MySQL  8.0.16
Source Code Documentation
auth_common.h File Reference
#include <stddef.h>
#include <sys/types.h>
#include <functional>
#include <memory>
#include <set>
#include <utility>
#include <vector>
#include "lex_string.h"
#include "my_command.h"
#include "my_dbug.h"
#include "my_inttypes.h"
#include "template_utils.h"

Go to the source code of this file.

Classes

class  List< T >
 
class  ACL_internal_table_access
 Per internal table ACL access rules. More...
 
class  ACL_internal_schema_access
 Per internal schema ACL access rules. More...
 
class  ACL_internal_schema_registry
 A registry for per internal schema ACL. More...
 
class  IS_internal_schema_access
 Extension of ACL_internal_schema_access for Information Schema. More...
 
class  User_table_schema
 
class  User_table_current_schema
 
class  User_table_old_schema
 
class  User_table_schema_factory
 
struct  Security_context_policy
 
class  Create_authid< Derived >
 
class  Grant_privileges< Derived >
 
class  Security_context_factory
 Factory for creating any Security_context given a pre-constructed policy. More...
 
class  Default_local_authid
 
class  Grant_temporary_dynamic_privileges
 Grant the privilege temporarily to the in-memory global privleges map. More...
 
class  Drop_temporary_dynamic_privileges
 
class  Grant_temporary_static_privileges
 
class  Auth_id
 Storage container for default auth ids. More...
 

Namespaces

 consts
 

Macros

#define NONE_ATTR   0L
 
#define DEFAULT_AUTH_ATTR   (1L << 0) /* update defaults auth */
 
#define PLUGIN_ATTR   (1L << 1) /* update plugin */
 
#define SSL_ATTR   (1L << 2) /* ex: SUBJECT,CIPHER.. */
 
#define RESOURCE_ATTR   (1L << 3) /* ex: MAX_QUERIES_PER_HOUR.. */
 
#define PASSWORD_EXPIRE_ATTR   (1L << 4) /* update password expire col */
 
#define ACCESS_RIGHTS_ATTR   (1L << 5) /* update privileges */
 
#define ACCOUNT_LOCK_ATTR   (1L << 6) /* update account lock status */
 
#define DIFFERENT_PLUGIN_ATTR   (1L << 7) /* updated plugin with a different value */
 
#define USER_ATTRIBUTES   (1L << 8) /* Request to update user attributes */
 
#define DEFAULT_SSL_CA_CERT   "ca.pem"
 
#define DEFAULT_SSL_CA_KEY   "ca-key.pem"
 
#define DEFAULT_SSL_SERVER_CERT   "server-cert.pem"
 
#define DEFAULT_SSL_SERVER_KEY   "server-key.pem"
 

Typedefs

typedef struct user_conn USER_CONN
 
typedef std::pair< LEX_CSTRING, LEX_CSTRINGAuth_id_ref
 user, host tuple which reference either acl_cache or g_default_roles More...
 
typedef std::vector< Auth_id_refList_of_auth_id_refs
 
typedef enum ssl_artifacts_status ssl_artifacts_status
 
typedef std::function< bool(Security_context *, Security_context_policy::Operation)> Security_context_functor
 
template<typename T >
using Sctx_ptr = std::unique_ptr< T, std::function< void(T *)> >
 
using Role_id = Auth_id
 

Enumerations

enum  ACL_internal_access_result { ACL_INTERNAL_ACCESS_GRANTED, ACL_INTERNAL_ACCESS_DENIED, ACL_INTERNAL_ACCESS_CHECK_GRANT }
 
enum  mysql_db_table_field {
  MYSQL_DB_FIELD_HOST = 0, MYSQL_DB_FIELD_DB, MYSQL_DB_FIELD_USER, MYSQL_DB_FIELD_SELECT_PRIV,
  MYSQL_DB_FIELD_INSERT_PRIV, MYSQL_DB_FIELD_UPDATE_PRIV, MYSQL_DB_FIELD_DELETE_PRIV, MYSQL_DB_FIELD_CREATE_PRIV,
  MYSQL_DB_FIELD_DROP_PRIV, MYSQL_DB_FIELD_GRANT_PRIV, MYSQL_DB_FIELD_REFERENCES_PRIV, MYSQL_DB_FIELD_INDEX_PRIV,
  MYSQL_DB_FIELD_ALTER_PRIV, MYSQL_DB_FIELD_CREATE_TMP_TABLE_PRIV, MYSQL_DB_FIELD_LOCK_TABLES_PRIV, MYSQL_DB_FIELD_CREATE_VIEW_PRIV,
  MYSQL_DB_FIELD_SHOW_VIEW_PRIV, MYSQL_DB_FIELD_CREATE_ROUTINE_PRIV, MYSQL_DB_FIELD_ALTER_ROUTINE_PRIV, MYSQL_DB_FIELD_EXECUTE_PRIV,
  MYSQL_DB_FIELD_EVENT_PRIV, MYSQL_DB_FIELD_TRIGGER_PRIV, MYSQL_DB_FIELD_COUNT
}
 
enum  mysql_user_table_field {
  MYSQL_USER_FIELD_HOST = 0, MYSQL_USER_FIELD_USER, MYSQL_USER_FIELD_SELECT_PRIV, MYSQL_USER_FIELD_INSERT_PRIV,
  MYSQL_USER_FIELD_UPDATE_PRIV, MYSQL_USER_FIELD_DELETE_PRIV, MYSQL_USER_FIELD_CREATE_PRIV, MYSQL_USER_FIELD_DROP_PRIV,
  MYSQL_USER_FIELD_RELOAD_PRIV, MYSQL_USER_FIELD_SHUTDOWN_PRIV, MYSQL_USER_FIELD_PROCESS_PRIV, MYSQL_USER_FIELD_FILE_PRIV,
  MYSQL_USER_FIELD_GRANT_PRIV, MYSQL_USER_FIELD_REFERENCES_PRIV, MYSQL_USER_FIELD_INDEX_PRIV, MYSQL_USER_FIELD_ALTER_PRIV,
  MYSQL_USER_FIELD_SHOW_DB_PRIV, MYSQL_USER_FIELD_SUPER_PRIV, MYSQL_USER_FIELD_CREATE_TMP_TABLE_PRIV, MYSQL_USER_FIELD_LOCK_TABLES_PRIV,
  MYSQL_USER_FIELD_EXECUTE_PRIV, MYSQL_USER_FIELD_REPL_SLAVE_PRIV, MYSQL_USER_FIELD_REPL_CLIENT_PRIV, MYSQL_USER_FIELD_CREATE_VIEW_PRIV,
  MYSQL_USER_FIELD_SHOW_VIEW_PRIV, MYSQL_USER_FIELD_CREATE_ROUTINE_PRIV, MYSQL_USER_FIELD_ALTER_ROUTINE_PRIV, MYSQL_USER_FIELD_CREATE_USER_PRIV,
  MYSQL_USER_FIELD_EVENT_PRIV, MYSQL_USER_FIELD_TRIGGER_PRIV, MYSQL_USER_FIELD_CREATE_TABLESPACE_PRIV, MYSQL_USER_FIELD_SSL_TYPE,
  MYSQL_USER_FIELD_SSL_CIPHER, MYSQL_USER_FIELD_X509_ISSUER, MYSQL_USER_FIELD_X509_SUBJECT, MYSQL_USER_FIELD_MAX_QUESTIONS,
  MYSQL_USER_FIELD_MAX_UPDATES, MYSQL_USER_FIELD_MAX_CONNECTIONS, MYSQL_USER_FIELD_MAX_USER_CONNECTIONS, MYSQL_USER_FIELD_PLUGIN,
  MYSQL_USER_FIELD_AUTHENTICATION_STRING, MYSQL_USER_FIELD_PASSWORD_EXPIRED, MYSQL_USER_FIELD_PASSWORD_LAST_CHANGED, MYSQL_USER_FIELD_PASSWORD_LIFETIME,
  MYSQL_USER_FIELD_ACCOUNT_LOCKED, MYSQL_USER_FIELD_CREATE_ROLE_PRIV, MYSQL_USER_FIELD_DROP_ROLE_PRIV, MYSQL_USER_FIELD_PASSWORD_REUSE_HISTORY,
  MYSQL_USER_FIELD_PASSWORD_REUSE_TIME, MYSQL_USER_FIELD_PASSWORD_REQUIRE_CURRENT, MYSQL_USER_FIELD_USER_ATTRIBUTES, MYSQL_USER_FIELD_COUNT
}
 
enum  mysql_proxies_priv_table_feild {
  MYSQL_PROXIES_PRIV_FIELD_HOST = 0, MYSQL_PROXIES_PRIV_FIELD_USER, MYSQL_PROXIES_PRIV_FIELD_PROXIED_HOST, MYSQL_PROXIES_PRIV_FIELD_PROXIED_USER,
  MYSQL_PROXIES_PRIV_FIELD_WITH_GRANT, MYSQL_PROXIES_PRIV_FIELD_GRANTOR, MYSQL_PROXIES_PRIV_FIELD_TIMESTAMP, MYSQL_PROXIES_PRIV_FIELD_COUNT
}
 
enum  mysql_procs_priv_table_field {
  MYSQL_PROCS_PRIV_FIELD_HOST = 0, MYSQL_PROCS_PRIV_FIELD_DB, MYSQL_PROCS_PRIV_FIELD_USER, MYSQL_PROCS_PRIV_FIELD_ROUTINE_NAME,
  MYSQL_PROCS_PRIV_FIELD_ROUTINE_TYPE, MYSQL_PROCS_PRIV_FIELD_GRANTOR, MYSQL_PROCS_PRIV_FIELD_PROC_PRIV, MYSQL_PROCS_PRIV_FIELD_TIMESTAMP,
  MYSQL_PROCS_PRIV_FIELD_COUNT
}
 
enum  mysql_columns_priv_table_field {
  MYSQL_COLUMNS_PRIV_FIELD_HOST = 0, MYSQL_COLUMNS_PRIV_FIELD_DB, MYSQL_COLUMNS_PRIV_FIELD_USER, MYSQL_COLUMNS_PRIV_FIELD_TABLE_NAME,
  MYSQL_COLUMNS_PRIV_FIELD_COLUMN_NAME, MYSQL_COLUMNS_PRIV_FIELD_TIMESTAMP, MYSQL_COLUMNS_PRIV_FIELD_COLUMN_PRIV, MYSQL_COLUMNS_PRIV_FIELD_COUNT
}
 
enum  mysql_tables_priv_table_field {
  MYSQL_TABLES_PRIV_FIELD_HOST = 0, MYSQL_TABLES_PRIV_FIELD_DB, MYSQL_TABLES_PRIV_FIELD_USER, MYSQL_TABLES_PRIV_FIELD_TABLE_NAME,
  MYSQL_TABLES_PRIV_FIELD_GRANTOR, MYSQL_TABLES_PRIV_FIELD_TIMESTAMP, MYSQL_TABLES_PRIV_FIELD_TABLE_PRIV, MYSQL_TABLES_PRIV_FIELD_COLUMN_PRIV,
  MYSQL_TABLES_PRIV_FIELD_COUNT
}
 
enum  mysql_role_edges_table_field {
  MYSQL_ROLE_EDGES_FIELD_FROM_HOST = 0, MYSQL_ROLE_EDGES_FIELD_FROM_USER, MYSQL_ROLE_EDGES_FIELD_TO_HOST, MYSQL_ROLE_EDGES_FIELD_TO_USER,
  MYSQL_ROLE_EDGES_FIELD_WITH_ADMIN_OPTION, MYSQL_ROLE_EDGES_FIELD_COUNT
}
 
enum  mysql_default_roles_table_field {
  MYSQL_DEFAULT_ROLES_FIELD_HOST = 0, MYSQL_DEFAULT_ROLES_FIELD_USER, MYSQL_DEFAULT_ROLES_FIELD_DEFAULT_ROLE_HOST, MYSQL_DEFAULT_ROLES_FIELD_DEFAULT_ROLE_USER,
  MYSQL_DEFAULT_ROLES_FIELD_COUNT
}
 
enum  mysql_password_history_table_field {
  MYSQL_PASSWORD_HISTORY_FIELD_HOST = 0, MYSQL_PASSWORD_HISTORY_FIELD_USER, MYSQL_PASSWORD_HISTORY_FIELD_PASSWORD_TIMESTAMP, MYSQL_PASSWORD_HISTORY_FIELD_PASSWORD,
  MYSQL_PASSWORD_HISTORY_FIELD_COUNT
}
 
enum  mysql_dynamic_priv_table_field {
  MYSQL_DYNAMIC_PRIV_FIELD_USER = 0, MYSQL_DYNAMIC_PRIV_FIELD_HOST, MYSQL_DYNAMIC_PRIV_FIELD_PRIV, MYSQL_DYNAMIC_PRIV_FIELD_WITH_GRANT_OPTION,
  MYSQL_DYNAMIC_PRIV_FIELD_COUNT
}
 
enum  ssl_artifacts_status { SSL_ARTIFACTS_NOT_FOUND = 0, SSL_ARTIFACTS_VIA_OPTIONS, SSL_ARTIFACT_TRACES_FOUND, SSL_ARTIFACTS_AUTO_DETECTED }
 

Functions

bool operator< (const Auth_id_ref &a, const Auth_id_ref &b)
 
int set_default_auth_plugin (char *plugin_name, size_t plugin_name_length)
 
Initialize default authentication plugin based on command line options or configuration file settings. More...
 
std::string get_default_autnetication_plugin_name ()
 Return the default authentication plugin name. More...
 
void acl_log_connect (const char *user, const char *host, const char *auth_as, const char *db, THD *thd, enum enum_server_command command)
 
Logging connection for the general query log, extracted from acl_authenticate() as it's reused at different times based on whether proxy users are checked. More...
 
int acl_authenticate (THD *thd, enum_server_command command)
 Perform the handshake, authorize the client and update thd sctx variables. More...
 
bool acl_check_host (THD *thd, const char *host, const char *ip)
 
void log_user (THD *thd, String *str, LEX_USER *user, bool comma)
 Auxiliary function for constructing a user list string. More...
 
bool check_change_password (THD *thd, const char *host, const char *user, bool retain_current_password)
 
bool change_password (THD *thd, LEX_USER *user, char *password, const char *current_password, bool retain_current_password)
 Change a password hash for a user. More...
 
bool mysql_create_user (THD *thd, List< LEX_USER > &list, bool if_not_exists, bool is_role)
 
bool mysql_alter_user (THD *thd, List< LEX_USER > &list, bool if_exists)
 
bool mysql_drop_user (THD *thd, List< LEX_USER > &list, bool if_exists, bool drop_role)
 Drop a list of users and all their privileges. More...
 
bool mysql_rename_user (THD *thd, List< LEX_USER > &list)
 
void init_acl_memory ()
 Allocates the memory in the the global_acl_memory MEM_ROOT. More...
 
int wild_case_compare (CHARSET_INFO *cs, const char *str, const char *wildstr)
 
int wild_case_compare (CHARSET_INFO *cs, const char *str, size_t str_len, const char *wildstr, size_t wildstr_len)
 Performs wildcard matching, aka globbing, on the input string with the given wildcard pattern, and the specified wildcard characters. More...
 
bool hostname_requires_resolving (const char *hostname)
 Check if the given host name needs to be resolved or not. More...
 
bool acl_init (bool dont_read_acl_tables)
 
void acl_free (bool end=false)
 
bool check_engine_type_for_acl_table (THD *thd)
 
bool grant_init (bool skip_grant_tables)
 Initialize structures responsible for table/column-level privilege checking and load information for them from tables in the 'mysql' database. More...
 
void grant_free (void)
 
bool reload_acl_caches (THD *thd)
 Reload all ACL caches. More...
 
ulong acl_get (THD *thd, const char *host, const char *ip, const char *user, const char *db, bool db_is_pattern)
 Get privilege for a host, user, and db combination. More...
 
bool is_acl_user (THD *thd, const char *host, const char *user)
 
bool acl_getroot (THD *thd, Security_context *sctx, char *user, char *host, char *ip, const char *db)
 
bool check_acl_tables_intact (THD *thd)
 Opens the ACL tables and checks their sanity. More...
 
bool check_acl_tables_intact (THD *thd, TABLE_LIST *tables)
 Helper function that checks the sanity of tables object present in the TABLE_LIST object. More...
 
void notify_flush_event (THD *thd)
 Audit notification for flush. More...
 
bool wildcard_db_grant_exists ()
 
bool skip_grant_tables ()
 
bool mysql_set_active_role_none (THD *thd)
 Reset active roles. More...
 
bool mysql_set_role_default (THD *thd)
 Activates all the default roles in the current security context. More...
 
bool mysql_set_active_role_all (THD *thd, const List< LEX_USER > *except_users)
 
Activates all granted role in the current security context More...
 
bool mysql_set_active_role (THD *thd, const List< LEX_USER > *role_list)
 
bool mysql_grant (THD *thd, const char *db, List< LEX_USER > &list, ulong rights, bool revoke_grant, bool is_proxy, const List< LEX_CSTRING > &dynamic_privilege, bool grant_all_current_privileges, LEX_GRANT_AS *grant_as)
 
bool mysql_routine_grant (THD *thd, TABLE_LIST *table, bool is_proc, List< LEX_USER > &user_list, ulong rights, bool revoke, bool write_to_binlog)
 Store routine level grants in the privilege tables. More...
 
int mysql_table_grant (THD *thd, TABLE_LIST *table, List< LEX_USER > &user_list, List< LEX_COLUMN > &column_list, ulong rights, bool revoke)
 
bool check_grant (THD *thd, ulong want_access, TABLE_LIST *tables, bool any_combination_will_do, uint number, bool no_errors)
 Check table level grants. More...
 
bool check_grant_column (THD *thd, GRANT_INFO *grant, const char *db_name, const char *table_name, const char *name, size_t length, Security_context *sctx, ulong want_privilege)
 
bool check_column_grant_in_table_ref (THD *thd, TABLE_LIST *table_ref, const char *name, size_t length, ulong want_privilege)
 Check the privileges for a column depending on the type of table. More...
 
bool check_grant_all_columns (THD *thd, ulong want_access, Field_iterator_table_ref *fields)
 check if a query can access a set of columns More...
 
bool check_grant_routine (THD *thd, ulong want_access, TABLE_LIST *procs, bool is_proc, bool no_error)
 
bool check_grant_db (THD *thd, const char *db)
 Check if a user has the right to access a database Access is accepted if he has a grant for any table/routine in the database Return 1 if access is denied. More...
 
bool acl_check_proxy_grant_access (THD *thd, const char *host, const char *user, bool with_grant)
 
void get_privilege_desc (char *to, uint max_length, ulong access)
 
void get_mqh (THD *thd, const char *user, const char *host, USER_CONN *uc)
 
ulong get_table_grant (THD *thd, TABLE_LIST *table)
 
ulong get_column_grant (THD *thd, GRANT_INFO *grant, const char *db_name, const char *table_name, const char *field_name)
 
bool mysql_show_grants (THD *, LEX_USER *, const List_of_auth_id_refs &, bool)
 SHOW GRANTS FOR user USING [ALL | role [,role ...]]. More...
 
bool mysql_show_create_user (THD *thd, LEX_USER *user, bool are_both_users_same)
 Auxiliary function for constructing CREATE USER sql for a given user. More...
 
bool mysql_revoke_all (THD *thd, List< LEX_USER > &list)
 
bool sp_revoke_privileges (THD *thd, const char *sp_db, const char *sp_name, bool is_proc)
 Revoke privileges for all users on a stored procedure. More...
 
bool sp_grant_privileges (THD *thd, const char *sp_db, const char *sp_name, bool is_proc)
 Grant EXECUTE,ALTER privilege for a stored procedure. More...
 
void fill_effective_table_privileges (THD *thd, GRANT_INFO *grant, const char *db, const char *table)
 
int fill_schema_user_privileges (THD *thd, TABLE_LIST *tables, Item *cond)
 
int fill_schema_schema_privileges (THD *thd, TABLE_LIST *tables, Item *cond)
 
int fill_schema_table_privileges (THD *thd, TABLE_LIST *tables, Item *cond)
 
int fill_schema_column_privileges (THD *thd, TABLE_LIST *tables, Item *cond)
 
const ACL_internal_schema_accessget_cached_schema_access (GRANT_INTERNAL_INFO *grant_internal_info, const char *schema_name)
 Get a cached internal schema access. More...
 
bool lock_tables_precheck (THD *thd, TABLE_LIST *tables)
 Check privileges for LOCK TABLES statement. More...
 
bool create_table_precheck (THD *thd, TABLE_LIST *tables, TABLE_LIST *create_table)
 CREATE TABLE query pre-check. More...
 
bool check_fk_parent_table_access (THD *thd, HA_CREATE_INFO *create_info, Alter_info *alter_info)
 Checks foreign key's parent table access. More...
 
bool check_readonly (THD *thd, bool err_if_readonly)
 
Performs standardized check whether to prohibit (true) or allow (false) operations based on read_only and super_read_only state. More...
 
void err_readonly (THD *thd)
 Generates appropriate error messages for read-only state depending on whether user has SUPER privilege or not. More...
 
bool is_secure_transport (int vio_type)
 
bool check_one_table_access (THD *thd, ulong privilege, TABLE_LIST *tables)
 Check grants for commands which work only with one table and all other tables belonging to subselects or implicitly opened tables. More...
 
bool check_single_table_access (THD *thd, ulong privilege, TABLE_LIST *tables, bool no_errors)
 Check grants for commands which work only with one table. More...
 
bool check_routine_access (THD *thd, ulong want_access, const char *db, char *name, bool is_proc, bool no_errors)
 
bool check_some_access (THD *thd, ulong want_access, TABLE_LIST *table)
 Check if the given table has any of the asked privileges. More...
 
bool check_some_routine_access (THD *thd, const char *db, const char *name, bool is_proc)
 Check if the routine has any of the routine privileges. More...
 
bool check_access (THD *thd, ulong want_access, const char *db, ulong *save_priv, GRANT_INTERNAL_INFO *grant_internal_info, bool dont_check_global_grants, bool no_errors)
 Compare requested privileges with the privileges acquired from the User- and Db-tables. More...
 
bool check_table_access (THD *thd, ulong requirements, TABLE_LIST *tables, bool any_combination_of_privileges_will_do, uint number, bool no_errors)
 Check if the requested privileges exists in either User-, Host- or Db-tables. More...
 
bool check_table_encryption_admin_access (THD *thd)
 Check if a current user has the privilege TABLE_ENCRYPTION_ADMIN required to create encrypted table. More...
 
bool mysql_grant_role (THD *thd, const List< LEX_USER > *users, const List< LEX_USER > *roles, bool with_admin_opt)
 Grants a list of roles to a list of users. More...
 
bool mysql_revoke_role (THD *thd, const List< LEX_USER > *users, const List< LEX_USER > *roles)
 
void get_default_roles (const Auth_id_ref &user, List_of_auth_id_refs &list)
 Shallow copy a list of default role authorization IDs from an Role_id storage. More...
 
bool is_granted_table_access (THD *thd, ulong required_acl, TABLE_LIST *table)
 Given a TABLE_LIST object this function checks against. More...
 
bool mysql_alter_or_clear_default_roles (THD *thd, role_enum role_type, const List< LEX_USER > *users, const List< LEX_USER > *roles)
 Set the default roles to NONE, ALL or list of authorization IDs as roles, depending upon the role_type argument. More...
 
void roles_graphml (THD *thd, String *)
 
bool has_grant_role_privilege (THD *thd, const LEX_CSTRING &role_name, const LEX_CSTRING &role_host)
 
Auth_id_ref create_authid_from (const LEX_USER *user)
 
std::string create_authid_str_from (const LEX_USER *user)
 Helper used for producing a key to a key-value-map. More...
 
void append_identifier (String *packet, const char *name, size_t length)
 Convert and quote the given identifier if needed and append it to the target string. More...
 
bool is_role_id (LEX_USER *authid)
 
void shutdown_acl_cache ()
 Shutdown the global Acl_cache system which was only initialized if the rwlocks were initialized. More...
 
bool is_granted_role (LEX_CSTRING user, LEX_CSTRING host, LEX_CSTRING role, LEX_CSTRING role_host)
 This function works just like check_if_granted_role, but also guarantees that the proper lock is taken so that the function can be used in a wider context. More...
 
bool check_show_access (THD *thd, TABLE_LIST *table)
 Check if user has enough privileges for execution of SHOW statement, which was converted to query to one of I_S tables. More...
 
bool check_global_access (THD *thd, ulong want_access)
 check for global access and give descriptive error message if it fails. More...
 
void commit_and_close_mysql_tables (THD *thd)
 A helper function to commit statement transaction and close ACL tables after reading some data from them as part of FLUSH PRIVILEGES statement or during server initialization. More...
 
ulong get_global_acl_cache_size ()
 
void update_mandatory_roles (void)
 
bool check_authorization_id_string (THD *thd, const char *buffer, size_t length)
 
void func_current_role (const THD *thd, String *active_role)
 Helper function for Item_func_current_role. More...
 
bool operator== (const LEX_CSTRING &a, const LEX_CSTRING &b)
 
bool is_partial_revoke_exists (THD *thd)
 Method to check if there exists at least one partial revokes in the cache. More...
 
void set_system_user_flag (THD *thd, bool check_for_main_security_ctx=false)
 Set the system_user flag in the THD. More...
 

Variables

const std::string consts::mysql
 
const std::string consts::system_user
 
const std::vector< std::string > global_acls_vector
 Consts for static privileges. More...
 
bool mysql_user_table_is_in_short_password_format
 
bool disconnect_on_expired_password
 
const char * any_db
 
bool validate_user_plugins
 controls the extra checks on plugin availability for mysql.user records More...
 
volatile uint32 global_password_history
 Global sysvar: the number of old passwords to check in the history. More...
 
volatile uint32 global_password_reuse_interval
 Global sysvar: the number of days before a password can be reused. More...
 

Macro Definition Documentation

◆ ACCESS_RIGHTS_ATTR

#define ACCESS_RIGHTS_ATTR   (1L << 5) /* update privileges */

◆ ACCOUNT_LOCK_ATTR

#define ACCOUNT_LOCK_ATTR   (1L << 6) /* update account lock status */

◆ DEFAULT_AUTH_ATTR

#define DEFAULT_AUTH_ATTR   (1L << 0) /* update defaults auth */

◆ DEFAULT_SSL_CA_CERT

#define DEFAULT_SSL_CA_CERT   "ca.pem"

◆ DEFAULT_SSL_CA_KEY

#define DEFAULT_SSL_CA_KEY   "ca-key.pem"

◆ DEFAULT_SSL_SERVER_CERT

#define DEFAULT_SSL_SERVER_CERT   "server-cert.pem"

◆ DEFAULT_SSL_SERVER_KEY

#define DEFAULT_SSL_SERVER_KEY   "server-key.pem"

◆ DIFFERENT_PLUGIN_ATTR

#define DIFFERENT_PLUGIN_ATTR   (1L << 7) /* updated plugin with a different value */

◆ NONE_ATTR

#define NONE_ATTR   0L

◆ PASSWORD_EXPIRE_ATTR

#define PASSWORD_EXPIRE_ATTR   (1L << 4) /* update password expire col */

◆ PLUGIN_ATTR

#define PLUGIN_ATTR   (1L << 1) /* update plugin */

◆ RESOURCE_ATTR

#define RESOURCE_ATTR   (1L << 3) /* ex: MAX_QUERIES_PER_HOUR.. */

◆ SSL_ATTR

#define SSL_ATTR   (1L << 2) /* ex: SUBJECT,CIPHER.. */

◆ USER_ATTRIBUTES

#define USER_ATTRIBUTES   (1L << 8) /* Request to update user attributes */

Typedef Documentation

◆ Auth_id_ref

typedef std::pair<LEX_CSTRING, LEX_CSTRING> Auth_id_ref

user, host tuple which reference either acl_cache or g_default_roles

◆ List_of_auth_id_refs

typedef std::vector<Auth_id_ref> List_of_auth_id_refs

◆ Role_id

using Role_id = Auth_id

◆ Sctx_ptr

template<typename T >
using Sctx_ptr = std::unique_ptr<T, std::function<void(T *)> >

◆ Security_context_functor

◆ ssl_artifacts_status

◆ USER_CONN

typedef struct user_conn USER_CONN

Enumeration Type Documentation

◆ ACL_internal_access_result

Enumerator
ACL_INTERNAL_ACCESS_GRANTED 

Access granted for all the requested privileges, do not use the grant tables.

This flag is used only for the INFORMATION_SCHEMA privileges, for compatibility reasons.

ACL_INTERNAL_ACCESS_DENIED 

Access denied, do not use the grant tables.

ACL_INTERNAL_ACCESS_CHECK_GRANT 

No decision yet, use the grant tables.

◆ mysql_columns_priv_table_field

Enumerator
MYSQL_COLUMNS_PRIV_FIELD_HOST 
MYSQL_COLUMNS_PRIV_FIELD_DB 
MYSQL_COLUMNS_PRIV_FIELD_USER 
MYSQL_COLUMNS_PRIV_FIELD_TABLE_NAME 
MYSQL_COLUMNS_PRIV_FIELD_COLUMN_NAME 
MYSQL_COLUMNS_PRIV_FIELD_TIMESTAMP 
MYSQL_COLUMNS_PRIV_FIELD_COLUMN_PRIV 
MYSQL_COLUMNS_PRIV_FIELD_COUNT 

◆ mysql_db_table_field

Enumerator
MYSQL_DB_FIELD_HOST 
MYSQL_DB_FIELD_DB 
MYSQL_DB_FIELD_USER 
MYSQL_DB_FIELD_SELECT_PRIV 
MYSQL_DB_FIELD_INSERT_PRIV 
MYSQL_DB_FIELD_UPDATE_PRIV 
MYSQL_DB_FIELD_DELETE_PRIV 
MYSQL_DB_FIELD_CREATE_PRIV 
MYSQL_DB_FIELD_DROP_PRIV 
MYSQL_DB_FIELD_GRANT_PRIV 
MYSQL_DB_FIELD_REFERENCES_PRIV 
MYSQL_DB_FIELD_INDEX_PRIV 
MYSQL_DB_FIELD_ALTER_PRIV 
MYSQL_DB_FIELD_CREATE_TMP_TABLE_PRIV 
MYSQL_DB_FIELD_LOCK_TABLES_PRIV 
MYSQL_DB_FIELD_CREATE_VIEW_PRIV 
MYSQL_DB_FIELD_SHOW_VIEW_PRIV 
MYSQL_DB_FIELD_CREATE_ROUTINE_PRIV 
MYSQL_DB_FIELD_ALTER_ROUTINE_PRIV 
MYSQL_DB_FIELD_EXECUTE_PRIV 
MYSQL_DB_FIELD_EVENT_PRIV 
MYSQL_DB_FIELD_TRIGGER_PRIV 
MYSQL_DB_FIELD_COUNT 

◆ mysql_default_roles_table_field

Enumerator
MYSQL_DEFAULT_ROLES_FIELD_HOST 
MYSQL_DEFAULT_ROLES_FIELD_USER 
MYSQL_DEFAULT_ROLES_FIELD_DEFAULT_ROLE_HOST 
MYSQL_DEFAULT_ROLES_FIELD_DEFAULT_ROLE_USER 
MYSQL_DEFAULT_ROLES_FIELD_COUNT 

◆ mysql_dynamic_priv_table_field

Enumerator
MYSQL_DYNAMIC_PRIV_FIELD_USER 
MYSQL_DYNAMIC_PRIV_FIELD_HOST 
MYSQL_DYNAMIC_PRIV_FIELD_PRIV 
MYSQL_DYNAMIC_PRIV_FIELD_WITH_GRANT_OPTION 
MYSQL_DYNAMIC_PRIV_FIELD_COUNT 

◆ mysql_password_history_table_field

Enumerator
MYSQL_PASSWORD_HISTORY_FIELD_HOST 
MYSQL_PASSWORD_HISTORY_FIELD_USER 
MYSQL_PASSWORD_HISTORY_FIELD_PASSWORD_TIMESTAMP 
MYSQL_PASSWORD_HISTORY_FIELD_PASSWORD 
MYSQL_PASSWORD_HISTORY_FIELD_COUNT 

◆ mysql_procs_priv_table_field

Enumerator
MYSQL_PROCS_PRIV_FIELD_HOST 
MYSQL_PROCS_PRIV_FIELD_DB 
MYSQL_PROCS_PRIV_FIELD_USER 
MYSQL_PROCS_PRIV_FIELD_ROUTINE_NAME 
MYSQL_PROCS_PRIV_FIELD_ROUTINE_TYPE 
MYSQL_PROCS_PRIV_FIELD_GRANTOR 
MYSQL_PROCS_PRIV_FIELD_PROC_PRIV 
MYSQL_PROCS_PRIV_FIELD_TIMESTAMP 
MYSQL_PROCS_PRIV_FIELD_COUNT 

◆ mysql_proxies_priv_table_feild

Enumerator
MYSQL_PROXIES_PRIV_FIELD_HOST 
MYSQL_PROXIES_PRIV_FIELD_USER 
MYSQL_PROXIES_PRIV_FIELD_PROXIED_HOST 
MYSQL_PROXIES_PRIV_FIELD_PROXIED_USER 
MYSQL_PROXIES_PRIV_FIELD_WITH_GRANT 
MYSQL_PROXIES_PRIV_FIELD_GRANTOR 
MYSQL_PROXIES_PRIV_FIELD_TIMESTAMP 
MYSQL_PROXIES_PRIV_FIELD_COUNT 

◆ mysql_role_edges_table_field

Enumerator
MYSQL_ROLE_EDGES_FIELD_FROM_HOST 
MYSQL_ROLE_EDGES_FIELD_FROM_USER 
MYSQL_ROLE_EDGES_FIELD_TO_HOST 
MYSQL_ROLE_EDGES_FIELD_TO_USER 
MYSQL_ROLE_EDGES_FIELD_WITH_ADMIN_OPTION 
MYSQL_ROLE_EDGES_FIELD_COUNT 

◆ mysql_tables_priv_table_field

Enumerator
MYSQL_TABLES_PRIV_FIELD_HOST 
MYSQL_TABLES_PRIV_FIELD_DB 
MYSQL_TABLES_PRIV_FIELD_USER 
MYSQL_TABLES_PRIV_FIELD_TABLE_NAME 
MYSQL_TABLES_PRIV_FIELD_GRANTOR 
MYSQL_TABLES_PRIV_FIELD_TIMESTAMP 
MYSQL_TABLES_PRIV_FIELD_TABLE_PRIV 
MYSQL_TABLES_PRIV_FIELD_COLUMN_PRIV 
MYSQL_TABLES_PRIV_FIELD_COUNT 

◆ mysql_user_table_field

Enumerator
MYSQL_USER_FIELD_HOST 
MYSQL_USER_FIELD_USER 
MYSQL_USER_FIELD_SELECT_PRIV 
MYSQL_USER_FIELD_INSERT_PRIV 
MYSQL_USER_FIELD_UPDATE_PRIV 
MYSQL_USER_FIELD_DELETE_PRIV 
MYSQL_USER_FIELD_CREATE_PRIV 
MYSQL_USER_FIELD_DROP_PRIV 
MYSQL_USER_FIELD_RELOAD_PRIV 
MYSQL_USER_FIELD_SHUTDOWN_PRIV 
MYSQL_USER_FIELD_PROCESS_PRIV 
MYSQL_USER_FIELD_FILE_PRIV 
MYSQL_USER_FIELD_GRANT_PRIV 
MYSQL_USER_FIELD_REFERENCES_PRIV 
MYSQL_USER_FIELD_INDEX_PRIV 
MYSQL_USER_FIELD_ALTER_PRIV 
MYSQL_USER_FIELD_SHOW_DB_PRIV 
MYSQL_USER_FIELD_SUPER_PRIV 
MYSQL_USER_FIELD_CREATE_TMP_TABLE_PRIV 
MYSQL_USER_FIELD_LOCK_TABLES_PRIV 
MYSQL_USER_FIELD_EXECUTE_PRIV 
MYSQL_USER_FIELD_REPL_SLAVE_PRIV 
MYSQL_USER_FIELD_REPL_CLIENT_PRIV 
MYSQL_USER_FIELD_CREATE_VIEW_PRIV 
MYSQL_USER_FIELD_SHOW_VIEW_PRIV 
MYSQL_USER_FIELD_CREATE_ROUTINE_PRIV 
MYSQL_USER_FIELD_ALTER_ROUTINE_PRIV 
MYSQL_USER_FIELD_CREATE_USER_PRIV 
MYSQL_USER_FIELD_EVENT_PRIV 
MYSQL_USER_FIELD_TRIGGER_PRIV 
MYSQL_USER_FIELD_CREATE_TABLESPACE_PRIV 
MYSQL_USER_FIELD_SSL_TYPE 
MYSQL_USER_FIELD_SSL_CIPHER 
MYSQL_USER_FIELD_X509_ISSUER 
MYSQL_USER_FIELD_X509_SUBJECT 
MYSQL_USER_FIELD_MAX_QUESTIONS 
MYSQL_USER_FIELD_MAX_UPDATES 
MYSQL_USER_FIELD_MAX_CONNECTIONS 
MYSQL_USER_FIELD_MAX_USER_CONNECTIONS 
MYSQL_USER_FIELD_PLUGIN 
MYSQL_USER_FIELD_AUTHENTICATION_STRING 
MYSQL_USER_FIELD_PASSWORD_EXPIRED 
MYSQL_USER_FIELD_PASSWORD_LAST_CHANGED 
MYSQL_USER_FIELD_PASSWORD_LIFETIME 
MYSQL_USER_FIELD_ACCOUNT_LOCKED 
MYSQL_USER_FIELD_CREATE_ROLE_PRIV 
MYSQL_USER_FIELD_DROP_ROLE_PRIV 
MYSQL_USER_FIELD_PASSWORD_REUSE_HISTORY 
MYSQL_USER_FIELD_PASSWORD_REUSE_TIME 
MYSQL_USER_FIELD_PASSWORD_REQUIRE_CURRENT 
MYSQL_USER_FIELD_USER_ATTRIBUTES 
MYSQL_USER_FIELD_COUNT 

◆ ssl_artifacts_status

Enumerator
SSL_ARTIFACTS_NOT_FOUND 
SSL_ARTIFACTS_VIA_OPTIONS 
SSL_ARTIFACT_TRACES_FOUND 
SSL_ARTIFACTS_AUTO_DETECTED 

Function Documentation

◆ acl_authenticate()

int acl_authenticate ( THD thd,
enum_server_command  command 
)

Perform the handshake, authorize the client and update thd sctx variables.

Parameters
thdthread handle
commandthe command to be executed, it can be either a COM_CHANGE_USER or COM_CONNECT (if it's a new connection)
Return values
0success, thd is updated.
1error

◆ acl_check_host()

bool acl_check_host ( THD thd,
const char *  host,
const char *  ip 
)

◆ acl_check_proxy_grant_access()

bool acl_check_proxy_grant_access ( THD thd,
const char *  host,
const char *  user,
bool  with_grant 
)

◆ acl_free()

void acl_free ( bool  end = false)

◆ acl_get()

ulong acl_get ( THD thd,
const char *  host,
const char *  ip,
const char *  user,
const char *  db,
bool  db_is_pattern 
)

Get privilege for a host, user, and db combination.

Note
db_cache is not used if db_is_pattern is set.
Parameters
thdThread handler
hostHost name
ipIp
useruser name
dbWe look for the ACL of this database
db_is_pattern
Returns
Database ACL

◆ acl_getroot()

bool acl_getroot ( THD thd,
Security_context sctx,
char *  user,
char *  host,
char *  ip,
const char *  db 
)

◆ acl_init()

bool acl_init ( bool  dont_read_acl_tables)

◆ acl_log_connect()

void acl_log_connect ( const char *  user,
const char *  host,
const char *  auth_as,
const char *  db,
THD thd,
enum enum_server_command  command 
)


Logging connection for the general query log, extracted from acl_authenticate() as it's reused at different times based on whether proxy users are checked.

Parameters
userauthentication user name
hostauthentication user host or IP address
auth_asprivilege user name
dbdefault database
thdthread handle
commandtype of command(connect or change user)

◆ append_identifier()

void append_identifier ( String packet,
const char *  name,
size_t  length 
)

Convert and quote the given identifier if needed and append it to the target string.

If the given identifier is empty, it will be quoted. This function always use the backtick as escape char and thus rid itself of the THD dependency.

Parameters
packettarget string
namethe identifier to be appended
lengthlength of the appending identifier

◆ change_password()

bool change_password ( THD thd,
LEX_USER lex_user,
char *  new_password,
const char *  current_password,
bool  retain_current_password 
)

Change a password hash for a user.

Parameters
thdThread handle
lex_userLEX_USER
new_passwordNew password hash for host@user
current_passwordCurrent password for host@user
retain_current_passwordPreference to retain current password

Note : it will also reset the change_password flag. This is safe to do unconditionally since the simple userless form SET PASSWORD = 'text' will be the only allowed form when this flag is on. So we don't need to check user names here.

See also
set_var_password::update(THD *thd)
Returns
Error code
Return values
0ok
1ERROR; In this case the error is sent to the client.

◆ check_access()

bool check_access ( THD thd,
ulong  want_access,
const char *  db,
ulong save_priv,
GRANT_INTERNAL_INFO grant_internal_info,
bool  dont_check_global_grants,
bool  no_errors 
)

Compare requested privileges with the privileges acquired from the User- and Db-tables.

Parameters
thdThread handler
want_accessThe requested access privileges.
dbA pointer to the Db name.
[out]save_privA pointer to the granted privileges will be stored.
grant_internal_infoA pointer to the internal grant cache.
dont_check_global_grantsTrue if no global grants are checked.
no_errorsTrue if no errors should be sent to the client.

'save_priv' is used to save the User-table (global) and Db-table grants for the supplied db name. Note that we don't store db level grants if the global grants is enough to satisfy the request AND the global grants contains a SELECT grant.

For internal databases (INFORMATION_SCHEMA, PERFORMANCE_SCHEMA), additional rules apply, see ACL_internal_schema_access.

See also
check_grant
Returns
Status of denial of access by exclusive ACLs.
Return values
falseAccess can't exclusively be denied by Db- and User-table access unless Column- and Table-grants are checked too.
trueAccess denied. The DA is set if no_error = false!

◆ check_acl_tables_intact() [1/2]

bool check_acl_tables_intact ( THD thd)

Opens the ACL tables and checks their sanity.

This method reports error only if it is unable to open or lock tables. It is called in situations when server has to continue even if a corrupt table was found - For example - acl_init()

Parameters
thdHandle of current thread.
Return values
falseOK. true Unable to open the table(s).

◆ check_acl_tables_intact() [2/2]

bool check_acl_tables_intact ( THD thd,
TABLE_LIST tables 
)

Helper function that checks the sanity of tables object present in the TABLE_LIST object.

it logs a warning message when a table is missing

Parameters
thdHandle of current thread.
tablesA valid table list pointer
Return values
falseOK. true Error.

◆ check_authorization_id_string()

bool check_authorization_id_string ( THD thd,
const char *  buffer,
size_t  length 
)

◆ check_change_password()

bool check_change_password ( THD thd,
const char *  host,
const char *  user,
bool  retain_current_password 
)

◆ check_column_grant_in_table_ref()

bool check_column_grant_in_table_ref ( THD thd,
TABLE_LIST table_ref,
const char *  name,
size_t  length,
ulong  want_privilege 
)

Check the privileges for a column depending on the type of table.

Parameters
thdthread handler
table_reftable reference where to check the field
namename of field to check
lengthlength of name
want_privilegewanted privileges

Check the privileges for a column depending on the type of table the column belongs to. The function provides a generic interface to check column privileges that hides the heterogeneity of the column representation - whether it belongs to a view or a base table.

Notice that this function does not understand that a column from a view reference must be checked for privileges both in the view and in the underlying base table (or view) reference. This is the responsibility of the caller.

Columns from temporary tables and derived tables are ignored by this function.

Returns
false if success, true if error (access denied)

◆ check_engine_type_for_acl_table()

bool check_engine_type_for_acl_table ( THD thd)

◆ check_fk_parent_table_access()

bool check_fk_parent_table_access ( THD thd,
HA_CREATE_INFO create_info,
Alter_info alter_info 
)

Checks foreign key's parent table access.

Parameters
[in]thdThread handler
[in]create_infoCreate information (like MAX_ROWS, ENGINE or temporary table flag)
[in]alter_infoInitial list of columns and indexes for the table to be created
Return values
falseok.
trueerror or access denied. Error is sent to client in this case.

◆ check_global_access()

bool check_global_access ( THD thd,
ulong  want_access 
)

check for global access and give descriptive error message if it fails.

Parameters
thdThread handler
want_accessUse should have any of these global rights
Warning
One gets access right if one has ANY of the rights in want_access. This is useful as one in most cases only need one global right, but in some case we want to check if the user has SUPER or REPL_CLIENT_ACL rights.
Return values
0ok
1Access denied. In this case an error is sent to the client

◆ check_grant()

bool check_grant ( THD thd,
ulong  want_access,
TABLE_LIST tables,
bool  any_combination_will_do,
uint  number,
bool  no_errors 
)

Check table level grants.

Parameters
thdThread handler
want_accessBits of privileges user needs to have.
tablesList of tables to check. The user should have 'want_access' to all tables in list.
any_combination_will_dotrue if it's enough to have any privilege for any combination of the table columns.
numberCheck at most this number of tables.
no_errorstrue if no error should be sent directly to the client.

If table->grant.want_privilege != 0 then the requested privileges where in the set of COL_ACLS but access was not granted on the table level. As a consequence an extra check of column privileges is required.

Specifically if this function returns false the user has some kind of privilege on a combination of columns in each table.

This function is usually preceeded by check_access which establish the User-, Db- and Host access rights.

See also
check_access
check_table_access
Note
This functions assumes that either number of tables to be inspected by it is limited explicitly (i.e. is is not UINT_MAX) or table list used and thd->lex->query_tables_own_last value correspond to each other (the latter should be either 0 or point to next_global member of one of elements of this table list).
Returns
Access status
Return values
falseAccess granted; But column privileges need to be checked.
trueThe user did not have the requested privileges on any of the tables.

◆ check_grant_all_columns()

bool check_grant_all_columns ( THD thd,
ulong  want_access_arg,
Field_iterator_table_ref fields 
)

check if a query can access a set of columns

Parameters
thdthe current thread
want_access_argthe privileges requested
fieldsan iterator over the fields of a table reference.
Returns
Operation status
Return values
0Success
1Falure

This function walks over the columns of a table reference The columns may originate from different tables, depending on the kind of table reference, e.g. join, view. For each table it will retrieve the grant information and will use it to check the required access privileges for the fields requested from it.

◆ check_grant_column()

bool check_grant_column ( THD thd,
GRANT_INFO grant,
const char *  db_name,
const char *  table_name,
const char *  name,
size_t  length,
Security_context sctx,
ulong  want_privilege 
)

◆ check_grant_db()

bool check_grant_db ( THD thd,
const char *  db 
)

Check if a user has the right to access a database Access is accepted if he has a grant for any table/routine in the database Return 1 if access is denied.

Parameters
thdThe thread handler
dbThe name of the database

◆ check_grant_routine()

bool check_grant_routine ( THD thd,
ulong  want_access,
TABLE_LIST procs,
bool  is_proc,
bool  no_error 
)

◆ check_one_table_access()

bool check_one_table_access ( THD thd,
ulong  privilege,
TABLE_LIST all_tables 
)

Check grants for commands which work only with one table and all other tables belonging to subselects or implicitly opened tables.

Parameters
thdThread handler
privilegerequested privilege
all_tablesglobal table list of query
Returns
false on success, true on access denied error

◆ check_readonly()

bool check_readonly ( THD thd,
bool  err_if_readonly 
)


Performs standardized check whether to prohibit (true) or allow (false) operations based on read_only and super_read_only state.

Parameters
thdThread handler
err_if_readonlyBoolean indicating whether or not to add the error to the thread context if read-only is violated.
Returns
Status code
Return values
trueThe operation should be prohibited. @ retval false The operation should be allowed.

◆ check_routine_access()

bool check_routine_access ( THD thd,
ulong  want_access,
const char *  db,
char *  name,
bool  is_proc,
bool  no_errors 
)

◆ check_show_access()

bool check_show_access ( THD thd,
TABLE_LIST table 
)

Check if user has enough privileges for execution of SHOW statement, which was converted to query to one of I_S tables.

Parameters
thdThread context.
tableTable list element for I_S table to be queried..
Return values
false- Success.
true- Failure.

◆ check_single_table_access()

bool check_single_table_access ( THD thd,
ulong  privilege,
TABLE_LIST all_tables,
bool  no_errors 
)

Check grants for commands which work only with one table.

Parameters
thdThread handler
privilegerequested privilege
all_tablesglobal table list of query
no_errorsfalse/true - report/don't report error to the client (using my_error() call).
Return values
0OK
1access denied, error is sent to client

◆ check_some_access()

bool check_some_access ( THD thd,
ulong  want_access,
TABLE_LIST table 
)

Check if the given table has any of the asked privileges.

Parameters
thdThread handler
want_accessBitmap of possible privileges to check for
tableThe table for which access needs to be validated
Return values
0ok
1error

◆ check_some_routine_access()

bool check_some_routine_access ( THD thd,
const char *  db,
const char *  name,
bool  is_proc 
)

Check if the routine has any of the routine privileges.

Parameters
thdThread handler
dbDatabase name
nameRoutine name
is_procTrue if this is a SP rather than a function
Return values
0ok
1error

◆ check_table_access()

bool check_table_access ( THD thd,
ulong  requirements,
TABLE_LIST tables,
bool  any_combination_of_privileges_will_do,
uint  number,
bool  no_errors 
)

Check if the requested privileges exists in either User-, Host- or Db-tables.

Parameters
thdThread context
requirementsPrivileges requested
tablesList of tables to be compared against
no_errorsDon't report error to the client (using my_error() call).
any_combination_of_privileges_will_dotrue if any privileges on any column combination is enough.
numberOnly the first 'number' tables in the linked list are relevant.

The suppled table list contains cached privileges. This functions calls the help functions check_access and check_grant to verify the first three steps in the privileges check queue:

  1. Global privileges
  2. OR (db privileges AND host privileges)
  3. OR table privileges
  4. OR column privileges (not checked by this function!)
  5. OR routine privileges (not checked by this function!)
See also
check_access
check_grant
Note
This functions assumes that table list used and thd->lex->query_tables_own_last value correspond to each other (the latter should be either 0 or point to next_global member of one of elements of this table list).
Returns
Return values
falseOK
trueAccess denied; But column or routine privileges might need to be checked also.

◆ check_table_encryption_admin_access()

bool check_table_encryption_admin_access ( THD thd)

Check if a current user has the privilege TABLE_ENCRYPTION_ADMIN required to create encrypted table.

We skip the same for slave threads.

Parameters
thdCurrent thread
Return values
falseA user has the privilege TABLE_ENCRYPTION_ADMIN
trueA user doesn't have the privilege TABLE_ENCRYPTION_ADMIN

◆ commit_and_close_mysql_tables()

void commit_and_close_mysql_tables ( THD thd)

A helper function to commit statement transaction and close ACL tables after reading some data from them as part of FLUSH PRIVILEGES statement or during server initialization.

Note
We assume that we have only read from the tables so commit can't fail.
See also
close_mysql_tables().
Note
This function also rollbacks the transaction if rollback was requested (e.g. as result of deadlock).

◆ create_authid_from()

Auth_id_ref create_authid_from ( const LEX_USER user)

◆ create_authid_str_from()

std::string create_authid_str_from ( const LEX_USER user)

Helper used for producing a key to a key-value-map.

◆ create_table_precheck()

bool create_table_precheck ( THD thd,
TABLE_LIST tables,
TABLE_LIST create_table 
)

CREATE TABLE query pre-check.

Parameters
thdThread handler
tablesGlobal table list
create_tableTable which will be created
Return values
falseOK
trueError

◆ err_readonly()

void err_readonly ( THD thd)

Generates appropriate error messages for read-only state depending on whether user has SUPER privilege or not.

Parameters
thdThread handler

◆ fill_effective_table_privileges()

void fill_effective_table_privileges ( THD thd,
GRANT_INFO grant,
const char *  db,
const char *  table 
)

◆ fill_schema_column_privileges()

int fill_schema_column_privileges ( THD thd,
TABLE_LIST tables,
Item cond 
)

◆ fill_schema_schema_privileges()

int fill_schema_schema_privileges ( THD thd,
TABLE_LIST tables,
Item cond 
)

◆ fill_schema_table_privileges()

int fill_schema_table_privileges ( THD thd,
TABLE_LIST tables,
Item cond 
)

◆ fill_schema_user_privileges()

int fill_schema_user_privileges ( THD thd,
TABLE_LIST tables,
Item cond 
)

◆ func_current_role()

void func_current_role ( const THD thd,
String active_role 
)

Helper function for Item_func_current_role.

Parameters
thdThread handler
active_role[out] Comma separated list of auth ids
Returns
pointer to a string with all active roles or "NONE" if none found

◆ get_cached_schema_access()

const ACL_internal_schema_access* get_cached_schema_access ( GRANT_INTERNAL_INFO grant_internal_info,
const char *  schema_name 
)

Get a cached internal schema access.

Parameters
grant_internal_infothe cache
schema_namethe name of the internal schema

◆ get_column_grant()

ulong get_column_grant ( THD thd,
GRANT_INFO grant,
const char *  db_name,
const char *  table_name,
const char *  field_name 
)

◆ get_default_autnetication_plugin_name()

std::string get_default_autnetication_plugin_name ( )

Return the default authentication plugin name.

Return values
Astring containing the default authentication plugin name

◆ get_default_roles()

void get_default_roles ( const Auth_id_ref acl_user,
List_of_auth_id_refs authlist 
)

Shallow copy a list of default role authorization IDs from an Role_id storage.

Parameters
acl_userA valid authID for which we want the default roles.
[out]authlistThe target list to be populated. The target list is set to empty if no default role is found.

◆ get_global_acl_cache_size()

ulong get_global_acl_cache_size ( )

◆ get_mqh()

void get_mqh ( THD thd,
const char *  user,
const char *  host,
USER_CONN uc 
)

◆ get_privilege_desc()

void get_privilege_desc ( char *  to,
uint  max_length,
ulong  access 
)

◆ get_table_grant()

ulong get_table_grant ( THD thd,
TABLE_LIST table 
)

◆ grant_free()

void grant_free ( void  )

◆ grant_init()

bool grant_init ( bool  skip_grant_tables)

Initialize structures responsible for table/column-level privilege checking and load information for them from tables in the 'mysql' database.

Parameters
skip_grant_tablestrue if the command line option –skip-grant-tables is specified, else false.
Returns
Error status
Return values
falseOK
trueCould not initialize grant subsystem.

◆ has_grant_role_privilege()

bool has_grant_role_privilege ( THD thd,
const LEX_CSTRING role_name,
const LEX_CSTRING role_host 
)

◆ hostname_requires_resolving()

bool hostname_requires_resolving ( const char *  hostname)

Check if the given host name needs to be resolved or not.

Host name has to be resolved if it actually contains name.

For example: 192.168.1.1 –> false 192.168.1.0/255.255.255.0 –> false % –> false 192.168.1.% –> false AB% –> false

AAAAFFFF –> true (Hostname) AAAA:FFFF:1234:5678 –> false ::1 –> false

This function does not check if the given string is a valid host name or not. It assumes that the argument is a valid host name.

Parameters
hostnamethe string to check.
Returns
a flag telling if the argument needs to be resolved or not.
Return values
truethe argument is a host name and needs to be resolved.
falsethe argument is either an IP address, or a patter and should not be resolved.

◆ init_acl_memory()

void init_acl_memory ( )

Allocates the memory in the the global_acl_memory MEM_ROOT.

◆ is_acl_user()

bool is_acl_user ( THD thd,
const char *  host,
const char *  user 
)

◆ is_granted_role()

bool is_granted_role ( LEX_CSTRING  user,
LEX_CSTRING  host,
LEX_CSTRING  role,
LEX_CSTRING  role_host 
)

This function works just like check_if_granted_role, but also guarantees that the proper lock is taken so that the function can be used in a wider context.

Parameters
userThe user name part of a authid which should be tested
hostThe host name part of a authid which should be tested
roleThe role name part of the role authid
role_hostThe host name part of the role authid
Returns
success value
Return values
trueThe value user@host was previously granted role@role_host
falserole@role_host is not granted to user@host

◆ is_granted_table_access()

bool is_granted_table_access ( THD thd,
ulong  required_acl,
TABLE_LIST table 
)

Given a TABLE_LIST object this function checks against.

  1. global privileges
  2. db privileges
  3. table level privileges

This function only checks the existence of required ACL on a single table object. No special consideration is made for the table type (derived, view, temporary etc).

Parameters
thdThread handle
required_aclThe privileges which are required to continue
tableAn initialized, single TABLE_LIST object
Returns
Return values
trueAccess is granted
falseAccess denied

◆ is_partial_revoke_exists()

bool is_partial_revoke_exists ( THD thd)

Method to check if there exists at least one partial revokes in the cache.

If the cache is not initialized at the time of the method call then it returns no partial revokes exists.

Parameters
[in]thdTHD handle
Returns
Return values
truePartial revokes exists
falseOtherwise

◆ is_role_id()

bool is_role_id ( LEX_USER authid)

◆ is_secure_transport()

bool is_secure_transport ( int  vio_type)

◆ lock_tables_precheck()

bool lock_tables_precheck ( THD thd,
TABLE_LIST tables 
)

Check privileges for LOCK TABLES statement.

Parameters
thdThread context.
tablesList of tables to be locked.
Return values
false- Success.
true- Failure.

◆ log_user()

void log_user ( THD thd,
String str,
LEX_USER user,
bool  comma = true 
)

Auxiliary function for constructing a user list string.

This function is used for error reporting and logging.

Parameters
thdThread context
strA String to store the user list.
userA LEX_USER which will be appended into user list.
commaIf true, append a ',' before the the user.

◆ mysql_alter_or_clear_default_roles()

bool mysql_alter_or_clear_default_roles ( THD thd,
role_enum  role_type,
const List< LEX_USER > *  users,
const List< LEX_USER > *  roles 
)

Set the default roles to NONE, ALL or list of authorization IDs as roles, depending upon the role_type argument.

It writes to table mysql.default_roles and binlog.

Parameters
thdThread handler
role_typedefault role type specified by the user.
usersUsers for whom the default roles are set.
roleslist of default roles to be set.
Returns
Return values
trueAn error occurred and DA is set
falseSuccessful

◆ mysql_alter_user()

bool mysql_alter_user ( THD thd,
List< LEX_USER > &  list,
bool  if_exists 
)

◆ mysql_create_user()

bool mysql_create_user ( THD thd,
List< LEX_USER > &  list,
bool  if_not_exists,
bool  is_role 
)

◆ mysql_drop_user()

bool mysql_drop_user ( THD thd,
List< LEX_USER > &  list,
bool  if_exists,
bool  on_drop_role_priv 
)

Drop a list of users and all their privileges.

Parameters
thdThe current thread.
listThe users to drop.
if_existsThe if exists flag
on_drop_role_privenabled by the DROP ROLE privilege
Return values
falseOK
trueError

◆ mysql_grant()

bool mysql_grant ( THD thd,
const char *  db,
List< LEX_USER > &  list,
ulong  rights,
bool  revoke_grant,
bool  is_proxy,
const List< LEX_CSTRING > &  dynamic_privilege,
bool  grant_all_current_privileges,
LEX_GRANT_AS grant_as 
)

◆ mysql_grant_role()

bool mysql_grant_role ( THD thd,
const List< LEX_USER > *  users,
const List< LEX_USER > *  roles,
bool  with_admin_opt 
)

Grants a list of roles to a list of users.

Changes are persistent and written in the mysql.roles_edges table.

Parameters
thdThread handler
usersA list of authorization IDs
rolesA list of authorization IDs
with_admin_optTrue if the granted users should be able to pass on the roles to other authorization IDs
Returns
Success state
Return values
trueAn error occurred and the DA is set.
falseThe operation was successful and DA is set.

◆ mysql_rename_user()

bool mysql_rename_user ( THD thd,
List< LEX_USER > &  list 
)

◆ mysql_revoke_all()

bool mysql_revoke_all ( THD thd,
List< LEX_USER > &  list 
)

◆ mysql_revoke_role()

bool mysql_revoke_role ( THD thd,
const List< LEX_USER > *  users,
const List< LEX_USER > *  roles 
)

◆ mysql_routine_grant()

bool mysql_routine_grant ( THD thd,
TABLE_LIST table_list,
bool  is_proc,
List< LEX_USER > &  user_list,
ulong  rights,
bool  revoke_grant,
bool  write_to_binlog 
)

Store routine level grants in the privilege tables.

Parameters
thdThread handle
table_listList of routines to give grant
is_procIs this a list of procedures?
user_listList of users to give grant
rightsTable level grant
revoke_grantIs this is a REVOKE command?
write_to_binlogTrue if this statement should be written to binlog
Returns
Return values
falseSuccess.
trueAn error occurred.

◆ mysql_set_active_role()

bool mysql_set_active_role ( THD thd,
const List< LEX_USER > *  role_list 
)

◆ mysql_set_active_role_all()

bool mysql_set_active_role_all ( THD thd,
const List< LEX_USER > *  except_users 
)


Activates all granted role in the current security context

This function acquires the acl_user->lock mutex.

Parameters
thdA valid THD handle
except_usersA pointer to a list of LEX_USER objects which represent roles that shouldn't be activated.
Returns
Error code
Return values
0Success; the specified role was activated.
!=0 Failure. DA is set.

◆ mysql_set_active_role_none()

bool mysql_set_active_role_none ( THD thd)

Reset active roles.

Parameters
[in]thdTHD handle
Returns
status of resetting active roles
Return values
falseSuccess
trueError

◆ mysql_set_role_default()

bool mysql_set_role_default ( THD thd)

Activates all the default roles in the current security context.

This function acquires the Acl_cache_lock_guard in read lock.

Parameters
thdA valid THD handle
Returns
Error code
Return values
0Success; the specified role was activated.
!=0 Failure. DA is set.

◆ mysql_show_create_user()

bool mysql_show_create_user ( THD thd,
LEX_USER user_name,
bool  are_both_users_same 
)

Auxiliary function for constructing CREATE USER sql for a given user.

Parameters
thdThread context
user_nameuser for which the sql should be constructed.
are_both_users_sameIf the command is issued for self or not.
Return values
0OK. 1 Error.

◆ mysql_show_grants()

bool mysql_show_grants ( THD thd,
LEX_USER lex_user,
const List_of_auth_id_refs using_roles,
bool  show_mandatory_roles 
)

SHOW GRANTS FOR user USING [ALL | role [,role ...]].

Parameters
thd
lex_user
using_rolesAn forward iterable container of LEX_STRING std::pair
show_mandatory_rolestrue means mandatory roles are listed
Returns
Success status

◆ mysql_table_grant()

int mysql_table_grant ( THD thd,
TABLE_LIST table,
List< LEX_USER > &  user_list,
List< LEX_COLUMN > &  column_list,
ulong  rights,
bool  revoke 
)

◆ notify_flush_event()

void notify_flush_event ( THD thd)

Audit notification for flush.

Parameters
[in]thdHandle to THD

◆ operator<()

bool operator< ( const Auth_id_ref a,
const Auth_id_ref b 
)

◆ operator==()

bool operator== ( const LEX_CSTRING a,
const LEX_CSTRING b 
)

◆ reload_acl_caches()

bool reload_acl_caches ( THD thd)

Reload all ACL caches.

Parameters
[in]thdTHD handle
Returns
Status of reloading ACL caches
Return values
falseSuccess
trueError

◆ roles_graphml()

void roles_graphml ( THD thd,
String  
)

◆ set_default_auth_plugin()

int set_default_auth_plugin ( char *  plugin_name,
size_t  plugin_name_length 
)


Initialize default authentication plugin based on command line options or configuration file settings.

Parameters
plugin_nameName of the plugin
plugin_name_lengthLength of the string

◆ set_system_user_flag()

void set_system_user_flag ( THD thd,
bool  check_for_main_security_ctx 
)

Set the system_user flag in the THD.

Probe the security context for the SYSTEM_USER dynamic privileve only if it has not been changed from original security context in the THD. If the original security context does not have SYSTEM_USER privlege then reset the flag in the THD, otherwise set it.

Parameters
[in,out]thdThead handle
[in]check_for_main_security_ctxIf this flag value is true then we toggle value in THD only if current security context is same as main security context.

◆ shutdown_acl_cache()

void shutdown_acl_cache ( )

Shutdown the global Acl_cache system which was only initialized if the rwlocks were initialized.

See also
acl_init()

◆ skip_grant_tables()

bool skip_grant_tables ( )

◆ sp_grant_privileges()

bool sp_grant_privileges ( THD thd,
const char *  sp_db,
const char *  sp_name,
bool  is_proc 
)

Grant EXECUTE,ALTER privilege for a stored procedure.

Parameters
thdThe current thread.
sp_dbDB of the stored procedure.
sp_nameName of the stored procedure
is_procTrue if this is a SP rather than a function
Returns
Return values
falseSuccess
trueAn error occured. Error message not yet sent.

◆ sp_revoke_privileges()

bool sp_revoke_privileges ( THD thd,
const char *  sp_db,
const char *  sp_name,
bool  is_proc 
)

Revoke privileges for all users on a stored procedure.

Use an error handler that converts errors about missing grants into warnings.

Parameters
thdThe current thread.
sp_dbDB of the stored procedure
sp_nameName of the stored procedure
is_procTrue if this is a SP rather than a function.
Return values
0OK.
<0 Error. Error message not yet sent.

◆ update_mandatory_roles()

void update_mandatory_roles ( void  )

◆ wild_case_compare() [1/2]

int wild_case_compare ( CHARSET_INFO cs,
const char *  str,
const char *  wildstr 
)

◆ wild_case_compare() [2/2]

int wild_case_compare ( CHARSET_INFO cs,
const char *  str,
size_t  str_len,
const char *  wildstr,
size_t  wildstr_len 
)

Performs wildcard matching, aka globbing, on the input string with the given wildcard pattern, and the specified wildcard characters.

This method does case insensitive comparisons.

Parameters
[in]cscharacter set of the input string and wildcard pattern
[in]strinput which should be matched against pattern
[in]str_lenlength of the input string
[in]wildstrpattern with wildcards
[in]wildstr_lenlength of the wildcards pattern
Returns
0 if input string match with the pattern
1 otherwise

◆ wildcard_db_grant_exists()

bool wildcard_db_grant_exists ( )

Variable Documentation

◆ any_db

const char* any_db

◆ disconnect_on_expired_password

bool disconnect_on_expired_password

◆ global_acls_vector

const std::vector<std::string> global_acls_vector

Consts for static privileges.

◆ global_password_history

volatile uint32 global_password_history

Global sysvar: the number of old passwords to check in the history.

◆ global_password_reuse_interval

volatile uint32 global_password_reuse_interval

Global sysvar: the number of days before a password can be reused.

◆ mysql_user_table_is_in_short_password_format

bool mysql_user_table_is_in_short_password_format

◆ validate_user_plugins

bool validate_user_plugins

controls the extra checks on plugin availability for mysql.user records