MySQL  8.0.27
Source Code Documentation
auth_acls.h
Go to the documentation of this file.
1 /* Copyright (c) 2000, 2021, Oracle and/or its affiliates.
2 
3  This program is free software; you can redistribute it and/or modify
4  it under the terms of the GNU General Public License, version 2.0,
5  as published by the Free Software Foundation.
6 
7  This program is also distributed with certain software (including
8  but not limited to OpenSSL) that is licensed under separate terms,
9  as designated in a particular file or component or in included license
10  documentation. The authors of MySQL hereby grant you an additional
11  permission to link the program and your derivative works with the
12  separately licensed software that they have included with MySQL.
13 
14  This program is distributed in the hope that it will be useful,
15  but WITHOUT ANY WARRANTY; without even the implied warranty of
16  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  GNU General Public License, version 2.0, for more details.
18 
19  You should have received a copy of the GNU General Public License
20  along with this program; if not, write to the Free Software
21  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22 #ifndef AUTH_ACLS_INCLUDED
23 #define AUTH_ACLS_INCLUDED
24 
25 #include <string>
26 #include <unordered_map>
27 #include <vector>
28 
29 /* Total Number of ACLs present in mysql.user */
30 #define NUM_ACLS 31
31 
32 #define SELECT_ACL (1L << 0)
33 #define INSERT_ACL (1L << 1)
34 #define UPDATE_ACL (1L << 2)
35 #define DELETE_ACL (1L << 3)
36 #define CREATE_ACL (1L << 4)
37 #define DROP_ACL (1L << 5)
38 #define RELOAD_ACL (1L << 6)
39 #define SHUTDOWN_ACL (1L << 7)
40 #define PROCESS_ACL (1L << 8)
41 #define FILE_ACL (1L << 9)
42 /** Set to true by both
43  GRANT GRANT OPTION ... TO ...
44 and
45  GRANT ... TO ... WITH GRANT OPTION
46 
47  Stored into the relevant column in the priv tables for static privileges.
48  And into the the GRANT_OPTION column for dynamic privilege grants.
49  Note that, once granted GRANT_OPTION applies to all static privs on the
50  same level, i.e. the following:
51  GRANT SELECT ON *.* TO foo;
52  GRANT INSERT ON *.* TO foo WITH GRANT OPTION;
53  is equivalent to:
54  GRANT SELECT,INSERT ON *.* TO foo WITH GRANT OPTION;
55  And is also equivalent to
56  GRANT SELECT,INSERT, GRANT OPTION ON *.* TO foo;
57 
58  @sa @ref LEX::grant_privilege
59 */
60 #define GRANT_ACL (1L << 10)
61 #define REFERENCES_ACL (1L << 11)
62 #define INDEX_ACL (1L << 12)
63 #define ALTER_ACL (1L << 13)
64 #define SHOW_DB_ACL (1L << 14)
65 #define SUPER_ACL (1L << 15)
66 #define CREATE_TMP_ACL (1L << 16)
67 #define LOCK_TABLES_ACL (1L << 17)
68 #define EXECUTE_ACL (1L << 18)
69 #define REPL_SLAVE_ACL (1L << 19)
70 #define REPL_CLIENT_ACL (1L << 20)
71 #define CREATE_VIEW_ACL (1L << 21)
72 #define SHOW_VIEW_ACL (1L << 22)
73 #define CREATE_PROC_ACL (1L << 23)
74 #define ALTER_PROC_ACL (1L << 24)
75 #define CREATE_USER_ACL (1L << 25)
76 #define EVENT_ACL (1L << 26)
77 #define TRIGGER_ACL (1L << 27)
78 #define CREATE_TABLESPACE_ACL (1L << 28)
79 #define CREATE_ROLE_ACL (1L << 29)
80 #define DROP_ROLE_ACL (1L << 30)
81 /*
82  don't forget to update
83  1. static struct show_privileges_st sys_privileges[]
84  2. static const char *command_array[] and static uint command_lengths[]
85  3. mysql_system_tables.sql and mysql_system_tables_fix.sql
86  4. acl_init() or whatever - to define behaviour for old privilege tables
87  5. sql_yacc.yy - for GRANT/REVOKE to work
88  6. global_privileges map and vector
89 */
90 
91 #define NO_ACCESS (1L << 31)
92 
93 /**
94  Privileges to perform database related operations.
95  Use this macro over DB_ACLS unless there is real need to use
96  additional privileges present in the DB_ACLS
97 */
98 #define DB_OP_ACLS \
99  (UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
100  REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_TMP_ACL | LOCK_TABLES_ACL | \
101  EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \
102  ALTER_PROC_ACL | EVENT_ACL | TRIGGER_ACL)
103 
104 /**
105  Privileges to perform table related operations.
106  Use this macro over TABLE_ACLS unless there is real need to use
107  additional privileges present in the DB_ACLS
108 */
109 #define TABLE_OP_ACLS \
110  (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
111  REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
112  TRIGGER_ACL)
113 
114 /**
115  Privileges to modify or execute stored procedures.
116  Use this macro over PROC_ACLS unless there is real need to use
117  additional privileges present in the PROC_ACLS
118 */
119 #define PROC_OP_ACLS (ALTER_PROC_ACL | EXECUTE_ACL)
120 
121 /**
122  Represents all privileges which could be granted to users at DB-level. It
123  essentially represents all the privileges present in the mysql.db table.
124 */
125 #define DB_ACLS (DB_OP_ACLS | GRANT_ACL)
126 
127 /**
128  Represents all privileges which could be granted to users at table-level. It
129  essentially represents all the privileges present in the mysql.tables_priv
130  table.
131 */
132 #define TABLE_ACLS (TABLE_OP_ACLS | GRANT_ACL)
133 
134 /**
135  Represents all privileges which could be granted to users at column-level. It
136  essentially represents all the privileges present in the columns_priv table.
137 */
138 #define COL_ACLS (SELECT_ACL | INSERT_ACL | UPDATE_ACL | REFERENCES_ACL)
139 
140 /**
141  Represents all privileges which could be granted to users for stored
142  procedures. It essentially represents all the privileges present in the
143  mysql.procs_priv table.
144 */
145 #define PROC_ACLS (PROC_OP_ACLS | GRANT_ACL)
146 
147 /**
148  Represents all privileges which are required to show the stored procedure.
149 */
150 #define SHOW_PROC_ACLS (PROC_OP_ACLS | CREATE_PROC_ACL)
151 
152 /**
153  Represents all privileges which could be granted to users globally.
154  It essentially represents all the privileges present in the mysql.user table
155 */
156 #define GLOBAL_ACLS \
157  (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
158  RELOAD_ACL | SHUTDOWN_ACL | PROCESS_ACL | FILE_ACL | GRANT_ACL | \
159  REFERENCES_ACL | INDEX_ACL | ALTER_ACL | SHOW_DB_ACL | SUPER_ACL | \
160  CREATE_TMP_ACL | LOCK_TABLES_ACL | REPL_SLAVE_ACL | REPL_CLIENT_ACL | \
161  EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \
162  ALTER_PROC_ACL | CREATE_USER_ACL | EVENT_ACL | TRIGGER_ACL | \
163  CREATE_TABLESPACE_ACL | CREATE_ROLE_ACL | DROP_ROLE_ACL)
164 
165 #define DEFAULT_CREATE_PROC_ACLS (ALTER_PROC_ACL | EXECUTE_ACL)
166 
167 /**
168  Table-level privileges which are automatically "granted" to everyone on
169  existing temporary tables (CREATE_ACL is necessary for ALTER ... RENAME).
170 */
171 #define TMP_TABLE_ACLS \
172  (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
173  INDEX_ACL | ALTER_ACL)
174 
175 /*
176  Defines to change the above bits to how things are stored in tables
177  This is needed as the 'host' and 'db' table is missing a few privileges
178 */
179 
180 /* Privileges that needs to be reallocated (in continous chunks) */
181 #define DB_CHUNK0 \
182  (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL)
183 #define DB_CHUNK1 (GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL)
184 #define DB_CHUNK2 (CREATE_TMP_ACL | LOCK_TABLES_ACL)
185 #define DB_CHUNK3 \
186  (CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | ALTER_PROC_ACL)
187 #define DB_CHUNK4 (EXECUTE_ACL)
188 #define DB_CHUNK5 (EVENT_ACL | TRIGGER_ACL)
189 
190 #define fix_rights_for_db(A) \
191  (((A)&DB_CHUNK0) | (((A) << 4) & DB_CHUNK1) | (((A) << 6) & DB_CHUNK2) | \
192  (((A) << 9) & DB_CHUNK3) | (((A) << 2) & DB_CHUNK4)) | \
193  (((A) << 9) & DB_CHUNK5)
194 #define get_rights_for_db(A) \
195  (((A)&DB_CHUNK0) | (((A)&DB_CHUNK1) >> 4) | (((A)&DB_CHUNK2) >> 6) | \
196  (((A)&DB_CHUNK3) >> 9) | (((A)&DB_CHUNK4) >> 2)) | \
197  (((A)&DB_CHUNK5) >> 9)
198 #define TBL_CHUNK0 DB_CHUNK0
199 #define TBL_CHUNK1 DB_CHUNK1
200 #define TBL_CHUNK2 (CREATE_VIEW_ACL | SHOW_VIEW_ACL)
201 #define TBL_CHUNK3 TRIGGER_ACL
202 #define fix_rights_for_table(A) \
203  (((A)&TBL_CHUNK0) | (((A) << 4) & TBL_CHUNK1) | (((A) << 11) & TBL_CHUNK2) | \
204  (((A) << 15) & TBL_CHUNK3))
205 #define get_rights_for_table(A) \
206  (((A)&TBL_CHUNK0) | (((A)&TBL_CHUNK1) >> 4) | (((A)&TBL_CHUNK2) >> 11) | \
207  (((A)&TBL_CHUNK3) >> 15))
208 #define fix_rights_for_column(A) (((A)&7) | (((A) & ~7) << 8))
209 #define get_rights_for_column(A) (((A)&7) | ((A) >> 8))
210 #define fix_rights_for_procedure(A) \
211  ((((A) << 18) & EXECUTE_ACL) | (((A) << 23) & ALTER_PROC_ACL) | \
212  (((A) << 8) & GRANT_ACL))
213 #define get_rights_for_procedure(A) \
214  ((((A)&EXECUTE_ACL) >> 18) | (((A)&ALTER_PROC_ACL) >> 23) | \
215  (((A)&GRANT_ACL) >> 8))
216 
217 extern const std::vector<std::string> global_acls_vector;
218 extern const std::unordered_map<std::string, int> global_acls_map;
219 
220 #endif /* AUTH_ACLS_INCLUDED */
const std::unordered_map< std::string, int > global_acls_map
Bitmap offsets for static privileges.
Definition: auth_acls.cc:95
const std::vector< std::string > global_acls_vector
Consts for static privileges.
Definition: auth_acls.cc:61