24#ifndef PARTIAL_REVOKES_INCLUDED
25#define PARTIAL_REVOKES_INCLUDED
30#include <unordered_map>
58 virtual size_t size()
const = 0;
102 size_t size()
const override;
103 void clear()
override;
188 static std::unique_ptr<Restrictions_aggregator>
create(
189 THD *thd,
const ACL_USER *acl_user,
const char *db,
192 static std::unique_ptr<Restrictions_aggregator>
create(
300 const std::string &
db_name)
noexcept;
uint32_t Access_bitmask
Definition: auth_acls.h:34
std::map< std::string, Access_bitmask > Db_access_map
Definition: auth_internal.h:66
Definition: sql_auth_cache.h:246
Abstract class for ACL restrictions.
Definition: partial_revokes.h:53
virtual bool is_empty() const =0
virtual ~Abstract_restrictions()
Abstract restriction destructor.
virtual size_t size() const =0
Abstract_restrictions()
Abstract restriction constructor.
Storage container for default auth ids.
Definition: auth_common.h:1073
Restriction aggregator for GRANT statement over database privileges.
Definition: partial_revokes.h:406
Status validate() override
Validation function for database level grant statement.
Definition: partial_revokes.cc:1314
const Access_bitmask m_grantee_db_access
Grantee's database privileges.
Definition: partial_revokes.h:428
const std::string m_db_name
Target database of GRANT.
Definition: partial_revokes.h:434
void aggregate(DB_restrictions &restrictions) override
Aggregate restriction lists.
Definition: partial_revokes.cc:1344
const Access_bitmask m_grantor_db_access
Grantor's database privileges.
Definition: partial_revokes.h:425
DB_restrictions_aggregator_db_grant(const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const Access_bitmask grantor_db_access, const Access_bitmask grantee_db_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const Access_bitmask requested_access, bool is_grant_all, const std::string &db_name, const Security_context *sctx)
Constructor.
Definition: partial_revokes.cc:1293
const bool m_is_grant_all
Flag for GRANT ALL ON <db>.
Definition: partial_revokes.h:431
Restriction aggregator for REVOKE statement for database privileges.
Definition: partial_revokes.h:441
const Access_bitmask m_grantor_db_access
Grantor's database privileges.
Definition: partial_revokes.h:460
Status validate() override
Validation function for database level revoke statement.
Definition: partial_revokes.cc:1413
const std::string m_db_name
Target database of REVOKE.
Definition: partial_revokes.h:469
void aggregate(DB_restrictions &restrictions) override
Aggregate restriction lists.
Definition: partial_revokes.cc:1446
const Access_bitmask m_grantee_db_access
Grantee's database privileges.
Definition: partial_revokes.h:463
const bool m_is_revoke_all
Flag for GRANT ALL ON <db>.
Definition: partial_revokes.h:466
DB_restrictions_aggregator_db_revoke(const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const Access_bitmask grantor_db_access, const Access_bitmask grantee_db_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const Access_bitmask requested_access, bool is_revoke_all, const std::string &db_name, const Security_context *sctx)
Constructor.
Definition: partial_revokes.cc:1392
Restriction aggregator for GRANT statement for GLOBAL privileges.
Definition: partial_revokes.h:353
void aggregate(DB_restrictions &restrictions) override
Generates DB_restrictions based on the requested access, grantor and grantee's DB_restrictions in the...
Definition: partial_revokes.cc:1083
Status validate() override
Evaluates the restrictions list of grantor and grantee, as well as requested privilege.
Definition: partial_revokes.cc:1042
DB_restrictions_aggregator_global_grant(const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const Access_bitmask requested_access, const Security_context *sctx)
DB_restrictions_aggregator_global_grant constructor.
Definition: partial_revokes.cc:1018
Restriction aggregator for REVOKE statement over GLOBAL privileges.
Definition: partial_revokes.h:389
void aggregate(DB_restrictions &restrictions) override
Clear all the restrictions and changes the status of object to aggregated.
Definition: partial_revokes.cc:1270
Status validate() override
Validate restriction list for REVOKE ALL.
Definition: partial_revokes.cc:1243
DB_restrictions_aggregator_global_revoke_all(const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const Access_bitmask requested_access, const Security_context *sctx)
DB_restrictions_aggregator_global_revoke_all constructor.
Definition: partial_revokes.cc:1229
Definition: partial_revokes.h:368
Status validate_if_grantee_rl_not_empty()
If grantee restrictions_list is not empty then check the following.
Definition: partial_revokes.cc:1185
Status validate() override
Evaluates the restrictions list of grantor and grantee, as well as requested privilege.
Definition: partial_revokes.cc:1126
DB_restrictions_aggregator_global_revoke(const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const Access_bitmask requested_access, const Security_context *sctx)
DB_restrictions_aggregator_global_revoke constructor.
Definition: partial_revokes.cc:1103
void aggregate(DB_restrictions &restrictions) override
Definition: partial_revokes.cc:1161
Database restriction aggregator for SET ROLE statement.
Definition: partial_revokes.h:332
void aggregate(DB_restrictions &db_restrictions) override
Generates DB_restrictions based on the requested access, grantor and grantee's DB_restrictions in the...
Definition: partial_revokes.cc:971
Status validate() override
Evaluates the restrictions list of grantor and grantee, as well as requested privilege.
Definition: partial_revokes.cc:946
DB_restrictions_aggregator_set_role(const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const Access_bitmask requested_access, Db_access_map *db_map)
DB_restrictions_aggregator_set_role constructor.
Definition: partial_revokes.cc:921
Db_access_map * m_db_map
Definition: partial_revokes.h:346
Restriction aggregator for database restrictions.
Definition: partial_revokes.h:279
void aggregate_restrictions(SQL_OP sql_op, const Db_access_map *m_db_map, DB_restrictions &restrictions)
A helper method that aggregates the restrictions for global_grant and set_role operations since both ...
Definition: partial_revokes.cc:759
Access_bitmask get_grantee_db_access(const std::string &db_name) const
Fetches the grantee's DB access on the specified DB If security context of current user exists and ha...
Definition: partial_revokes.cc:877
virtual Status validate()=0
void set_if_db_level_operation(const Access_bitmask requested_access, const Access_bitmask restrictions_mask) noexcept
Set privileges that needs to be processed further.
Definition: partial_revokes.cc:720
DB_restrictions m_grantee_rl
Database restrictions for grantee.
Definition: partial_revokes.h:318
DB_restrictions m_grantor_rl
Database restrictions for grantor.
Definition: partial_revokes.h:315
bool find_if_require_next_level_operation(Access_bitmask &rights) const override
Get list of privileges that are not restricted through restriction list.
Definition: partial_revokes.cc:660
virtual void aggregate(DB_restrictions &restrictions)=0
const Security_context * m_sctx
Security context of the current user.
Definition: partial_revokes.h:321
SQL_OP
Definition: partial_revokes.h:304
DB_restrictions_aggregator(const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const Access_bitmask requested_access, const Security_context *sctx)
Constructor for database level restrictions aggregator.
Definition: partial_revokes.cc:608
bool check_db_access_and_restrictions_collision(const Access_bitmask grantee_db_access, const Access_bitmask grantee_restrictions, const std::string &db_name) noexcept
Check possible descrepancy between DB access being granted and existing restrictions.
Definition: partial_revokes.cc:694
bool generate(Abstract_restrictions &restrictions) override
Driver function to aggregate restriction lists.
Definition: partial_revokes.cc:637
Access_bitmask m_privs_not_processed
Privileges that needs to be checked further through DB grants.
Definition: partial_revokes.h:312
DB Restrictions representation in memory.
Definition: partial_revokes.h:82
const db_revocations & get() const
Definition: partial_revokes.h:125
void get_as_json(Json_array &restrictions_array) const
Serializer.
Definition: partial_revokes.cc:295
void clear() override
Clear restriction list.
Definition: partial_revokes.cc:285
size_t size() const override
Status function to get number of entries in restriction list.
Definition: partial_revokes.cc:279
bool find(const std::string &db_name, Access_bitmask &access) const
Get restricted access information for given database.
Definition: partial_revokes.cc:257
DB_restrictions & operator=(const DB_restrictions &restrictions)
Assignment operator.
Definition: partial_revokes.cc:77
bool is_empty() const override
Status function to check if restriction list is empty.
Definition: partial_revokes.cc:274
void copy_restrictions(const DB_restrictions &other)
Definition: partial_revokes.h:142
DB_restrictions()
DB Restrictions constructor.
Definition: partial_revokes.cc:58
db_revocations * m_restrictions
Database restrictions.
Definition: partial_revokes.h:122
db_revocations * create_restrictions_if_needed()
Definition: partial_revokes.h:130
void add(const std::string &db_name, const Access_bitmask revoke_privs)
Add given privileges as restricted for the database.
Definition: partial_revokes.cc:118
DB_restrictions(DB_restrictions &&restrictions)=delete
bool has_more_restrictions(const DB_restrictions &, Access_bitmask) const
Compare is two restriction list for given privileges.
Definition: partial_revokes.cc:322
db_revocations & db_restrictions()
Definition: partial_revokes.h:137
~DB_restrictions() override
Destructor.
Definition: partial_revokes.cc:70
db_revocations & operator()(void)
Definition: partial_revokes.h:87
bool operator==(const DB_restrictions &restrictions) const
Compare the two restrictions.
Definition: partial_revokes.cc:106
void remove(const std::string &db_name, const Access_bitmask revoke_privs)
Remove given set of privilegs for a database from restriction list.
Definition: partial_revokes.cc:203
Represents a JSON array container, i.e.
Definition: json_dom.h:520
Represents a JSON container value of type "object" (ECMA), type J_OBJECT here.
Definition: json_dom.h:373
Factory class that solely creates an object of type Restrictions_aggregator.
Definition: partial_revokes.h:186
static Access_bitmask fetch_grantor_db_access(THD *thd, const char *db)
Returns the privileges granted on the DB to the grantor.
Definition: partial_revokes.cc:515
static Access_bitmask fetch_grantee_db_access(THD *thd, const ACL_USER *acl_user, const char *db)
Returns the privileges granted on the DB to the grantee.
Definition: partial_revokes.cc:532
static void fetch_grantee_access(const ACL_USER *grantee, Access_bitmask &access, Restrictions &restrictions)
Definition: partial_revokes.cc:555
static std::unique_ptr< Restrictions_aggregator > create(THD *thd, const ACL_USER *acl_user, const char *db, const Access_bitmask rights, bool is_grant_revoke_all_on_db)
A factory method that creates objects from Restrictions_aggregator hierarchy.
Definition: partial_revokes.cc:376
static void fetch_grantor_access(const Security_context *sctx, const char *db, Access_bitmask &global_access, Restrictions &restrictions)
Returns the privileges and restrictions:
Definition: partial_revokes.cc:546
static Auth_id fetch_grantee(const ACL_USER *acl_user)
Returns the grantee's user name and host info.
Definition: partial_revokes.cc:497
static Auth_id fetch_grantor(const Security_context *sctx)
Returns the grantor user name and host id.
Definition: partial_revokes.cc:480
Base class to perform aggregation of two restriction lists.
Definition: partial_revokes.h:233
const Access_bitmask m_requested_access
Privileges that are being granted or revoked.
Definition: partial_revokes.h:267
Restrictions_aggregator(const Restrictions_aggregator &&)=delete
Restrictions_aggregator & operator=(const Restrictions_aggregator &)=delete
virtual ~Restrictions_aggregator()
Destructor.
const Access_bitmask m_grantor_global_access
Global static privileges of grantor.
Definition: partial_revokes.h:261
Restrictions_aggregator(const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const Access_bitmask requested_access)
Constructor.
Definition: partial_revokes.cc:573
Restrictions_aggregator(const Restrictions_aggregator &)=delete
const Access_bitmask m_grantee_global_access
Global static privileges of grantee.
Definition: partial_revokes.h:264
Status m_status
Internal status of aggregation process.
Definition: partial_revokes.h:270
Restrictions_aggregator & operator=(const Restrictions_aggregator &&)=delete
virtual bool generate(Abstract_restrictions &restrictions)=0
const Auth_id m_grantee
Grantee information.
Definition: partial_revokes.h:258
virtual bool find_if_require_next_level_operation(Access_bitmask &rights) const =0
const Auth_id m_grantor
Grantor information.
Definition: partial_revokes.h:255
Status
Definition: partial_revokes.h:252
Container of all restrictions for a given user.
Definition: partial_revokes.h:155
Restrictions & operator=(const Restrictions &)
Assignment operator for Restrictions.
Definition: partial_revokes.cc:1490
void set_db(const DB_restrictions &db_restrictions)
Set given database restrictions.
Definition: partial_revokes.cc:1515
~Restrictions()
Destructor.
Definition: partial_revokes.cc:1481
Restrictions()
Constructor for Restrictions.
Definition: partial_revokes.cc:1478
void clear_db()
Clear database restrictions.
Definition: partial_revokes.cc:1520
const DB_restrictions & db() const
Get database restrictions.
Definition: partial_revokes.cc:1512
Restrictions(const Restrictions &)=default
DB_restrictions m_db_restrictions
Database restrictions.
Definition: partial_revokes.h:174
bool has_more_db_restrictions(const Restrictions &, Access_bitmask)
Definition: partial_revokes.cc:1506
bool is_empty() const
Return if restrictions are empty or not.
Definition: partial_revokes.cc:1523
A set of THD members describing the current authenticated user.
Definition: sql_security_ctx.h:55
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_lexer_thd.h:34
Various macros useful for communicating with memory debuggers, such as Valgrind.
Some integer typedefs for easier portability.
const char * db_name
Definition: rules_table_service.cc:55
std::unordered_map< std::string, Access_bitmask > db_revocations
Definition: partial_revokes.h:47