 |
MySQL 9.1.0
Source Code Documentation
|
|
MySQL 9.1.0
Source Code Documentation
|
#include <assert.h>#include <stddef.h>#include <stdint.h>#include <sys/types.h>#include <functional>#include <list>#include <memory>#include <string>#include <utility>#include <vector>#include "lex_string.h"#include "my_command.h"#include "my_hostname.h"#include "my_inttypes.h"#include "mysql_com.h"#include "sql/auth/auth_acls.h"#include "template_utils.h"#include <openssl/rsa.h>Go to the source code of this file.
Classes | |
| class | ACL_internal_table_access |
| Per internal table ACL access rules. More... | |
| class | ACL_internal_schema_access |
| Per internal schema ACL access rules. More... | |
| class | ACL_internal_schema_registry |
| A registry for per internal schema ACL. More... | |
| class | IS_internal_schema_access |
| Extension of ACL_internal_schema_access for Information Schema. More... | |
| class | User_table_schema |
| class | User_table_current_schema |
| class | User_table_old_schema |
| class | User_table_schema_factory |
| struct | Security_context_policy |
| class | Create_authid< Derived > |
| class | Grant_privileges< Derived > |
| class | Security_context_factory |
| Factory for creating any Security_context given a pre-constructed policy. More... | |
| class | Default_local_authid |
| class | Grant_temporary_dynamic_privileges |
| Grant the privilege temporarily to the in-memory global privileges map. More... | |
| class | Drop_temporary_dynamic_privileges |
| class | Grant_temporary_static_privileges |
| class | Auth_id |
| Storage container for default auth ids. More... | |
| struct | random_password_info |
Namespaces | |
| namespace | consts |
Macros | |
| #define | NONE_ATTR 0L |
| #define | DEFAULT_AUTH_ATTR (1L << 0) /* update defaults auth */ |
| #define | PLUGIN_ATTR (1L << 1) /* update plugin */ |
| #define | SSL_ATTR (1L << 2) /* ex: SUBJECT,CIPHER.. */ |
| #define | RESOURCE_ATTR (1L << 3) /* ex: MAX_QUERIES_PER_HOUR.. */ |
| #define | PASSWORD_EXPIRE_ATTR (1L << 4) /* update password expire col */ |
| #define | ACCESS_RIGHTS_ATTR (1L << 5) /* update privileges */ |
| #define | ACCOUNT_LOCK_ATTR (1L << 6) /* update account lock status */ |
| #define | DIFFERENT_PLUGIN_ATTR (1L << 7) /* updated plugin with a different value */ |
| #define | USER_ATTRIBUTES (1L << 8) /* Request to update user attributes */ |
| #define | DEFAULT_SSL_CA_CERT "ca.pem" |
| #define | DEFAULT_SSL_CA_KEY "ca-key.pem" |
| #define | DEFAULT_SSL_SERVER_CERT "server-cert.pem" |
| #define | DEFAULT_SSL_SERVER_KEY "server-key.pem" |
Typedefs | |
| typedef struct user_conn | USER_CONN |
| typedef std::pair< LEX_CSTRING, LEX_CSTRING > | Auth_id_ref |
| user, host tuple which reference either acl_cache or g_default_roles More... | |
| typedef std::vector< Auth_id_ref > | List_of_auth_id_refs |
| typedef enum ssl_artifacts_status | ssl_artifacts_status |
| typedef std::function< bool(Security_context *, Security_context_policy::Operation)> | Security_context_functor |
| template<typename T > | |
| using | Sctx_ptr = std::unique_ptr< T, std::function< void(T *)> > |
| using | Role_id = Auth_id |
| typedef std::list< random_password_info > | Userhostpassword_list |
Functions | |
| bool | operator< (const Auth_id_ref &a, const Auth_id_ref &b) |
| void | acl_log_connect (const char *user, const char *host, const char *auth_as, const char *db, THD *thd, enum enum_server_command command) |
| Logging connection for the general query log, extracted from acl_authenticate() as it's reused at different times based on whether proxy users are checked. More... | |
| int | acl_authenticate (THD *thd, enum_server_command command) |
| Perform the handshake, authorize the client and update thd sctx variables. More... | |
| bool | acl_check_host (THD *thd, const char *host, const char *ip) |
| void | log_user (THD *thd, String *str, LEX_USER *user, bool comma) |
| Auxiliary function for constructing a user list string. More... | |
| bool | check_change_password (THD *thd, const char *host, const char *user, bool retain_current_password) |
| bool | change_password (THD *thd, LEX_USER *user, const char *password, const char *current_password, bool retain_current_password) |
| Change a password hash for a user. More... | |
| bool | mysql_create_user (THD *thd, List< LEX_USER > &list, bool if_not_exists, bool is_role) |
| bool | mysql_alter_user (THD *thd, List< LEX_USER > &list, bool if_exists) |
| bool | mysql_drop_user (THD *thd, List< LEX_USER > &list, bool if_exists, bool drop_role) |
| Drop a list of users and all their privileges. More... | |
| bool | mysql_rename_user (THD *thd, List< LEX_USER > &list) |
| bool | acl_can_access_user (THD *thd, LEX_USER *user) |
| Auxiliary function for the CAN_ACCESS_USER internal function used to check if a row from mysql.user can be accessed or not by the current user. More... | |
| void | init_acl_memory () |
| Allocates the memory in the the global_acl_memory MEM_ROOT. More... | |
| int | wild_case_compare (CHARSET_INFO *cs, const char *str, const char *wildstr) |
| int | wild_case_compare (CHARSET_INFO *cs, const char *str, size_t str_len, const char *wildstr, size_t wildstr_len) |
| Performs wildcard matching, aka globbing, on the input string with the given wildcard pattern, and the specified wildcard characters. More... | |
| bool | hostname_requires_resolving (const char *hostname) |
| Check if the given host name needs to be resolved or not. More... | |
| bool | acl_init (bool dont_read_acl_tables) |
| bool | is_acl_inited () |
| void | acl_free (bool end=false) |
| bool | check_engine_type_for_acl_table (THD *thd, bool mdl_locked) |
| bool | grant_init (bool skip_grant_tables) |
| Initialize structures responsible for table/column-level privilege checking and load information for them from tables in the 'mysql' database. More... | |
| void | grant_free (void) |
| bool | reload_acl_caches (THD *thd, bool mdl_locked) |
| Reload all ACL caches. More... | |
| Access_bitmask | acl_get (THD *thd, const char *host, const char *ip, const char *user, const char *db, bool db_is_pattern) |
| Get privilege for a host, user, and db combination. More... | |
| bool | is_acl_user (THD *thd, const char *host, const char *user) |
| bool | acl_getroot (THD *thd, Security_context *sctx, const char *user, const char *host, const char *ip, const char *db) |
| bool | check_acl_tables_intact (THD *thd, bool mdl_locked) |
| Opens the ACL tables and checks their sanity. More... | |
| bool | check_acl_tables_intact (THD *thd, Table_ref *tables) |
| Helper function that checks the sanity of tables object present in the Table_ref object. More... | |
| void | notify_flush_event (THD *thd) |
| Audit notification for flush. More... | |
| bool | wildcard_db_grant_exists () |
| void | append_auth_id_string (const THD *thd, const char *user, size_t user_len, const char *host, size_t host_len, String *str) |
| Append the user@host to the str. More... | |
| bool | skip_grant_tables () |
| bool | mysql_set_active_role_none (THD *thd) |
| Reset active roles. More... | |
| bool | mysql_set_role_default (THD *thd) |
| Activates all the default roles in the current security context. More... | |
| bool | mysql_set_active_role_all (THD *thd, const List< LEX_USER > *except_users) |
| Activates all granted role in the current security context. More... | |
| bool | mysql_set_active_role (THD *thd, const List< LEX_USER > *role_list) |
| bool | mysql_grant (THD *thd, const char *db, List< LEX_USER > &list, Access_bitmask rights, bool revoke_grant, bool is_proxy, const List< LEX_CSTRING > &dynamic_privilege, bool grant_all_current_privileges, LEX_GRANT_AS *grant_as) |
| bool | mysql_routine_grant (THD *thd, Table_ref *table, bool is_proc, List< LEX_USER > &user_list, Access_bitmask rights, bool revoke, bool write_to_binlog, bool all_current_privileges) |
| Store routine level grants in the privilege tables. More... | |
| int | mysql_table_grant (THD *thd, Table_ref *table, List< LEX_USER > &user_list, List< LEX_COLUMN > &column_list, Access_bitmask rights, bool revoke, bool all_current_privileges) |
| bool | check_grant (THD *thd, Access_bitmask want_access, Table_ref *tables, bool any_combination_will_do, uint number, bool no_errors) |
| Check table level grants. More... | |
| bool | check_grant_column (THD *thd, GRANT_INFO *grant, const char *db_name, const char *table_name, const char *name, size_t length, Security_context *sctx, Access_bitmask want_privilege) |
| bool | check_column_grant_in_table_ref (THD *thd, Table_ref *table_ref, const char *name, size_t length, Access_bitmask want_privilege) |
| Check the privileges for a column depending on the type of table. More... | |
| bool | check_grant_all_columns (THD *thd, Access_bitmask want_access, Field_iterator_table_ref *fields) |
| check if a query can access a set of columns More... | |
| bool | check_grant_routine (THD *thd, Access_bitmask want_access, Table_ref *procs, bool is_proc, bool no_error) |
| bool | check_grant_db (THD *thd, const char *db, const bool check_table_grant=false) |
| Check if a user has the right to access a database. More... | |
| bool | acl_check_proxy_grant_access (THD *thd, const char *host, const char *user, bool with_grant) |
| void | get_privilege_desc (char *to, uint max_length, Access_bitmask access) |
| void | get_mqh (THD *thd, const char *user, const char *host, USER_CONN *uc) |
| Access_bitmask | get_table_grant (THD *thd, Table_ref *table) |
| Access_bitmask | get_column_grant (THD *thd, GRANT_INFO *grant, const char *db_name, const char *table_name, const char *field_name) |
| bool | mysql_show_grants (THD *, LEX_USER *, const List_of_auth_id_refs &, bool, bool) |
| SHOW GRANTS FOR user USING [ALL | role [,role ...]]. More... | |
| bool | mysql_show_create_user (THD *thd, LEX_USER *user, bool are_both_users_same) |
| Auxiliary function for constructing CREATE USER sql for a given user. More... | |
| bool | mysql_revoke_all (THD *thd, List< LEX_USER > &list) |
| bool | sp_revoke_privileges (THD *thd, const char *sp_db, const char *sp_name, bool is_proc) |
| Revoke privileges for all users on a stored procedure. More... | |
| bool | sp_grant_privileges (THD *thd, const char *sp_db, const char *sp_name, bool is_proc) |
| Grant EXECUTE,ALTER privilege for a stored procedure. More... | |
| void | fill_effective_table_privileges (THD *thd, GRANT_INFO *grant, const char *db, const char *table) |
| int | fill_schema_user_privileges (THD *thd, Table_ref *tables, Item *cond) |
| int | fill_schema_schema_privileges (THD *thd, Table_ref *tables, Item *cond) |
| int | fill_schema_table_privileges (THD *thd, Table_ref *tables, Item *cond) |
| int | fill_schema_column_privileges (THD *thd, Table_ref *tables, Item *cond) |
| const ACL_internal_schema_access * | get_cached_schema_access (GRANT_INTERNAL_INFO *grant_internal_info, const char *schema_name) |
| Get a cached internal schema access. More... | |
| bool | lock_tables_precheck (THD *thd, Table_ref *tables) |
| Check privileges for LOCK TABLES statement. More... | |
| bool | create_table_precheck (THD *thd, Table_ref *tables, Table_ref *create_table) |
| CREATE TABLE query pre-check. More... | |
| bool | check_fk_parent_table_access (THD *thd, HA_CREATE_INFO *create_info, Alter_info *alter_info) |
| Checks foreign key's parent table access. More... | |
| bool | check_lock_view_underlying_table_access (THD *thd, Table_ref *tbl, bool *fake_lock_tables_acl) |
| For LOCK TABLES on a view checks if user in which context view is executed or user that has initiated this operation has SELECT and LOCK TABLES privileges on one of its underlying tables. More... | |
| bool | check_readonly (THD *thd, bool err_if_readonly) |
| Performs standardized check whether to prohibit (true) or allow (false) operations based on read_only and super_read_only state. More... | |
| void | err_readonly (THD *thd) |
| Generates appropriate error messages for read-only state depending on whether user has SUPER privilege or not. More... | |
| bool | is_secure_transport (int vio_type) |
| bool | check_one_table_access (THD *thd, Access_bitmask privilege, Table_ref *tables) |
| Check grants for commands which work only with one table and all other tables belonging to subselects or implicitly opened tables. More... | |
| bool | check_single_table_access (THD *thd, Access_bitmask privilege, Table_ref *tables, bool no_errors) |
| Check grants for commands which work only with one table. More... | |
| bool | check_routine_access (THD *thd, Access_bitmask want_access, const char *db, char *name, bool is_proc, bool no_errors) |
| bool | check_some_access (THD *thd, Access_bitmask want_access, Table_ref *table) |
| Check if the given table has any of the asked privileges. More... | |
| bool | has_full_view_routine_access (THD *thd, const char *db, const char *definer_user, const char *definer_host) |
| Check if user has full access to view routine's properties (i.e including stored routine code). More... | |
| bool | has_partial_view_routine_access (THD *thd, const char *db, const char *routine_name, bool is_proc) |
| Check if user has partial access to view routine's properties (i.e. More... | |
| bool | check_access (THD *thd, Access_bitmask want_access, const char *db, Access_bitmask *save_priv, GRANT_INTERNAL_INFO *grant_internal_info, bool dont_check_global_grants, bool no_errors) |
| Compare requested privileges with the privileges acquired from the User- and Db-tables. More... | |
| bool | check_table_access (THD *thd, Access_bitmask requirements, Table_ref *tables, bool any_combination_of_privileges_will_do, uint number, bool no_errors) |
| Check if the requested privileges exists in either User-, DB- or, tables- tables. More... | |
| bool | check_table_encryption_admin_access (THD *thd) |
| Check if a current user has the privilege TABLE_ENCRYPTION_ADMIN required to create encrypted table. More... | |
| bool | mysql_grant_role (THD *thd, const List< LEX_USER > *users, const List< LEX_USER > *roles, bool with_admin_opt) |
| Grants a list of roles to a list of users. More... | |
| bool | mysql_revoke_role (THD *thd, const List< LEX_USER > *users, const List< LEX_USER > *roles) |
| void | get_default_roles (const Auth_id_ref &user, List_of_auth_id_refs &list) |
| Shallow copy a list of default role authorization IDs from an Role_id storage. More... | |
| bool | is_granted_table_access (THD *thd, Access_bitmask required_acl, Table_ref *table) |
| Given a Table_ref object this function checks against. More... | |
| bool | mysql_alter_or_clear_default_roles (THD *thd, role_enum role_type, const List< LEX_USER > *users, const List< LEX_USER > *roles) |
| Set the default roles to NONE, ALL or list of authorization IDs as roles, depending upon the role_type argument. More... | |
| void | roles_graphml (THD *thd, String *) |
| bool | has_grant_role_privilege (THD *thd, const List< LEX_USER > *roles) |
| Auth_id_ref | create_authid_from (const LEX_USER *user) |
| std::string | create_authid_str_from (const LEX_USER *user) |
| Helper used for producing a key to a key-value-map. More... | |
| std::pair< std::string, std::string > | get_authid_from_quoted_string (std::string str) |
| Return the unquoted authorization id as a user,host-tuple. More... | |
| void | append_identifier (String *packet, const char *name, size_t length) |
| Convert and quote the given identifier if needed and append it to the target string. More... | |
| bool | is_role_id (LEX_USER *authid) |
| void | shutdown_acl_cache () |
| Shutdown the global Acl_cache system which was only initialized if the rwlocks were initialized. More... | |
| bool | is_granted_role (LEX_CSTRING user, LEX_CSTRING host, LEX_CSTRING role, LEX_CSTRING role_host) |
| This function works just like check_if_granted_role, but also guarantees that the proper lock is taken so that the function can be used in a wider context. More... | |
| bool | is_mandatory_role (LEX_CSTRING role, LEX_CSTRING role_host, bool *is_mandatory) |
| Determine if a role@role_host authid is a mandatory role. More... | |
| bool | check_global_access (THD *thd, Access_bitmask want_access) |
| check for global access and give descriptive error message if it fails. More... | |
| void | commit_and_close_mysql_tables (THD *thd) |
| A helper function to commit statement transaction and close ACL tables after reading some data from them as part of FLUSH PRIVILEGES statement or during server initialization. More... | |
| bool | is_acl_table_name (const char *name) |
| Check if given table name is a ACL table name. More... | |
| bool | is_acl_table (const TABLE *table) |
| Check if given TABLE* is a ACL table name. More... | |
| ulong | get_global_acl_cache_size () |
| bool | do_auto_cert_generation (ssl_artifacts_status auto_detection_status, const char **ssl_ca, const char **ssl_key, const char **ssl_cert) |
| Check auto_generate_certs option and generate SSL certificates if required. More... | |
| void | update_mandatory_roles (void) |
| bool | check_authorization_id_string (THD *thd, LEX_STRING &mandatory_roles) |
| void | func_current_role (const THD *thd, String *active_role) |
| Helper function for Item_func_current_role. More... | |
| bool | operator== (const LEX_CSTRING &a, const LEX_CSTRING &b) |
| bool | is_partial_revoke_exists (THD *thd) |
| Method to check if there exists at least one partial revokes in the cache. More... | |
| void | set_system_user_flag (THD *thd, bool check_for_main_security_ctx=false) |
| Set the system_user flag in the THD. More... | |
| void | set_connection_admin_flag (THD *thd, bool check_for_main_security_ctx=false) |
| Set the connection_admin flag in the THD. More... | |
| void | generate_random_password (std::string *password, uint32_t) |
| Generates a random password of the length decided by the system variable generated_random_password_length. More... | |
| bool | send_password_result_set (THD *thd, const Userhostpassword_list &generated_passwords) |
| Sends the result set of generated passwords to the client. More... | |
| bool | lock_and_get_mandatory_roles (std::vector< Role_id > *mandatory_roles) |
| Copy a list of mandatory role authorization IDs. More... | |
| bool | mysql_alter_user_comment (THD *thd, const List< LEX_USER > *users, const std::string &json_blob, bool expect_text) |
| bool | turn_off_sandbox_mode (THD *thd, LEX_USER *user) |
| Helper method to turn off sandbox mode once registration step is complete. More... | |
| bool | decrypt_RSA_private_key (uchar *pkt, int cipher_length, unsigned char *plain_text, size_t plain_text_len, RSA *private_key) |
| Decrypt pkt data using RSA private key. More... | |
Variables | |
| const std::string | consts::mysql |
| const std::string | consts::system_user |
| const std::string | consts::connection_admin |
| const std::vector< std::string > | global_acls_vector |
| Consts for static privileges. More... | |
| bool | mysql_user_table_is_in_short_password_format |
| bool | disconnect_on_expired_password |
| const char * | any_db |
| bool | validate_user_plugins |
| controls the extra checks on plugin availability for mysql.user records More... | |
| bool | opt_auto_generate_certs |
| uint32 | global_password_history |
| Global sysvar: the number of old passwords to check in the history. More... | |
| uint32 | global_password_reuse_interval |
| static constexpr int | USER_HOST_BUFF_SIZE |
| Length of string buffer, that is enough to contain username and hostname parts of the user identifier with trailing zero in MySQL standard format: user_name_part@host_name_part\0. More... | |
| #define DEFAULT_SSL_CA_CERT "ca.pem" |
| #define DEFAULT_SSL_CA_KEY "ca-key.pem" |
| #define DEFAULT_SSL_SERVER_CERT "server-cert.pem" |
| #define DEFAULT_SSL_SERVER_KEY "server-key.pem" |
| #define DIFFERENT_PLUGIN_ATTR (1L << 7) /* updated plugin with a different value */ |
| #define NONE_ATTR 0L |
| #define RESOURCE_ATTR (1L << 3) /* ex: MAX_QUERIES_PER_HOUR.. */ |
| #define SSL_ATTR (1L << 2) /* ex: SUBJECT,CIPHER.. */ |
| typedef std::pair<LEX_CSTRING, LEX_CSTRING> Auth_id_ref |
user, host tuple which reference either acl_cache or g_default_roles
| typedef std::vector<Auth_id_ref> List_of_auth_id_refs |
| using Sctx_ptr = std::unique_ptr<T, std::function<void(T *)> > |
| typedef std::function<bool(Security_context *, Security_context_policy::Operation)> Security_context_functor |
| typedef enum ssl_artifacts_status ssl_artifacts_status |
| typedef std::list<random_password_info> Userhostpassword_list |
| enum mysql_db_table_field |
| enum ssl_artifacts_status |
| int acl_authenticate | ( | THD * | thd, |
| enum_server_command | command | ||
| ) |
Perform the handshake, authorize the client and update thd sctx variables.
| thd | thread handle |
| command | the command to be executed, it can be either a COM_CHANGE_USER or COM_CONNECT (if it's a new connection) |
| 0 | success, thd is updated. |
| 1 | error |
Auxiliary function for the CAN_ACCESS_USER internal function used to check if a row from mysql.user can be accessed or not by the current user.
| true | the current user can access the user |
| false | the current user can't access the user |
| bool acl_check_host | ( | THD * | thd, |
| const char * | host, | ||
| const char * | ip | ||
| ) |
| bool acl_check_proxy_grant_access | ( | THD * | thd, |
| const char * | host, | ||
| const char * | user, | ||
| bool | with_grant | ||
| ) |
| void acl_free | ( | bool | end = false | ) |
| Access_bitmask acl_get | ( | THD * | thd, |
| const char * | host, | ||
| const char * | ip, | ||
| const char * | user, | ||
| const char * | db, | ||
| bool | db_is_pattern | ||
| ) |
Get privilege for a host, user, and db combination.
NOTES 1) db_cache is not used if db_is_pattern is set. 2) This function does not take into account privileges granted via active roles. 3) This should not be used outside ACL subsystem code (sql/auth). Use check_db_level_access() instead.
| thd | Thread handler |
| host | Host name |
| ip | Ip |
| user | user name |
| db | We look for the ACL of this database |
| db_is_pattern | true if db can be considered a pattern or false if not |
| bool acl_getroot | ( | THD * | thd, |
| Security_context * | sctx, | ||
| const char * | user, | ||
| const char * | host, | ||
| const char * | ip, | ||
| const char * | db | ||
| ) |
| bool acl_init | ( | bool | dont_read_acl_tables | ) |
| void acl_log_connect | ( | const char * | user, |
| const char * | host, | ||
| const char * | auth_as, | ||
| const char * | db, | ||
| THD * | thd, | ||
| enum enum_server_command | command | ||
| ) |
Logging connection for the general query log, extracted from acl_authenticate() as it's reused at different times based on whether proxy users are checked.
| user | authentication user name |
| host | authentication user host or IP address |
| auth_as | privilege user name |
| db | default database |
| thd | thread handle |
| command | type of command(connect or change user) |
| void append_auth_id_string | ( | const THD * | thd, |
| const char * | user, | ||
| size_t | user_len, | ||
| const char * | host, | ||
| size_t | host_len, | ||
| String * | str | ||
| ) |
Append the user@host to the str.
| [in] | thd | The THD to find the SQL mode |
| [in] | user | Username to append to authID |
| [in] | user_len | Length of Username |
| [in] | host | hostname to append to authID |
| [in] | host_len | Length of hostname |
| [in,out] | str | The string in which authID is suffixed |
| void append_identifier | ( | String * | packet, |
| const char * | name, | ||
| size_t | length | ||
| ) |
Convert and quote the given identifier if needed and append it to the target string.
If the given identifier is empty, it will be quoted. This function always use the backtick as escape char and thus rid itself of the THD dependency.
| packet | target string |
| name | the identifier to be appended |
| length | length of the appending identifier |
| bool change_password | ( | THD * | thd, |
| LEX_USER * | lex_user, | ||
| const char * | new_password, | ||
| const char * | current_password, | ||
| bool | retain_current_password | ||
| ) |
Change a password hash for a user.
| thd | Thread handle |
| lex_user | LEX_USER |
| new_password | New password hash for host@user |
| current_password | Current password for host@user |
| retain_current_password | Preference to retain current password |
Note : it will also reset the change_password flag. This is safe to do unconditionally since the simple userless form SET PASSWORD = 'text' will be the only allowed form when this flag is on. So we don't need to check user names here.
| 0 | ok |
| 1 | ERROR; In this case the error is sent to the client. |
| bool check_access | ( | THD * | thd, |
| Access_bitmask | want_access, | ||
| const char * | db, | ||
| Access_bitmask * | save_priv, | ||
| GRANT_INTERNAL_INFO * | grant_internal_info, | ||
| bool | dont_check_global_grants, | ||
| bool | no_errors | ||
| ) |
Compare requested privileges with the privileges acquired from the User- and Db-tables.
| thd | Thread handler | |
| want_access | The requested access privileges. | |
| db | A pointer to the Db name. | |
| [out] | save_priv | A pointer to the granted privileges will be stored. |
| grant_internal_info | A pointer to the internal grant cache. | |
| dont_check_global_grants | True if no global grants are checked. | |
| no_errors | True if no errors should be sent to the client. |
'save_priv' is used to save the User-table (global) and Db-table grants for the supplied db name. Note that we don't store db level grants if the global grants is enough to satisfy the request AND the global grants contains a SELECT grant.
For internal databases (INFORMATION_SCHEMA, PERFORMANCE_SCHEMA), additional rules apply, see ACL_internal_schema_access.
| false | Access can't exclusively be denied by Db- and User-table access unless Column- and Table-grants are checked too. |
| true | Access denied. The DA is set if no_error = false! |
| bool check_acl_tables_intact | ( | THD * | thd, |
| bool | mdl_locked | ||
| ) |
Opens the ACL tables and checks their sanity.
This method reports error only if it is unable to open or lock tables. It is called in situations when server has to continue even if a corrupt table was found - For example - acl_init()
| thd | Handle of current thread. |
| mdl_locked | MDL is locked |
| false | OK. true Unable to open the table(s). |
Helper function that checks the sanity of tables object present in the Table_ref object.
it logs a warning message when a table is missing
| thd | Handle of current thread. |
| tables | A valid table list pointer |
| false | OK. true Error. |
| bool check_authorization_id_string | ( | THD * | thd, |
| LEX_STRING & | mandatory_roles | ||
| ) |
| bool check_change_password | ( | THD * | thd, |
| const char * | host, | ||
| const char * | user, | ||
| bool | retain_current_password | ||
| ) |
| bool check_column_grant_in_table_ref | ( | THD * | thd, |
| Table_ref * | table_ref, | ||
| const char * | name, | ||
| size_t | length, | ||
| Access_bitmask | want_privilege | ||
| ) |
Check the privileges for a column depending on the type of table.
| thd | thread handler |
| table_ref | table reference where to check the field |
| name | name of field to check |
| length | length of name |
| want_privilege | wanted privileges |
Check the privileges for a column depending on the type of table the column belongs to. The function provides a generic interface to check column privileges that hides the heterogeneity of the column representation - whether it belongs to a view or a base table.
Notice that this function does not understand that a column from a view reference must be checked for privileges both in the view and in the underlying base table (or view) reference. This is the responsibility of the caller.
Columns from temporary tables and derived tables are ignored by this function.
| bool check_engine_type_for_acl_table | ( | THD * | thd, |
| bool | mdl_locked | ||
| ) |
| bool check_fk_parent_table_access | ( | THD * | thd, |
| HA_CREATE_INFO * | create_info, | ||
| Alter_info * | alter_info | ||
| ) |
Checks foreign key's parent table access.
| [in] | thd | Thread handler |
| [in] | create_info | Create information (like MAX_ROWS, ENGINE or temporary table flag) |
| [in] | alter_info | Initial list of columns and indexes for the table to be created |
| false | ok. |
| true | error or access denied. Error is sent to client in this case. |
| bool check_global_access | ( | THD * | thd, |
| Access_bitmask | want_access | ||
| ) |
check for global access and give descriptive error message if it fails.
| thd | Thread handler |
| want_access | Use should have any of these global rights |
| 0 | ok |
| 1 | Access denied. In this case an error is sent to the client |
| bool check_grant | ( | THD * | thd, |
| Access_bitmask | want_access, | ||
| Table_ref * | tables, | ||
| bool | any_combination_will_do, | ||
| uint | number, | ||
| bool | no_errors | ||
| ) |
Check table level grants.
| thd | Thread handler |
| want_access | Bits of privileges user needs to have. |
| tables | List of tables to check. The user should have 'want_access' to all tables in list. |
| any_combination_will_do | true if it's enough to have any privilege for any combination of the table columns. |
| number | Check at most this number of tables. |
| no_errors | true if no error should be sent directly to the client. |
If table->grant.want_privilege != 0 then the requested privileges where in the set of COL_ACLS but access was not granted on the table level. As a consequence an extra check of column privileges is required.
Specifically if this function returns false the user has some kind of privilege on a combination of columns in each table.
This function is usually preceded by check_access which establish the User-, Db- and Host access rights.
| false | Access granted; But column privileges need to be checked. |
| true | The user did not have the requested privileges on any of the tables. |
| bool check_grant_all_columns | ( | THD * | thd, |
| Access_bitmask | want_access_arg, | ||
| Field_iterator_table_ref * | fields | ||
| ) |
check if a query can access a set of columns
| thd | the current thread |
| want_access_arg | the privileges requested |
| fields | an iterator over the fields of a table reference. |
| 0 | Success |
| 1 | Failure |
This function walks over the columns of a table reference The columns may originate from different tables, depending on the kind of table reference, e.g. join, view. For each table it will retrieve the grant information and will use it to check the required access privileges for the fields requested from it.
| bool check_grant_column | ( | THD * | thd, |
| GRANT_INFO * | grant, | ||
| const char * | db_name, | ||
| const char * | table_name, | ||
| const char * | name, | ||
| size_t | length, | ||
| Security_context * | sctx, | ||
| Access_bitmask | want_privilege | ||
| ) |
| bool check_grant_db | ( | THD * | thd, |
| const char * | db, | ||
| const bool | check_table_grant | ||
| ) |
Check if a user has the right to access a database.
Access is accepted if the user has a database operations related grant (i.e. not including the GRANT_ACL) for any table/column/routine in the database.
| thd | The thread handler |
| db | The name of the database |
| check_table_grant | false by default, Access is granted for "show databases" and "show tables in database" when user has table level grant. |
| 1 | Access is denied |
| 0 | Otherwise |
| bool check_grant_routine | ( | THD * | thd, |
| Access_bitmask | want_access, | ||
| Table_ref * | procs, | ||
| bool | is_proc, | ||
| bool | no_error | ||
| ) |
| bool check_lock_view_underlying_table_access | ( | THD * | thd, |
| Table_ref * | tbl, | ||
| bool * | fake_lock_tables_acl | ||
| ) |
For LOCK TABLES on a view checks if user in which context view is executed or user that has initiated this operation has SELECT and LOCK TABLES privileges on one of its underlying tables.
| [in] | thd | Thread context. |
| [in] | tbl | Table list element for underlying table on which we check privilege. |
| [out] | fake_lock_tables_acl | Set to true if table in question is one of special I_S or P_S tables on which nobody can get LOCK TABLES privilege. So to preserve compatibility with dump tools we need to fake this privilege. Set to false otherwise. |
| false | Success. |
| true | Access denied. Error has been reported. |
| bool check_one_table_access | ( | THD * | thd, |
| Access_bitmask | privilege, | ||
| Table_ref * | all_tables | ||
| ) |
Check grants for commands which work only with one table and all other tables belonging to subselects or implicitly opened tables.
| thd | Thread handler |
| privilege | requested privilege |
| all_tables | global table list of query |
| bool check_readonly | ( | THD * | thd, |
| bool | err_if_readonly | ||
| ) |
Performs standardized check whether to prohibit (true) or allow (false) operations based on read_only and super_read_only state.
| thd | Thread handler |
| err_if_readonly | Boolean indicating whether or not to add the error to the thread context if read-only is violated. |
| true | The operation should be prohibited. @ retval false The operation should be allowed. |
| bool check_routine_access | ( | THD * | thd, |
| Access_bitmask | want_access, | ||
| const char * | db, | ||
| char * | name, | ||
| bool | is_proc, | ||
| bool | no_errors | ||
| ) |
| bool check_single_table_access | ( | THD * | thd, |
| Access_bitmask | privilege, | ||
| Table_ref * | all_tables, | ||
| bool | no_errors | ||
| ) |
Check grants for commands which work only with one table.
| thd | Thread handler |
| privilege | requested privilege |
| all_tables | global table list of query |
| no_errors | false/true - report/don't report error to the client (using my_error() call). |
| 0 | OK |
| 1 | access denied, error is sent to client |
| bool check_some_access | ( | THD * | thd, |
| Access_bitmask | want_access, | ||
| Table_ref * | table | ||
| ) |
Check if the given table has any of the asked privileges.
| thd | Thread handler |
| want_access | Bitmap of possible privileges to check for |
| table | The table for which access needs to be validated |
| 0 | ok |
| 1 | error |
| bool check_table_access | ( | THD * | thd, |
| Access_bitmask | requirements, | ||
| Table_ref * | tables, | ||
| bool | any_combination_of_privileges_will_do, | ||
| uint | number, | ||
| bool | no_errors | ||
| ) |
Check if the requested privileges exists in either User-, DB- or, tables- tables.
| thd | Thread context |
| requirements | Privileges requested |
| tables | List of tables to be compared against |
| no_errors | Don't report error to the client (using my_error() call). |
| any_combination_of_privileges_will_do | true if any privileges on any column combination is enough. |
| number | Only the first 'number' tables in the linked list are relevant. |
The supplied table list contains cached privileges. This functions calls the help functions check_access and check_grant to verify the first three steps in the privileges check queue:
| false | OK |
| true | Access denied; But column or routine privileges might need to be checked also. |
| bool check_table_encryption_admin_access | ( | THD * | thd | ) |
Check if a current user has the privilege TABLE_ENCRYPTION_ADMIN required to create encrypted table.
We skip the same for slave threads.
| thd | Current thread |
| false | A user has the privilege TABLE_ENCRYPTION_ADMIN |
| true | A user doesn't have the privilege TABLE_ENCRYPTION_ADMIN |
| void commit_and_close_mysql_tables | ( | THD * | thd | ) |
A helper function to commit statement transaction and close ACL tables after reading some data from them as part of FLUSH PRIVILEGES statement or during server initialization.
| Auth_id_ref create_authid_from | ( | const LEX_USER * | user | ) |
| std::string create_authid_str_from | ( | const LEX_USER * | user | ) |
Helper used for producing a key to a key-value-map.
CREATE TABLE query pre-check.
| thd | Thread handler |
| tables | Global table list |
| create_table | Table which will be created |
| false | OK |
| true | Error |
| bool decrypt_RSA_private_key | ( | uchar * | pkt, |
| int | cipher_length, | ||
| unsigned char * | plain_text, | ||
| size_t | plain_text_len, | ||
| RSA * | private_key | ||
| ) |
Decrypt pkt data using RSA private key.
| [in] | pkt | Data to decrypt. |
| [in] | cipher_length | Length of the data. |
| [in] | plain_text | Buffer to store result. |
| [in] | plain_text_len | size of buffer |
| [in] | private_key | Private key to use. |
| false | Success. |
| true | Failure. |
| bool do_auto_cert_generation | ( | ssl_artifacts_status | auto_detection_status, |
| const char ** | ssl_ca, | ||
| const char ** | ssl_key, | ||
| const char ** | ssl_cert | ||
| ) |
Check auto_generate_certs option and generate SSL certificates if required.
SSL Certificates are generated iff following conditions are met. 1> auto_generate_certs is set to ON. 2> None of the SSL system variables are specified. 3> Following files are not present in data directory. a> ca.pem b> server_cert.pem c> server_key.pem
If above mentioned conditions are satisfied, following action will be taken:
1> 6 File are generated and placed data directory: a> ca.pem b> ca_key.pem c> server_cert.pem d> server_key.pem e> client_cert.pem f> client_key.pem
ca.pem is self signed auto generated CA certificate. server_cert.pem and client_cert.pem are signed using auto generated CA.
ca_key.pem, client_cert.pem and client_key.pem are overwritten if they are present in data directory.
Path of following system variables are set if certificates are either generated or already present in data directory. a> ssl-ca b> ssl-cert c> ssl-key
Assumption : auto_detect_ssl() is called before control reaches to do_auto_cert_generation().
| [in] | auto_detection_status | Status of SSL artifacts detection process |
| [out] | ssl_ca | pointer to the generated CA certificate file |
| [out] | ssl_key | pointer to the generated key file |
| [out] | ssl_cert | pointer to the generated certificate file. |
| true | i Generation is successful or skipped |
| false | Generation failed. |
| void err_readonly | ( | THD * | thd | ) |
Generates appropriate error messages for read-only state depending on whether user has SUPER privilege or not.
| thd | Thread handler |
| void fill_effective_table_privileges | ( | THD * | thd, |
| GRANT_INFO * | grant, | ||
| const char * | db, | ||
| const char * | table | ||
| ) |
Helper function for Item_func_current_role.
| thd | Thread handler |
| active_role | [out] Comma separated list of auth ids |
| void generate_random_password | ( | std::string * | password, |
| uint32_t | length | ||
| ) |
Generates a random password of the length decided by the system variable generated_random_password_length.
| [out] | password | The generated password. |
| length | The length of the generated password. |
| std::pair< std::string, std::string > get_authid_from_quoted_string | ( | std::string | str | ) |
Return the unquoted authorization id as a user,host-tuple.
| str | The quoted or unquoted string representation of an authid |
| const ACL_internal_schema_access * get_cached_schema_access | ( | GRANT_INTERNAL_INFO * | grant_internal_info, |
| const char * | schema_name | ||
| ) |
Get a cached internal schema access.
| grant_internal_info | the cache |
| schema_name | the name of the internal schema |
| Access_bitmask get_column_grant | ( | THD * | thd, |
| GRANT_INFO * | grant, | ||
| const char * | db_name, | ||
| const char * | table_name, | ||
| const char * | field_name | ||
| ) |
| void get_default_roles | ( | const Auth_id_ref & | acl_user, |
| List_of_auth_id_refs & | authlist | ||
| ) |
Shallow copy a list of default role authorization IDs from an Role_id storage.
| acl_user | A valid authID for which we want the default roles. | |
| [out] | authlist | The target list to be populated. The target list is set to empty if no default role is found. |
| ulong get_global_acl_cache_size | ( | ) |
| void get_privilege_desc | ( | char * | to, |
| uint | max_length, | ||
| Access_bitmask | access | ||
| ) |
| Access_bitmask get_table_grant | ( | THD * | thd, |
| Table_ref * | table | ||
| ) |
| void grant_free | ( | void | ) |
| bool grant_init | ( | bool | skip_grant_tables | ) |
Initialize structures responsible for table/column-level privilege checking and load information for them from tables in the 'mysql' database.
| skip_grant_tables | true if the command line option –skip-grant-tables is specified, else false. |
| false | OK |
| true | Could not initialize grant subsystem. |
| bool has_full_view_routine_access | ( | THD * | thd, |
| const char * | db, | ||
| const char * | definer_user, | ||
| const char * | definer_host | ||
| ) |
Check if user has full access to view routine's properties (i.e including stored routine code).
User must have GLOBAL SELECT or SHOW_ROUTINE privilege, or be the definer of this routine.
| thd | Thread handler |
| db | Database name |
| definer_user | Definer username |
| definer_host | Definer host |
| false | no full access. |
| true | has full access. |
| bool has_partial_view_routine_access | ( | THD * | thd, |
| const char * | db, | ||
| const char * | routine_name, | ||
| bool | is_proc | ||
| ) |
Check if user has partial access to view routine's properties (i.e.
excluding stored routine code). User must have EXECUTE/CREATE/ALTER ROUTINE privileges.
| thd | Thread handler |
| db | Database name |
| routine_name | Routine name |
| is_proc | True if this routine is a stored procedure, rather than a stored function. |
| false | no access. |
| true | has partial access. |
| bool hostname_requires_resolving | ( | const char * | hostname | ) |
Check if the given host name needs to be resolved or not.
Host name has to be resolved if it actually contains name.
For example: 192.168.1.1 --> false 192.168.1.0/255.255.255.0 --> false % --> false 192.168.1.% --> false AB% --> false
AAAAFFFF --> true (Hostname) AAAA:FFFF:1234:5678 --> false ::1 --> false
This function does not check if the given string is a valid host name or not. It assumes that the argument is a valid host name.
| hostname | the string to check. |
| true | the argument is a host name and needs to be resolved. |
| false | the argument is either an IP address, or a patter and should not be resolved. |
| void init_acl_memory | ( | ) |
Allocates the memory in the the global_acl_memory MEM_ROOT.
| bool is_acl_inited | ( | ) |
| bool is_acl_table | ( | const TABLE * | table | ) |
Check if given TABLE* is a ACL table name.
| table | TABLE object. |
| true | If it is a ACL table, otherwise false. |
| bool is_acl_table_name | ( | const char * | name | ) |
Check if given table name is a ACL table name.
| name | Table name. |
| true | If it is a ACL table, otherwise false. |
| bool is_acl_user | ( | THD * | thd, |
| const char * | host, | ||
| const char * | user | ||
| ) |
| bool is_granted_role | ( | LEX_CSTRING | user, |
| LEX_CSTRING | host, | ||
| LEX_CSTRING | role, | ||
| LEX_CSTRING | role_host | ||
| ) |
This function works just like check_if_granted_role, but also guarantees that the proper lock is taken so that the function can be used in a wider context.
| user | The user name part of a authid which should be tested |
| host | The host name part of a authid which should be tested |
| role | The role name part of the role authid |
| role_host | The host name part of the role authid |
| true | The value user@host was previously granted role@role_host |
| false | role@role_host is not granted to user@host |
| bool is_granted_table_access | ( | THD * | thd, |
| Access_bitmask | required_acl, | ||
| Table_ref * | table | ||
| ) |
Given a Table_ref object this function checks against.
This function only checks the existence of required ACL on a single table object. No special consideration is made for the table type (derived, view, temporary etc).
| thd | Thread handle |
| required_acl | The privileges which are required to continue |
| table | An initialized, single Table_ref object |
| true | Access is granted |
| false | Access denied |
| bool is_mandatory_role | ( | LEX_CSTRING | role, |
| LEX_CSTRING | role_host, | ||
| bool * | is_mandatory | ||
| ) |
Determine if a role@role_host authid is a mandatory role.
| role | Role name. | |
| role_host | Host name of role. | |
| [out] | is_mandatory | Pointer to boolean hold status of check. |
| true | if failed to determine. e.g., ACL lock acquire failed. |
| false | otherwise. |
| bool is_partial_revoke_exists | ( | THD * | thd | ) |
Method to check if there exists at least one partial revokes in the cache.
If the cache is not initialized at the time of the method call then it returns no partial revokes exists.
| [in] | thd | THD handle |
| true | Partial revokes exists |
| false | Otherwise |
| bool is_role_id | ( | LEX_USER * | authid | ) |
| bool is_secure_transport | ( | int | vio_type | ) |
| bool lock_and_get_mandatory_roles | ( | std::vector< Role_id > * | mandatory_roles | ) |
Copy a list of mandatory role authorization IDs.
| [out] | mandatory_roles | Pointer to the target list to be populated. The target list is set to empty if no mandatory role is found. |
Check privileges for LOCK TABLES statement.
| thd | Thread context. |
| tables | List of tables to be locked. |
| false | - Success. |
| true | - Failure. |
Auxiliary function for constructing a user list string.
This function is used for error reporting and logging.
| thd | Thread context |
| str | A String to store the user list. |
| user | A LEX_USER which will be appended into user list. |
| comma | If true, append a ',' before the the user. |
| bool mysql_alter_or_clear_default_roles | ( | THD * | thd, |
| role_enum | role_type, | ||
| const List< LEX_USER > * | users, | ||
| const List< LEX_USER > * | roles | ||
| ) |
Set the default roles to NONE, ALL or list of authorization IDs as roles, depending upon the role_type argument.
It writes to table mysql.default_roles and binlog.
| thd | Thread handler |
| role_type | default role type specified by the user. |
| users | Users for whom the default roles are set. |
| roles | list of default roles to be set. |
| true | An error occurred and DA is set |
| false | Successful |
| bool mysql_alter_user_comment | ( | THD * | thd, |
| const List< LEX_USER > * | users, | ||
| const std::string & | json_blob, | ||
| bool | expect_text | ||
| ) |
Drop a list of users and all their privileges.
| thd | The current thread. |
| list | The users to drop. |
| if_exists | The if exists flag |
| on_drop_role_priv | enabled by the DROP ROLE privilege |
| false | OK |
| true | Error |
| bool mysql_grant | ( | THD * | thd, |
| const char * | db, | ||
| List< LEX_USER > & | list, | ||
| Access_bitmask | rights, | ||
| bool | revoke_grant, | ||
| bool | is_proxy, | ||
| const List< LEX_CSTRING > & | dynamic_privilege, | ||
| bool | grant_all_current_privileges, | ||
| LEX_GRANT_AS * | grant_as | ||
| ) |
| bool mysql_grant_role | ( | THD * | thd, |
| const List< LEX_USER > * | users, | ||
| const List< LEX_USER > * | roles, | ||
| bool | with_admin_opt | ||
| ) |
Grants a list of roles to a list of users.
Changes are persistent and written in the mysql.roles_edges table.
| thd | Thread handler |
| users | A list of authorization IDs |
| roles | A list of authorization IDs |
| with_admin_opt | True if the granted users should be able to pass on the roles to other authorization IDs |
| true | An error occurred and the DA is set. |
| false | The operation was successful and DA is set. |
| bool mysql_revoke_role | ( | THD * | thd, |
| const List< LEX_USER > * | users, | ||
| const List< LEX_USER > * | roles | ||
| ) |
| bool mysql_routine_grant | ( | THD * | thd, |
| Table_ref * | table_list, | ||
| bool | is_proc, | ||
| List< LEX_USER > & | user_list, | ||
| Access_bitmask | rights, | ||
| bool | revoke_grant, | ||
| bool | write_to_binlog, | ||
| bool | all_current_privileges | ||
| ) |
Store routine level grants in the privilege tables.
| thd | Thread handle |
| table_list | List of routines to give grant |
| is_proc | Is this a list of procedures? |
| user_list | List of users to give grant |
| rights | Table level grant |
| revoke_grant | Is this is a REVOKE command? |
| write_to_binlog | True if this statement should be written to binlog |
| all_current_privileges | Set to true if this is GRANT/REVOKE ALL |
| false | Success. |
| true | An error occurred. |
Activates all granted role in the current security context.
This function acquires the acl_user->lock mutex.
| thd | A valid THD handle |
| except_users | A pointer to a list of LEX_USER objects which represent roles that shouldn't be activated. |
| 0 | Success; the specified role was activated. |
| != | 0 Failure. DA is set. |
| bool mysql_set_active_role_none | ( | THD * | thd | ) |
Reset active roles.
| [in] | thd | THD handle |
| false | Success |
| true | Error |
| bool mysql_set_role_default | ( | THD * | thd | ) |
Activates all the default roles in the current security context.
This function acquires the Acl_cache_lock_guard in read lock.
| thd | A valid THD handle |
| 0 | Success; the specified role was activated. |
| != | 0 Failure. DA is set. |
Auxiliary function for constructing CREATE USER sql for a given user.
| thd | Thread context |
| user_name | user for which the sql should be constructed. |
| are_both_users_same | If the command is issued for self or not. |
| 0 | OK. 1 Error. |
| bool mysql_show_grants | ( | THD * | thd, |
| LEX_USER * | lex_user, | ||
| const List_of_auth_id_refs & | using_roles, | ||
| bool | show_mandatory_roles, | ||
| bool | have_using_clause | ||
| ) |
SHOW GRANTS FOR user USING [ALL | role [,role ...]].
| thd | thread handler |
| lex_user | The user,host descriptor |
| using_roles | An forward iterable container of LEX_STRING std::pair |
| show_mandatory_roles | true means mandatory roles are listed |
| have_using_clause | true means there's a non-empty USING clause specified |
| int mysql_table_grant | ( | THD * | thd, |
| Table_ref * | table, | ||
| List< LEX_USER > & | user_list, | ||
| List< LEX_COLUMN > & | column_list, | ||
| Access_bitmask | rights, | ||
| bool | revoke, | ||
| bool | all_current_privileges | ||
| ) |
| void notify_flush_event | ( | THD * | thd | ) |
Audit notification for flush.
| [in] | thd | Handle to THD |
| bool operator< | ( | const Auth_id_ref & | a, |
| const Auth_id_ref & | b | ||
| ) |
| bool operator== | ( | const LEX_CSTRING & | a, |
| const LEX_CSTRING & | b | ||
| ) |
| bool reload_acl_caches | ( | THD * | thd, |
| bool | mdl_locked | ||
| ) |
Reload all ACL caches.
We call this in two cases:
| [in] | thd | THD handle |
| [in] | mdl_locked | MDL locks are taken |
| false | Success |
| true | Error |
| bool send_password_result_set | ( | THD * | thd, |
| const Userhostpassword_list & | generated_passwords | ||
| ) |
Sends the result set of generated passwords to the client.
| thd | The thread handler |
| generated_passwords | A list of 3-tuple strings containing user, host and plaintext password. |
| true | An error occurred (DA is set) |
| false | Success (my_eof) |
| void set_connection_admin_flag | ( | THD * | thd, |
| bool | check_for_main_security_ctx | ||
| ) |
Set the connection_admin flag in the THD.
Probe the security context for the CONNECTION_ADMIN or SUPER dynamic privilege only if it has not been changed from original security context in the THD. If the original security context does not have CONNECTION_ADMIN or SUPER privlege then reset the flag in the THD, otherwise set it.
| [in,out] | thd | Thead handle |
| [in] | check_for_main_security_ctx | If this flag value is true then we toggle value in THD only if current security context is same as main security context. |
| void set_system_user_flag | ( | THD * | thd, |
| bool | check_for_main_security_ctx | ||
| ) |
Set the system_user flag in the THD.
Probe the security context for the SYSTEM_USER dynamic privileve only if it has not been changed from original security context in the THD. If the original security context does not have SYSTEM_USER privlege then reset the flag in the THD, otherwise set it.
| [in,out] | thd | Thead handle |
| [in] | check_for_main_security_ctx | If this flag value is true then we toggle value in THD only if current security context is same as main security context. |
| void shutdown_acl_cache | ( | ) |
Shutdown the global Acl_cache system which was only initialized if the rwlocks were initialized.
| bool skip_grant_tables | ( | ) |
| bool sp_grant_privileges | ( | THD * | thd, |
| const char * | sp_db, | ||
| const char * | sp_name, | ||
| bool | is_proc | ||
| ) |
Grant EXECUTE,ALTER privilege for a stored procedure.
| thd | The current thread. |
| sp_db | DB of the stored procedure. |
| sp_name | Name of the stored procedure |
| is_proc | True if this is a SP rather than a function |
| false | Success |
| true | An error occurred. Error message not yet sent. |
| bool sp_revoke_privileges | ( | THD * | thd, |
| const char * | sp_db, | ||
| const char * | sp_name, | ||
| bool | is_proc | ||
| ) |
Revoke privileges for all users on a stored procedure.
Use an error handler that converts errors about missing grants into warnings.
| thd | The current thread. |
| sp_db | DB of the stored procedure |
| sp_name | Name of the stored procedure |
| is_proc | True if this is a SP rather than a function. |
| false | OK. |
| true | Error. Error message not yet sent. |
Helper method to turn off sandbox mode once registration step is complete.
| thd | connection handle |
| user | user account for which registration is completed |
| false | registration successful |
| true | error |
| void update_mandatory_roles | ( | void | ) |
| int wild_case_compare | ( | CHARSET_INFO * | cs, |
| const char * | str, | ||
| const char * | wildstr | ||
| ) |
| int wild_case_compare | ( | CHARSET_INFO * | cs, |
| const char * | str, | ||
| size_t | str_len, | ||
| const char * | wildstr, | ||
| size_t | wildstr_len | ||
| ) |
Performs wildcard matching, aka globbing, on the input string with the given wildcard pattern, and the specified wildcard characters.
This method does case insensitive comparisons.
| [in] | cs | character set of the input string and wildcard pattern |
| [in] | str | input which should be matched against pattern |
| [in] | str_len | length of the input string |
| [in] | wildstr | pattern with wildcards |
| [in] | wildstr_len | length of the wildcards pattern |
| bool wildcard_db_grant_exists | ( | ) |
|
extern |
|
extern |
|
extern |
Consts for static privileges.
|
extern |
Global sysvar: the number of old passwords to check in the history.
| uint32 global_password_reuse_interval |
|
extern |
|
extern |
|
staticconstexpr |
Length of string buffer, that is enough to contain username and hostname parts of the user identifier with trailing zero in MySQL standard format: user_name_part@host_name_part\0.
|
extern |
controls the extra checks on plugin availability for mysql.user records
1.9.2