MySQL 9.0.1
Source Code Documentation
Security_context Class Reference

A set of THD members describing the current authenticated user. More...

#include <sql_security_ctx.h>

Public Member Functions

 Security_context (THD *thd=nullptr)
 
 ~Security_context ()
 
 Security_context (const Security_context &src_sctx)
 
Security_contextoperator= (const Security_context &src_sctx)
 
void skip_grants (const char *user="skip-grants user", const char *host="skip-grants host")
 Grants all privilegs to user. More...
 
bool is_skip_grants_user ()
 
LEX_CSTRING user () const
 Getter method for member m_user. More...
 
void set_user_ptr (const char *user_arg, const size_t user_arg_length)
 Setter method for member m_user. More...
 
void assign_user (const char *user_arg, const size_t user_arg_length)
 Setter method for member m_user. More...
 
std::pair< bool, bool > has_global_grant (const char *priv, size_t priv_len)
 Checks if the Current_user has the asked dynamic privilege. More...
 
std::pair< bool, bool > has_global_grant (const Auth_id &auth_id, const std::string &privilege, bool cumulative=false)
 Checks if the Auth_id have the asked dynamic privilege. More...
 
bool can_operate_with (const Auth_id &auth_id, const std::string &privilege, bool cumulative=false, bool ignore_if_nonextant=true, bool throw_error=true)
 Checks if the specified auth_id with privilege can work with the current_user. More...
 
int activate_role (LEX_CSTRING user, LEX_CSTRING host, bool validate_access=false)
 This method pushes a role to the list of active roles. More...
 
void clear_active_roles (void)
 This helper method clears the active roles list and frees the allocated memory used for any previously activated roles. More...
 
List_of_auth_id_refsget_active_roles ()
 
size_t get_num_active_roles () const
 
void get_active_roles (THD *, List< LEX_USER > &)
 Get sorted list of roles in LEX_USER format. More...
 
void checkout_access_maps (void)
 Subscribes to a cache entry of aggregated ACLs. More...
 
Access_bitmask db_acl (LEX_CSTRING db, bool use_pattern_scan=true) const
 Get grant information for given database. More...
 
Access_bitmask check_db_level_access (THD *thd, const char *db, size_t db_len, bool db_is_pattern=false) const
 Checks if any database level privileges are granted to the current session either directly or through active roles. More...
 
Access_bitmask procedure_acl (LEX_CSTRING db, LEX_CSTRING procedure_name)
 
Access_bitmask function_acl (LEX_CSTRING db, LEX_CSTRING procedure_name)
 
Access_bitmask table_acl (LEX_CSTRING db, LEX_CSTRING table)
 
Grant_table_aggregate table_and_column_acls (LEX_CSTRING db, LEX_CSTRING table)
 
bool has_with_admin_acl (const LEX_CSTRING &role_name, const LEX_CSTRING &role_host)
 
bool any_sp_acl (const LEX_CSTRING &db)
 
bool any_table_acl (const LEX_CSTRING &db)
 
bool is_table_blocked (Access_bitmask priv, TABLE const *table)
 Check if required access to given table is not restricted. More...
 
bool has_column_access (Access_bitmask priv, TABLE const *table, std::vector< std::string > column)
 Check if required access to given table column is granted. More...
 
LEX_CSTRING host () const
 Getter method for member m_host. More...
 
void set_host_ptr (const char *host_arg, const size_t host_arg_length)
 Setter method for member m_host. More...
 
void assign_host (const char *host_arg, const size_t host_arg_length)
 Setter method for member m_host. More...
 
LEX_CSTRING ip () const
 Getter method for member m_ip. More...
 
void set_ip_ptr (const char *ip_arg, const int ip_arg_length)
 Setter method for member m_ip. More...
 
void assign_ip (const char *ip_arg, const int ip_arg_length)
 Setter method for member m_ip. More...
 
LEX_CSTRING host_or_ip () const
 Getter method for member m_host_or_ip. More...
 
void set_host_or_ip_ptr ()
 Setter method for member m_host_or_ip. More...
 
void set_host_or_ip_ptr (const char *host_or_ip_arg, const int host_or_ip_arg_length)
 Setter method for member m_host_or_ip. More...
 
LEX_CSTRING external_user () const
 Getter method for member m_external_user. More...
 
void set_external_user_ptr (const char *ext_user_arg, const int ext_user_arg_length)
 Setter method for member m_external_user. More...
 
void assign_external_user (const char *ext_user_arg, const int ext_user_arg_length)
 Setter method for member m_external_user. More...
 
LEX_CSTRING priv_user () const
 Getter method for member m_priv_user. More...
 
void assign_priv_user (const char *priv_user_arg, const size_t priv_user_arg_length)
 Setter method for member m_priv_user. More...
 
LEX_CSTRING proxy_user () const
 Getter method for member m_proxy_user. More...
 
void assign_proxy_user (const char *proxy_user_arg, const size_t proxy_user_arg_length)
 Setter method for member m_proxy_user. More...
 
LEX_CSTRING priv_host () const
 Getter method for member m_priv_host. More...
 
void assign_priv_host (const char *priv_host_arg, const size_t priv_host_arg_length)
 Setter method for member m_priv_host. More...
 
const char * priv_host_name () const
 
Access_bitmask master_access () const
 Getter method for member m_master_access. More...
 
Access_bitmask master_access (const std::string &db_name) const
 
const Restrictions restrictions () const
 
void set_master_access (Access_bitmask master_access)
 
void set_master_access (Access_bitmask master_access, const Restrictions &restrictions)
 
bool has_account_assigned () const
 Check if a an account has been assigned to the security context. More...
 
bool check_access (Access_bitmask want_access, const std::string &db_name="", bool match_any=false)
 Check permission against m_master_access. More...
 
Access_bitmask current_db_access () const
 Returns the schema level effective privileges (with applied roles) for the currently active schema. More...
 
void cache_current_db_access (Access_bitmask db_access)
 Cache the schema level effective privileges (apply roles first!) for the currently active schema. More...
 
bool password_expired () const
 Getter method for member m_password_expired. More...
 
void set_password_expired (bool password_expired)
 
bool change_security_context (THD *thd, const LEX_CSTRING &definer_user, const LEX_CSTRING &definer_host, const char *db, Security_context **backup, bool force=false)
 Initialize this security context from the passed in credentials and activate it in the current thread. More...
 
void restore_security_context (THD *thd, Security_context *backup)
 
bool user_matches (Security_context *)
 
void logout ()
 
bool account_is_locked ()
 Locked account can still be used as routine definers and when they are there shouldn't be any checks for expired passwords. More...
 
void lock_account (bool is_locked)
 
void set_drop_policy (const std::function< void(Security_context *)> &func)
 
void add_as_local_temp_privs (const std::vector< std::string > &privs)
 
bool check_in_local_temp_privs (const std::string &priv)
 
bool has_drop_policy (void)
 
bool has_executed_drop_policy (void)
 
void execute_drop_policy (void)
 
bool is_access_restricted_on_db (Access_bitmask want_access, const std::string &db_name) const
 
void clear_db_restrictions ()
 
bool is_in_registration_sandbox_mode ()
 
void set_registration_sandbox_mode (bool v)
 
void set_thd (THD *thd)
 
THDget_thd ()
 

Static Public Member Functions

static Access_bitmask check_db_level_access (THD *thd, const Security_context *sctx, const char *host, const char *ip, const char *user, const char *db, size_t db_len, bool db_is_pattern=false)
 Checks if any database level privileges are granted to the current session either directly or through active roles. More...
 

Private Member Functions

void init ()
 
void destroy ()
 
void copy_security_ctx (const Security_context &src_sctx)
 Deep copy status of sctx object to this. More...
 
Access_bitmask filter_access (const Access_bitmask access, const std::string &db_name) const
 If there is a restriction attached to an access on the given database then remove that access otherwise return the access without any change. More...
 
void init_restrictions (const Restrictions &restrictions)
 
std::pair< bool, bool > fetch_global_grant (const ACL_USER &acl_user, const std::string &privilege, bool cumulative=false)
 Checks if the acl_user does have the asked dynamic privilege. More...
 
bool has_table_access (Access_bitmask priv, Table_ref *table)
 Check if required access to given table is granted. More...
 

Private Attributes

String m_user
 m_user - user of the client, set to NULL until the user has been read from the connection More...
 
String m_host
 m_host - host of the client More...
 
String m_ip
 m_ip - client IP More...
 
String m_host_or_ip
 m_host_or_ip - points to host if host is available, otherwise points to ip More...
 
String m_external_user
 
char m_priv_user [USERNAME_LENGTH]
 m_priv_user - The user privilege we are using. More...
 
size_t m_priv_user_length
 
char m_proxy_user [USERNAME_LENGTH+HOSTNAME_LENGTH+6]
 
size_t m_proxy_user_length
 
char m_priv_host [HOSTNAME_LENGTH+1]
 The host privilege we are using. More...
 
size_t m_priv_host_length
 
Access_bitmask m_master_access
 Global privileges from mysql.user. More...
 
Access_bitmask m_db_access
 Privileges for current db. More...
 
bool m_password_expired
 password expiration flag. More...
 
List_of_auth_id_refs m_active_roles
 
Acl_mapm_acl_map
 
bool m_is_locked
 True if this account can't be logged into. More...
 
bool m_is_skip_grants_user
 True if the skip_grants_user is set. More...
 
bool m_executed_drop_policy
 
bool m_has_drop_policy
 
std::unique_ptr< std::function< void(Security_context *)> > m_drop_policy
 
Restrictions m_restrictions
 
bool m_registration_sandbox_mode
 This flag tracks if server should be in sandbox mode or not. More...
 
THDm_thd
 m_thd - Thread handle, set to nullptr if this does not belong to any THD yet More...
 

Detailed Description

A set of THD members describing the current authenticated user.

Constructor & Destructor Documentation

◆ Security_context() [1/2]

Security_context::Security_context ( THD thd = nullptr)

◆ ~Security_context()

Security_context::~Security_context ( )

◆ Security_context() [2/2]

Security_context::Security_context ( const Security_context src_sctx)

Member Function Documentation

◆ account_is_locked()

bool Security_context::account_is_locked ( )
inline

Locked account can still be used as routine definers and when they are there shouldn't be any checks for expired passwords.

◆ activate_role()

int Security_context::activate_role ( LEX_CSTRING  role,
LEX_CSTRING  role_host,
bool  validate_access = false 
)

This method pushes a role to the list of active roles.

It requires Acl_cache_lock_guard.

This method allocates memory which must be freed when the role is deactivated.

Parameters
roleThe role name
role_hostThe role hostname-part.
validate_accessTrue if access validation should be performed. Default value is false.

◆ add_as_local_temp_privs()

void Security_context::add_as_local_temp_privs ( const std::vector< std::string > &  privs)

◆ any_sp_acl()

bool Security_context::any_sp_acl ( const LEX_CSTRING db)

◆ any_table_acl()

bool Security_context::any_table_acl ( const LEX_CSTRING db)

◆ assign_external_user()

void Security_context::assign_external_user ( const char *  ext_user_arg,
const int  ext_user_arg_length 
)

Setter method for member m_external_user.

Copies ext_user_arg value to the m_external_user if it is not null else m_external_user is set to NULL.

Parameters
[in]ext_user_argNew user value for m_external_user.
[in]ext_user_arg_lengthLength of "ext_user_arg" param.

◆ assign_host()

void Security_context::assign_host ( const char *  host_arg,
const size_t  host_arg_length 
)

Setter method for member m_host.

Copies host_arg value to the m_host if it is not null else m_user is set to empty string.

Parameters
[in]host_argNew user value for m_host.
[in]host_arg_lengthLength of "host_arg" param.

◆ assign_ip()

void Security_context::assign_ip ( const char *  ip_arg,
const int  ip_arg_length 
)

Setter method for member m_ip.

Copies ip_arg value to the m_ip if it is not null else m_ip is set to NULL.

Parameters
[in]ip_argNew user value for m_ip.
[in]ip_arg_lengthLength of "ip_arg" param.

◆ assign_priv_host()

void Security_context::assign_priv_host ( const char *  priv_host_arg,
const size_t  priv_host_arg_length 
)

Setter method for member m_priv_host.

Parameters
[in]priv_host_argNew user value for m_priv_host.
[in]priv_host_arg_lengthLength of "priv_host_arg" param.

◆ assign_priv_user()

void Security_context::assign_priv_user ( const char *  priv_user_arg,
const size_t  priv_user_arg_length 
)

Setter method for member m_priv_user.

Parameters
[in]priv_user_argNew user value for m_priv_user.
[in]priv_user_arg_lengthLength of "priv_user_arg" param.

◆ assign_proxy_user()

void Security_context::assign_proxy_user ( const char *  proxy_user_arg,
const size_t  proxy_user_arg_length 
)

Setter method for member m_proxy_user.

Parameters
[in]proxy_user_argNew user value for m_proxy_user.
[in]proxy_user_arg_lengthLength of "proxy_user_arg" param.

◆ assign_user()

void Security_context::assign_user ( const char *  user_arg,
const size_t  user_arg_length 
)

Setter method for member m_user.

Copies user_arg value to the m_user if it is not null else m_user is set to NULL.

Parameters
[in]user_argNew user value for m_user.
[in]user_arg_lengthLength of "user_arg" param.

◆ cache_current_db_access()

void Security_context::cache_current_db_access ( Access_bitmask  db_access)
inline

Cache the schema level effective privileges (apply roles first!) for the currently active schema.

◆ can_operate_with()

bool Security_context::can_operate_with ( const Auth_id auth_id,
const std::string &  privilege,
bool  cumulative = false,
bool  ignore_if_nonextant = true,
bool  throw_error = true 
)

Checks if the specified auth_id with privilege can work with the current_user.

If the auth_id has the specified privilege then current_user must also have the same privilege. Throws error is the auth_id has the privilege but current_user does not have it.

Parameters
[in]auth_idAuth_id that could represent either a user or a role
[in]privilegePrivilege to check for mismatch
[in]cumulativeFlag to decide how to check the privileges of auth_id false - privilege granted directly or set through a role true - privileges granted directly or coming through roles granted to it irrespective the roles are active or not.
[in]ignore_if_nonextantFlag to decide how to treat the non-existing auth_id. true - consider as privilege exists false - consider as privilege do not exist
[in]throw_errorFlag to decide if error needs to be thrown or not.
Return values
trueauth_id has the privilege but the current_auth does not, also throws error.
falseOtherwise

◆ change_security_context()

bool Security_context::change_security_context ( THD thd,
const LEX_CSTRING definer_user,
const LEX_CSTRING definer_host,
const char *  db,
Security_context **  backup,
bool  force = false 
)

Initialize this security context from the passed in credentials and activate it in the current thread.

Parameters
thdThread handle.
definer_useruser part of a 'definer' value.
definer_hosthost part of a 'definer' value.
dbDatabase name.
[out]backupSave a pointer to the current security context in the thread. In case of success it points to the saved old context, otherwise it points to NULL.
forceForce context switch
Note
The Security_context_factory should be used as a replacement to this function at every opportunity.

During execution of a statement, multiple security contexts may be needed:

  • the security context of the authenticated user, used as the default security context for all top-level statements
  • in case of a view or a stored program, possibly the security context of the definer of the routine, if the object is defined with SQL SECURITY DEFINER option.

The currently "active" security context is parameterized in THD member security_ctx. By default, after a connection is established, this member points at the "main" security context

  • the credentials of the authenticated user.

Later, if we would like to execute some sub-statement or a part of a statement under credentials of a different user, e.g. definer of a procedure, we authenticate this user in a local instance of Security_context by means of this method (and ultimately by means of acl_getroot), and make the local instance active in the thread by re-setting thd->m_security_ctx pointer.

Note, that the life cycle and memory management of the "main" and temporary security contexts are different. For the main security context, the memory for user/host/ip is allocated on system heap, and the THD class frees this memory in its destructor. The only case when contents of the main security context may change during its life time is when someone issued a CHANGE USER command. Memory management of a "temporary" security context is responsibility of the module that creates it.

Return values
trueThere is no user with the given credentials. The error is reported in the thread.
falsesuccess

◆ check_access()

bool Security_context::check_access ( Access_bitmask  want_access,
const std::string &  db_name = "",
bool  match_any = false 
)

Check permission against m_master_access.

Check global access

Parameters
want_accessThe required privileges
db_nameThe database name to check if it has restrictions attached
match_anyif the security context must match all or any of the req. privileges.
Returns
True if the security context fulfills the access requirements.

◆ check_db_level_access() [1/2]

Access_bitmask Security_context::check_db_level_access ( THD thd,
const char *  db,
size_t  db_len,
bool  db_is_pattern = false 
) const

Checks if any database level privileges are granted to the current session either directly or through active roles.

Parameters
[in]thdThread handler
[in]dbDatabase name
[in]db_lenDatabase name length
[in]db_is_patternFlag to treat db name as pattern
Returns
DB level privileges granted

◆ check_db_level_access() [2/2]

Access_bitmask Security_context::check_db_level_access ( THD thd,
const Security_context sctx,
const char *  host,
const char *  ip,
const char *  user,
const char *  db,
size_t  db_len,
bool  db_is_pattern = false 
)
static

Checks if any database level privileges are granted to the current session either directly or through active roles.

Parameters
[in]thdThread handler
[in]sctxSecurity context
[in]hostHost name
[in]ipIp
[in]userUser name
[in]dbDatabase name
[in]db_lenDatabase name length
[in]db_is_patternFlag to treat db name as pattern
Returns
DB level privileges granted

◆ check_in_local_temp_privs()

bool Security_context::check_in_local_temp_privs ( const std::string &  priv)

◆ checkout_access_maps()

void Security_context::checkout_access_maps ( void  )

Subscribes to a cache entry of aggregated ACLs.

A Security_context can only have one subscription at a time. If another one is requested, the former will be returned.

We do this subscription before execution of every statement(prepared or conventional) as the global acl version might have increased due to a grant/revoke or flush. Hence, the granularity of after effects of grant/revoke or flush due to roles is per statement.

◆ clear_active_roles()

void Security_context::clear_active_roles ( void  )

This helper method clears the active roles list and frees the allocated memory used for any previously activated roles.

◆ clear_db_restrictions()

void Security_context::clear_db_restrictions ( )
inline

◆ copy_security_ctx()

void Security_context::copy_security_ctx ( const Security_context src_sctx)
private

Deep copy status of sctx object to this.

Parameters
[in]src_sctxObject from which status should be copied.

◆ current_db_access()

Access_bitmask Security_context::current_db_access ( ) const
inline

Returns the schema level effective privileges (with applied roles) for the currently active schema.

◆ db_acl()

Access_bitmask Security_context::db_acl ( LEX_CSTRING  db,
bool  use_pattern_scan = true 
) const

Get grant information for given database.

Cached database access is split into two containers:

  1. Database names without wildcards
  2. Database names with wildcards

First we perform the exact name comprison. If that returns the result, all good.

Otherwise, we take a look at each db in second list and compare incoming database name against it. If patial_revokes is OFF, use_pattern_scan flag is passed to wild_compare. This would allow incoming database name like db1name to match against wild card db entry db_name/dbname.

Note
This function should not be used outside ACL subsystem code (sql/auth). Use check_db_level_access() instead.
Parameters
[in]dbName of the database
[in]use_pattern_scanFlag to treat database name as pattern
Returns
Access granted to user for given database

◆ destroy()

void Security_context::destroy ( )
private

◆ execute_drop_policy()

void Security_context::execute_drop_policy ( void  )

◆ external_user()

LEX_CSTRING Security_context::external_user ( ) const
inline

Getter method for member m_external_user.

Return values
LEX_CSTRINGobject having constant pointer to m_external_host.Ptr and its length

◆ fetch_global_grant()

std::pair< bool, bool > Security_context::fetch_global_grant ( const ACL_USER acl_user,
const std::string &  privilege,
bool  cumulative = false 
)
private

Checks if the acl_user does have the asked dynamic privilege.

This method assumes acl_cache_lock is already taken and ACL_USER is valid

Parameters
[in]acl_userACL_USER to check for privilege
[in]privilegeprivilege to check for
[in]cumulativeFlag to decide how to fetch the privileges of ACL_USER false - privilege granted directly or set through a role true - privileges granted directly or coming through roles granted to it irrespective the roles are active or not.
Returns
pair<has_privilege, has_with_grant_option>
Return values
<true, true>has required privilege with grant option
<true, false>has required privilege without grant option
<false, false>does not have the required privilege

◆ filter_access()

Access_bitmask Security_context::filter_access ( const Access_bitmask  access,
const std::string &  db_name 
) const
private

If there is a restriction attached to an access on the given database then remove that access otherwise return the access without any change.

Parameters
[in]accessaccess mask to be scanned to remove
[in]db_namedatabase to be searched in the restrictions
Return values
filteredaccess mask

◆ function_acl()

Access_bitmask Security_context::function_acl ( LEX_CSTRING  db,
LEX_CSTRING  procedure_name 
)

◆ get_active_roles() [1/2]

List_of_auth_id_refs * Security_context::get_active_roles ( void  )

◆ get_active_roles() [2/2]

void Security_context::get_active_roles ( THD thd,
List< LEX_USER > &  list 
)

Get sorted list of roles in LEX_USER format.

Parameters
[in]thdFor mem_root
[out]listList of active roles

◆ get_num_active_roles()

size_t Security_context::get_num_active_roles ( void  ) const

◆ get_thd()

THD * Security_context::get_thd ( )
inline

◆ has_account_assigned()

bool Security_context::has_account_assigned ( ) const
inline

Check if a an account has been assigned to the security context.

The account assignment to the security context is always executed in the following order: 1) assign user's name to the context 2) assign user's hostname to the context Whilst user name can be null, hostname cannot. This is why we can say that the full account has been assigned to the context when hostname is not equal to empty string.

Returns
Account assignment status
Return values
trueaccount has been assigned to the security context
falseaccount has not yet been assigned to the security context

◆ has_column_access()

bool Security_context::has_column_access ( Access_bitmask  priv,
TABLE const *  table,
std::vector< std::string >  columns 
)

Check if required access to given table column is granted.

Parameters
[in]privRequired access
[in]tableTable object
[in]columnsList of column names to check
Returns
access information
Return values
trueSuccess
falseFailure

◆ has_drop_policy()

bool Security_context::has_drop_policy ( void  )

◆ has_executed_drop_policy()

bool Security_context::has_executed_drop_policy ( void  )

◆ has_global_grant() [1/2]

std::pair< bool, bool > Security_context::has_global_grant ( const Auth_id auth_id,
const std::string &  privilege,
bool  cumulative = false 
)

Checks if the Auth_id have the asked dynamic privilege.

Parameters
[in]auth_idAuth_id that could represent either a user or a role
[in]privilegeprivilege to check for
[in]cumulativeFlag to decide how to fetch the privileges of ACL_USER false - privilege granted directly or set through a role true - privileges granted directly or coming through roles granted to it irrespective the roles are active or not.
Returns
pair<has_privilege, has_with_grant_option>
Return values
<true, true>has required privilege with grant option
<true, false>has required privilege without grant option
<false, false>does not have the required privilege, OR auth_id does not exist.

◆ has_global_grant() [2/2]

std::pair< bool, bool > Security_context::has_global_grant ( const char *  priv,
size_t  priv_len 
)

Checks if the Current_user has the asked dynamic privilege.

if the server is initializing the datadir, or current_user is –skip-grants-user then it returns that user has privilege with grant option.

Parameters
[in]privprivilege to check
[in]priv_lenlength of privilege
Returns
pair<has_privilege, has_with_grant_option>
Return values
<true, true>has required privilege with grant option
<true, false>has required privilege without grant option
<false, false>does not have the required privilege

◆ has_table_access()

bool Security_context::has_table_access ( Access_bitmask  priv,
Table_ref tables 
)
private

Check if required access to given table is granted.

Parameters
[in]privRequired access
[in,out]tablesTable list object
Returns
access information
Return values
trueSuccess
falseFailure

◆ has_with_admin_acl()

bool Security_context::has_with_admin_acl ( const LEX_CSTRING role_name,
const LEX_CSTRING role_host 
)

◆ host()

LEX_CSTRING Security_context::host ( ) const

Getter method for member m_host.

Return values
LEX_CSTRINGobject having constant pointer to m_host.Ptr and its length.

◆ host_or_ip()

LEX_CSTRING Security_context::host_or_ip ( ) const
inline

Getter method for member m_host_or_ip.

Return values
LEX_CSTRINGobject having constant pointer to m_host_or_ip.Ptr and its length

◆ init()

void Security_context::init ( )
private

◆ init_restrictions()

void Security_context::init_restrictions ( const Restrictions restrictions)
private

◆ ip()

LEX_CSTRING Security_context::ip ( ) const

Getter method for member m_ip.

Return values
LEX_CSTRINGobject having constant pointer to m_ip.Ptr and its length

◆ is_access_restricted_on_db()

bool Security_context::is_access_restricted_on_db ( Access_bitmask  want_access,
const std::string &  db_name 
) const

◆ is_in_registration_sandbox_mode()

bool Security_context::is_in_registration_sandbox_mode ( )
inline

◆ is_skip_grants_user()

bool Security_context::is_skip_grants_user ( )
inline

◆ is_table_blocked()

bool Security_context::is_table_blocked ( Access_bitmask  priv,
TABLE const *  table 
)

Check if required access to given table is not restricted.

Parameters
[in]privRequired access
[in,out]tableTable object
Returns
access information
Return values
trueAccess to the table is blocked
falseAccess to the table is not blocked

◆ lock_account()

void Security_context::lock_account ( bool  is_locked)
inline

◆ logout()

void Security_context::logout ( )

◆ master_access() [1/2]

Access_bitmask Security_context::master_access ( ) const
inline

Getter method for member m_master_access.

◆ master_access() [2/2]

Access_bitmask Security_context::master_access ( const std::string &  db_name) const

◆ operator=()

Security_context & Security_context::operator= ( const Security_context src_sctx)

◆ password_expired()

bool Security_context::password_expired ( ) const
inline

Getter method for member m_password_expired.

◆ priv_host()

LEX_CSTRING Security_context::priv_host ( ) const

Getter method for member m_priv_host.

Return values
LEX_CSTRINGobject having constant pointer to m_priv_host.Ptr and its length

◆ priv_host_name()

const char * Security_context::priv_host_name ( ) const
inline

◆ priv_user()

LEX_CSTRING Security_context::priv_user ( ) const

Getter method for member m_priv_user.

Return values
LEX_CSTRINGobject having constant pointer to m_priv_user.Ptr and its length

◆ procedure_acl()

Access_bitmask Security_context::procedure_acl ( LEX_CSTRING  db,
LEX_CSTRING  procedure_name 
)

◆ proxy_user()

LEX_CSTRING Security_context::proxy_user ( ) const

Getter method for member m_proxy_user.

Return values
LEX_CSTRINGobject having constant pointer to m_proxy_user.Ptr and its length

◆ restore_security_context()

void Security_context::restore_security_context ( THD thd,
Security_context backup 
)

◆ restrictions()

const Restrictions Security_context::restrictions ( ) const
inline

◆ set_drop_policy()

void Security_context::set_drop_policy ( const std::function< void(Security_context *)> &  func)

◆ set_external_user_ptr()

void Security_context::set_external_user_ptr ( const char *  ext_user_arg,
const int  ext_user_arg_length 
)

Setter method for member m_external_user.

Function just sets the ext_user_arg pointer to the m_external_user, ext_user_arg is not copied.

Parameters
[in]ext_user_argNew user value for m_external_user.
[in]ext_user_arg_lengthLength of "ext_user_arg" param.

◆ set_host_or_ip_ptr() [1/2]

void Security_context::set_host_or_ip_ptr ( )
inline

Setter method for member m_host_or_ip.

◆ set_host_or_ip_ptr() [2/2]

void Security_context::set_host_or_ip_ptr ( const char *  host_or_ip_arg,
const int  host_or_ip_arg_length 
)
inline

Setter method for member m_host_or_ip.

Parameters
[in]host_or_ip_argNew user value for m_host_or_ip.
[in]host_or_ip_arg_lengthLength of "host_or_ip_arg" param.

◆ set_host_ptr()

void Security_context::set_host_ptr ( const char *  host_arg,
const size_t  host_arg_length 
)

Setter method for member m_host.

Function just sets the host_arg pointer value to the m_host, host_arg value is not copied. host_arg value must not be NULL.

Parameters
[in]host_argNew user value for m_host.
[in]host_arg_lengthLength of "host_arg" param.

◆ set_ip_ptr()

void Security_context::set_ip_ptr ( const char *  ip_arg,
const int  ip_arg_length 
)

Setter method for member m_ip.

Function just sets the ip_arg pointer value to the m_ip, ip_arg value is not copied.

Parameters
[in]ip_argNew user value for m_ip.
[in]ip_arg_lengthLength of "ip_arg" param.

◆ set_master_access() [1/2]

void Security_context::set_master_access ( Access_bitmask  master_access)
inline

◆ set_master_access() [2/2]

void Security_context::set_master_access ( Access_bitmask  master_access,
const Restrictions restrictions 
)
inline

◆ set_password_expired()

void Security_context::set_password_expired ( bool  password_expired)
inline

◆ set_registration_sandbox_mode()

void Security_context::set_registration_sandbox_mode ( bool  v)
inline

◆ set_thd()

void Security_context::set_thd ( THD thd)
inline

◆ set_user_ptr()

void Security_context::set_user_ptr ( const char *  user_arg,
const size_t  user_arg_length 
)

Setter method for member m_user.

Function just sets the user_arg pointer value to the m_user, user_arg value is not copied.

Parameters
[in]user_argNew user value for m_user.
[in]user_arg_lengthLength of "user_arg" param.

◆ skip_grants()

void Security_context::skip_grants ( const char *  user = "skip-grants user",
const char *  host = "skip-grants host" 
)

Grants all privilegs to user.

Sets the user and host name of privilege user.

Parameters
[in]userUser name for current_user to set. Default value is "skip-grants user"
[in]hostHost name for the current user to set. Default value is "skip-grants host"

◆ table_acl()

Access_bitmask Security_context::table_acl ( LEX_CSTRING  db,
LEX_CSTRING  table 
)

◆ table_and_column_acls()

Grant_table_aggregate Security_context::table_and_column_acls ( LEX_CSTRING  db,
LEX_CSTRING  table 
)

◆ user()

LEX_CSTRING Security_context::user ( ) const

Getter method for member m_user.

Return values
LEX_CSTRINGobject having constant pointer to m_user.Ptr and its length.

◆ user_matches()

bool Security_context::user_matches ( Security_context them)

Member Data Documentation

◆ m_acl_map

Acl_map* Security_context::m_acl_map
private

◆ m_active_roles

List_of_auth_id_refs Security_context::m_active_roles
private

◆ m_db_access

Access_bitmask Security_context::m_db_access
private

Privileges for current db.

◆ m_drop_policy

std::unique_ptr<std::function<void(Security_context *)> > Security_context::m_drop_policy
private

◆ m_executed_drop_policy

bool Security_context::m_executed_drop_policy
private

◆ m_external_user

String Security_context::m_external_user
private

◆ m_has_drop_policy

bool Security_context::m_has_drop_policy
private

◆ m_host

String Security_context::m_host
private

m_host - host of the client

◆ m_host_or_ip

String Security_context::m_host_or_ip
private

m_host_or_ip - points to host if host is available, otherwise points to ip

◆ m_ip

String Security_context::m_ip
private

m_ip - client IP

◆ m_is_locked

bool Security_context::m_is_locked
private

True if this account can't be logged into.

◆ m_is_skip_grants_user

bool Security_context::m_is_skip_grants_user
private

True if the skip_grants_user is set.

◆ m_master_access

Access_bitmask Security_context::m_master_access
private

Global privileges from mysql.user.

◆ m_password_expired

bool Security_context::m_password_expired
private

password expiration flag.

This flag is set according to connecting user's context and not the effective user.

◆ m_priv_host

char Security_context::m_priv_host[HOSTNAME_LENGTH+1]
private

The host privilege we are using.

◆ m_priv_host_length

size_t Security_context::m_priv_host_length
private

◆ m_priv_user

char Security_context::m_priv_user[USERNAME_LENGTH]
private

m_priv_user - The user privilege we are using.

May be "" for anonymous user.

◆ m_priv_user_length

size_t Security_context::m_priv_user_length
private

◆ m_proxy_user

char Security_context::m_proxy_user[USERNAME_LENGTH+HOSTNAME_LENGTH+6]
private

◆ m_proxy_user_length

size_t Security_context::m_proxy_user_length
private

◆ m_registration_sandbox_mode

bool Security_context::m_registration_sandbox_mode
private

This flag tracks if server should be in sandbox mode or not.

When user account connects to server, with any of its authentication plugin's registration step pending, in that case, the connection is set in sandbox(or registration) mode i.e m_registration_sandbox_mode is set to TRUE. During this time only ALTER USER, SET PASSWORD statements are allowed. Once user finishes the registration steps for the authentication plugin via an ALTER USER statement, m_registration_sandbox_mode is set to FALSE, making a full fledged connection, where user can execute any sql statement.

◆ m_restrictions

Restrictions Security_context::m_restrictions
private

◆ m_thd

THD* Security_context::m_thd
private

m_thd - Thread handle, set to nullptr if this does not belong to any THD yet

◆ m_user

String Security_context::m_user
private

m_user - user of the client, set to NULL until the user has been read from the connection


The documentation for this class was generated from the following files: