MySQL 8.4.2
Source Code Documentation
Applier_security_context_guard Class Reference

Utility class to allow RAII pattern with Security_context class. More...

#include <rpl_rli.h>

Public Member Functions

 Applier_security_context_guard (Relay_log_info const *rli, THD const *thd)
 If needed, backs up the current thd security context and replaces it with a security context for PRIVILEGE_CHECKS_USER user. More...
 
virtual ~Applier_security_context_guard ()
 Destructor that restores the backed up security context, if needed. More...
 
 Applier_security_context_guard (const Applier_security_context_guard &)=delete
 
 Applier_security_context_guard (Applier_security_context_guard &&)=delete
 
Applier_security_context_guardoperator= (const Applier_security_context_guard &)=delete
 
Applier_security_context_guardoperator= (Applier_security_context_guard &&)=delete
 
bool skip_priv_checks () const
 Returns whether or not privilege checks may be skipped within the current context. More...
 
bool has_access (std::vector< std::tuple< Access_bitmask, TABLE const *, Rows_log_event * > > &extra_privileges) const
 Checks if the PRIVILEGE_CHECKS_USER user has access to the privilieges passed on by extra_privileges parameter as well as to the privileges passed on at initialization time. More...
 
bool has_access (std::initializer_list< std::string_view > extra_privileges) const
 Checks if the PRIVILEGE_CHECKS_USER user has access to the privilieges passed on by extra_privileges parameter as well as to the privileges passed on at initialization time. More...
 
bool has_access (std::initializer_list< Access_bitmask > extra_privileges) const
 Checks if the PRIVILEGE_CHECKS_USER user has access to the privilieges passed on by extra_privileges parameter as well as to the privileges passed on at initialization time. More...
 
std::string get_username () const
 Returns the username for the user for which the security context was initialized. More...
 
std::string get_hostname () const
 Returns the hostname for the user for which the security context was initialized. More...
 

Private Member Functions

void extract_columns_to_check (TABLE const *table, Rows_log_event *event, std::vector< std::string > &columns) const
 

Private Attributes

Relay_log_info const * m_target
 The Relay_log_info object holding the info required to initialize the context. More...
 
THD const * m_thd
 The THD object for which the security context will be initialized. More...
 
Security_context m_applier_security_ctx
 Applier security context based on PRIVILEGE_CHECK_USER user. More...
 
Security_contextm_current
 Currently in use security context. More...
 
Security_contextm_previous
 Backed up security context. More...
 
bool m_privilege_checks_none
 Flag that states if privilege check should be skipped. More...
 
bool m_logged_in_acl_user
 Flag that states if there is a logged user. More...
 

Detailed Description

Utility class to allow RAII pattern with Security_context class.

At initiliazation, if the THD main security context isn't already the appropriate one, it copies the Relay_log_info::info_thd::security_context and replaces it with the one initialized with the PRIVILEGE_CHECK_USER user. At deinitialization, it copies the backed up security context.

It also deals with the case where no privilege checks are required, meaning, PRIVILEGE_CHECKS_USER is NULL.

Usage examples:

(1)

Applier_security_context_guard security_context{rli, thd};
if (!security_context.has_access({SUPER_ACL})) {
return ER_NO_ACCESS;
}
Utility class to allow RAII pattern with Security_context class.
Definition: rpl_rli.h:2389

(4)

Applier_security_context_guard security_context{rli, thd};
if (!security_context.has_access(
{{CREATE_ACL | INSERT_ACL | UPDATE_ACL, table},
{SELECT_ACL, table}})) {
return ER_NO_ACCESS;
}

Constructor & Destructor Documentation

◆ Applier_security_context_guard() [1/3]

Applier_security_context_guard::Applier_security_context_guard ( Relay_log_info const *  rli,
THD const *  thd 
)

If needed, backs up the current thd security context and replaces it with a security context for PRIVILEGE_CHECKS_USER user.

Parameters
rlithe Relay_log_info object that holds the PRIVILEGE_CHECKS_USER info.
thdthe THD for which initialize the security context.

◆ ~Applier_security_context_guard()

Applier_security_context_guard::~Applier_security_context_guard ( )
virtual

Destructor that restores the backed up security context, if needed.

◆ Applier_security_context_guard() [2/3]

Applier_security_context_guard::Applier_security_context_guard ( const Applier_security_context_guard )
delete

◆ Applier_security_context_guard() [3/3]

Applier_security_context_guard::Applier_security_context_guard ( Applier_security_context_guard &&  )
delete

Member Function Documentation

◆ extract_columns_to_check()

void Applier_security_context_guard::extract_columns_to_check ( TABLE const *  table,
Rows_log_event event,
std::vector< std::string > &  columns 
) const
private

◆ get_hostname()

std::string Applier_security_context_guard::get_hostname ( ) const

Returns the hostname for the user for which the security context was initialized.

If PRIVILEGE_CHECKS_USER was configured for the target Relay_log_info object, that one is returned.

Otherwise, the hostname associated with the Security_context initialized for Relay_log_info::info_thd will be returned.

Returns
an std::string holding the hostname for the active security context.

◆ get_username()

std::string Applier_security_context_guard::get_username ( ) const

Returns the username for the user for which the security context was initialized.

If PRIVILEGE_CHECKS_USER was configured for the target Relay_log_info object, that one is returned.

Otherwise, the username associated with the Security_context initialized for Relay_log_info::info_thd will be returned.

Returns
an std::string holding the username for the active security context.

◆ has_access() [1/3]

bool Applier_security_context_guard::has_access ( std::initializer_list< Access_bitmask extra_privileges) const

Checks if the PRIVILEGE_CHECKS_USER user has access to the privilieges passed on by extra_privileges parameter as well as to the privileges passed on at initialization time.

Parameters
extra_privilegesset of privileges to check, additionally to those passed on at initialization. It's a list of privileges to be checked against any database.
Returns
true if the privileges are included in the security context and false, otherwise.

◆ has_access() [2/3]

bool Applier_security_context_guard::has_access ( std::initializer_list< std::string_view >  extra_privileges) const

Checks if the PRIVILEGE_CHECKS_USER user has access to the privilieges passed on by extra_privileges parameter as well as to the privileges passed on at initialization time.

Parameters
extra_privilegesset of privileges to check, additionally to those passed on at initialization. It's a list of privileges to be checked against any database.
Returns
true if the privileges are included in the security context and false, otherwise.

◆ has_access() [3/3]

bool Applier_security_context_guard::has_access ( std::vector< std::tuple< Access_bitmask, TABLE const *, Rows_log_event * > > &  extra_privileges) const

Checks if the PRIVILEGE_CHECKS_USER user has access to the privilieges passed on by extra_privileges parameter as well as to the privileges passed on at initialization time.

This particular method checks those privileges against a given table and against that table's columns - the ones that are used or changed in the event.

Parameters
extra_privilegesset of privileges to check, additionally to those passed on at initialization. It's a list of (privilege, TABLE*, Rows_log_event*) tuples.
Returns
true if the privileges are included in the security context and false, otherwise.

◆ operator=() [1/2]

Applier_security_context_guard & Applier_security_context_guard::operator= ( Applier_security_context_guard &&  )
delete

◆ operator=() [2/2]

Applier_security_context_guard & Applier_security_context_guard::operator= ( const Applier_security_context_guard )
delete

◆ skip_priv_checks()

bool Applier_security_context_guard::skip_priv_checks ( ) const

Returns whether or not privilege checks may be skipped within the current context.

Returns
true if privilege checks may be skipped and false otherwise.

Member Data Documentation

◆ m_applier_security_ctx

Security_context Applier_security_context_guard::m_applier_security_ctx
private

Applier security context based on PRIVILEGE_CHECK_USER user.

◆ m_current

Security_context* Applier_security_context_guard::m_current
private

Currently in use security context.

◆ m_logged_in_acl_user

bool Applier_security_context_guard::m_logged_in_acl_user
private

Flag that states if there is a logged user.

◆ m_previous

Security_context* Applier_security_context_guard::m_previous
private

Backed up security context.

◆ m_privilege_checks_none

bool Applier_security_context_guard::m_privilege_checks_none
private

Flag that states if privilege check should be skipped.

◆ m_target

Relay_log_info const* Applier_security_context_guard::m_target
private

The Relay_log_info object holding the info required to initialize the context.

◆ m_thd

THD const* Applier_security_context_guard::m_thd
private

The THD object for which the security context will be initialized.


The documentation for this class was generated from the following files: