23#ifndef SQL_SECURITY_CTX_INCLUDED
24#define SQL_SECURITY_CTX_INCLUDED
64 const char *
host =
"skip-grants host");
75 void set_user_ptr(
const char *user_arg,
const size_t user_arg_length);
77 void assign_user(
const char *user_arg,
const size_t user_arg_length);
81 const std::string &privilege,
82 bool cumulative =
false);
84 bool cumulative =
false,
85 bool ignore_if_nonextant =
true,
86 bool throw_error =
true);
88 bool validate_access =
false);
97 const char *
host,
const char *
ip,
98 const char *
user,
const char *db,
100 bool db_is_pattern =
false);
102 bool db_is_pattern =
false)
const;
115 std::vector<std::string> column);
126 void set_host_ptr(
const char *host_arg,
const size_t host_arg_length);
128 void assign_host(
const char *host_arg,
const size_t host_arg_length);
138 void set_ip_ptr(
const char *ip_arg,
const int ip_arg_length);
140 void assign_ip(
const char *ip_arg,
const int ip_arg_length);
162 const int host_or_ip_arg_length);
173 const int ext_user_arg_length);
176 const int ext_user_arg_length);
187 const size_t priv_user_arg_length);
198 const size_t proxy_user_arg_length);
209 const size_t priv_host_arg_length);
258 bool match_any =
false);
308 const std::string &
db_name)
const;
324 const std::string &
db_name)
const;
327 const std::string &privilege,
328 bool cumulative =
false);
448 const char *host_or_ip_arg,
const int host_or_ip_arg_length) {
uint32_t Access_bitmask
Definition: auth_acls.h:34
std::vector< Auth_id_ref > List_of_auth_id_refs
Definition: auth_common.h:81
Definition: sql_auth_cache.h:246
Container for global, schema, table/view and routine ACL maps.
Definition: sql_auth_cache.h:637
Storage container for default auth ids.
Definition: auth_common.h:1070
Definition: sql_list.h:467
Container of all restrictions for a given user.
Definition: partial_revokes.h:155
void clear_db()
Clear database restrictions.
Definition: partial_revokes.cc:1515
A set of THD members describing the current authenticated user.
Definition: sql_security_ctx.h:54
bool user_matches(Security_context *)
Definition: sql_security_ctx.cc:313
String m_external_user
Definition: sql_security_ctx.h:349
void cache_current_db_access(Access_bitmask db_access)
Cache the schema level effective privileges (apply roles first!) for the currently active schema.
Definition: sql_security_ctx.h:497
THD * get_thd()
Definition: sql_security_ctx.h:528
Access_bitmask master_access() const
Getter method for member m_master_access.
Definition: sql_security_ctx.h:465
Grant_table_aggregate table_and_column_acls(LEX_CSTRING db, LEX_CSTRING table)
Definition: sql_security_ctx.cc:624
bool any_table_acl(const LEX_CSTRING &db)
Definition: sql_security_ctx.cc:672
String m_host
m_host - host of the client
Definition: sql_security_ctx.h:339
bool m_is_skip_grants_user
True if the skip_grants_user is set.
Definition: sql_security_ctx.h:392
bool check_in_local_temp_privs(const std::string &priv)
std::unique_ptr< std::function< void(Security_context *)> > m_drop_policy
Definition: sql_security_ctx.h:396
void add_as_local_temp_privs(const std::vector< std::string > &privs)
Access_bitmask db_acl(LEX_CSTRING db, bool use_pattern_scan=true) const
Get grant information for given database.
Definition: sql_security_ctx.cc:504
bool check_access(Access_bitmask want_access, const std::string &db_name="", bool match_any=false)
Check permission against m_master_access.
Definition: sql_security_ctx.cc:322
const char * priv_host_name() const
Definition: sql_security_ctx.h:485
Access_bitmask current_db_access() const
Returns the schema level effective privileges (with applied roles) for the currently active schema.
Definition: sql_security_ctx.h:493
void set_user_ptr(const char *user_arg, const size_t user_arg_length)
Setter method for member m_user.
Definition: sql_security_ctx.cc:868
void init()
Definition: sql_security_ctx.cc:80
LEX_CSTRING host() const
Getter method for member m_host.
Definition: sql_security_ctx.cc:906
LEX_CSTRING priv_user() const
Getter method for member m_priv_user.
Definition: sql_security_ctx.cc:834
void assign_user(const char *user_arg, const size_t user_arg_length)
Setter method for member m_user.
Definition: sql_security_ctx.cc:888
void copy_security_ctx(const Security_context &src_sctx)
Deep copy status of sctx object to this.
Definition: sql_security_ctx.cc:203
void set_password_expired(bool password_expired)
Definition: sql_security_ctx.h:506
void set_drop_policy(const std::function< void(Security_context *)> &func)
Definition: sql_security_ctx.cc:127
int activate_role(LEX_CSTRING user, LEX_CSTRING host, bool validate_access=false)
This method pushes a role to the list of active roles.
Definition: sql_security_ctx.cc:351
void set_registration_sandbox_mode(bool v)
Definition: sql_security_ctx.h:522
bool has_column_access(Access_bitmask priv, TABLE const *table, std::vector< std::string > column)
Check if required access to given table column is granted.
Definition: sql_security_ctx.cc:1324
Restrictions m_restrictions
Definition: sql_security_ctx.h:397
char m_priv_user[USERNAME_LENGTH]
m_priv_user - The user privilege we are using.
Definition: sql_security_ctx.h:354
static Access_bitmask check_db_level_access(THD *thd, const Security_context *sctx, const char *host, const char *ip, const char *user, const char *db, size_t db_len, bool db_is_pattern=false)
Checks if any database level privileges are granted to the current session either directly or through...
Definition: sql_security_ctx.cc:554
void assign_proxy_user(const char *proxy_user_arg, const size_t proxy_user_arg_length)
Setter method for member m_proxy_user.
Definition: sql_security_ctx.cc:1111
void skip_grants(const char *user="skip-grants user", const char *host="skip-grants host")
Grants all privilegs to user.
Definition: sql_security_ctx.cc:176
~Security_context()
Definition: sql_security_ctx.cc:61
void checkout_access_maps(void)
Subscribes to a cache entry of aggregated ACLs.
Definition: sql_security_ctx.cc:382
size_t get_num_active_roles() const
Definition: sql_security_ctx.cc:449
THD * m_thd
m_thd - Thread handle, set to nullptr if this does not belong to any THD yet
Definition: sql_security_ctx.h:414
char m_proxy_user[USERNAME_LENGTH+HOSTNAME_LENGTH+6]
Definition: sql_security_ctx.h:357
void set_master_access(Access_bitmask master_access)
Definition: sql_security_ctx.h:473
void set_external_user_ptr(const char *ext_user_arg, const int ext_user_arg_length)
Setter method for member m_external_user.
Definition: sql_security_ctx.cc:1033
String m_user
m_user - user of the client, set to NULL until the user has been read from the connection
Definition: sql_security_ctx.h:336
String m_ip
m_ip - client IP
Definition: sql_security_ctx.h:342
bool any_sp_acl(const LEX_CSTRING &db)
Definition: sql_security_ctx.cc:657
bool has_account_assigned() const
Check if a an account has been assigned to the security context.
Definition: sql_security_ctx.h:489
size_t m_proxy_user_length
Definition: sql_security_ctx.h:358
LEX_CSTRING external_user() const
Getter method for member m_external_user.
Definition: sql_security_ctx.h:454
void assign_host(const char *host_arg, const size_t host_arg_length)
Setter method for member m_host.
Definition: sql_security_ctx.cc:949
Access_bitmask m_db_access
Privileges for current db.
Definition: sql_security_ctx.h:374
void set_host_ptr(const char *host_arg, const size_t host_arg_length)
Setter method for member m_host.
Definition: sql_security_ctx.cc:926
bool m_is_locked
True if this account can't be logged into.
Definition: sql_security_ctx.h:388
bool is_table_blocked(Access_bitmask priv, TABLE const *table)
Check if required access to given table is not restricted.
Definition: sql_security_ctx.cc:1290
bool is_in_registration_sandbox_mode()
Definition: sql_security_ctx.h:518
Access_bitmask function_acl(LEX_CSTRING db, LEX_CSTRING procedure_name)
Definition: sql_security_ctx.cc:605
bool m_password_expired
password expiration flag.
Definition: sql_security_ctx.h:382
size_t m_priv_user_length
Definition: sql_security_ctx.h:355
bool account_is_locked()
Locked account can still be used as routine definers and when they are there shouldn't be any checks ...
Definition: sql_security_ctx.h:292
Access_bitmask filter_access(const Access_bitmask access, const std::string &db_name) const
If there is a restriction attached to an access on the given database then remove that access otherwi...
Definition: sql_security_ctx.cc:1182
bool is_access_restricted_on_db(Access_bitmask want_access, const std::string &db_name) const
Definition: sql_security_ctx.cc:1167
Security_context(THD *thd=nullptr)
Definition: sql_security_ctx.cc:56
void execute_drop_policy(void)
Definition: sql_security_ctx.cc:120
void assign_ip(const char *ip_arg, const int ip_arg_length)
Setter method for member m_ip.
Definition: sql_security_ctx.cc:1013
List_of_auth_id_refs * get_active_roles()
Definition: sql_security_ctx.cc:445
void init_restrictions(const Restrictions &restrictions)
Definition: sql_security_ctx.cc:1163
Acl_map * m_acl_map
Definition: sql_security_ctx.h:384
void assign_external_user(const char *ext_user_arg, const int ext_user_arg_length)
Setter method for member m_external_user.
Definition: sql_security_ctx.cc:1053
bool has_with_admin_acl(const LEX_CSTRING &role_name, const LEX_CSTRING &role_host)
Definition: sql_security_ctx.cc:643
Access_bitmask procedure_acl(LEX_CSTRING db, LEX_CSTRING procedure_name)
Definition: sql_security_ctx.cc:587
bool password_expired() const
Getter method for member m_password_expired.
Definition: sql_security_ctx.h:502
LEX_CSTRING ip() const
Getter method for member m_ip.
Definition: sql_security_ctx.cc:973
char m_priv_host[HOSTNAME_LENGTH+1]
The host privilege we are using.
Definition: sql_security_ctx.h:363
size_t m_priv_host_length
Definition: sql_security_ctx.h:364
LEX_CSTRING priv_host() const
Getter method for member m_priv_host.
Definition: sql_security_ctx.cc:1131
void set_host_or_ip_ptr()
Setter method for member m_host_or_ip.
Definition: sql_security_ctx.h:434
std::pair< bool, bool > fetch_global_grant(const ACL_USER &acl_user, const std::string &privilege, bool cumulative=false)
Checks if the acl_user does have the asked dynamic privilege.
Definition: sql_security_ctx.cc:1211
std::pair< bool, bool > has_global_grant(const char *priv, size_t priv_len)
Checks if the Current_user has the asked dynamic privilege.
Definition: sql_security_ctx.cc:702
void set_thd(THD *thd)
Definition: sql_security_ctx.h:526
void destroy()
Definition: sql_security_ctx.cc:134
String m_host_or_ip
m_host_or_ip - points to host if host is available, otherwise points to ip
Definition: sql_security_ctx.h:347
bool m_has_drop_policy
Definition: sql_security_ctx.h:395
LEX_CSTRING user() const
Getter method for member m_user.
Definition: sql_security_ctx.cc:848
void clear_db_restrictions()
Definition: sql_security_ctx.h:514
bool m_executed_drop_policy
Definition: sql_security_ctx.h:394
void logout()
Definition: sql_security_ctx.cc:101
void restore_security_context(THD *thd, Security_context *backup)
Definition: sql_security_ctx.cc:308
Access_bitmask m_master_access
Global privileges from mysql.user.
Definition: sql_security_ctx.h:369
const Restrictions restrictions() const
Definition: sql_security_ctx.h:469
bool m_registration_sandbox_mode
This flag tracks if server should be in sandbox mode or not.
Definition: sql_security_ctx.h:409
void lock_account(bool is_locked)
Definition: sql_security_ctx.h:294
LEX_CSTRING host_or_ip() const
Getter method for member m_host_or_ip.
Definition: sql_security_ctx.h:423
bool is_skip_grants_user()
Definition: sql_security_ctx.h:510
Access_bitmask table_acl(LEX_CSTRING db, LEX_CSTRING table)
Definition: sql_security_ctx.cc:637
List_of_auth_id_refs m_active_roles
Definition: sql_security_ctx.h:383
bool has_executed_drop_policy(void)
Definition: sql_security_ctx.cc:116
bool has_drop_policy(void)
Definition: sql_security_ctx.cc:114
bool change_security_context(THD *thd, const LEX_CSTRING &definer_user, const LEX_CSTRING &definer_host, const char *db, Security_context **backup, bool force=false)
Initialize this security context from the passed in credentials and activate it in the current thread...
Definition: sql_security_ctx.cc:281
void assign_priv_user(const char *priv_user_arg, const size_t priv_user_arg_length)
Setter method for member m_priv_user.
Definition: sql_security_ctx.cc:1073
bool has_table_access(Access_bitmask priv, Table_ref *table)
Check if required access to given table is granted.
Definition: sql_security_ctx.cc:1245
void set_ip_ptr(const char *ip_arg, const int ip_arg_length)
Setter method for member m_ip.
Definition: sql_security_ctx.cc:993
Security_context & operator=(const Security_context &src_sctx)
Definition: sql_security_ctx.cc:68
bool can_operate_with(const Auth_id &auth_id, const std::string &privilege, bool cumulative=false, bool ignore_if_nonextant=true, bool throw_error=true)
Checks if the specified auth_id with privilege can work with the current_user.
Definition: sql_security_ctx.cc:796
void clear_active_roles(void)
This helper method clears the active roles list and frees the allocated memory used for any previousl...
Definition: sql_security_ctx.cc:426
LEX_CSTRING proxy_user() const
Getter method for member m_proxy_user.
Definition: sql_security_ctx.cc:1093
void assign_priv_host(const char *priv_host_arg, const size_t priv_host_arg_length)
Setter method for member m_priv_host.
Definition: sql_security_ctx.cc:1149
Using this class is fraught with peril, and you need to be very careful when doing so.
Definition: sql_string.h:167
const char * ptr() const
Definition: sql_string.h:249
size_t length() const
Definition: sql_string.h:241
void set(String &str, size_t offset, size_t arg_length)
Definition: sql_string.h:302
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_lexer_thd.h:36
MYSQL_PLUGIN_IMPORT CHARSET_INFO * system_charset_info
Definition: mysqld.cc:1542
#define DBUG_PRINT(keyword, arglist)
Definition: my_dbug.h:181
#define DBUG_TRACE
Definition: my_dbug.h:146
Common definition used by mysys, performance schema and server & client.
static constexpr int HOSTNAME_LENGTH
Definition: my_hostname.h:43
static bool backup
Definition: myisampack.cc:198
Common definition between mysql server & client.
#define USERNAME_LENGTH
Definition: mysql_com.h:69
static PFS_engine_table_share_proxy table
Definition: pfs.cc:61
const char * db_name
Definition: rules_table_service.cc:55
std::conditional_t< !std::is_array< T >::value, std::unique_ptr< T, detail::Deleter< T > >, std::conditional_t< detail::is_unbounded_array_v< T >, std::unique_ptr< T, detail::Array_deleter< std::remove_extent_t< T > > >, void > > unique_ptr
The following is a common type that is returned by all the ut::make_unique (non-aligned) specializati...
Definition: ut0new.h:2438
File containing constants that can be used throughout the server.
Our own string classes, used pervasively throughout the executor.
Definition: auth_internal.h:59
Definition: mysql_lex_string.h:40
const char * str
Definition: mysql_lex_string.h:41
size_t length
Definition: mysql_lex_string.h:42