for which we need to fetch the DB level access. |
|
protected |
Fetches the grantee's DB access on the specified DB If security context of current user exists and has some active roles then probe the security context since current user must be grantee.
Otherwise, do not modify the access argument.
[in] | db_name | Database name for which we need to fetch the DB level access. |
[out] | access | Access on the specified DB. |
|
protectednoexcept |
Set privileges that needs to be processed further.
These privileges are not restricted through revocations. So caller can safely proceed with further operations
[in] | requested_access | Privilege bitmask to be checked |
[in] | restrictions_mask | Confirmed restrictions |
|
privatepure virtual |
|
protected |
Database restrictions for grantee.
|
protected |
Database restrictions for grantor.
|
protected |
Privileges that needs to be checked further through DB grants.
|
protected |
Security context of the current user.