MySQL 9.3.0
Source Code Documentation
All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Modules Pages Concepts
auth_acls.h
Go to the documentation of this file.
1/* Copyright (c) 2000, 2025, Oracle and/or its affiliates.
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License, version 2.0,
5 as published by the Free Software Foundation.
6
7 This program is designed to work with certain software (including
8 but not limited to OpenSSL) that is licensed under separate terms,
9 as designated in a particular file or component or in included license
10 documentation. The authors of MySQL hereby grant you an additional
11 permission to link the program and your derivative works with the
12 separately licensed software that they have either included with
13 the program or referenced in the documentation.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License, version 2.0, for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
23#ifndef AUTH_ACLS_INCLUDED
24#define AUTH_ACLS_INCLUDED
25
26#include <cstdint>
27#include <string>
28#include <unordered_map>
29#include <vector>
30
31/* Total Number of ACLs present in mysql.user */
32#define NUM_ACLS 31
33
34typedef uint32_t Access_bitmask;
35
36#define SELECT_ACL ((Access_bitmask)1 << 0)
37#define INSERT_ACL ((Access_bitmask)1 << 1)
38#define UPDATE_ACL ((Access_bitmask)1 << 2)
39#define DELETE_ACL ((Access_bitmask)1 << 3)
40#define CREATE_ACL ((Access_bitmask)1 << 4)
41#define DROP_ACL ((Access_bitmask)1 << 5)
42#define RELOAD_ACL ((Access_bitmask)1 << 6)
43#define SHUTDOWN_ACL ((Access_bitmask)1 << 7)
44#define PROCESS_ACL ((Access_bitmask)1 << 8)
45#define FILE_ACL ((Access_bitmask)1 << 9)
46/** Set to true by both
47 GRANT GRANT OPTION ... TO ...
48and
49 GRANT ... TO ... WITH GRANT OPTION
50
51 Stored into the relevant column in the priv tables for static privileges.
52 And into the the GRANT_OPTION column for dynamic privilege grants.
53 Note that, once granted GRANT_OPTION applies to all static privs on the
54 same level, i.e. the following:
55 GRANT SELECT ON *.* TO foo;
56 GRANT INSERT ON *.* TO foo WITH GRANT OPTION;
57 is equivalent to:
58 GRANT SELECT,INSERT ON *.* TO foo WITH GRANT OPTION;
59 And is also equivalent to
60 GRANT SELECT,INSERT, GRANT OPTION ON *.* TO foo;
61
62 @sa @ref LEX::grant_privilege
63*/
64#define GRANT_ACL ((Access_bitmask)1 << 10)
65#define REFERENCES_ACL ((Access_bitmask)1 << 11)
66#define INDEX_ACL ((Access_bitmask)1 << 12)
67#define ALTER_ACL ((Access_bitmask)1 << 13)
68#define SHOW_DB_ACL ((Access_bitmask)1 << 14)
69#define SUPER_ACL ((Access_bitmask)1 << 15)
70#define CREATE_TMP_ACL ((Access_bitmask)1 << 16)
71#define LOCK_TABLES_ACL ((Access_bitmask)1 << 17)
72#define EXECUTE_ACL ((Access_bitmask)1 << 18)
73#define REPL_SLAVE_ACL ((Access_bitmask)1 << 19)
74#define REPL_CLIENT_ACL ((Access_bitmask)1 << 20)
75#define CREATE_VIEW_ACL ((Access_bitmask)1 << 21)
76#define SHOW_VIEW_ACL ((Access_bitmask)1 << 22)
77#define CREATE_PROC_ACL ((Access_bitmask)1 << 23)
78#define ALTER_PROC_ACL ((Access_bitmask)1 << 24)
79#define CREATE_USER_ACL ((Access_bitmask)1 << 25)
80#define EVENT_ACL ((Access_bitmask)1 << 26)
81#define TRIGGER_ACL ((Access_bitmask)1 << 27)
82#define CREATE_TABLESPACE_ACL ((Access_bitmask)1 << 28)
83#define CREATE_ROLE_ACL ((Access_bitmask)1 << 29)
84#define DROP_ROLE_ACL ((Access_bitmask)1 << 30)
85/*
86 don't forget to update
87 1. static struct show_privileges_st sys_privileges[]
88 2. static const char *command_array[] and static uint command_lengths[]
89 3. mysql_system_tables.sql and mysql_system_tables_fix.sql
90 4. acl_init() or whatever - to define behaviour for old privilege tables
91 5. sql_yacc.yy - for GRANT/REVOKE to work
92 6. global_privileges map and vector
93*/
94
95#define NO_ACCESS ((Access_bitmask)1 << NUM_ACLS)
96#define ALL_ACCESS (NO_ACCESS - 1)
97
98/**
99 Privileges to perform database related operations.
100 Use this macro over DB_ACLS unless there is real need to use
101 additional privileges present in the DB_ACLS
102*/
103#define DB_OP_ACLS \
104 (UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
105 REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_TMP_ACL | LOCK_TABLES_ACL | \
106 EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \
107 ALTER_PROC_ACL | EVENT_ACL | TRIGGER_ACL)
108
109/**
110 Privileges to perform table related operations.
111 Use this macro over TABLE_ACLS unless there is real need to use
112 additional privileges present in the DB_ACLS
113*/
114#define TABLE_OP_ACLS \
115 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
116 REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
117 TRIGGER_ACL)
118
119/**
120 Privileges to modify or execute stored procedures.
121 Use this macro over PROC_ACLS unless there is real need to use
122 additional privileges present in the PROC_ACLS
123*/
124#define PROC_OP_ACLS (ALTER_PROC_ACL | EXECUTE_ACL)
125
126/**
127 Represents all privileges which could be granted to users at DB-level. It
128 essentially represents all the privileges present in the mysql.db table.
129*/
130#define DB_ACLS (DB_OP_ACLS | GRANT_ACL)
131
132/**
133 Represents all privileges which could be granted to users at table-level. It
134 essentially represents all the privileges present in the mysql.tables_priv
135 table.
136*/
137#define TABLE_ACLS (TABLE_OP_ACLS | GRANT_ACL)
138
139/**
140 Represents all privileges which could be granted to users at column-level. It
141 essentially represents all the privileges present in the columns_priv table.
142*/
143#define COL_ACLS (SELECT_ACL | INSERT_ACL | UPDATE_ACL | REFERENCES_ACL)
144
145/**
146 Represents all privileges which could be granted to users for stored
147 procedures. It essentially represents all the privileges present in the
148 mysql.procs_priv table.
149*/
150#define PROC_ACLS (PROC_OP_ACLS | GRANT_ACL)
151
152/**
153 Represents all privileges which are required to show the stored procedure.
154*/
155#define SHOW_PROC_ACLS (PROC_OP_ACLS | CREATE_PROC_ACL)
156
157/**
158 Represents all privileges which could be granted to users globally.
159 It essentially represents all the privileges present in the mysql.user table
160*/
161#define GLOBAL_ACLS \
162 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
163 RELOAD_ACL | SHUTDOWN_ACL | PROCESS_ACL | FILE_ACL | GRANT_ACL | \
164 REFERENCES_ACL | INDEX_ACL | ALTER_ACL | SHOW_DB_ACL | SUPER_ACL | \
165 CREATE_TMP_ACL | LOCK_TABLES_ACL | REPL_SLAVE_ACL | REPL_CLIENT_ACL | \
166 EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \
167 ALTER_PROC_ACL | CREATE_USER_ACL | EVENT_ACL | TRIGGER_ACL | \
168 CREATE_TABLESPACE_ACL | CREATE_ROLE_ACL | DROP_ROLE_ACL)
169
170#define DEFAULT_CREATE_PROC_ACLS (ALTER_PROC_ACL | EXECUTE_ACL)
171
172/**
173 Table-level privileges which are automatically "granted" to everyone on
174 existing temporary tables (CREATE_ACL is necessary for ALTER ... RENAME).
175*/
176#define TMP_TABLE_ACLS \
177 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
178 INDEX_ACL | ALTER_ACL)
179
180/*
181 Defines to change the above bits to how things are stored in tables
182 This is needed as the 'host' and 'db' table is missing a few privileges
183*/
184
185/* Privileges that need to be reallocated (in continuous chunks) */
186#define DB_CHUNK0 \
187 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL)
188#define DB_CHUNK1 (GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL)
189#define DB_CHUNK2 (CREATE_TMP_ACL | LOCK_TABLES_ACL)
190#define DB_CHUNK3 \
191 (CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | ALTER_PROC_ACL)
192#define DB_CHUNK4 (EXECUTE_ACL)
193#define DB_CHUNK5 (EVENT_ACL | TRIGGER_ACL)
194
195#define fix_rights_for_db(A) \
196 (((A)&DB_CHUNK0) | (((A) << 4) & DB_CHUNK1) | (((A) << 6) & DB_CHUNK2) | \
197 (((A) << 9) & DB_CHUNK3) | (((A) << 2) & DB_CHUNK4)) | \
198 (((A) << 9) & DB_CHUNK5)
199#define get_rights_for_db(A) \
200 (((A)&DB_CHUNK0) | (((A)&DB_CHUNK1) >> 4) | (((A)&DB_CHUNK2) >> 6) | \
201 (((A)&DB_CHUNK3) >> 9) | (((A)&DB_CHUNK4) >> 2)) | \
202 (((A)&DB_CHUNK5) >> 9)
203#define TBL_CHUNK0 DB_CHUNK0
204#define TBL_CHUNK1 DB_CHUNK1
205#define TBL_CHUNK2 (CREATE_VIEW_ACL | SHOW_VIEW_ACL)
206#define TBL_CHUNK3 TRIGGER_ACL
207#define fix_rights_for_table(A) \
208 (((A)&TBL_CHUNK0) | (((A) << 4) & TBL_CHUNK1) | (((A) << 11) & TBL_CHUNK2) | \
209 (((A) << 15) & TBL_CHUNK3))
210#define get_rights_for_table(A) \
211 (((A)&TBL_CHUNK0) | (((A)&TBL_CHUNK1) >> 4) | (((A)&TBL_CHUNK2) >> 11) | \
212 (((A)&TBL_CHUNK3) >> 15))
213#define fix_rights_for_column(A) (((A)&7) | (((A) & ~7) << 8))
214#define get_rights_for_column(A) (((A)&7) | ((A) >> 8))
215#define fix_rights_for_procedure(A) \
216 ((((A) << 18) & EXECUTE_ACL) | (((A) << 23) & ALTER_PROC_ACL) | \
217 (((A) << 8) & GRANT_ACL))
218#define get_rights_for_procedure(A) \
219 ((((A)&EXECUTE_ACL) >> 18) | (((A)&ALTER_PROC_ACL) >> 23) | \
220 (((A)&GRANT_ACL) >> 8))
221
222extern const std::vector<std::string> global_acls_vector;
223extern const std::unordered_map<std::string, int> global_acls_map;
224
225#endif /* AUTH_ACLS_INCLUDED */
global_acls_map
const std::unordered_map< std::string, int > global_acls_map
Bitmap offsets for static privileges.
Definition: auth_acls.cc:96
Access_bitmask
uint32_t Access_bitmask
Definition: auth_acls.h:34
global_acls_vector
const std::vector< std::string > global_acls_vector
Consts for static privileges.
Definition: auth_acls.cc:62