MySQL 8.4.3
Source Code Documentation
auth_internal.h File Reference
#include <map>
#include <set>
#include <string>
#include <unordered_map>
#include <unordered_set>
#include "mysql_time.h"
#include "sql/auth/auth_common.h"
#include "sql/auth/dynamic_privilege_table.h"
#include "sql/auth/partitioned_rwlock.h"
#include "sql/auth/sql_mfa.h"
#include "sql/auth/user_table.h"
#include "sql/sql_audit.h"
#include "sql/table.h"
#include "violite.h"

Go to the source code of this file.

Classes

struct  Grant_table_aggregate
 
class  Table_access_map
 
struct  role_id_hash
 

Typedefs

typedef struct user_resources USER_RESOURCES
 
typedef std::map< std::string, Access_bitmaskColumn_map
 
typedef std::map< std::string, Access_bitmaskSP_access_map
 
typedef std::map< std::string, Access_bitmaskDb_access_map
 
typedef std::map< std::string, Grant_table_aggregateTable_access_map_storage
 
typedef std::unordered_set< std::string > Grant_acl_set
 
typedef std::vector< std::pair< Role_id, bool > > List_of_granted_roles
 
typedef std::unordered_multimap< Role_id, Role_id, role_id_hashDefault_roles
 
typedef std::map< std::string, bool > Dynamic_privileges
 
typedef std::pair< std::string, bool > Grant_privilege
 
typedef std::unordered_multimap< Role_id, Grant_privilege, role_id_hashUser_to_dynamic_privileges_map
 

Functions

void append_identifier (const THD *thd, String *packet, const char *name, size_t length)
 
std::string create_authid_str_from (const LEX_USER *user)
 Helper used for producing a key to a key-value-map. More...
 
std::string create_authid_str_from (const ACL_USER *user)
 Helper used for producing a key to a key-value-map. More...
 
std::string create_authid_str_from (const Auth_id_ref &user)
 
Auth_id_ref create_authid_from (const LEX_USER *user)
 
Auth_id_ref create_authid_from (const ACL_USER *user)
 
std::string get_one_priv (Access_bitmask &revoke_privs)
 Converts privilege represented by LSB to string. More...
 
void optimize_plugin_compare_by_pointer (LEX_CSTRING *plugin_name)
 
bool auth_plugin_is_built_in (const char *plugin_name)
 
bool auth_plugin_supports_expiration (const char *plugin_name)
 Only the plugins that are known to use the mysql.user table to store their passwords support password expiration atm. More...
 
const ACL_internal_table_accessget_cached_table_access (GRANT_INTERNAL_INFO *grant_internal_info, const char *schema_name, const char *table_name)
 Get a cached internal table access. More...
 
ulong get_sort (uint count,...)
 
bool assert_acl_cache_read_lock (THD *thd)
 Assert that thread owns MDL_SHARED on partition specific to the thread. More...
 
bool assert_acl_cache_write_lock (THD *thd)
 Assert that thread owns MDL_EXCLUSIVE on all partitions. More...
 
bool sha256_rsa_auth_status ()
 Check if server has valid public key/private key pair for RSA communication. More...
 
void rebuild_check_host (void)
 
ACL_USERfind_acl_user (const char *host, const char *user, bool exact)
 
ACL_PROXY_USERacl_find_proxy_user (const char *user, const char *host, const char *ip, char *authenticated_as, bool *proxy_used)
 Validate if a user can proxy as another user. More...
 
void acl_insert_proxy_user (ACL_PROXY_USER *new_value)
 
void acl_update_user (const char *user, const char *host, enum SSL_type ssl_type, const char *ssl_cipher, const char *x509_issuer, const char *x509_subject, USER_RESOURCES *mqh, Access_bitmask privileges, const LEX_CSTRING &plugin, const LEX_CSTRING &auth, const std::string &second_auth, const MYSQL_TIME &password_change_time, const LEX_ALTER &password_life, Restrictions &restrictions, acl_table::Pod_user_what_to_update &what_to_update, uint failed_login_attempts, int password_lock_time, const I_multi_factor_auth *mfa)
 
void acl_users_add_one (const char *user, const char *host, enum SSL_type ssl_type, const char *ssl_cipher, const char *x509_issuer, const char *x509_subject, USER_RESOURCES *mqh, Access_bitmask privileges, const LEX_CSTRING &plugin, const LEX_CSTRING &auth, const LEX_CSTRING &second_auth, const MYSQL_TIME &password_change_time, const LEX_ALTER &password_life, bool add_role_vertex, Restrictions &restrictions, uint failed_login_attempts, int password_lock_time, const I_multi_factor_auth *mfa, THD *thd)
 
void acl_insert_user (THD *thd, const char *user, const char *host, enum SSL_type ssl_type, const char *ssl_cipher, const char *x509_issuer, const char *x509_subject, USER_RESOURCES *mqh, Access_bitmask privileges, const LEX_CSTRING &plugin, const LEX_CSTRING &auth, const MYSQL_TIME &password_change_time, const LEX_ALTER &password_life, Restrictions &restrictions, uint failed_login_attempts, int password_lock_time, const I_multi_factor_auth *mfa)
 
void acl_update_proxy_user (ACL_PROXY_USER *new_value, bool is_revoke)
 
void acl_update_db (const char *user, const char *host, const char *db, Access_bitmask privileges)
 
void acl_insert_db (const char *user, const char *host, const char *db, Access_bitmask privileges)
 
bool update_sctx_cache (Security_context *sctx, ACL_USER *acl_user_ptr, bool expired)
 Update the security context when updating the user. More...
 
bool do_update_sctx (Security_context *sctx, LEX_USER *from_user)
 Checks if current user needs to be changed in case it is same as the LEX_USER. More...
 
void update_sctx (Security_context *sctx, LEX_USER *to_user)
 
void clear_and_init_db_cache ()
 
bool acl_reload (THD *thd, bool mdl_locked)
 
bool grant_reload (THD *thd, bool mdl_locked)
 Reload information about table and column level privileges if possible. More...
 
void clean_user_cache ()
 
bool set_user_salt (ACL_USER *acl_user)
 Convert scrambled password to binary form, according to scramble type, Binary form is stored in user.salt. More...
 
void append_auth_id (const THD *thd, ACL_USER *acl_user, String *str)
 Append the authorization id for the user. More...
 
Access_bitmask get_access (TABLE *form, uint fieldnr, uint *next_field)
 
int replace_db_table (THD *thd, TABLE *table, const char *db, const LEX_USER &combo, Access_bitmask rights, bool revoke_grant, bool all_current_privileges)
 change grants in the mysql.db table. More...
 
int replace_proxies_priv_table (THD *thd, TABLE *table, const LEX_USER *user, const LEX_USER *proxied_user, bool with_grant_arg, bool revoke_grant)
 Insert, update or remove a record in the mysql.proxies_priv table. More...
 
int replace_column_table (THD *thd, GRANT_TABLE *g_t, TABLE *table, const LEX_USER &combo, List< LEX_COLUMN > &columns, const char *db, const char *table_name, Access_bitmask rights, bool revoke_grant)
 Update record in the table mysql.columns_priv. More...
 
int replace_table_table (THD *thd, GRANT_TABLE *grant_table, std::unique_ptr< GRANT_TABLE, Destroy_only< GRANT_TABLE > > *deleted_grant_table, TABLE *table, const LEX_USER &combo, const char *db, const char *table_name, Access_bitmask rights, Access_bitmask col_rights, bool revoke_grant, bool all_current_privileges)
 Search and create/update a record for requested table privileges. More...
 
int replace_routine_table (THD *thd, GRANT_NAME *grant_name, TABLE *table, const LEX_USER &combo, const char *db, const char *routine_name, bool is_proc, Access_bitmask rights, bool revoke_grant, bool all_current_privileges)
 Search and create/update a record for the routine requested. More...
 
int open_grant_tables (THD *thd, Table_ref *tables, bool *transactional_tables)
 Open the grant tables. More...
 
void acl_tables_setup_for_read (Table_ref *tables)
 Setup ACL tables to be opened in read mode. More...
 
void acl_print_ha_error (int handler_error)
 Take a handler error and generate the mysql error ER_ACL_OPERATION_FAILED containing original text of HA error. More...
 
bool check_engine_type_for_acl_table (Table_ref *tables, bool report_error)
 Check that every ACL table has a supported storage engine (InnoDB). More...
 
bool log_and_commit_acl_ddl (THD *thd, bool transactional_tables, std::set< LEX_USER * > *extra_users=nullptr, Rewrite_params *rewrite_params=nullptr, bool extra_error=false, bool log_to_binlog=true)
 
void acl_notify_htons (THD *thd, enum_sql_command operation, const List< LEX_USER > *users, std::set< LEX_USER * > *rewrite_users=nullptr, const List< LEX_CSTRING > *dynamic_privs=nullptr)
 
bool is_privileged_user_for_credential_change (THD *thd)
 
void rebuild_vertex_index (THD *thd)
 Since the gap in the vertex vector was removed all the vertex descriptors has changed. More...
 
void default_roles_init (void)
 Initialize the default role map that keeps the content from the default_roles table. More...
 
void default_roles_delete (void)
 Delete the default role instance. More...
 
void roles_graph_init (void)
 Initialize the roles graph artifacts. More...
 
void roles_graph_delete (void)
 Delete the ACL role graph artifacts. More...
 
void roles_init (void)
 Initialize the roles caches that consist of the role graphs related artifacts and default role map. More...
 
void roles_delete (void)
 Delete the role caches. More...
 
void dynamic_privileges_init (void)
 
void dynamic_privileges_delete (void)
 
bool grant_dynamic_privilege (const LEX_CSTRING &str_priv, const LEX_CSTRING &str_user, const LEX_CSTRING &str_host, bool with_grant_option, Update_dynamic_privilege_table &func)
 Grant one privilege to one user. More...
 
bool revoke_dynamic_privilege (const LEX_CSTRING &str_priv, const LEX_CSTRING &str_user, const LEX_CSTRING &str_host, Update_dynamic_privilege_table &update_table)
 Revoke one privilege from one user. More...
 
bool revoke_all_dynamic_privileges (const LEX_CSTRING &user, const LEX_CSTRING &host, Update_dynamic_privilege_table &func)
 Revoke all dynamic global privileges. More...
 
bool rename_dynamic_grant (const LEX_CSTRING &old_user, const LEX_CSTRING &old_host, const LEX_CSTRING &new_user, const LEX_CSTRING &new_host, Update_dynamic_privilege_table &update_table)
 
bool grant_grant_option_for_all_dynamic_privileges (const LEX_CSTRING &str_user, const LEX_CSTRING &str_host, Update_dynamic_privilege_table &func)
 Grant grant option to one user for all dynamic privileges. More...
 
bool revoke_grant_option_for_all_dynamic_privileges (const LEX_CSTRING &str_user, const LEX_CSTRING &str_host, Update_dynamic_privilege_table &func)
 Revoke grant option to one user for all dynamic privileges. More...
 
bool grant_dynamic_privileges_to_auth_id (const Role_id &id, const std::vector< std::string > &priv_list)
 Grant needed dynamic privielges to in memory internal auth id. More...
 
void revoke_dynamic_privileges_from_auth_id (const Role_id &id, const std::vector< std::string > &priv_list)
 Revoke dynamic privielges from in memory internal auth id. More...
 
bool operator== (const Role_id &a, const Auth_id_ref &b)
 
bool operator== (const Auth_id_ref &a, const Role_id &b)
 
bool operator== (const std::pair< const Role_id, Role_id > &a, const Auth_id_ref &b)
 
bool operator== (const Role_id &a, const Role_id &b)
 
bool operator== (std::pair< const Role_id, std::pair< std::string, bool > > &a, const std::string &b)
 
void get_privilege_access_maps (ACL_USER *acl_user, const List_of_auth_id_refs *using_roles, Access_bitmask *access, Db_access_map *db_map, Db_access_map *db_wild_map, Table_access_map *table_map, SP_access_map *sp_map, SP_access_map *func_map, List_of_granted_roles *granted_roles, Grant_acl_set *with_admin_acl, Dynamic_privileges *dynamic_acl, Restrictions &restrictions)
 
bool clear_default_roles (THD *thd, TABLE *table, const Auth_id_ref &user_auth_id, std::vector< Role_id > *default_roles)
 Removes all default role policies assigned to user. More...
 
void get_granted_roles (LEX_USER *user, List_of_granted_roles *granted_roles)
 This is a convenience function. More...
 
bool drop_default_role_policy (THD *thd, TABLE *table, const Auth_id_ref &default_role_policy, const Auth_id_ref &user)
 Drop a specific default role policy given the role- and user names. More...
 
void revoke_role (THD *thd, ACL_USER *role, ACL_USER *user)
 Used by mysql_revoke_role() for revoking a specified role from a specified user. More...
 
bool revoke_all_roles_from_user (THD *thd, TABLE *edge_table, TABLE *defaults_table, LEX_USER *user)
 Used by mysql_drop_user. More...
 
bool drop_role (THD *thd, TABLE *edge_table, TABLE *defaults_table, const Auth_id_ref &authid_user)
 
bool modify_role_edges_in_table (THD *thd, TABLE *table, const Auth_id_ref &from_user, const Auth_id_ref &to_user, bool with_admin_option, bool delete_option)
 
Auth_id_ref create_authid_from (const Role_id &user)
 
Auth_id_ref create_authid_from (const LEX_CSTRING &user, const LEX_CSTRING &host)
 
bool roles_rename_authid (THD *thd, TABLE *edge_table, TABLE *defaults_table, LEX_USER *user_from, LEX_USER *user_to)
 Renames a user in the mysql.role_edge and the mysql.default_roles tables. More...
 
bool set_and_validate_user_attributes (THD *thd, LEX_USER *Str, acl_table::Pod_user_what_to_update &what_to_set, bool is_privileged_user, bool is_role, Table_ref *history_table, bool *history_check_done, const char *cmd, Userhostpassword_list &, I_multi_factor_auth **mfa=nullptr, bool if_not_exists=false)
 This function does following: More...
 
User_to_dynamic_privileges_mapget_dynamic_privileges_map ()
 
User_to_dynamic_privileges_mapswap_dynamic_privileges_map (User_to_dynamic_privileges_map *map)
 
bool populate_roles_caches (THD *thd, Table_ref *tablelst)
 
void grant_role (ACL_USER *role, const ACL_USER *user, bool with_admin_opt)
 Grants a single role to a single user. More...
 
void get_mandatory_roles (std::vector< Role_id > *mandatory_roles)
 
void create_role_vertex (ACL_USER *role_acl_user)
 Helper function for create_roles_vertices. More...
 
void activate_all_granted_roles (const ACL_USER *acl_user, Security_context *sctx)
 Activates all roles granted to the auth_id. More...
 
void activate_all_granted_and_mandatory_roles (const ACL_USER *acl_user, Security_context *sctx)
 
bool alter_user_set_default_roles (THD *thd, TABLE *table, LEX_USER *user, const List_of_auth_id_refs &new_auth_ids)
 Set the default roles for a particular user. More...
 
bool alter_user_set_default_roles_all (THD *thd, TABLE *def_role_table, LEX_USER *user)
 Set all granted role as default roles. More...
 
bool check_system_user_privilege (THD *thd, List< LEX_USER > list)
 Checks if any of the users has SYSTEM_USER privilege then current user must also have SYSTEM_USER privilege. More...
 
bool read_user_application_user_metadata_from_table (LEX_CSTRING user, LEX_CSTRING host, String *metadata_str, TABLE *table, bool mode_no_backslash)
 Helper function for recreating the CREATE USER statement when an SHOW CREATE USER statement is issued. More...
 
bool is_expected_or_transient_error (THD *thd)
 Small helper function which allows to determine if error which caused failure to open and lock privilege tables should not be reported to error log (because this is expected or temporary condition). More...
 
bool report_missing_user_grant_message (THD *thd, bool user_exists, const char *user, const char *host, const char *object_name, int err_code)
 Helper method to check if warning or error should be reported based on: More...
 

Variables

Rsa_authentication_keysg_sha256_rsa_keys
 
Rsa_authentication_keysg_caching_sha2_rsa_keys
 
char * caching_sha2_rsa_private_key_path
 
char * caching_sha2_rsa_public_key_path
 
bool caching_sha2_auto_generate_rsa_keys
 
Map_with_rw_lock< Auth_id, uint > * unknown_accounts
 Hash to map unknown accounts to an authentication plugin. More...
 
std::vector< Role_id > * g_mandatory_roles
 

Typedef Documentation

◆ Column_map

typedef std::map<std::string, Access_bitmask> Column_map

◆ Db_access_map

typedef std::map<std::string, Access_bitmask> Db_access_map

◆ Default_roles

typedef std::unordered_multimap<Role_id, Role_id, role_id_hash> Default_roles

◆ Dynamic_privileges

typedef std::map<std::string, bool> Dynamic_privileges

◆ Grant_acl_set

typedef std::unordered_set<std::string> Grant_acl_set

◆ Grant_privilege

typedef std::pair<std::string, bool> Grant_privilege

◆ List_of_granted_roles

typedef std::vector<std::pair<Role_id, bool> > List_of_granted_roles

◆ SP_access_map

typedef std::map<std::string, Access_bitmask> SP_access_map

◆ Table_access_map_storage

typedef std::map<std::string, Grant_table_aggregate> Table_access_map_storage

◆ USER_RESOURCES

◆ User_to_dynamic_privileges_map

Function Documentation

◆ acl_find_proxy_user()

ACL_PROXY_USER * acl_find_proxy_user ( const char *  user,
const char *  host,
const char *  ip,
char *  authenticated_as,
bool *  proxy_used 
)

Validate if a user can proxy as another user.

Parameters
userthe logged in user (proxy user)
hostthe hostname part of the logged in userid
ipthe ip of the logged in userid
authenticated_asthe effective user a plugin is trying to impersonate as (proxied user)
[out]proxy_usedTrue if a proxy is found
Returns
proxy user definition
Return values
NULLproxy user definition not found or not applicable
non-nullthe proxy user data

◆ acl_insert_db()

void acl_insert_db ( const char *  user,
const char *  host,
const char *  db,
Access_bitmask  privileges 
)

◆ acl_insert_proxy_user()

void acl_insert_proxy_user ( ACL_PROXY_USER new_value)

◆ acl_insert_user()

void acl_insert_user ( THD thd,
const char *  user,
const char *  host,
enum SSL_type  ssl_type,
const char *  ssl_cipher,
const char *  x509_issuer,
const char *  x509_subject,
USER_RESOURCES mqh,
Access_bitmask  privileges,
const LEX_CSTRING plugin,
const LEX_CSTRING auth,
const MYSQL_TIME password_change_time,
const LEX_ALTER password_life,
Restrictions restrictions,
uint  failed_login_attempts,
int  password_lock_time,
const I_multi_factor_auth mfa 
)

◆ acl_notify_htons()

void acl_notify_htons ( THD thd,
enum_sql_command  operation,
const List< LEX_USER > *  users,
std::set< LEX_USER * > *  rewrite_users = nullptr,
const List< LEX_CSTRING > *  dynamic_privs = nullptr 
)

◆ acl_print_ha_error()

void acl_print_ha_error ( int  handler_error)

Take a handler error and generate the mysql error ER_ACL_OPERATION_FAILED containing original text of HA error.

Parameters
handler_erroran error number resulted from storage engine

◆ acl_reload()

bool acl_reload ( THD thd,
bool  mdl_locked 
)

◆ acl_tables_setup_for_read()

void acl_tables_setup_for_read ( Table_ref tables)

Setup ACL tables to be opened in read mode.

Prepare references to all of the grant tables in the order of the ACL_TABLES enum.

Parameters
[in,out]tablesTable handles

◆ acl_update_db()

void acl_update_db ( const char *  user,
const char *  host,
const char *  db,
Access_bitmask  privileges 
)

◆ acl_update_proxy_user()

void acl_update_proxy_user ( ACL_PROXY_USER new_value,
bool  is_revoke 
)

◆ acl_update_user()

void acl_update_user ( const char *  user,
const char *  host,
enum SSL_type  ssl_type,
const char *  ssl_cipher,
const char *  x509_issuer,
const char *  x509_subject,
USER_RESOURCES mqh,
Access_bitmask  privileges,
const LEX_CSTRING plugin,
const LEX_CSTRING auth,
const std::string &  second_auth,
const MYSQL_TIME password_change_time,
const LEX_ALTER password_life,
Restrictions restrictions,
acl_table::Pod_user_what_to_update what_to_update,
uint  failed_login_attempts,
int  password_lock_time,
const I_multi_factor_auth mfa 
)

◆ acl_users_add_one()

void acl_users_add_one ( const char *  user,
const char *  host,
enum SSL_type  ssl_type,
const char *  ssl_cipher,
const char *  x509_issuer,
const char *  x509_subject,
USER_RESOURCES mqh,
Access_bitmask  privileges,
const LEX_CSTRING plugin,
const LEX_CSTRING auth,
const LEX_CSTRING second_auth,
const MYSQL_TIME password_change_time,
const LEX_ALTER password_life,
bool  add_role_vertex,
Restrictions restrictions,
uint  failed_login_attempts,
int  password_lock_time,
const I_multi_factor_auth mfa,
THD thd 
)

◆ activate_all_granted_and_mandatory_roles()

void activate_all_granted_and_mandatory_roles ( const ACL_USER acl_user,
Security_context sctx 
)

◆ activate_all_granted_roles()

void activate_all_granted_roles ( const ACL_USER acl_user,
Security_context sctx 
)

Activates all roles granted to the auth_id.

Parameters
[in]acl_userACL_USER for which all granted roles to be activated.
[in]sctxPush the activated role to security context

◆ alter_user_set_default_roles()

bool alter_user_set_default_roles ( THD thd,
TABLE table,
LEX_USER user,
const List_of_auth_id_refs new_auth_ids 
)

Set the default roles for a particular user.

Parameters
thdThread handle
tableTable handle to an open table
userAST component for the user for which we set def roles
new_auth_idsDefault roles to set
Return values
trueOperation failed
falseOperation was successful.

◆ alter_user_set_default_roles_all()

bool alter_user_set_default_roles_all ( THD thd,
TABLE def_role_table,
LEX_USER user 
)

Set all granted role as default roles.

Writes to table mysql.default_roles and binlog.

Parameters
thdThread handler
def_role_tableDefault role table
userThe user whose default roles are set.
Return values
trueAn error occurred and DA is set
falseSuccessful

◆ append_auth_id()

void append_auth_id ( const THD thd,
ACL_USER acl_user,
String str 
)

Append the authorization id for the user.

Parameters
[in]thdThe THD to find the SQL mode
[in]acl_userACL User to retrieve the user information
[in,out]strThe string in which authID is suffixed

◆ append_identifier()

void append_identifier ( const THD thd,
String packet,
const char *  name,
size_t  length 
)

◆ assert_acl_cache_read_lock()

bool assert_acl_cache_read_lock ( THD thd)

Assert that thread owns MDL_SHARED on partition specific to the thread.

Parameters
[in]thdThread for which lock is to be checked
Returns
thread owns required lock or not
Return values
trueThread owns lock
falseThread does not own lock

◆ assert_acl_cache_write_lock()

bool assert_acl_cache_write_lock ( THD thd)

Assert that thread owns MDL_EXCLUSIVE on all partitions.

Parameters
[in]thdThread for which lock is to be checked
Returns
thread owns required lock or not
Return values
trueThread owns lock
falseThread does not own lock

◆ auth_plugin_is_built_in()

bool auth_plugin_is_built_in ( const char *  plugin_name)

◆ auth_plugin_supports_expiration()

bool auth_plugin_supports_expiration ( const char *  plugin_name)

Only the plugins that are known to use the mysql.user table to store their passwords support password expiration atm.

TODO: create a service and extend the plugin API to support password expiration for external plugins.

Return values
falseexpiration not supported
trueexpiration supported

◆ check_engine_type_for_acl_table()

bool check_engine_type_for_acl_table ( Table_ref tables,
bool  report_error 
)

Check that every ACL table has a supported storage engine (InnoDB).

Report error if table's engine type is not supported.

Parameters
tablesPointer to TABLES_LIST of ACL tables to check.
report_errorIf true report error to the client/diagnostic area, otherwise write a warning to the error log.
Returns
bool
Return values
falseOK
truesome of ACL tables has an unsupported engine type.

◆ check_system_user_privilege()

bool check_system_user_privilege ( THD thd,
List< LEX_USER list 
)

Checks if any of the users has SYSTEM_USER privilege then current user must also have SYSTEM_USER privilege.

It is a wrapper over the Privilege_checker class that does privilege checks for one user at a time.

Parameters
[in]thdThread handle for security context
[in]listList of user being processed
Returns
If needed, whether current user has SYSTEM_USER privilege or not
Return values
falseEither none of the users in list has SYSTEM_USER privilege or current user has SYSTEM_USER privilege
trueFailed in get_current_user() OR one of the user in the list has SYSTEM_USER privilege but current user does not.

◆ clean_user_cache()

void clean_user_cache ( )

◆ clear_and_init_db_cache()

void clear_and_init_db_cache ( )

◆ clear_default_roles()

bool clear_default_roles ( THD thd,
TABLE table,
const Auth_id_ref user_auth_id,
std::vector< Role_id > *  default_roles 
)

Removes all default role policies assigned to user.

If the user is used as a default role policy, this policy needs to be removed too. Removed policies are copied to the vector supplied in the arguments.

Parameters
thdThread handler
tableOpen table handler
user_auth_idA reference to the authorization ID to clear
[out]default_rolesThe vector to which the removed roles are copied.
Return values
trueAn error occurred.
falseSuccess

◆ create_authid_from() [1/4]

Auth_id_ref create_authid_from ( const ACL_USER user)

◆ create_authid_from() [2/4]

Auth_id_ref create_authid_from ( const LEX_CSTRING user,
const LEX_CSTRING host 
)

◆ create_authid_from() [3/4]

Auth_id_ref create_authid_from ( const LEX_USER user)

◆ create_authid_from() [4/4]

Auth_id_ref create_authid_from ( const Role_id user)

◆ create_authid_str_from() [1/3]

std::string create_authid_str_from ( const ACL_USER user)

Helper used for producing a key to a key-value-map.

◆ create_authid_str_from() [2/3]

std::string create_authid_str_from ( const Auth_id_ref user)

◆ create_authid_str_from() [3/3]

std::string create_authid_str_from ( const LEX_USER user)

Helper used for producing a key to a key-value-map.

◆ create_role_vertex()

void create_role_vertex ( ACL_USER role_acl_user)

Helper function for create_roles_vertices.

Creates a vertex in the role graph and associate it with an ACL_USER. If the ACL_USER already exists in the vertex-to-acl-user index then we ignore this request.

Parameters
role_acl_userThe acial user to be mapped to a vertex.

◆ default_roles_delete()

void default_roles_delete ( void  )

Delete the default role instance.

◆ default_roles_init()

void default_roles_init ( void  )

Initialize the default role map that keeps the content from the default_roles table.

◆ do_update_sctx()

bool do_update_sctx ( Security_context sctx,
LEX_USER from_user_ptr 
)

Checks if current user needs to be changed in case it is same as the LEX_USER.

This check is useful to take backup of security context in case current user renames itself.

Parameters
sctxThe security context to check
from_user_ptrUser name to be renamed
Return values
truesecurity context need to be updated
falseotherwise

◆ drop_default_role_policy()

bool drop_default_role_policy ( THD thd,
TABLE table,
const Auth_id_ref default_role_policy,
const Auth_id_ref user 
)

Drop a specific default role policy given the role- and user names.

Parameters
thdThread handler
tableAn open table handler to the default_roles table
default_role_policyThe role name
userThe user name
Return values
Errorstate
trueAn error occurred
falseSuccess

◆ drop_role()

bool drop_role ( THD thd,
TABLE edge_table,
TABLE defaults_table,
const Auth_id_ref authid_user 
)

◆ dynamic_privileges_delete()

void dynamic_privileges_delete ( void  )

◆ dynamic_privileges_init()

void dynamic_privileges_init ( void  )

◆ find_acl_user()

ACL_USER * find_acl_user ( const char *  host,
const char *  user,
bool  exact 
)

◆ get_access()

Access_bitmask get_access ( TABLE form,
uint  fieldnr,
uint *  next_field 
)

◆ get_cached_table_access()

const ACL_internal_table_access * get_cached_table_access ( GRANT_INTERNAL_INFO grant_internal_info,
const char *  schema_name,
const char *  table_name 
)

Get a cached internal table access.

Parameters
grant_internal_infothe cache
schema_namethe name of the internal schema
table_namethe name of the internal table

◆ get_dynamic_privileges_map()

User_to_dynamic_privileges_map * get_dynamic_privileges_map ( )

◆ get_granted_roles()

void get_granted_roles ( LEX_USER user,
List_of_granted_roles granted_roles 
)

This is a convenience function.

See also
get_granted_roles(Role_vertex_descriptor &v, List_of_granted_roles *granted_roles)
Parameters
userThe authid to check for granted roles
[out]granted_rolesA list of granted authids

◆ get_mandatory_roles()

void get_mandatory_roles ( std::vector< Role_id > *  mandatory_roles)

◆ get_one_priv()

std::string get_one_priv ( Access_bitmask revoke_privs)

Converts privilege represented by LSB to string.

This is used while serializing in-memory data to JSON format.

Parameters
[in,out]revoke_privsPrivilege bitmask
Returns
Name for the privilege represented by LSB

◆ get_privilege_access_maps()

void get_privilege_access_maps ( ACL_USER acl_user,
const List_of_auth_id_refs using_roles,
Access_bitmask access,
Db_access_map db_map,
Db_access_map db_wild_map,
Table_access_map table_map,
SP_access_map sp_map,
SP_access_map func_map,
List_of_granted_roles granted_roles,
Grant_acl_set with_admin_acl,
Dynamic_privileges dynamic_acl,
Restrictions restrictions 
)

◆ get_sort()

ulong get_sort ( uint  count,
  ... 
)

◆ grant_dynamic_privilege()

bool grant_dynamic_privilege ( const LEX_CSTRING str_priv,
const LEX_CSTRING str_user,
const LEX_CSTRING str_host,
bool  with_grant_option,
Update_dynamic_privilege_table update_table 
)

Grant one privilege to one user.

Parameters
str_privDynamic privilege being granted
str_userUsername part of the grantee
str_hostHostname part of the grantee
with_grant_optionFlag that determines if grantee can manage the dynamic privilege
update_tableTable update handler
Returns
Error state
Return values
trueAn error occurred. DA must be checked.
falseSuccess

◆ grant_dynamic_privileges_to_auth_id()

bool grant_dynamic_privileges_to_auth_id ( const Role_id id,
const std::vector< std::string > &  priv_list 
)

Grant needed dynamic privielges to in memory internal auth id.

Parameters
idauth id to which privileges needs to be granted
priv_listList of privileges to be added to internal auth id
Return values
TrueIn case privilege is not registered
FalseSuccess

◆ grant_grant_option_for_all_dynamic_privileges()

bool grant_grant_option_for_all_dynamic_privileges ( const LEX_CSTRING str_user,
const LEX_CSTRING str_host,
Update_dynamic_privilege_table update_table 
)

Grant grant option to one user for all dynamic privileges.

Parameters
str_userUsername part of the grantee
str_hostHostname part of the grantee
update_tableTable update handler
Returns
Error state
Return values
trueAn error occurred. DA must be checked.
falseSuccess

◆ grant_reload()

bool grant_reload ( THD thd,
bool  mdl_locked 
)

Reload information about table and column level privileges if possible.

Parameters
thdCurrent thread
mdl_lockedMDL lock status - affects open/close table operations

Locked tables are checked by acl_reload() and doesn't have to be checked in this call. This function is also used for initialization of structures responsible for table/column-level privilege checking.

Returns
Error state
Return values
falseSuccess
trueError

◆ grant_role()

void grant_role ( ACL_USER role,
const ACL_USER user,
bool  with_admin_opt 
)

Grants a single role to a single user.

The change is made to the in-memory roles graph and not persistent.

See also
mysql_grant_role
Parameters
roleA pointer to the role to be granted
userA pointer to the user which will be granted
with_admin_optTrue if the user should have the ability to pass on the granted role to another authorization id.

◆ is_expected_or_transient_error()

bool is_expected_or_transient_error ( THD thd)

Small helper function which allows to determine if error which caused failure to open and lock privilege tables should not be reported to error log (because this is expected or temporary condition).

◆ is_privileged_user_for_credential_change()

bool is_privileged_user_for_credential_change ( THD thd)

◆ log_and_commit_acl_ddl()

bool log_and_commit_acl_ddl ( THD thd,
bool  transactional_tables,
std::set< LEX_USER * > *  extra_users = nullptr,
Rewrite_params rewrite_params = nullptr,
bool  extra_error = false,
bool  log_to_binlog = true 
)

◆ modify_role_edges_in_table()

bool modify_role_edges_in_table ( THD thd,
TABLE table,
const Auth_id_ref from_user,
const Auth_id_ref to_user,
bool  with_admin_option,
bool  delete_option 
)

◆ open_grant_tables()

int open_grant_tables ( THD thd,
Table_ref tables,
bool *  transactional_tables 
)

Open the grant tables.

Parameters
thdThe current thread.
[in,out]tablesArray of ACL_TABLES::LAST_ENTRY table list elements which will be used for opening tables.
[out]transactional_tablesSet to true if one of grant tables is transactional, false otherwise.
Return values
1Skip GRANT handling during replication.
0OK.
<0 Error.
Note
IX Backup Lock is implicitly acquired as side effect of calling this function.

◆ operator==() [1/5]

bool operator== ( const Auth_id_ref a,
const Role_id b 
)

◆ operator==() [2/5]

bool operator== ( const Role_id a,
const Auth_id_ref b 
)

◆ operator==() [3/5]

bool operator== ( const Role_id a,
const Role_id b 
)

◆ operator==() [4/5]

bool operator== ( const std::pair< const Role_id, Role_id > &  a,
const Auth_id_ref b 
)

◆ operator==() [5/5]

bool operator== ( std::pair< const Role_id, std::pair< std::string, bool > > &  a,
const std::string &  b 
)

◆ optimize_plugin_compare_by_pointer()

void optimize_plugin_compare_by_pointer ( LEX_CSTRING plugin_name)

◆ populate_roles_caches()

bool populate_roles_caches ( THD thd,
Table_ref tablelst 
)

◆ read_user_application_user_metadata_from_table()

bool read_user_application_user_metadata_from_table ( const LEX_CSTRING  user,
const LEX_CSTRING  host,
String metadata_str,
TABLE table,
bool  mode_no_backslash_escapes 
)

Helper function for recreating the CREATE USER statement when an SHOW CREATE USER statement is issued.

Parameters
userThe user name from which to read the metadata
hostThe host name part of the user from which to read the metadata
[out]metadata_strA buffer of text which will contain the CREATE USER .. ATTRIBUTE data. If the JSON object is null the metadata_str will be empty.
tableAn open TABLE handle to the mysql.user table.
mode_no_backslash_escapesThe SQL_MODE determines how JSON is quoted
See also
mysql_show_create_user
Returns
error state
Return values
falseSuccess
trueAn error occurred and DA was set.

◆ rebuild_check_host()

void rebuild_check_host ( void  )

◆ rebuild_vertex_index()

void rebuild_vertex_index ( THD thd)

Since the gap in the vertex vector was removed all the vertex descriptors has changed.

As a consequence we now need to rebuild the authid_to_vertex index.

◆ rename_dynamic_grant()

bool rename_dynamic_grant ( const LEX_CSTRING old_user,
const LEX_CSTRING old_host,
const LEX_CSTRING new_user,
const LEX_CSTRING new_host,
Update_dynamic_privilege_table update_table 
)

◆ replace_column_table()

int replace_column_table ( THD thd,
GRANT_TABLE g_t,
TABLE table,
const LEX_USER combo,
List< LEX_COLUMN > &  columns,
const char *  db,
const char *  table_name,
Access_bitmask  rights,
bool  revoke_grant 
)

Update record in the table mysql.columns_priv.

Parameters
thdCurrent thread execution context.
g_tPointer to a cached table grant object
tablePointer to a TABLE object for open mysql.columns_priv table
comboPointer to a LEX_USER object containing info about a user being processed
columnsList of columns to give/revoke grant
dbDatabase name of table for which column privileges are modified
table_nameName of table for which column privileges are modified
rightsTable level grant
revoke_grantSet to true if this is a REVOKE command
Returns
Operation result
Return values
0OK.
<0 System error or storage engine error happen
>0 Error in handling current user entry but still can continue processing subsequent user specified in the ACL statement.

◆ replace_db_table()

int replace_db_table ( THD thd,
TABLE table,
const char *  db,
const LEX_USER combo,
Access_bitmask  rights,
bool  revoke_grant,
bool  all_current_privileges 
)

change grants in the mysql.db table.

Parameters
thdCurrent thread execution context.
tablePointer to a TABLE object for opened mysql.db table.
dbDatabase name of table for which column privileges are modified.
comboPointer to a LEX_USER object containing info about a user being processed.
rightsDatabase level grant.
revoke_grantSet to true if this is a REVOKE command.
all_current_privilegesSet to true if this is GRANT/REVOKE ALL
Returns
Operation result
Return values
0OK.
1Error in handling current user entry but still can continue processing subsequent user specified in the ACL statement.
<0 Error.

◆ replace_proxies_priv_table()

int replace_proxies_priv_table ( THD thd,
TABLE table,
const LEX_USER user,
const LEX_USER proxied_user,
bool  with_grant_arg,
bool  revoke_grant 
)

Insert, update or remove a record in the mysql.proxies_priv table.

Parameters
thdThe current thread.
tablePointer to a TABLE object for opened mysql.proxies_priv table.
userInformation about user being handled.
proxied_userInformation about proxied user being handled.
with_grant_argTrue if a user is allowed to execute GRANT, else false.
revoke_grantSet to true if this is REVOKE command.
Returns
Operation result.
Return values
0OK.
1Error in handling current user entry but still can continue processing subsequent user specified in the ACL statement.
<0 Error.

◆ replace_routine_table()

int replace_routine_table ( THD thd,
GRANT_NAME grant_name,
TABLE table,
const LEX_USER combo,
const char *  db,
const char *  routine_name,
bool  is_proc,
Access_bitmask  rights,
bool  revoke_grant,
bool  all_current_privileges 
)

Search and create/update a record for the routine requested.

Parameters
thdThe current thread.
grant_nameCached info about stored routine.
tablePointer to a TABLE object for open mysql.procs_priv table.
comboUser information.
dbDatabase name for stored routine.
routine_nameName for stored routine.
is_procTrue for stored procedure, false for stored function.
rightsRights requested.
revoke_grantSet to true if a REVOKE command is executed.
all_current_privilegesSet to true if this is GRANT/REVOKE ALL
Returns
Operation result
Return values
0OK.
<0 System error or storage engine error happen
>0 Error in handling current routine entry but still can continue processing subsequent user specified in the ACL statement.

◆ replace_table_table()

int replace_table_table ( THD thd,
GRANT_TABLE grant_table,
std::unique_ptr< GRANT_TABLE, Destroy_only< GRANT_TABLE > > *  deleted_grant_table,
TABLE table,
const LEX_USER combo,
const char *  db,
const char *  table_name,
Access_bitmask  rights,
Access_bitmask  col_rights,
bool  revoke_grant,
bool  all_current_privileges 
)

Search and create/update a record for requested table privileges.

Parameters
thdThe current thread.
grant_tableCached info about table/columns privileges.
deleted_grant_tableIf non-nullptr and grant is removed from column cache, it is returned here instead of being destroyed.
tablePointer to a TABLE object for open mysql.tables_priv table.
comboUser information.
dbDatabase name of table to give grant.
table_nameName of table to give grant.
rightsTable privileges to set/update.
col_rightsColumn privileges to set/update.
revoke_grantSet to true if a REVOKE command is executed.
all_current_privilegesSet to true if this is GRANT/REVOKE ALL
Returns
Operation result
Return values
0OK.
<0 System error or storage engine error happen.
1No entry for request.

◆ report_missing_user_grant_message()

bool report_missing_user_grant_message ( THD thd,
bool  user_exists,
const char *  user,
const char *  host,
const char *  object_name,
int  err_code 
)

Helper method to check if warning or error should be reported based on:

  1. IF EXISTS clause specified or not
  2. IGNORE UNKNOWN USER clause is specified or not
  3. Privilege being revoked is granted or not.

If user does not exists and IGNORE UNKNOWN USER clause is specified then report a warning. If user exists, privilege being revoked is not granted to specified user and IF EXISTS clause is specified report a warning. In none of the above case report error.

Parameters
thdCurrent thread
user_existsTrue if user exists in memory structure else false
useruser name
hosthost name
object_nameobject name on which privilege is being revoked
err_codeerror code
Return values
falsefor warning.
truefor error.

◆ revoke_all_dynamic_privileges()

bool revoke_all_dynamic_privileges ( const LEX_CSTRING user,
const LEX_CSTRING host,
Update_dynamic_privilege_table update_table 
)

Revoke all dynamic global privileges.

Parameters
userThe target user name
hostThe target host name
update_tableFunctor for updating a table
Returns
Error state
Return values
trueAn error occurred. DA might not be set.
falseSuccess

◆ revoke_all_roles_from_user()

bool revoke_all_roles_from_user ( THD thd,
TABLE edge_table,
TABLE defaults_table,
LEX_USER user_name 
)

Used by mysql_drop_user.

Will drop all

Parameters
thdTHD handle
edge_tableHandle to table that stores role grants
defaults_tableHandle to table that stores default role information
user_nameUser being dropped
Return values
trueAn error occurred
falseSuccess

◆ revoke_dynamic_privilege()

bool revoke_dynamic_privilege ( const LEX_CSTRING str_priv,
const LEX_CSTRING str_user,
const LEX_CSTRING str_host,
Update_dynamic_privilege_table update_table 
)

Revoke one privilege from one user.

Parameters
str_privPrivilege being revoked
str_userUsername part of the grantee
str_hostHostname part of the grantee
update_tableTable update handler
Returns
Error state
Return values
trueAn error occurred. DA must be checked.
falseSuccess

◆ revoke_dynamic_privileges_from_auth_id()

void revoke_dynamic_privileges_from_auth_id ( const Role_id id,
const std::vector< std::string > &  priv_list 
)

Revoke dynamic privielges from in memory internal auth id.

Parameters
idauth id from which privileges needs to be revoked
priv_listList of privileges to be removed for internal auth id

◆ revoke_grant_option_for_all_dynamic_privileges()

bool revoke_grant_option_for_all_dynamic_privileges ( const LEX_CSTRING str_user,
const LEX_CSTRING str_host,
Update_dynamic_privilege_table update_table 
)

Revoke grant option to one user for all dynamic privileges.

Parameters
str_userUsername part of the grantee
str_hostHostname part of the grantee
update_tableTable update handler
Returns
Error state
Return values
trueAn error occurred. DA must be checked.
falseSuccess

◆ revoke_role()

void revoke_role ( THD thd,
ACL_USER role,
ACL_USER user 
)

Used by mysql_revoke_role() for revoking a specified role from a specified user.

Parameters
thdThread handler
roleThe role which will be revoked
userThe user who will get its role revoked

◆ roles_delete()

void roles_delete ( void  )

Delete the role caches.

◆ roles_graph_delete()

void roles_graph_delete ( void  )

Delete the ACL role graph artifacts.

◆ roles_graph_init()

void roles_graph_init ( void  )

Initialize the roles graph artifacts.

◆ roles_init()

void roles_init ( void  )

Initialize the roles caches that consist of the role graphs related artifacts and default role map.

In theory, default role map is supposed to be a policy which has to be kept in sync with role graphs.

◆ roles_rename_authid()

bool roles_rename_authid ( THD thd,
TABLE edge_table,
TABLE defaults_table,
LEX_USER user_from,
LEX_USER user_to 
)

Renames a user in the mysql.role_edge and the mysql.default_roles tables.

user_to must already exist in the acl_user cache, but user_from may not as long as it exist in the role graph.

Parameters
thdThread handler
edge_tableAn open table handle for mysql.edge_mysql
defaults_tableAn open table handle for mysql.default_roles
user_fromThe user to rename
user_toThe target user name
See also
mysql_rename_user
Return values
trueAn error occurred
falseSuccess

◆ set_and_validate_user_attributes()

bool set_and_validate_user_attributes ( THD thd,
LEX_USER Str,
acl_table::Pod_user_what_to_update what_to_set,
bool  is_privileged_user,
bool  is_role,
Table_ref history_table,
bool *  history_check_done,
const char *  cmd,
Userhostpassword_list generated_passwords,
I_multi_factor_auth **  i_mfa,
bool  if_not_exists 
)

This function does following:

  1. Convert plain text password to hash and update the same in user definition.
  2. Validate hash string if specified in user definition.
  3. Identify what all fields needs to be updated in mysql.user table based on user definition.

If the is_role flag is set, the password validation is not used.

The function perform some semantic parsing of the original statement by investigating the syntactic elements found in the LEX_USER object not-so-appropriately named Str.

The code fits the purpose as a helper function to mysql_create_user() but it is used from mysql_alter_user(), mysql_grant(), change_password() and mysql_routine_grant() with a slightly varying semantic meaning.

Parameters
thdThread context
Struser on which attributes has to be applied
what_to_setUser attributes
is_privileged_userWhether caller has CREATE_USER_ACL or UPDATE_ACL over mysql.*
is_roleCREATE ROLE was used to create the authid.
history_tableThe table to verify history against.
[out]history_check_doneSet to on if the history table is updated
cmdCommand information
[out]generated_passwordsA list of generated random passwords. Depends on LEX_USER.
[out]i_mfaInterface to Multi factor authentication methods.
if_not_existsTrue if this is a CREATE ... IF NOT EXISTS type of statement. Valid for CREATE USER/ROLE.
Return values
0ok
1ERROR;

◆ set_user_salt()

bool set_user_salt ( ACL_USER acl_user)

Convert scrambled password to binary form, according to scramble type, Binary form is stored in user.salt.

Parameters
acl_userThe object where to store the salt

Despite the name of the function it is used when loading ACLs from disk to store the password hash in the ACL_USER object. Note that it works only for native and "old" mysql authentication built-in plugins.

Assumption : user's authentication plugin information is available.

Returns
Password hash validation
Return values
falseHash is of suitable length
trueHash is of wrong length or format

◆ sha256_rsa_auth_status()

bool sha256_rsa_auth_status ( )

Check if server has valid public key/private key pair for RSA communication.

Return values
falseRSA support is available
trueRSA support is not available

◆ swap_dynamic_privileges_map()

User_to_dynamic_privileges_map * swap_dynamic_privileges_map ( User_to_dynamic_privileges_map map)

◆ update_sctx()

void update_sctx ( Security_context sctx,
LEX_USER to_user 
)

◆ update_sctx_cache()

bool update_sctx_cache ( Security_context sctx,
ACL_USER acl_user_ptr,
bool  expired 
)

Update the security context when updating the user.

Helper function. Update only if the security context is pointing to the same user and the user is not a proxied user for a different proxy user. And return true if the update happens (i.e. we're operating on the user account of the current user). Normalize the names for a safe compare.

Parameters
sctxThe security context to update
acl_user_ptrUser account being updated
expirednew value of the expiration flag
Returns
did the update happen ?

Variable Documentation

◆ caching_sha2_auto_generate_rsa_keys

bool caching_sha2_auto_generate_rsa_keys
extern

◆ caching_sha2_rsa_private_key_path

char* caching_sha2_rsa_private_key_path
extern

◆ caching_sha2_rsa_public_key_path

char* caching_sha2_rsa_public_key_path
extern

◆ g_caching_sha2_rsa_keys

Rsa_authentication_keys* g_caching_sha2_rsa_keys
extern

◆ g_mandatory_roles

std::vector<Role_id>* g_mandatory_roles
extern

◆ g_sha256_rsa_keys

Rsa_authentication_keys* g_sha256_rsa_keys
extern

◆ unknown_accounts

Map_with_rw_lock<Auth_id, uint>* unknown_accounts
extern

Hash to map unknown accounts to an authentication plugin.

If unknown accounts always map to default authentication plugin, server's reply to switch authentication plugin would indicate that user in question is indeed a valid user.

To counter this, one of the built-in authentication plugins is chosen at random. Thus, a request to switch authentication plugin is not and indicator of a valid user account.

For same unknown account, if different plugin is chosen every time, that again is an indicator. To resolve this, a hashmap is used to store information about unknown account => authentication plugin. This way, if same unknown account appears again, same authentication plugin is chosen again.

However, size of such a hash has to be kept under control. Hence, once MAX_UNKNOWN_ACCOUNTS lim