MySQL 8.4.2
Source Code Documentation
|
#include <map>
#include <set>
#include <string>
#include <unordered_map>
#include <unordered_set>
#include "mysql_time.h"
#include "sql/auth/auth_common.h"
#include "sql/auth/dynamic_privilege_table.h"
#include "sql/auth/partitioned_rwlock.h"
#include "sql/auth/sql_mfa.h"
#include "sql/auth/user_table.h"
#include "sql/sql_audit.h"
#include "sql/table.h"
#include "violite.h"
Go to the source code of this file.
Classes | |
struct | Grant_table_aggregate |
class | Table_access_map |
struct | role_id_hash |
Typedefs | |
typedef struct user_resources | USER_RESOURCES |
typedef std::map< std::string, Access_bitmask > | Column_map |
typedef std::map< std::string, Access_bitmask > | SP_access_map |
typedef std::map< std::string, Access_bitmask > | Db_access_map |
typedef std::map< std::string, Grant_table_aggregate > | Table_access_map_storage |
typedef std::unordered_set< std::string > | Grant_acl_set |
typedef std::vector< std::pair< Role_id, bool > > | List_of_granted_roles |
typedef std::unordered_multimap< Role_id, Role_id, role_id_hash > | Default_roles |
typedef std::map< std::string, bool > | Dynamic_privileges |
typedef std::pair< std::string, bool > | Grant_privilege |
typedef std::unordered_multimap< Role_id, Grant_privilege, role_id_hash > | User_to_dynamic_privileges_map |
Functions | |
void | append_identifier (const THD *thd, String *packet, const char *name, size_t length) |
std::string | create_authid_str_from (const LEX_USER *user) |
Helper used for producing a key to a key-value-map. More... | |
std::string | create_authid_str_from (const ACL_USER *user) |
Helper used for producing a key to a key-value-map. More... | |
std::string | create_authid_str_from (const Auth_id_ref &user) |
Auth_id_ref | create_authid_from (const LEX_USER *user) |
Auth_id_ref | create_authid_from (const ACL_USER *user) |
std::string | get_one_priv (Access_bitmask &revoke_privs) |
Converts privilege represented by LSB to string. More... | |
void | optimize_plugin_compare_by_pointer (LEX_CSTRING *plugin_name) |
bool | auth_plugin_is_built_in (const char *plugin_name) |
bool | auth_plugin_supports_expiration (const char *plugin_name) |
Only the plugins that are known to use the mysql.user table to store their passwords support password expiration atm. More... | |
const ACL_internal_table_access * | get_cached_table_access (GRANT_INTERNAL_INFO *grant_internal_info, const char *schema_name, const char *table_name) |
Get a cached internal table access. More... | |
ulong | get_sort (uint count,...) |
bool | assert_acl_cache_read_lock (THD *thd) |
Assert that thread owns MDL_SHARED on partition specific to the thread. More... | |
bool | assert_acl_cache_write_lock (THD *thd) |
Assert that thread owns MDL_EXCLUSIVE on all partitions. More... | |
bool | sha256_rsa_auth_status () |
Check if server has valid public key/private key pair for RSA communication. More... | |
void | rebuild_check_host (void) |
ACL_USER * | find_acl_user (const char *host, const char *user, bool exact) |
ACL_PROXY_USER * | acl_find_proxy_user (const char *user, const char *host, const char *ip, char *authenticated_as, bool *proxy_used) |
Validate if a user can proxy as another user. More... | |
void | acl_insert_proxy_user (ACL_PROXY_USER *new_value) |
void | acl_update_user (const char *user, const char *host, enum SSL_type ssl_type, const char *ssl_cipher, const char *x509_issuer, const char *x509_subject, USER_RESOURCES *mqh, Access_bitmask privileges, const LEX_CSTRING &plugin, const LEX_CSTRING &auth, const std::string &second_auth, const MYSQL_TIME &password_change_time, const LEX_ALTER &password_life, Restrictions &restrictions, acl_table::Pod_user_what_to_update &what_to_update, uint failed_login_attempts, int password_lock_time, const I_multi_factor_auth *mfa) |
void | acl_users_add_one (const char *user, const char *host, enum SSL_type ssl_type, const char *ssl_cipher, const char *x509_issuer, const char *x509_subject, USER_RESOURCES *mqh, Access_bitmask privileges, const LEX_CSTRING &plugin, const LEX_CSTRING &auth, const LEX_CSTRING &second_auth, const MYSQL_TIME &password_change_time, const LEX_ALTER &password_life, bool add_role_vertex, Restrictions &restrictions, uint failed_login_attempts, int password_lock_time, const I_multi_factor_auth *mfa, THD *thd) |
void | acl_insert_user (THD *thd, const char *user, const char *host, enum SSL_type ssl_type, const char *ssl_cipher, const char *x509_issuer, const char *x509_subject, USER_RESOURCES *mqh, Access_bitmask privileges, const LEX_CSTRING &plugin, const LEX_CSTRING &auth, const MYSQL_TIME &password_change_time, const LEX_ALTER &password_life, Restrictions &restrictions, uint failed_login_attempts, int password_lock_time, const I_multi_factor_auth *mfa) |
void | acl_update_proxy_user (ACL_PROXY_USER *new_value, bool is_revoke) |
void | acl_update_db (const char *user, const char *host, const char *db, Access_bitmask privileges) |
void | acl_insert_db (const char *user, const char *host, const char *db, Access_bitmask privileges) |
bool | update_sctx_cache (Security_context *sctx, ACL_USER *acl_user_ptr, bool expired) |
Update the security context when updating the user. More... | |
bool | do_update_sctx (Security_context *sctx, LEX_USER *from_user) |
Checks if current user needs to be changed in case it is same as the LEX_USER. More... | |
void | update_sctx (Security_context *sctx, LEX_USER *to_user) |
void | clear_and_init_db_cache () |
bool | acl_reload (THD *thd, bool mdl_locked) |
bool | grant_reload (THD *thd, bool mdl_locked) |
Reload information about table and column level privileges if possible. More... | |
void | clean_user_cache () |
bool | set_user_salt (ACL_USER *acl_user) |
Convert scrambled password to binary form, according to scramble type, Binary form is stored in user.salt. More... | |
void | append_auth_id (const THD *thd, ACL_USER *acl_user, String *str) |
Append the authorization id for the user. More... | |
Access_bitmask | get_access (TABLE *form, uint fieldnr, uint *next_field) |
int | replace_db_table (THD *thd, TABLE *table, const char *db, const LEX_USER &combo, Access_bitmask rights, bool revoke_grant, bool all_current_privileges) |
change grants in the mysql.db table. More... | |
int | replace_proxies_priv_table (THD *thd, TABLE *table, const LEX_USER *user, const LEX_USER *proxied_user, bool with_grant_arg, bool revoke_grant) |
Insert, update or remove a record in the mysql.proxies_priv table. More... | |
int | replace_column_table (THD *thd, GRANT_TABLE *g_t, TABLE *table, const LEX_USER &combo, List< LEX_COLUMN > &columns, const char *db, const char *table_name, Access_bitmask rights, bool revoke_grant) |
Update record in the table mysql.columns_priv. More... | |
int | replace_table_table (THD *thd, GRANT_TABLE *grant_table, std::unique_ptr< GRANT_TABLE, Destroy_only< GRANT_TABLE > > *deleted_grant_table, TABLE *table, const LEX_USER &combo, const char *db, const char *table_name, Access_bitmask rights, Access_bitmask col_rights, bool revoke_grant, bool all_current_privileges) |
Search and create/update a record for requested table privileges. More... | |
int | replace_routine_table (THD *thd, GRANT_NAME *grant_name, TABLE *table, const LEX_USER &combo, const char *db, const char *routine_name, bool is_proc, Access_bitmask rights, bool revoke_grant, bool all_current_privileges) |
Search and create/update a record for the routine requested. More... | |
int | open_grant_tables (THD *thd, Table_ref *tables, bool *transactional_tables) |
Open the grant tables. More... | |
void | acl_tables_setup_for_read (Table_ref *tables) |
Setup ACL tables to be opened in read mode. More... | |
void | acl_print_ha_error (int handler_error) |
Take a handler error and generate the mysql error ER_ACL_OPERATION_FAILED containing original text of HA error. More... | |
bool | check_engine_type_for_acl_table (Table_ref *tables, bool report_error) |
Check that every ACL table has a supported storage engine (InnoDB). More... | |
bool | log_and_commit_acl_ddl (THD *thd, bool transactional_tables, std::set< LEX_USER * > *extra_users=nullptr, Rewrite_params *rewrite_params=nullptr, bool extra_error=false, bool log_to_binlog=true) |
void | acl_notify_htons (THD *thd, enum_sql_command operation, const List< LEX_USER > *users, std::set< LEX_USER * > *rewrite_users=nullptr, const List< LEX_CSTRING > *dynamic_privs=nullptr) |
bool | is_privileged_user_for_credential_change (THD *thd) |
void | rebuild_vertex_index (THD *thd) |
Since the gap in the vertex vector was removed all the vertex descriptors has changed. More... | |
void | default_roles_init (void) |
Initialize the default role map that keeps the content from the default_roles table. More... | |
void | default_roles_delete (void) |
Delete the default role instance. More... | |
void | roles_graph_init (void) |
Initialize the roles graph artifacts. More... | |
void | roles_graph_delete (void) |
Delete the ACL role graph artifacts. More... | |
void | roles_init (void) |
Initialize the roles caches that consist of the role graphs related artifacts and default role map. More... | |
void | roles_delete (void) |
Delete the role caches. More... | |
void | dynamic_privileges_init (void) |
void | dynamic_privileges_delete (void) |
bool | grant_dynamic_privilege (const LEX_CSTRING &str_priv, const LEX_CSTRING &str_user, const LEX_CSTRING &str_host, bool with_grant_option, Update_dynamic_privilege_table &func) |
Grant one privilege to one user. More... | |
bool | revoke_dynamic_privilege (const LEX_CSTRING &str_priv, const LEX_CSTRING &str_user, const LEX_CSTRING &str_host, Update_dynamic_privilege_table &update_table) |
Revoke one privilege from one user. More... | |
bool | revoke_all_dynamic_privileges (const LEX_CSTRING &user, const LEX_CSTRING &host, Update_dynamic_privilege_table &func) |
Revoke all dynamic global privileges. More... | |
bool | rename_dynamic_grant (const LEX_CSTRING &old_user, const LEX_CSTRING &old_host, const LEX_CSTRING &new_user, const LEX_CSTRING &new_host, Update_dynamic_privilege_table &update_table) |
bool | grant_grant_option_for_all_dynamic_privileges (const LEX_CSTRING &str_user, const LEX_CSTRING &str_host, Update_dynamic_privilege_table &func) |
Grant grant option to one user for all dynamic privileges. More... | |
bool | revoke_grant_option_for_all_dynamic_privileges (const LEX_CSTRING &str_user, const LEX_CSTRING &str_host, Update_dynamic_privilege_table &func) |
Revoke grant option to one user for all dynamic privileges. More... | |
bool | grant_dynamic_privileges_to_auth_id (const Role_id &id, const std::vector< std::string > &priv_list) |
Grant needed dynamic privielges to in memory internal auth id. More... | |
void | revoke_dynamic_privileges_from_auth_id (const Role_id &id, const std::vector< std::string > &priv_list) |
Revoke dynamic privielges from in memory internal auth id. More... | |
bool | operator== (const Role_id &a, const Auth_id_ref &b) |
bool | operator== (const Auth_id_ref &a, const Role_id &b) |
bool | operator== (const std::pair< const Role_id, Role_id > &a, const Auth_id_ref &b) |
bool | operator== (const Role_id &a, const Role_id &b) |
bool | operator== (std::pair< const Role_id, std::pair< std::string, bool > > &a, const std::string &b) |
void | get_privilege_access_maps (ACL_USER *acl_user, const List_of_auth_id_refs *using_roles, Access_bitmask *access, Db_access_map *db_map, Db_access_map *db_wild_map, Table_access_map *table_map, SP_access_map *sp_map, SP_access_map *func_map, List_of_granted_roles *granted_roles, Grant_acl_set *with_admin_acl, Dynamic_privileges *dynamic_acl, Restrictions &restrictions) |
bool | clear_default_roles (THD *thd, TABLE *table, const Auth_id_ref &user_auth_id, std::vector< Role_id > *default_roles) |
Removes all default role policies assigned to user. More... | |
void | get_granted_roles (LEX_USER *user, List_of_granted_roles *granted_roles) |
This is a convenience function. More... | |
bool | drop_default_role_policy (THD *thd, TABLE *table, const Auth_id_ref &default_role_policy, const Auth_id_ref &user) |
Drop a specific default role policy given the role- and user names. More... | |
void | revoke_role (THD *thd, ACL_USER *role, ACL_USER *user) |
Used by mysql_revoke_role() for revoking a specified role from a specified user. More... | |
bool | revoke_all_roles_from_user (THD *thd, TABLE *edge_table, TABLE *defaults_table, LEX_USER *user) |
Used by mysql_drop_user. More... | |
bool | drop_role (THD *thd, TABLE *edge_table, TABLE *defaults_table, const Auth_id_ref &authid_user) |
bool | modify_role_edges_in_table (THD *thd, TABLE *table, const Auth_id_ref &from_user, const Auth_id_ref &to_user, bool with_admin_option, bool delete_option) |
Auth_id_ref | create_authid_from (const Role_id &user) |
Auth_id_ref | create_authid_from (const LEX_CSTRING &user, const LEX_CSTRING &host) |
bool | roles_rename_authid (THD *thd, TABLE *edge_table, TABLE *defaults_table, LEX_USER *user_from, LEX_USER *user_to) |
Renames a user in the mysql.role_edge and the mysql.default_roles tables. More... | |
bool | set_and_validate_user_attributes (THD *thd, LEX_USER *Str, acl_table::Pod_user_what_to_update &what_to_set, bool is_privileged_user, bool is_role, Table_ref *history_table, bool *history_check_done, const char *cmd, Userhostpassword_list &, I_multi_factor_auth **mfa=nullptr, bool if_not_exists=false) |
This function does following: More... | |
User_to_dynamic_privileges_map * | get_dynamic_privileges_map () |
User_to_dynamic_privileges_map * | swap_dynamic_privileges_map (User_to_dynamic_privileges_map *map) |
bool | populate_roles_caches (THD *thd, Table_ref *tablelst) |
void | grant_role (ACL_USER *role, const ACL_USER *user, bool with_admin_opt) |
Grants a single role to a single user. More... | |
void | get_mandatory_roles (std::vector< Role_id > *mandatory_roles) |
void | create_role_vertex (ACL_USER *role_acl_user) |
Helper function for create_roles_vertices. More... | |
void | activate_all_granted_roles (const ACL_USER *acl_user, Security_context *sctx) |
Activates all roles granted to the auth_id. More... | |
void | activate_all_granted_and_mandatory_roles (const ACL_USER *acl_user, Security_context *sctx) |
bool | alter_user_set_default_roles (THD *thd, TABLE *table, LEX_USER *user, const List_of_auth_id_refs &new_auth_ids) |
Set the default roles for a particular user. More... | |
bool | alter_user_set_default_roles_all (THD *thd, TABLE *def_role_table, LEX_USER *user) |
Set all granted role as default roles. More... | |
bool | check_system_user_privilege (THD *thd, List< LEX_USER > list) |
Checks if any of the users has SYSTEM_USER privilege then current user must also have SYSTEM_USER privilege. More... | |
bool | read_user_application_user_metadata_from_table (LEX_CSTRING user, LEX_CSTRING host, String *metadata_str, TABLE *table, bool mode_no_backslash) |
Helper function for recreating the CREATE USER statement when an SHOW CREATE USER statement is issued. More... | |
bool | is_expected_or_transient_error (THD *thd) |
Small helper function which allows to determine if error which caused failure to open and lock privilege tables should not be reported to error log (because this is expected or temporary condition). More... | |
bool | report_missing_user_grant_message (THD *thd, bool user_exists, const char *user, const char *host, const char *object_name, int err_code) |
Helper method to check if warning or error should be reported based on: More... | |
Variables | |
Rsa_authentication_keys * | g_sha256_rsa_keys |
Rsa_authentication_keys * | g_caching_sha2_rsa_keys |
char * | caching_sha2_rsa_private_key_path |
char * | caching_sha2_rsa_public_key_path |
bool | caching_sha2_auto_generate_rsa_keys |
Map_with_rw_lock< Auth_id, uint > * | unknown_accounts |
Hash to map unknown accounts to an authentication plugin. More... | |
std::vector< Role_id > * | g_mandatory_roles |
typedef std::map<std::string, Access_bitmask> Column_map |
typedef std::map<std::string, Access_bitmask> Db_access_map |
typedef std::unordered_multimap<Role_id, Role_id, role_id_hash> Default_roles |
typedef std::map<std::string, bool> Dynamic_privileges |
typedef std::unordered_set<std::string> Grant_acl_set |
typedef std::pair<std::string, bool> Grant_privilege |
typedef std::vector<std::pair<Role_id, bool> > List_of_granted_roles |
typedef std::map<std::string, Access_bitmask> SP_access_map |
typedef std::map<std::string, Grant_table_aggregate> Table_access_map_storage |
typedef struct user_resources USER_RESOURCES |
typedef std::unordered_multimap<Role_id, Grant_privilege, role_id_hash> User_to_dynamic_privileges_map |
ACL_PROXY_USER * acl_find_proxy_user | ( | const char * | user, |
const char * | host, | ||
const char * | ip, | ||
char * | authenticated_as, | ||
bool * | proxy_used | ||
) |
Validate if a user can proxy as another user.
user | the logged in user (proxy user) | |
host | the hostname part of the logged in userid | |
ip | the ip of the logged in userid | |
authenticated_as | the effective user a plugin is trying to impersonate as (proxied user) | |
[out] | proxy_used | True if a proxy is found |
NULL | proxy user definition not found or not applicable |
non-null | the proxy user data |
void acl_insert_db | ( | const char * | user, |
const char * | host, | ||
const char * | db, | ||
Access_bitmask | privileges | ||
) |
void acl_insert_proxy_user | ( | ACL_PROXY_USER * | new_value | ) |
void acl_insert_user | ( | THD * | thd, |
const char * | user, | ||
const char * | host, | ||
enum SSL_type | ssl_type, | ||
const char * | ssl_cipher, | ||
const char * | x509_issuer, | ||
const char * | x509_subject, | ||
USER_RESOURCES * | mqh, | ||
Access_bitmask | privileges, | ||
const LEX_CSTRING & | plugin, | ||
const LEX_CSTRING & | auth, | ||
const MYSQL_TIME & | password_change_time, | ||
const LEX_ALTER & | password_life, | ||
Restrictions & | restrictions, | ||
uint | failed_login_attempts, | ||
int | password_lock_time, | ||
const I_multi_factor_auth * | mfa | ||
) |
void acl_notify_htons | ( | THD * | thd, |
enum_sql_command | operation, | ||
const List< LEX_USER > * | users, | ||
std::set< LEX_USER * > * | rewrite_users = nullptr , |
||
const List< LEX_CSTRING > * | dynamic_privs = nullptr |
||
) |
void acl_print_ha_error | ( | int | handler_error | ) |
Take a handler error and generate the mysql error ER_ACL_OPERATION_FAILED containing original text of HA error.
handler_error | an error number resulted from storage engine |
bool acl_reload | ( | THD * | thd, |
bool | mdl_locked | ||
) |
void acl_tables_setup_for_read | ( | Table_ref * | tables | ) |
Setup ACL tables to be opened in read mode.
Prepare references to all of the grant tables in the order of the ACL_TABLES enum.
[in,out] | tables | Table handles |
void acl_update_db | ( | const char * | user, |
const char * | host, | ||
const char * | db, | ||
Access_bitmask | privileges | ||
) |
void acl_update_proxy_user | ( | ACL_PROXY_USER * | new_value, |
bool | is_revoke | ||
) |
void acl_update_user | ( | const char * | user, |
const char * | host, | ||
enum SSL_type | ssl_type, | ||
const char * | ssl_cipher, | ||
const char * | x509_issuer, | ||
const char * | x509_subject, | ||
USER_RESOURCES * | mqh, | ||
Access_bitmask | privileges, | ||
const LEX_CSTRING & | plugin, | ||
const LEX_CSTRING & | auth, | ||
const std::string & | second_auth, | ||
const MYSQL_TIME & | password_change_time, | ||
const LEX_ALTER & | password_life, | ||
Restrictions & | restrictions, | ||
acl_table::Pod_user_what_to_update & | what_to_update, | ||
uint | failed_login_attempts, | ||
int | password_lock_time, | ||
const I_multi_factor_auth * | mfa | ||
) |
void acl_users_add_one | ( | const char * | user, |
const char * | host, | ||
enum SSL_type | ssl_type, | ||
const char * | ssl_cipher, | ||
const char * | x509_issuer, | ||
const char * | x509_subject, | ||
USER_RESOURCES * | mqh, | ||
Access_bitmask | privileges, | ||
const LEX_CSTRING & | plugin, | ||
const LEX_CSTRING & | auth, | ||
const LEX_CSTRING & | second_auth, | ||
const MYSQL_TIME & | password_change_time, | ||
const LEX_ALTER & | password_life, | ||
bool | add_role_vertex, | ||
Restrictions & | restrictions, | ||
uint | failed_login_attempts, | ||
int | password_lock_time, | ||
const I_multi_factor_auth * | mfa, | ||
THD * | thd | ||
) |
void activate_all_granted_and_mandatory_roles | ( | const ACL_USER * | acl_user, |
Security_context * | sctx | ||
) |
void activate_all_granted_roles | ( | const ACL_USER * | acl_user, |
Security_context * | sctx | ||
) |
Activates all roles granted to the auth_id.
[in] | acl_user | ACL_USER for which all granted roles to be activated. |
[in] | sctx | Push the activated role to security context |
bool alter_user_set_default_roles | ( | THD * | thd, |
TABLE * | table, | ||
LEX_USER * | user, | ||
const List_of_auth_id_refs & | new_auth_ids | ||
) |
Set the default roles for a particular user.
thd | Thread handle |
table | Table handle to an open table |
user | AST component for the user for which we set def roles |
new_auth_ids | Default roles to set |
true | Operation failed |
false | Operation was successful. |
Set all granted role as default roles.
Writes to table mysql.default_roles and binlog.
thd | Thread handler |
def_role_table | Default role table |
user | The user whose default roles are set. |
true | An error occurred and DA is set |
false | Successful |
Append the authorization id for the user.
[in] | thd | The THD to find the SQL mode |
[in] | acl_user | ACL User to retrieve the user information |
[in,out] | str | The string in which authID is suffixed |
bool assert_acl_cache_read_lock | ( | THD * | thd | ) |
Assert that thread owns MDL_SHARED on partition specific to the thread.
[in] | thd | Thread for which lock is to be checked |
true | Thread owns lock |
false | Thread does not own lock |
bool assert_acl_cache_write_lock | ( | THD * | thd | ) |
Assert that thread owns MDL_EXCLUSIVE on all partitions.
[in] | thd | Thread for which lock is to be checked |
true | Thread owns lock |
false | Thread does not own lock |
bool auth_plugin_is_built_in | ( | const char * | plugin_name | ) |
bool auth_plugin_supports_expiration | ( | const char * | plugin_name | ) |
Only the plugins that are known to use the mysql.user table to store their passwords support password expiration atm.
TODO: create a service and extend the plugin API to support password expiration for external plugins.
false | expiration not supported |
true | expiration supported |
bool check_engine_type_for_acl_table | ( | Table_ref * | tables, |
bool | report_error | ||
) |
Check that every ACL table has a supported storage engine (InnoDB).
Report error if table's engine type is not supported.
tables | Pointer to TABLES_LIST of ACL tables to check. |
report_error | If true report error to the client/diagnostic area, otherwise write a warning to the error log. |
false | OK |
true | some of ACL tables has an unsupported engine type. |
Checks if any of the users has SYSTEM_USER privilege then current user must also have SYSTEM_USER privilege.
It is a wrapper over the Privilege_checker class that does privilege checks for one user at a time.
[in] | thd | Thread handle for security context |
[in] | list | List of user being processed |
false | Either none of the users in list has SYSTEM_USER privilege or current user has SYSTEM_USER privilege |
true | Failed in get_current_user() OR one of the user in the list has SYSTEM_USER privilege but current user does not. |
void clean_user_cache | ( | ) |
void clear_and_init_db_cache | ( | ) |
bool clear_default_roles | ( | THD * | thd, |
TABLE * | table, | ||
const Auth_id_ref & | user_auth_id, | ||
std::vector< Role_id > * | default_roles | ||
) |
Removes all default role policies assigned to user.
If the user is used as a default role policy, this policy needs to be removed too. Removed policies are copied to the vector supplied in the arguments.
thd | Thread handler | |
table | Open table handler | |
user_auth_id | A reference to the authorization ID to clear | |
[out] | default_roles | The vector to which the removed roles are copied. |
true | An error occurred. |
false | Success |
Auth_id_ref create_authid_from | ( | const ACL_USER * | user | ) |
Auth_id_ref create_authid_from | ( | const LEX_CSTRING & | user, |
const LEX_CSTRING & | host | ||
) |
Auth_id_ref create_authid_from | ( | const LEX_USER * | user | ) |
Auth_id_ref create_authid_from | ( | const Role_id & | user | ) |
std::string create_authid_str_from | ( | const ACL_USER * | user | ) |
Helper used for producing a key to a key-value-map.
std::string create_authid_str_from | ( | const Auth_id_ref & | user | ) |
std::string create_authid_str_from | ( | const LEX_USER * | user | ) |
Helper used for producing a key to a key-value-map.
void create_role_vertex | ( | ACL_USER * | role_acl_user | ) |
Helper function for create_roles_vertices.
Creates a vertex in the role graph and associate it with an ACL_USER. If the ACL_USER already exists in the vertex-to-acl-user index then we ignore this request.
role_acl_user | The acial user to be mapped to a vertex. |
void default_roles_delete | ( | void | ) |
Delete the default role instance.
void default_roles_init | ( | void | ) |
Initialize the default role map that keeps the content from the default_roles table.
bool do_update_sctx | ( | Security_context * | sctx, |
LEX_USER * | from_user_ptr | ||
) |
Checks if current user needs to be changed in case it is same as the LEX_USER.
This check is useful to take backup of security context in case current user renames itself.
sctx | The security context to check |
from_user_ptr | User name to be renamed |
true | security context need to be updated |
false | otherwise |
bool drop_default_role_policy | ( | THD * | thd, |
TABLE * | table, | ||
const Auth_id_ref & | default_role_policy, | ||
const Auth_id_ref & | user | ||
) |
Drop a specific default role policy given the role- and user names.
thd | Thread handler |
table | An open table handler to the default_roles table |
default_role_policy | The role name |
user | The user name |
Error | state |
true | An error occurred |
false | Success |
bool drop_role | ( | THD * | thd, |
TABLE * | edge_table, | ||
TABLE * | defaults_table, | ||
const Auth_id_ref & | authid_user | ||
) |
void dynamic_privileges_delete | ( | void | ) |
void dynamic_privileges_init | ( | void | ) |
ACL_USER * find_acl_user | ( | const char * | host, |
const char * | user, | ||
bool | exact | ||
) |
Access_bitmask get_access | ( | TABLE * | form, |
uint | fieldnr, | ||
uint * | next_field | ||
) |
const ACL_internal_table_access * get_cached_table_access | ( | GRANT_INTERNAL_INFO * | grant_internal_info, |
const char * | schema_name, | ||
const char * | table_name | ||
) |
Get a cached internal table access.
grant_internal_info | the cache |
schema_name | the name of the internal schema |
table_name | the name of the internal table |
User_to_dynamic_privileges_map * get_dynamic_privileges_map | ( | ) |
void get_granted_roles | ( | LEX_USER * | user, |
List_of_granted_roles * | granted_roles | ||
) |
This is a convenience function.
user | The authid to check for granted roles | |
[out] | granted_roles | A list of granted authids |
void get_mandatory_roles | ( | std::vector< Role_id > * | mandatory_roles | ) |
std::string get_one_priv | ( | Access_bitmask & | revoke_privs | ) |
Converts privilege represented by LSB to string.
This is used while serializing in-memory data to JSON format.
[in,out] | revoke_privs | Privilege bitmask |
void get_privilege_access_maps | ( | ACL_USER * | acl_user, |
const List_of_auth_id_refs * | using_roles, | ||
Access_bitmask * | access, | ||
Db_access_map * | db_map, | ||
Db_access_map * | db_wild_map, | ||
Table_access_map * | table_map, | ||
SP_access_map * | sp_map, | ||
SP_access_map * | func_map, | ||
List_of_granted_roles * | granted_roles, | ||
Grant_acl_set * | with_admin_acl, | ||
Dynamic_privileges * | dynamic_acl, | ||
Restrictions & | restrictions | ||
) |
ulong get_sort | ( | uint | count, |
... | |||
) |
bool grant_dynamic_privilege | ( | const LEX_CSTRING & | str_priv, |
const LEX_CSTRING & | str_user, | ||
const LEX_CSTRING & | str_host, | ||
bool | with_grant_option, | ||
Update_dynamic_privilege_table & | update_table | ||
) |
Grant one privilege to one user.
str_priv | Dynamic privilege being granted |
str_user | Username part of the grantee |
str_host | Hostname part of the grantee |
with_grant_option | Flag that determines if grantee can manage the dynamic privilege |
update_table | Table update handler |
true | An error occurred. DA must be checked. |
false | Success |
bool grant_dynamic_privileges_to_auth_id | ( | const Role_id & | id, |
const std::vector< std::string > & | priv_list | ||
) |
Grant needed dynamic privielges to in memory internal auth id.
id | auth id to which privileges needs to be granted |
priv_list | List of privileges to be added to internal auth id |
True | In case privilege is not registered |
False | Success |
bool grant_grant_option_for_all_dynamic_privileges | ( | const LEX_CSTRING & | str_user, |
const LEX_CSTRING & | str_host, | ||
Update_dynamic_privilege_table & | update_table | ||
) |
Grant grant option to one user for all dynamic privileges.
str_user | Username part of the grantee |
str_host | Hostname part of the grantee |
update_table | Table update handler |
true | An error occurred. DA must be checked. |
false | Success |
bool grant_reload | ( | THD * | thd, |
bool | mdl_locked | ||
) |
Reload information about table and column level privileges if possible.
thd | Current thread |
mdl_locked | MDL lock status - affects open/close table operations |
Locked tables are checked by acl_reload() and doesn't have to be checked in this call. This function is also used for initialization of structures responsible for table/column-level privilege checking.
false | Success |
true | Error |
Grants a single role to a single user.
The change is made to the in-memory roles graph and not persistent.
role | A pointer to the role to be granted |
user | A pointer to the user which will be granted |
with_admin_opt | True if the user should have the ability to pass on the granted role to another authorization id. |
bool is_expected_or_transient_error | ( | THD * | thd | ) |
Small helper function which allows to determine if error which caused failure to open and lock privilege tables should not be reported to error log (because this is expected or temporary condition).
bool is_privileged_user_for_credential_change | ( | THD * | thd | ) |
bool log_and_commit_acl_ddl | ( | THD * | thd, |
bool | transactional_tables, | ||
std::set< LEX_USER * > * | extra_users = nullptr , |
||
Rewrite_params * | rewrite_params = nullptr , |
||
bool | extra_error = false , |
||
bool | log_to_binlog = true |
||
) |
bool modify_role_edges_in_table | ( | THD * | thd, |
TABLE * | table, | ||
const Auth_id_ref & | from_user, | ||
const Auth_id_ref & | to_user, | ||
bool | with_admin_option, | ||
bool | delete_option | ||
) |
Open the grant tables.
thd | The current thread. | |
[in,out] | tables | Array of ACL_TABLES::LAST_ENTRY table list elements which will be used for opening tables. |
[out] | transactional_tables | Set to true if one of grant tables is transactional, false otherwise. |
1 | Skip GRANT handling during replication. |
0 | OK. |
< | 0 Error. |
bool operator== | ( | const Auth_id_ref & | a, |
const Role_id & | b | ||
) |
bool operator== | ( | const Role_id & | a, |
const Auth_id_ref & | b | ||
) |
bool operator== | ( | const std::pair< const Role_id, Role_id > & | a, |
const Auth_id_ref & | b | ||
) |
bool operator== | ( | std::pair< const Role_id, std::pair< std::string, bool > > & | a, |
const std::string & | b | ||
) |
void optimize_plugin_compare_by_pointer | ( | LEX_CSTRING * | plugin_name | ) |
bool read_user_application_user_metadata_from_table | ( | const LEX_CSTRING | user, |
const LEX_CSTRING | host, | ||
String * | metadata_str, | ||
TABLE * | table, | ||
bool | mode_no_backslash_escapes | ||
) |
Helper function for recreating the CREATE USER statement when an SHOW CREATE USER statement is issued.
user | The user name from which to read the metadata | |
host | The host name part of the user from which to read the metadata | |
[out] | metadata_str | A buffer of text which will contain the CREATE USER .. ATTRIBUTE data. If the JSON object is null the metadata_str will be empty. |
table | An open TABLE handle to the mysql.user table. | |
mode_no_backslash_escapes | The SQL_MODE determines how JSON is quoted |
false | Success |
true | An error occurred and DA was set. |
void rebuild_check_host | ( | void | ) |
void rebuild_vertex_index | ( | THD * | thd | ) |
Since the gap in the vertex vector was removed all the vertex descriptors has changed.
As a consequence we now need to rebuild the authid_to_vertex index.
bool rename_dynamic_grant | ( | const LEX_CSTRING & | old_user, |
const LEX_CSTRING & | old_host, | ||
const LEX_CSTRING & | new_user, | ||
const LEX_CSTRING & | new_host, | ||
Update_dynamic_privilege_table & | update_table | ||
) |
int replace_column_table | ( | THD * | thd, |
GRANT_TABLE * | g_t, | ||
TABLE * | table, | ||
const LEX_USER & | combo, | ||
List< LEX_COLUMN > & | columns, | ||
const char * | db, | ||
const char * | table_name, | ||
Access_bitmask | rights, | ||
bool | revoke_grant | ||
) |
Update record in the table mysql.columns_priv.
thd | Current thread execution context. |
g_t | Pointer to a cached table grant object |
table | Pointer to a TABLE object for open mysql.columns_priv table |
combo | Pointer to a LEX_USER object containing info about a user being processed |
columns | List of columns to give/revoke grant |
db | Database name of table for which column privileges are modified |
table_name | Name of table for which column privileges are modified |
rights | Table level grant |
revoke_grant | Set to true if this is a REVOKE command |
0 | OK. |
< | 0 System error or storage engine error happen |
> | 0 Error in handling current user entry but still can continue processing subsequent user specified in the ACL statement. |
int replace_db_table | ( | THD * | thd, |
TABLE * | table, | ||
const char * | db, | ||
const LEX_USER & | combo, | ||
Access_bitmask | rights, | ||
bool | revoke_grant, | ||
bool | all_current_privileges | ||
) |
change grants in the mysql.db table.
thd | Current thread execution context. |
table | Pointer to a TABLE object for opened mysql.db table. |
db | Database name of table for which column privileges are modified. |
combo | Pointer to a LEX_USER object containing info about a user being processed. |
rights | Database level grant. |
revoke_grant | Set to true if this is a REVOKE command. |
all_current_privileges | Set to true if this is GRANT/REVOKE ALL |
0 | OK. |
1 | Error in handling current user entry but still can continue processing subsequent user specified in the ACL statement. |
< | 0 Error. |
int replace_proxies_priv_table | ( | THD * | thd, |
TABLE * | table, | ||
const LEX_USER * | user, | ||
const LEX_USER * | proxied_user, | ||
bool | with_grant_arg, | ||
bool | revoke_grant | ||
) |
Insert, update or remove a record in the mysql.proxies_priv table.
thd | The current thread. |
table | Pointer to a TABLE object for opened mysql.proxies_priv table. |
user | Information about user being handled. |
proxied_user | Information about proxied user being handled. |
with_grant_arg | True if a user is allowed to execute GRANT, else false. |
revoke_grant | Set to true if this is REVOKE command. |
0 | OK. |
1 | Error in handling current user entry but still can continue processing subsequent user specified in the ACL statement. |
< | 0 Error. |
int replace_routine_table | ( | THD * | thd, |
GRANT_NAME * | grant_name, | ||
TABLE * | table, | ||
const LEX_USER & | combo, | ||
const char * | db, | ||
const char * | routine_name, | ||
bool | is_proc, | ||
Access_bitmask | rights, | ||
bool | revoke_grant, | ||
bool | all_current_privileges | ||
) |
Search and create/update a record for the routine requested.
thd | The current thread. |
grant_name | Cached info about stored routine. |
table | Pointer to a TABLE object for open mysql.procs_priv table. |
combo | User information. |
db | Database name for stored routine. |
routine_name | Name for stored routine. |
is_proc | True for stored procedure, false for stored function. |
rights | Rights requested. |
revoke_grant | Set to true if a REVOKE command is executed. |
all_current_privileges | Set to true if this is GRANT/REVOKE ALL |
0 | OK. |
< | 0 System error or storage engine error happen |
> | 0 Error in handling current routine entry but still can continue processing subsequent user specified in the ACL statement. |
int replace_table_table | ( | THD * | thd, |
GRANT_TABLE * | grant_table, | ||
std::unique_ptr< GRANT_TABLE, Destroy_only< GRANT_TABLE > > * | deleted_grant_table, | ||
TABLE * | table, | ||
const LEX_USER & | combo, | ||
const char * | db, | ||
const char * | table_name, | ||
Access_bitmask | rights, | ||
Access_bitmask | col_rights, | ||
bool | revoke_grant, | ||
bool | all_current_privileges | ||
) |
Search and create/update a record for requested table privileges.
thd | The current thread. |
grant_table | Cached info about table/columns privileges. |
deleted_grant_table | If non-nullptr and grant is removed from column cache, it is returned here instead of being destroyed. |
table | Pointer to a TABLE object for open mysql.tables_priv table. |
combo | User information. |
db | Database name of table to give grant. |
table_name | Name of table to give grant. |
rights | Table privileges to set/update. |
col_rights | Column privileges to set/update. |
revoke_grant | Set to true if a REVOKE command is executed. |
all_current_privileges | Set to true if this is GRANT/REVOKE ALL |
0 | OK. |
< | 0 System error or storage engine error happen. |
1 | No entry for request. |
bool report_missing_user_grant_message | ( | THD * | thd, |
bool | user_exists, | ||
const char * | user, | ||
const char * | host, | ||
const char * | object_name, | ||
int | err_code | ||
) |
Helper method to check if warning or error should be reported based on:
If user does not exists and IGNORE UNKNOWN USER clause is specified then report a warning. If user exists, privilege being revoked is not granted to specified user and IF EXISTS clause is specified report a warning. In none of the above case report error.
thd | Current thread |
user_exists | True if user exists in memory structure else false |
user | user name |
host | host name |
object_name | object name on which privilege is being revoked |
err_code | error code |
false | for warning. |
true | for error. |
bool revoke_all_dynamic_privileges | ( | const LEX_CSTRING & | user, |
const LEX_CSTRING & | host, | ||
Update_dynamic_privilege_table & | update_table | ||
) |
Revoke all dynamic global privileges.
user | The target user name |
host | The target host name |
update_table | Functor for updating a table |
true | An error occurred. DA might not be set. |
false | Success |
bool revoke_all_roles_from_user | ( | THD * | thd, |
TABLE * | edge_table, | ||
TABLE * | defaults_table, | ||
LEX_USER * | user_name | ||
) |
Used by mysql_drop_user.
Will drop all
thd | THD handle |
edge_table | Handle to table that stores role grants |
defaults_table | Handle to table that stores default role information |
user_name | User being dropped |
true | An error occurred |
false | Success |
bool revoke_dynamic_privilege | ( | const LEX_CSTRING & | str_priv, |
const LEX_CSTRING & | str_user, | ||
const LEX_CSTRING & | str_host, | ||
Update_dynamic_privilege_table & | update_table | ||
) |
Revoke one privilege from one user.
str_priv | Privilege being revoked |
str_user | Username part of the grantee |
str_host | Hostname part of the grantee |
update_table | Table update handler |
true | An error occurred. DA must be checked. |
false | Success |
void revoke_dynamic_privileges_from_auth_id | ( | const Role_id & | id, |
const std::vector< std::string > & | priv_list | ||
) |
Revoke dynamic privielges from in memory internal auth id.
id | auth id from which privileges needs to be revoked |
priv_list | List of privileges to be removed for internal auth id |
bool revoke_grant_option_for_all_dynamic_privileges | ( | const LEX_CSTRING & | str_user, |
const LEX_CSTRING & | str_host, | ||
Update_dynamic_privilege_table & | update_table | ||
) |
Revoke grant option to one user for all dynamic privileges.
str_user | Username part of the grantee |
str_host | Hostname part of the grantee |
update_table | Table update handler |
true | An error occurred. DA must be checked. |
false | Success |
Used by mysql_revoke_role() for revoking a specified role from a specified user.
thd | Thread handler |
role | The role which will be revoked |
user | The user who will get its role revoked |
void roles_delete | ( | void | ) |
Delete the role caches.
void roles_graph_delete | ( | void | ) |
Delete the ACL role graph artifacts.
void roles_graph_init | ( | void | ) |
Initialize the roles graph artifacts.
void roles_init | ( | void | ) |
Initialize the roles caches that consist of the role graphs related artifacts and default role map.
In theory, default role map is supposed to be a policy which has to be kept in sync with role graphs.
bool roles_rename_authid | ( | THD * | thd, |
TABLE * | edge_table, | ||
TABLE * | defaults_table, | ||
LEX_USER * | user_from, | ||
LEX_USER * | user_to | ||
) |
Renames a user in the mysql.role_edge and the mysql.default_roles tables.
user_to must already exist in the acl_user cache, but user_from may not as long as it exist in the role graph.
thd | Thread handler |
edge_table | An open table handle for mysql.edge_mysql |
defaults_table | An open table handle for mysql.default_roles |
user_from | The user to rename |
user_to | The target user name |
true | An error occurred |
false | Success |
bool set_and_validate_user_attributes | ( | THD * | thd, |
LEX_USER * | Str, | ||
acl_table::Pod_user_what_to_update & | what_to_set, | ||
bool | is_privileged_user, | ||
bool | is_role, | ||
Table_ref * | history_table, | ||
bool * | history_check_done, | ||
const char * | cmd, | ||
Userhostpassword_list & | generated_passwords, | ||
I_multi_factor_auth ** | i_mfa, | ||
bool | if_not_exists | ||
) |
This function does following:
If the is_role flag is set, the password validation is not used.
The function perform some semantic parsing of the original statement by investigating the syntactic elements found in the LEX_USER object not-so-appropriately named Str.
The code fits the purpose as a helper function to mysql_create_user() but it is used from mysql_alter_user(), mysql_grant(), change_password() and mysql_routine_grant() with a slightly varying semantic meaning.
thd | Thread context | |
Str | user on which attributes has to be applied | |
what_to_set | User attributes | |
is_privileged_user | Whether caller has CREATE_USER_ACL or UPDATE_ACL over mysql.* | |
is_role | CREATE ROLE was used to create the authid. | |
history_table | The table to verify history against. | |
[out] | history_check_done | Set to on if the history table is updated |
cmd | Command information | |
[out] | generated_passwords | A list of generated random passwords. Depends on LEX_USER. |
[out] | i_mfa | Interface to Multi factor authentication methods. |
if_not_exists | True if this is a CREATE ... IF NOT EXISTS type of statement. Valid for CREATE USER/ROLE. |
0 | ok |
1 | ERROR; |
bool set_user_salt | ( | ACL_USER * | acl_user | ) |
Convert scrambled password to binary form, according to scramble type, Binary form is stored in user.salt.
acl_user | The object where to store the salt |
Despite the name of the function it is used when loading ACLs from disk to store the password hash in the ACL_USER object. Note that it works only for native and "old" mysql authentication built-in plugins.
Assumption : user's authentication plugin information is available.
false | Hash is of suitable length |
true | Hash is of wrong length or format |
bool sha256_rsa_auth_status | ( | ) |
Check if server has valid public key/private key pair for RSA communication.
false | RSA support is available |
true | RSA support is not available |
User_to_dynamic_privileges_map * swap_dynamic_privileges_map | ( | User_to_dynamic_privileges_map * | map | ) |
void update_sctx | ( | Security_context * | sctx, |
LEX_USER * | to_user | ||
) |
bool update_sctx_cache | ( | Security_context * | sctx, |
ACL_USER * | acl_user_ptr, | ||
bool | expired | ||
) |
Update the security context when updating the user.
Helper function. Update only if the security context is pointing to the same user and the user is not a proxied user for a different proxy user. And return true if the update happens (i.e. we're operating on the user account of the current user). Normalize the names for a safe compare.
sctx | The security context to update |
acl_user_ptr | User account being updated |
expired | new value of the expiration flag |
|
extern |
|
extern |
|
extern |
|
extern |
|
extern |
|
extern |
|
extern |
Hash to map unknown accounts to an authentication plugin.
If unknown accounts always map to default authentication plugin, server's reply to switch authentication plugin would indicate that user in question is indeed a valid user.
To counter this, one of the built-in authentication plugins is chosen at random. Thus, a request to switch authentication plugin is not and indicator of a valid user account.
For same unknown account, if different plugin is chosen every time, that again is an indicator. To resolve this, a hashmap is used to store information about unknown account => authentication plugin. This way, if same unknown account appears again, same authentication plugin is chosen again.
However, size of such a hash has to be kept under control. Hence, once MAX_UNKNOWN_ACCOUNTS lim