MySQL 8.0.40
Source Code Documentation
auth_internal.h
Go to the documentation of this file.
1/* Copyright (c) 2000, 2024, Oracle and/or its affiliates.
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License, version 2.0,
5 as published by the Free Software Foundation.
6
7 This program is designed to work with certain software (including
8 but not limited to OpenSSL) that is licensed under separate terms,
9 as designated in a particular file or component or in included license
10 documentation. The authors of MySQL hereby grant you an additional
11 permission to link the program and your derivative works with the
12 separately licensed software that they have either included with
13 the program or referenced in the documentation.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License, version 2.0, for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
23/* Internals */
24
25#ifndef AUTH_INTERNAL_INCLUDED
26#define AUTH_INTERNAL_INCLUDED
27
28#include <map>
29#include <set>
30#include <string>
31#include <unordered_map>
32#include <unordered_set>
33
34#include "mysql_time.h" /* MYSQL_TIME */
38#include "sql/auth/sql_mfa.h" /* I_multi_factor_auth */
39#include "sql/auth/user_table.h"
40#include "sql/sql_audit.h"
41#include "sql/table.h"
42#include "violite.h" /* SSL_type */
43
44class ACL_USER;
45class ACL_PROXY_USER;
46class GRANT_NAME;
47class GRANT_TABLE;
48class GRANT_COLUMN;
49class Json_object;
50class Json_wrapper;
51class Restrictions;
52struct TABLE;
53class Rewrite_params;
54
56void append_identifier(const THD *thd, String *packet, const char *name,
57 size_t length);
58typedef std::map<std::string, Access_bitmask> Column_map;
64};
65typedef std::map<std::string, Access_bitmask> SP_access_map;
66typedef std::map<std::string, Access_bitmask> Db_access_map;
67typedef std::map<std::string, Grant_table_aggregate> Table_access_map_storage;
69 public:
71
72 typedef Table_access_map_storage::iterator iterator;
74 typedef Table_access_map_storage::mapped_type mapped_type;
76 return m_values[key];
77 }
78 iterator begin() { return m_values.begin(); }
79 iterator end() { return m_values.end(); }
81 return m_values.find(key);
82 }
83 void set_thd(THD *thd) { m_thd = thd; }
84 THD *get_thd() { return m_thd; }
85
86 private:
89};
90typedef std::unordered_set<std::string> Grant_acl_set;
91
92std::string create_authid_str_from(const LEX_USER *user);
93std::string create_authid_str_from(const ACL_USER *user);
94std::string create_authid_str_from(const Auth_id_ref &user);
97
98std::string get_one_priv(Access_bitmask &revoke_privs);
99/* sql_authentication */
106class Auth_id;
107template <typename K, typename V>
108class Map_with_rw_lock;
110
112bool auth_plugin_is_built_in(const char *plugin_name);
114
116 GRANT_INTERNAL_INFO *grant_internal_info, const char *schema_name,
117 const char *table_name);
118
119/* sql_auth_cache */
120ulong get_sort(uint count, ...);
123
124/*sql_authentication */
126
127/* sql_auth_cache */
128void rebuild_check_host(void);
129ACL_USER *find_acl_user(const char *host, const char *user, bool exact);
130ACL_PROXY_USER *acl_find_proxy_user(const char *user, const char *host,
131 const char *ip, char *authenticated_as,
132 bool *proxy_used);
134
135void acl_update_user(const char *user, const char *host, enum SSL_type ssl_type,
136 const char *ssl_cipher, const char *x509_issuer,
137 const char *x509_subject, USER_RESOURCES *mqh,
138 Access_bitmask privileges, const LEX_CSTRING &plugin,
139 const LEX_CSTRING &auth, const std::string &second_auth,
140 const MYSQL_TIME &password_change_time,
141 const LEX_ALTER &password_life, Restrictions &restrictions,
143 uint failed_login_attempts, int password_lock_time,
144 const I_multi_factor_auth *mfa);
145void acl_users_add_one(const char *user, const char *host,
146 enum SSL_type ssl_type, const char *ssl_cipher,
147 const char *x509_issuer, const char *x509_subject,
148 USER_RESOURCES *mqh, Access_bitmask privileges,
149 const LEX_CSTRING &plugin, const LEX_CSTRING &auth,
150 const LEX_CSTRING &second_auth,
151 const MYSQL_TIME &password_change_time,
152 const LEX_ALTER &password_life, bool add_role_vertex,
154 int password_lock_time, const I_multi_factor_auth *mfa,
155 THD *thd [[maybe_unused]]);
156void acl_insert_user(THD *thd, const char *user, const char *host,
157 enum SSL_type ssl_type, const char *ssl_cipher,
158 const char *x509_issuer, const char *x509_subject,
159 USER_RESOURCES *mqh, Access_bitmask privileges,
160 const LEX_CSTRING &plugin, const LEX_CSTRING &auth,
161 const MYSQL_TIME &password_change_time,
162 const LEX_ALTER &password_life, Restrictions &restrictions,
163 uint failed_login_attempts, int password_lock_time,
164 const I_multi_factor_auth *mfa);
165void acl_update_proxy_user(ACL_PROXY_USER *new_value, bool is_revoke);
166void acl_update_db(const char *user, const char *host, const char *db,
167 Access_bitmask privileges);
168void acl_insert_db(const char *user, const char *host, const char *db,
169 Access_bitmask privileges);
170bool update_sctx_cache(Security_context *sctx, ACL_USER *acl_user_ptr,
171 bool expired);
172
173bool do_update_sctx(Security_context *sctx, LEX_USER *from_user);
174void update_sctx(Security_context *sctx, LEX_USER *to_user);
175
177bool acl_reload(THD *thd, bool mdl_locked);
178bool grant_reload(THD *thd, bool mdl_locked);
179void clean_user_cache();
180bool set_user_salt(ACL_USER *acl_user);
181void append_auth_id(const THD *thd, ACL_USER *acl_user, String *str);
182
183/* sql_user_table */
184Access_bitmask get_access(TABLE *form, uint fieldnr, uint *next_field);
185int replace_db_table(THD *thd, TABLE *table, const char *db,
186 const LEX_USER &combo, Access_bitmask rights,
187 bool revoke_grant);
188int replace_proxies_priv_table(THD *thd, TABLE *table, const LEX_USER *user,
189 const LEX_USER *proxied_user,
190 bool with_grant_arg, bool revoke_grant);
191int replace_column_table(THD *thd, GRANT_TABLE *g_t, TABLE *table,
192 const LEX_USER &combo, List<LEX_COLUMN> &columns,
193 const char *db, const char *table_name,
194 Access_bitmask rights, bool revoke_grant);
195int replace_table_table(THD *thd, GRANT_TABLE *grant_table,
197 *deleted_grant_table,
198 TABLE *table, const LEX_USER &combo, const char *db,
199 const char *table_name, Access_bitmask rights,
200 Access_bitmask col_rights, bool revoke_grant);
201int replace_routine_table(THD *thd, GRANT_NAME *grant_name, TABLE *table,
202 const LEX_USER &combo, const char *db,
203 const char *routine_name, bool is_proc,
204 Access_bitmask rights, bool revoke_grant);
205int open_grant_tables(THD *thd, Table_ref *tables, bool *transactional_tables);
207
208void acl_print_ha_error(int handler_error);
210bool log_and_commit_acl_ddl(THD *thd, bool transactional_tables,
211 std::set<LEX_USER *> *extra_users = nullptr,
212 Rewrite_params *rewrite_params = nullptr,
213 bool extra_error = false,
214 bool log_to_binlog = true);
215void acl_notify_htons(THD *thd, enum_sql_command operation,
216 const List<LEX_USER> *users,
217 std::set<LEX_USER *> *rewrite_users = nullptr,
218 const List<LEX_CSTRING> *dynamic_privs = nullptr);
219
220/* sql_authorization */
222void rebuild_vertex_index(THD *thd);
223void default_roles_init(void);
224void default_roles_delete(void);
225void roles_graph_init(void);
226void roles_graph_delete(void);
227void roles_init(void);
228void roles_delete(void);
229void dynamic_privileges_init(void);
231bool grant_dynamic_privilege(const LEX_CSTRING &str_priv,
232 const LEX_CSTRING &str_user,
233 const LEX_CSTRING &str_host,
234 bool with_grant_option,
236bool revoke_dynamic_privilege(const LEX_CSTRING &str_priv,
237 const LEX_CSTRING &str_user,
238 const LEX_CSTRING &str_host,
239 Update_dynamic_privilege_table &update_table);
241 const LEX_CSTRING &host,
243bool rename_dynamic_grant(const LEX_CSTRING &old_user,
244 const LEX_CSTRING &old_host,
245 const LEX_CSTRING &new_user,
246 const LEX_CSTRING &new_host,
247 Update_dynamic_privilege_table &update_table);
249 const LEX_CSTRING &str_user, const LEX_CSTRING &str_host,
252 const LEX_CSTRING &str_user, const LEX_CSTRING &str_host,
255 const Role_id &id, const std::vector<std::string> &priv_list);
257 const Role_id &id, const std::vector<std::string> &priv_list);
258bool operator==(const Role_id &a, const Auth_id_ref &b);
259bool operator==(const Auth_id_ref &a, const Role_id &b);
260bool operator==(const std::pair<const Role_id, Role_id> &a,
261 const Auth_id_ref &b);
262bool operator==(const Role_id &a, const Role_id &b);
263bool operator==(std::pair<const Role_id, std::pair<std::string, bool>> &a,
264 const std::string &b);
265typedef std::vector<std::pair<Role_id, bool>> List_of_granted_roles;
266
268 std::size_t operator()(const Role_id &k) const {
269 using std::hash;
270 using std::size_t;
271 using std::string;
272 return ((hash<string>()(k.user()) ^ (hash<string>()(k.host()) << 1)) >> 1);
273 }
274};
275
276typedef std::unordered_multimap<Role_id, Role_id, role_id_hash> Default_roles;
277typedef std::map<std::string, bool> Dynamic_privileges;
278
280 ACL_USER *acl_user, const List_of_auth_id_refs *using_roles,
281 Access_bitmask *access, Db_access_map *db_map, Db_access_map *db_wild_map,
283 List_of_granted_roles *granted_roles, Grant_acl_set *with_admin_acl,
284 Dynamic_privileges *dynamic_acl, Restrictions &restrictions);
285bool clear_default_roles(THD *thd, TABLE *table,
286 const Auth_id_ref &user_auth_id,
287 std::vector<Role_id> *default_roles);
289bool drop_default_role_policy(THD *thd, TABLE *table,
290 const Auth_id_ref &default_role_policy,
291 const Auth_id_ref &user);
292void revoke_role(THD *thd, ACL_USER *role, ACL_USER *user);
293bool revoke_all_roles_from_user(THD *thd, TABLE *edge_table,
294 TABLE *defaults_table, LEX_USER *user);
295bool drop_role(THD *thd, TABLE *edge_table, TABLE *defaults_table,
296 const Auth_id_ref &authid_user);
297bool modify_role_edges_in_table(THD *thd, TABLE *table,
298 const Auth_id_ref &from_user,
299 const Auth_id_ref &to_user,
300 bool with_admin_option, bool delete_option);
303 const LEX_CSTRING &host);
304bool roles_rename_authid(THD *thd, TABLE *edge_table, TABLE *defaults_table,
305 LEX_USER *user_from, LEX_USER *user_to);
307 THD *thd, LEX_USER *Str, acl_table::Pod_user_what_to_update &what_to_set,
308 bool is_privileged_user, bool is_role, Table_ref *history_table,
309 bool *history_check_done, const char *cmd, Userhostpassword_list &,
310 I_multi_factor_auth **mfa = nullptr, bool if_not_exists = false);
311typedef std::pair<std::string, bool> Grant_privilege;
312typedef std::unordered_multimap<Role_id, Grant_privilege, role_id_hash>
317bool populate_roles_caches(THD *thd, Table_ref *tablelst);
318void grant_role(ACL_USER *role, const ACL_USER *user, bool with_admin_opt);
319void get_mandatory_roles(std::vector<Role_id> *mandatory_roles);
320extern std::vector<Role_id> *g_mandatory_roles;
321void create_role_vertex(ACL_USER *role_acl_user);
322void activate_all_granted_roles(const ACL_USER *acl_user,
323 Security_context *sctx);
325 Security_context *sctx);
326
328 const List_of_auth_id_refs &new_auth_ids);
329
330bool alter_user_set_default_roles_all(THD *thd, TABLE *def_role_table,
331 LEX_USER *user);
332/*
333 Checks if any of the users has SYSTEM_USER privilege then current user
334 must also have SYSTEM_USER privilege.
335 It is a wrapper over the Privilege_checker class that does
336 privilege checks for one user at a time.
337*/
339
342 String *metadata_str,
343 TABLE *table,
344 bool mode_no_backslash);
346bool report_missing_user_grant_message(THD *thd, bool user_exists,
347 const char *user, const char *host,
348 const char *object_name, int err_code);
349#endif /* AUTH_INTERNAL_INCLUDED */
uint32_t Access_bitmask
Definition: auth_acls.h:34
std::pair< LEX_CSTRING, LEX_CSTRING > Auth_id_ref
user, host tuple which reference either acl_cache or g_default_roles
Definition: auth_common.h:80
std::vector< Auth_id_ref > List_of_auth_id_refs
Definition: auth_common.h:81
std::list< random_password_info > Userhostpassword_list
Definition: auth_common.h:1131
bool revoke_dynamic_privilege(const LEX_CSTRING &str_priv, const LEX_CSTRING &str_user, const LEX_CSTRING &str_host, Update_dynamic_privilege_table &update_table)
Revoke one privilege from one user.
Definition: sql_authorization.cc:7033
bool operator==(const Role_id &a, const Auth_id_ref &b)
Definition: sql_authorization.cc:7458
std::map< std::string, Access_bitmask > SP_access_map
Definition: auth_internal.h:65
void rebuild_check_host(void)
Definition: sql_auth_cache.cc:1471
bool assert_acl_cache_read_lock(THD *thd)
Assert that thread owns MDL_SHARED on partition specific to the thread.
Definition: sql_auth_cache.cc:3612
std::map< std::string, Access_bitmask > Db_access_map
Definition: auth_internal.h:66
void acl_update_user(const char *user, const char *host, enum SSL_type ssl_type, const char *ssl_cipher, const char *x509_issuer, const char *x509_subject, USER_RESOURCES *mqh, Access_bitmask privileges, const LEX_CSTRING &plugin, const LEX_CSTRING &auth, const std::string &second_auth, const MYSQL_TIME &password_change_time, const LEX_ALTER &password_life, Restrictions &restrictions, acl_table::Pod_user_what_to_update &what_to_update, uint failed_login_attempts, int password_lock_time, const I_multi_factor_auth *mfa)
Definition: sql_auth_cache.cc:2724
std::vector< Role_id > * g_mandatory_roles
Definition: sql_auth_cache.cc:136
std::map< std::string, bool > Dynamic_privileges
Definition: auth_internal.h:277
void revoke_role(THD *thd, ACL_USER *role, ACL_USER *user)
Used by mysql_revoke_role() for revoking a specified role from a specified user.
Definition: sql_authorization.cc:572
void clean_user_cache()
Definition: sql_auth_cache.cc:1808
void get_granted_roles(LEX_USER *user, List_of_granted_roles *granted_roles)
This is a convenience function.
Definition: sql_authorization.cc:6230
User_to_dynamic_privileges_map * get_dynamic_privileges_map()
Definition: sql_authorization.cc:7200
void acl_update_db(const char *user, const char *host, const char *db, Access_bitmask privileges)
Definition: sql_auth_cache.cc:3045
bool revoke_grant_option_for_all_dynamic_privileges(const LEX_CSTRING &str_user, const LEX_CSTRING &str_host, Update_dynamic_privilege_table &func)
Revoke grant option to one user for all dynamic privileges.
Definition: sql_authorization.cc:6939
bool drop_default_role_policy(THD *thd, TABLE *table, const Auth_id_ref &default_role_policy, const Auth_id_ref &user)
Drop a specific default role policy given the role- and user names.
Definition: sql_authorization.cc:6374
void roles_graph_delete(void)
Delete the ACL role graph artifacts.
Definition: sql_authorization.cc:7168
void acl_print_ha_error(int handler_error)
Take a handler error and generate the mysql error ER_ACL_OPERATION_FAILED containing original text of...
Definition: sql_user_table.cc:790
bool update_sctx_cache(Security_context *sctx, ACL_USER *acl_user_ptr, bool expired)
Update the security context when updating the user.
Definition: sql_auth_cache.cc:3124
void roles_init(void)
Initialize the roles caches that consist of the role graphs related artifacts and default role map.
Definition: sql_authorization.cc:7178
Rsa_authentication_keys * g_sha256_rsa_keys
Definition: sql_authentication.cc:1143
bool acl_reload(THD *thd, bool mdl_locked)
Definition: sql_auth_cache.cc:2154
int open_grant_tables(THD *thd, Table_ref *tables, bool *transactional_tables)
Open the grant tables.
Definition: sql_user_table.cc:1963
void grant_role(ACL_USER *role, const ACL_USER *user, bool with_admin_opt)
Grants a single role to a single user.
Definition: sql_authorization.cc:798
void acl_users_add_one(const char *user, const char *host, enum SSL_type ssl_type, const char *ssl_cipher, const char *x509_issuer, const char *x509_subject, USER_RESOURCES *mqh, Access_bitmask privileges, const LEX_CSTRING &plugin, const LEX_CSTRING &auth, const LEX_CSTRING &second_auth, const MYSQL_TIME &password_change_time, const LEX_ALTER &password_life, bool add_role_vertex, Restrictions &restrictions, uint failed_login_attempts, int password_lock_time, const I_multi_factor_auth *mfa, THD *thd)
Definition: sql_auth_cache.cc:2885
bool grant_reload(THD *thd, bool mdl_locked)
Reload information about table and column level privileges if possible.
Definition: sql_auth_cache.cc:2645
bool assert_acl_cache_write_lock(THD *thd)
Assert that thread owns MDL_EXCLUSIVE on all partitions.
Definition: sql_auth_cache.cc:3627
void rebuild_vertex_index(THD *thd)
Since the gap in the vertex vector was removed all the vertex descriptors has changed.
Definition: sql_authorization.cc:588
int replace_db_table(THD *thd, TABLE *table, const char *db, const LEX_USER &combo, Access_bitmask rights, bool revoke_grant)
change grants in the mysql.db table.
Definition: sql_user_table.cc:816
Auth_id_ref create_authid_from(const LEX_USER *user)
Definition: sql_authorization.cc:6640
std::map< std::string, Access_bitmask > Column_map
Definition: auth_internal.h:58
User_to_dynamic_privileges_map * swap_dynamic_privileges_map(User_to_dynamic_privileges_map *map)
Definition: sql_authorization.cc:7208
void get_mandatory_roles(std::vector< Role_id > *mandatory_roles)
Definition: sql_authorization.cc:7282
Map_with_rw_lock< Auth_id, uint > * unknown_accounts
Hash to map unknown accounts to an authentication plugin.
Definition: sql_authentication.cc:995
void clear_and_init_db_cache()
Definition: sql_auth_cache.cc:1299
void acl_update_proxy_user(ACL_PROXY_USER *new_value, bool is_revoke)
Definition: sql_auth_cache.cc:3027
const ACL_internal_table_access * get_cached_table_access(GRANT_INTERNAL_INFO *grant_internal_info, const char *schema_name, const char *table_name)
Get a cached internal table access.
Definition: sql_authorization.cc:1646
bool modify_role_edges_in_table(THD *thd, TABLE *table, const Auth_id_ref &from_user, const Auth_id_ref &to_user, bool with_admin_option, bool delete_option)
Definition: role_tables.cc:76
std::unordered_multimap< Role_id, Grant_privilege, role_id_hash > User_to_dynamic_privileges_map
Definition: auth_internal.h:313
int replace_proxies_priv_table(THD *thd, TABLE *table, const LEX_USER *user, const LEX_USER *proxied_user, bool with_grant_arg, bool revoke_grant)
Insert, update or remove a record in the mysql.proxies_priv table.
Definition: sql_user_table.cc:957
void create_role_vertex(ACL_USER *role_acl_user)
Helper function for create_roles_vertices.
Definition: sql_authorization.cc:853
void roles_graph_init(void)
Initialize the roles graph artifacts.
Definition: sql_authorization.cc:7160
ACL_USER * find_acl_user(const char *host, const char *user, bool exact)
Definition: sql_auth_cache.cc:1170
std::vector< std::pair< Role_id, bool > > List_of_granted_roles
Definition: auth_internal.h:265
bool clear_default_roles(THD *thd, TABLE *table, const Auth_id_ref &user_auth_id, std::vector< Role_id > *default_roles)
Removes all default role policies assigned to user.
Definition: sql_authorization.cc:6338
bool set_and_validate_user_attributes(THD *thd, LEX_USER *Str, acl_table::Pod_user_what_to_update &what_to_set, bool is_privileged_user, bool is_role, Table_ref *history_table, bool *history_check_done, const char *cmd, Userhostpassword_list &, I_multi_factor_auth **mfa=nullptr, bool if_not_exists=false)
This function does following:
Definition: sql_user.cc:1269
bool alter_user_set_default_roles_all(THD *thd, TABLE *def_role_table, LEX_USER *user)
Set all granted role as default roles.
Definition: sql_authorization.cc:6543
int replace_column_table(THD *thd, GRANT_TABLE *g_t, TABLE *table, const LEX_USER &combo, List< LEX_COLUMN > &columns, const char *db, const char *table_name, Access_bitmask rights, bool revoke_grant)
Update record in the table mysql.columns_priv.
Definition: sql_user_table.cc:1113
char * caching_sha2_rsa_private_key_path
Definition: sha2_password.cc:75
void acl_insert_proxy_user(ACL_PROXY_USER *new_value)
Definition: sql_auth_cache.cc:2306
bool alter_user_set_default_roles(THD *thd, TABLE *table, LEX_USER *user, const List_of_auth_id_refs &new_auth_ids)
Set the default roles for a particular user.
Definition: sql_authorization.cc:6588
bool set_user_salt(ACL_USER *acl_user)
Convert scrambled password to binary form, according to scramble type, Binary form is stored in user....
Definition: sql_auth_cache.cc:1618
void get_privilege_access_maps(ACL_USER *acl_user, const List_of_auth_id_refs *using_roles, Access_bitmask *access, Db_access_map *db_map, Db_access_map *db_wild_map, Table_access_map *table_map, SP_access_map *sp_map, SP_access_map *func_map, List_of_granted_roles *granted_roles, Grant_acl_set *with_admin_acl, Dynamic_privileges *dynamic_acl, Restrictions &restrictions)
Definition: sql_authorization.cc:4645
bool caching_sha2_auto_generate_rsa_keys
Definition: sha2_password.cc:81
std::string create_authid_str_from(const LEX_USER *user)
Helper used for producing a key to a key-value-map.
Definition: sql_authorization.cc:6632
bool rename_dynamic_grant(const LEX_CSTRING &old_user, const LEX_CSTRING &old_host, const LEX_CSTRING &new_user, const LEX_CSTRING &new_host, Update_dynamic_privilege_table &update_table)
Definition: sql_authorization.cc:7095
void acl_tables_setup_for_read(Table_ref *tables)
Setup ACL tables to be opened in read mode.
Definition: sql_user_table.cc:1743
void activate_all_granted_and_mandatory_roles(const ACL_USER *acl_user, Security_context *sctx)
Definition: sql_authorization.cc:6216
void default_roles_init(void)
Initialize the default role map that keeps the content from the default_roles table.
Definition: sql_authorization.cc:7150
void acl_insert_db(const char *user, const char *host, const char *db, Access_bitmask privileges)
Definition: sql_auth_cache.cc:3084
int replace_routine_table(THD *thd, GRANT_NAME *grant_name, TABLE *table, const LEX_USER &combo, const char *db, const char *routine_name, bool is_proc, Access_bitmask rights, bool revoke_grant)
Search and create/update a record for the routine requested.
Definition: sql_user_table.cc:1558
std::string get_one_priv(Access_bitmask &revoke_privs)
Converts privilege represented by LSB to string.
Definition: auth_common.cc:136
Access_bitmask get_access(TABLE *form, uint fieldnr, uint *next_field)
Definition: sql_user_table.cc:550
bool check_engine_type_for_acl_table(Table_ref *tables, bool report_error)
Check that every ACL table has a supported storage engine (InnoDB).
Definition: sql_user_table.cc:2186
void activate_all_granted_roles(const ACL_USER *acl_user, Security_context *sctx)
Activates all roles granted to the auth_id.
Definition: sql_authorization.cc:6187
bool report_missing_user_grant_message(THD *thd, bool user_exists, const char *user, const char *host, const char *object_name, int err_code)
Helper method to check if warning or error should be reported based on:
Definition: sql_authorization.cc:2584
ulong get_sort(uint count,...)
Definition: sql_auth_cache.cc:808
void optimize_plugin_compare_by_pointer(LEX_CSTRING *plugin_name)
Definition: sql_authentication.cc:1382
void update_sctx(Security_context *sctx, LEX_USER *to_user)
Definition: sql_authorization.cc:7535
bool auth_plugin_supports_expiration(const char *plugin_name)
Only the plugins that are known to use the mysql.user table to store their passwords support password...
Definition: sql_authentication.cc:1442
void append_auth_id(const THD *thd, ACL_USER *acl_user, String *str)
Append the authorization id for the user.
Definition: sql_auth_cache.cc:694
bool do_update_sctx(Security_context *sctx, LEX_USER *from_user)
Checks if current user needs to be changed in case it is same as the LEX_USER.
Definition: sql_authorization.cc:7516
void revoke_dynamic_privileges_from_auth_id(const Role_id &id, const std::vector< std::string > &priv_list)
Revoke dynamic privielges from in memory internal auth id.
Definition: sql_authorization.cc:7007
ACL_PROXY_USER * acl_find_proxy_user(const char *user, const char *host, const char *ip, char *authenticated_as, bool *proxy_used)
Validate if a user can proxy as another user.
Definition: sql_auth_cache.cc:1243
std::pair< std::string, bool > Grant_privilege
Definition: auth_internal.h:311
std::map< std::string, Grant_table_aggregate > Table_access_map_storage
Definition: auth_internal.h:67
int replace_table_table(THD *thd, GRANT_TABLE *grant_table, std::unique_ptr< GRANT_TABLE, Destroy_only< GRANT_TABLE > > *deleted_grant_table, TABLE *table, const LEX_USER &combo, const char *db, const char *table_name, Access_bitmask rights, Access_bitmask col_rights, bool revoke_grant)
Search and create/update a record for requested table privileges.
Definition: sql_user_table.cc:1390
void dynamic_privileges_delete(void)
Definition: sql_authorization.cc:7195
bool drop_role(THD *thd, TABLE *edge_table, TABLE *defaults_table, const Auth_id_ref &authid_user)
Definition: sql_authorization.cc:609
bool revoke_all_roles_from_user(THD *thd, TABLE *edge_table, TABLE *defaults_table, LEX_USER *user)
Used by mysql_drop_user.
Definition: sql_authorization.cc:720
char * caching_sha2_rsa_public_key_path
Definition: sha2_password.cc:80
Rsa_authentication_keys * g_caching_sha2_rsa_keys
Definition: sha2_password.cc:82
bool revoke_all_dynamic_privileges(const LEX_CSTRING &user, const LEX_CSTRING &host, Update_dynamic_privilege_table &func)
Revoke all dynamic global privileges.
Definition: sql_authorization.cc:7074
bool log_and_commit_acl_ddl(THD *thd, bool transactional_tables, std::set< LEX_USER * > *extra_users=nullptr, Rewrite_params *rewrite_params=nullptr, bool extra_error=false, bool log_to_binlog=true)
Definition: sql_user_table.cc:684
std::unordered_set< std::string > Grant_acl_set
Definition: auth_internal.h:90
void roles_delete(void)
Delete the role caches.
Definition: sql_authorization.cc:7186
bool check_system_user_privilege(THD *thd, List< LEX_USER > list)
Checks if any of the users has SYSTEM_USER privilege then current user must also have SYSTEM_USER pri...
Definition: sql_authorization.cc:7575
bool grant_dynamic_privilege(const LEX_CSTRING &str_priv, const LEX_CSTRING &str_user, const LEX_CSTRING &str_host, bool with_grant_option, Update_dynamic_privilege_table &func)
Grant one privilege to one user.
Definition: sql_authorization.cc:6833
std::unordered_multimap< Role_id, Role_id, role_id_hash > Default_roles
Definition: auth_internal.h:276
bool populate_roles_caches(THD *thd, Table_ref *tablelst)
Definition: role_tables.cc:200
bool is_privileged_user_for_credential_change(THD *thd)
Definition: sql_authorization.cc:5874
bool read_user_application_user_metadata_from_table(LEX_CSTRING user, LEX_CSTRING host, String *metadata_str, TABLE *table, bool mode_no_backslash)
Helper function for recreating the CREATE USER statement when an SHOW CREATE USER statement is issued...
Definition: acl_table_user.cc:2354
void acl_insert_user(THD *thd, const char *user, const char *host, enum SSL_type ssl_type, const char *ssl_cipher, const char *x509_issuer, const char *x509_subject, USER_RESOURCES *mqh, Access_bitmask privileges, const LEX_CSTRING &plugin, const LEX_CSTRING &auth, const MYSQL_TIME &password_change_time, const LEX_ALTER &password_life, Restrictions &restrictions, uint failed_login_attempts, int password_lock_time, const I_multi_factor_auth *mfa)
Definition: sql_auth_cache.cc:2998
bool grant_dynamic_privileges_to_auth_id(const Role_id &id, const std::vector< std::string > &priv_list)
Grant needed dynamic privielges to in memory internal auth id.
Definition: sql_authorization.cc:6984
void dynamic_privileges_init(void)
Definition: sql_authorization.cc:7191
void default_roles_delete(void)
Delete the default role instance.
Definition: sql_authorization.cc:7155
bool roles_rename_authid(THD *thd, TABLE *edge_table, TABLE *defaults_table, LEX_USER *user_from, LEX_USER *user_to)
Renames a user in the mysql.role_edge and the mysql.default_roles tables.
Definition: sql_authorization.cc:888
bool is_expected_or_transient_error(THD *thd)
Small helper function which allows to determine if error which caused failure to open and lock privil...
Definition: sql_auth_cache.cc:2129
bool sha256_rsa_auth_status()
Check if server has valid public key/private key pair for RSA communication.
Definition: sql_authentication.cc:2395
void append_identifier(const THD *thd, String *packet, const char *name, size_t length)
Definition: sql_show.cc:1605
bool auth_plugin_is_built_in(const char *plugin_name)
Definition: sql_authentication.cc:1428
bool grant_grant_option_for_all_dynamic_privileges(const LEX_CSTRING &str_user, const LEX_CSTRING &str_host, Update_dynamic_privilege_table &func)
Grant grant option to one user for all dynamic privileges.
Definition: sql_authorization.cc:6889
void acl_notify_htons(THD *thd, enum_sql_command operation, const List< LEX_USER > *users, std::set< LEX_USER * > *rewrite_users=nullptr, const List< LEX_CSTRING > *dynamic_privs=nullptr)
Definition: sql_user_table.cc:585
Definition: sql_auth_cache.h:355
Definition: sql_auth_cache.h:247
Per internal table ACL access rules.
Definition: auth_common.h:107
Storage container for default auth ids.
Definition: auth_common.h:1073
const std::string & host() const
Definition: auth_common.cc:125
const std::string & user() const
Definition: auth_common.cc:124
Definition: my_alloc.h:482
Definition: sql_auth_cache.h:440
Definition: sql_auth_cache.h:447
Definition: sql_auth_cache.h:465
An interface to access information about Multi factor authentication methods.
Definition: sql_mfa.h:45
Represents a JSON container value of type "object" (ECMA), type J_OBJECT here.
Definition: json_dom.h:373
Abstraction for accessing JSON values irrespective of whether they are (started out as) binary JSON v...
Definition: json_dom.h:1161
Definition: sql_list.h:434
Map with RWLock protections.
Definition: auth_utility.h:37
Container of all restrictions for a given user.
Definition: partial_revokes.h:155
An interface to wrap the parameters required by specific Rewriter.
Definition: sql_rewrite.h:52
Definition: sql_authentication.h:104
A set of THD members describing the current authenticated user.
Definition: sql_security_ctx.h:55
Using this class is fraught with peril, and you need to be very careful when doing so.
Definition: sql_string.h:168
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_lexer_thd.h:34
Definition: auth_internal.h:68
Table_access_map_storage m_values
Definition: auth_internal.h:88
THD * m_thd
Definition: auth_internal.h:87
mapped_type & operator[](const Table_access_map_storage::key_type &key)
Definition: auth_internal.h:75
iterator find(const Table_access_map_storage::key_type &key)
Definition: auth_internal.h:80
Table_access_map_storage::iterator iterator
Definition: auth_internal.h:72
void set_thd(THD *thd)
Definition: auth_internal.h:83
THD * get_thd()
Definition: auth_internal.h:84
Table_access_map_storage::mapped_type mapped_type
Definition: auth_internal.h:74
iterator begin()
Definition: auth_internal.h:78
Table_access_map_storage::value_type value_type
Definition: auth_internal.h:73
iterator end()
Definition: auth_internal.h:79
Table_access_map()
Definition: auth_internal.h:70
Definition: table.h:2791
Definition: dynamic_privilege_table.h:45
Definition: user_table.h:47
static bool report_error(THD *thd, int error_code, Sql_condition::enum_severity_level level, Args... args)
Definition: error_handler.cc:291
Fido Client Authentication nullptr
Definition: fido_client_plugin.cc:222
enum_sql_command
Definition: my_sqlcommand.h:46
uint64_t table_map
Definition: my_table_map.h:30
static int count
Definition: myisam_ftdump.cc:43
Time declarations shared between the server and client API: you should not add anything to this heade...
char * user
Definition: mysqladmin.cc:60
const char * host
Definition: mysqladmin.cc:59
int key_type
Definition: http_request.h:50
uint16_t value_type
Definition: vt100.h:184
std::string str(const mysqlrouter::ConfigGenerator::Options::Endpoint &ep)
Definition: config_generator.cc:1052
const std::string failed_login_attempts("failed_login_attempts")
underkeys of password locking
bool length(const dd::Spatial_reference_system *srs, const Geometry *g1, double *length, bool *null) noexcept
Computes the length of linestrings and multilinestrings.
Definition: length.cc:76
const char * table_name
Definition: rules_table_service.cc:56
std::map< Key, Value, Compare, ut::allocator< std::pair< const Key, Value > > > map
Specialization of map which uses ut_allocator.
Definition: ut0new.h:2893
std::conditional_t< !std::is_array< T >::value, std::unique_ptr< T, detail::Deleter< T > >, std::conditional_t< detail::is_unbounded_array_v< T >, std::unique_ptr< T, detail::Array_deleter< std::remove_extent_t< T > > >, void > > unique_ptr
The following is a common type that is returned by all the ut::make_unique (non-aligned) specializati...
Definition: ut0new.h:2439
std::list< T, ut::allocator< T > > list
Specialization of list which uses ut_allocator.
Definition: ut0new.h:2879
required string key
Definition: replication_asynchronous_connection_failover.proto:60
LEX_CSTRING * plugin_name(st_plugin_int **ref)
Definition: sql_plugin_ref.h:95
case opt name
Definition: sslopt-case.h:33
State information for internal tables grants.
Definition: table.h:335
Definition: auth_internal.h:59
Access_bitmask table_access
Definition: auth_internal.h:61
Grant_table_aggregate()
Definition: auth_internal.h:60
Column_map columns
Definition: auth_internal.h:63
Access_bitmask cols
Definition: auth_internal.h:62
Definition: table.h:2614
Definition: table.h:2658
Definition: mysql_lex_string.h:40
Definition: mysql_time.h:82
Definition: table.h:1399
Definition: auth_internal.h:267
std::size_t operator()(const Role_id &k) const
Definition: auth_internal.h:268
Definition: sql_connect.h:41
unsigned int uint
Definition: uca9-dump.cc:75
Vio Lite.
SSL_type
Definition: violite.h:305