1 /* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
2 
3  This program is free software; you can redistribute it and/or modify
4  it under the terms of the GNU General Public License, version 2.0,
5  as published by the Free Software Foundation.
6 
7  This program is also distributed with certain software (including
8  but not limited to OpenSSL) that is licensed under separate terms,
9  as designated in a particular file or component or in included license
10  documentation. The authors of MySQL hereby grant you an additional
11  permission to link the program and your derivative works with the
12  separately licensed software that they have included with MySQL.
13 
14  This program is distributed in the hope that it will be useful,
15  but WITHOUT ANY WARRANTY; without even the implied warranty of
16  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  GNU General Public License, version 2.0, for more details.
18 
19  You should have received a copy of the GNU General Public License
20  along with this program; if not, write to the Free Software
21  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22 
23 #ifndef AUTH_COMMON_INCLUDED
24 #define AUTH_COMMON_INCLUDED
25 
#include <stddef.h>
#include <sys/types.h>
#include <functional>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

#include "lex_string.h"
#include "my_command.h"
#include "my_dbug.h"
#include "my_hostname.h"  // HOSTNAME_LENGTH
#include "my_inttypes.h"
#include "mysql_com.h"  // USERNAME_LENGTH
#include "template_utils.h"
41 
/*
  Forward Declarations

  As far as this header is concerned only pointers and references to these
  types are needed, so their full definitions are left to the including
  .cc files; this keeps the auth interface independent of the parser,
  table and THD headers.
*/
class Alter_info;
class Item;
class LEX_COLUMN;
class String;
class THD;
struct CHARSET_INFO;
struct GRANT_INFO;
struct GRANT_INTERNAL_INFO;
struct HA_CREATE_INFO;
struct LEX_USER;
template <class T>
class List;
typedef struct user_conn USER_CONN;
class Security_context;
class ACL_USER;
struct TABLE;
struct MEM_ROOT;
struct TABLE_LIST;
// Opaque enum declarations: the enumerators are defined elsewhere.
enum class role_enum;
enum class Consumer_type;
class LEX_GRANT_AS;
65 
/**
  Well-known names shared by the ACL code. Only the declarations live here;
  the values are defined out of line.
*/
namespace consts {
// NOTE(review): presumably the name of the `mysql` system schema — confirm
// at the definition.
extern const std::string mysql;
// NOTE(review): presumably the SYSTEM_USER name consulted by
// set_system_user_flag() — confirm at the definition.
extern const std::string system_user;
}  // namespace consts
70 
/**
  (user, host) tuple identifying an account. Both LEX_CSTRINGs reference
  storage owned by either acl_cache or g_default_roles; an Auth_id_ref
  therefore must not outlive that storage (use Auth_id below when an owning
  copy is needed).
*/
typedef std::pair<LEX_CSTRING, LEX_CSTRING> Auth_id_ref;
typedef std::vector<Auth_id_ref> List_of_auth_id_refs;

/**
  Strict weak ordering for Auth_id_ref, e.g. for use as a std::set key.
  NOTE(review): whether the comparison is case-sensitive is decided at the
  definition and is not visible here.
*/
bool operator<(const Auth_id_ref &a, const Auth_id_ref &b);
76 
78  /**
79  Access granted for all the requested privileges,
80  do not use the grant tables.
81  This flag is used only for the INFORMATION_SCHEMA privileges,
82  for compatibility reasons.
83  */
85  /** Access denied, do not use the grant tables. */
87  /** No decision yet, use the grant tables. */
89 };
90 
91 /* Classes */
92 
93 /**
94  Per internal table ACL access rules.
95  This class is an interface.
96  Per table(s) specific access rule should be implemented in a subclass.
97  @sa ACL_internal_schema_access
98 */
100  public:
102 
104 
105  /**
106  Check access to an internal table.
107  When a privilege is granted, this method adds the requested privilege
108  to save_priv.
109  @param want_access the privileges requested
110  @param [in, out] save_priv the privileges granted
111  @return
112  @retval ACL_INTERNAL_ACCESS_GRANTED All the requested privileges
113  are granted, and saved in save_priv.
114  @retval ACL_INTERNAL_ACCESS_DENIED At least one of the requested
115  privileges was denied.
116  @retval ACL_INTERNAL_ACCESS_CHECK_GRANT No requested privilege
117  was denied, and grant should be checked for at least one
118  privilege. Requested privileges that are granted, if any, are saved
119  in save_priv.
120  */
121  virtual ACL_internal_access_result check(ulong want_access,
122  ulong *save_priv) const = 0;
123 };
124 
125 /**
126  Per internal schema ACL access rules.
127  This class is an interface.
128  Each per schema specific access rule should be implemented
129  in a different subclass, and registered.
130  Per schema access rules can control:
131  - every schema privileges on schema.*
132  - every table privileges on schema.table
133  @sa ACL_internal_schema_registry
134 */
136  public:
138 
140 
141  /**
142  Check access to an internal schema.
143  @param want_access the privileges requested
144  @param [in, out] save_priv the privileges granted
145  @return
146  @retval ACL_INTERNAL_ACCESS_GRANTED All the requested privileges
147  are granted, and saved in save_priv.
148  @retval ACL_INTERNAL_ACCESS_DENIED At least one of the requested
149  privileges was denied.
150  @retval ACL_INTERNAL_ACCESS_CHECK_GRANT No requested privilege
151  was denied, and grant should be checked for at least one
152  privilege. Requested privileges that are granted, if any, are saved
153  in save_priv.
154  */
155  virtual ACL_internal_access_result check(ulong want_access,
156  ulong *save_priv) const = 0;
157 
158  /**
159  Search for per table ACL access rules by table name.
160  @param name the table name
161  @return per table access rules, or NULL
162  */
163  virtual const ACL_internal_table_access *lookup(const char *name) const = 0;
164 };
165 
166 /**
167  A registry for per internal schema ACL.
168  An 'internal schema' is a database schema maintained by the
169  server implementation, such as 'performance_schema' and 'INFORMATION_SCHEMA'.
170 */
172  public:
173  static void register_schema(const LEX_CSTRING &name,
174  const ACL_internal_schema_access *access);
175  static const ACL_internal_schema_access *lookup(const char *name);
176 };
177 
178 /**
179  Extension of ACL_internal_schema_access for Information Schema
180 */
182  public:
184 
186 
187  ACL_internal_access_result check(ulong want_access, ulong *save_priv) const;
188 
189  const ACL_internal_table_access *lookup(const char *name) const;
190 };
191 
192 /* Data Structures */
193 
/**
  Names of the global privileges. Declared here, defined elsewhere.
  NOTE(review): presumably ordered like the privilege bits so an index maps
  to a bit — confirm against the definition before relying on it.
*/
extern const std::vector<std::string> global_acls_vector;
195 
220 };
221 
275 };
276 
286 };
287 
298 };
299 
309 };
310 
321 };
322 
330 };
331 
338 };
339 
346 };
347 
354 };
355 
356 /* When we run mysql_upgrade we must make sure that the server can be run
357  using the previous mysql.user table schema during acl_load.
358 
359  User_table_schema is a common interface for the current and the
360  previous mysql.user table schema.
361  */
363  public:
364  virtual uint host_idx() = 0;
365  virtual uint user_idx() = 0;
366  virtual uint password_idx() = 0;
367  virtual uint select_priv_idx() = 0;
368  virtual uint insert_priv_idx() = 0;
369  virtual uint update_priv_idx() = 0;
370  virtual uint delete_priv_idx() = 0;
371  virtual uint create_priv_idx() = 0;
372  virtual uint drop_priv_idx() = 0;
373  virtual uint reload_priv_idx() = 0;
374  virtual uint shutdown_priv_idx() = 0;
375  virtual uint process_priv_idx() = 0;
376  virtual uint file_priv_idx() = 0;
377  virtual uint grant_priv_idx() = 0;
378  virtual uint references_priv_idx() = 0;
379  virtual uint index_priv_idx() = 0;
380  virtual uint alter_priv_idx() = 0;
381  virtual uint show_db_priv_idx() = 0;
382  virtual uint super_priv_idx() = 0;
383  virtual uint create_tmp_table_priv_idx() = 0;
384  virtual uint lock_tables_priv_idx() = 0;
385  virtual uint execute_priv_idx() = 0;
386  virtual uint repl_slave_priv_idx() = 0;
387  virtual uint repl_client_priv_idx() = 0;
388  virtual uint create_view_priv_idx() = 0;
389  virtual uint show_view_priv_idx() = 0;
390  virtual uint create_routine_priv_idx() = 0;
391  virtual uint alter_routine_priv_idx() = 0;
392  virtual uint create_user_priv_idx() = 0;
393  virtual uint event_priv_idx() = 0;
394  virtual uint trigger_priv_idx() = 0;
395  virtual uint create_tablespace_priv_idx() = 0;
396  virtual uint create_role_priv_idx() = 0;
397  virtual uint drop_role_priv_idx() = 0;
398  virtual uint ssl_type_idx() = 0;
399  virtual uint ssl_cipher_idx() = 0;
400  virtual uint x509_issuer_idx() = 0;
401  virtual uint x509_subject_idx() = 0;
402  virtual uint max_questions_idx() = 0;
403  virtual uint max_updates_idx() = 0;
404  virtual uint max_connections_idx() = 0;
405  virtual uint max_user_connections_idx() = 0;
406  virtual uint plugin_idx() = 0;
407  virtual uint authentication_string_idx() = 0;
408  virtual uint password_expired_idx() = 0;
409  virtual uint password_last_changed_idx() = 0;
410  virtual uint password_lifetime_idx() = 0;
411  virtual uint account_locked_idx() = 0;
412  virtual uint password_reuse_history_idx() = 0;
413  virtual uint password_reuse_time_idx() = 0;
414  // Added in 8.0.13
415  virtual uint password_require_current_idx() = 0;
416  // Added in 8.0.14
417  virtual uint user_attributes_idx() = 0;
418 
419  virtual ~User_table_schema() {}
420 };
421 
422 /*
423  This class describes indices for the current mysql.user table schema.
424  */
426  public:
429  // not available
431  DBUG_ASSERT(0);
432  return MYSQL_USER_FIELD_COUNT;
433  }
454  }
463  }
470  }
480  }
484  }
488  }
493  }
496  }
499  }
501 };
502 
503 /*
504  This class describes indices for the old mysql.user table schema.
505  */
507  public:
553  };
554 
576  }
585  }
588  }
594  }
604  }
608  }
610 
611  // those fields are not available in 5.6 db schema
621 };
622 
624  public:
626  return is_old_user_table_schema(table)
628  : implicit_cast<User_table_schema *>(
630  }
631 
632  virtual bool is_old_user_table_schema(TABLE *table);
634 };
635 
extern const char *any_db;  // Special symbol for check_access.
                            // NOTE(review): presumably a sentinel meaning
                            // "any database" rather than a real name —
                            // confirm in check_access() before comparing
                            // it by value.
/** controls the extra checks on plugin availability for mysql.user records */
extern bool validate_user_plugins;
642 
643 /* Function Declarations */
644 
645 /* sql_authentication */
646 
/**
  Presumably selects the server's default authentication plugin by name.
  @param plugin_name         plugin name; the buffer is non-const, so the
                             callee may modify it in place — NOTE(review):
                             confirm whether it does before passing shared
                             storage.
  @param plugin_name_length  length of @p plugin_name in bytes
  @return 0 on success, non-zero otherwise — NOTE(review): the exact codes
          are not visible here; confirm at the definition.
*/
int set_default_auth_plugin(char *plugin_name, size_t plugin_name_length);
649 
650 void acl_log_connect(const char *user, const char *host, const char *auth_as,
651  const char *db, THD *thd,
/**
  Host-based connection check: decides whether a client connecting from
  @p host / @p ip is acceptable according to the ACL host cache.
  NOTE(review): name-based reading; the meaning of the bool return
  (true = rejected vs. accepted) is decided in sql_authentication.cc and
  is not visible here — confirm before relying on it.
*/
bool acl_check_host(THD *thd, const char *host, const char *ip);
655 
656 /*
657  User attributes are the ones defined during a CREATE/ALTER/GRANT
658  statement. These attributes are divided into the following categories.
659 */
660 
/*
  Bit flags describing which attributes of an account a statement touches.
  Each flag is a distinct bit of a long, so they presumably compose with
  bitwise OR and are tested with bitwise AND; NONE_ATTR (0) means nothing
  is updated.
  NOTE(review): these are plain macros rather than an enum or constexpr
  values, so nothing stops a caller from mixing them with unrelated flags.
*/
#define NONE_ATTR 0L
#define DEFAULT_AUTH_ATTR (1L << 0)    /* update defaults auth */
#define PLUGIN_ATTR (1L << 1)          /* update plugin / authentication_string */
#define SSL_ATTR (1L << 2)             /* ex: SUBJECT,CIPHER.. */
#define RESOURCE_ATTR (1L << 3)        /* ex: MAX_QUERIES_PER_HOUR.. */
#define PASSWORD_EXPIRE_ATTR (1L << 4) /* update password expire col */
#define ACCESS_RIGHTS_ATTR (1L << 5)   /* update privileges */
#define ACCOUNT_LOCK_ATTR (1L << 6)    /* update account lock status */
#define DIFFERENT_PLUGIN_ATTR \
  (1L << 7) /* updated plugin with a different value */
#define USER_ATTRIBUTES (1L << 8) /* Request to update user attributes */
673 
/* sql_user */

/*
  NOTE(review): the descriptions in this section are inferred from the
  declaration names and parameter lists; the bodies live in sql_user.cc and
  are not visible in this header. MySQL's usual convention is that a bool
  return of true signals an error — confirm per function.
*/

/**
  Append a rendering of @p user to @p str, preceded by a separator when
  @p comma is true (for building account lists in log/error text).
*/
void log_user(THD *thd, String *str, LEX_USER *user, bool comma);

/**
  Pre-check whether the current session may change the password of the
  given user/host account.
  @param retain_current_password  presumably the RETAIN CURRENT PASSWORD
         clause, which keeps the old credential valid alongside the new one
*/
bool check_change_password(THD *thd, const char *host, const char *user,
                           bool retain_current_password);

/**
  Change the password of @p user.
  @param password          new password as a writable plaintext buffer.
                           NOTE(review): confirm that the callee wipes this
                           buffer once the hash is stored; otherwise the
                           plaintext lingers in memory.
  @param current_password  password supplied to prove knowledge of the
                           existing credential; nullability not visible here.
  @param retain_current_password  see check_change_password()
*/
bool change_password(THD *thd, LEX_USER *user, char *password,
                     const char *current_password,
                     bool retain_current_password);

/**
  CREATE USER / CREATE ROLE for every entry of @p list.
  @param if_not_exists  honour IF NOT EXISTS (skip existing accounts
                        instead of failing)
  @param is_role        create roles instead of users
*/
bool mysql_create_user(THD *thd, List<LEX_USER> &list, bool if_not_exists,
                       bool is_role);

/** ALTER USER for every entry of @p list; @p if_exists honours IF EXISTS. */
bool mysql_alter_user(THD *thd, List<LEX_USER> &list, bool if_exists);

/**
  DROP USER / DROP ROLE for every entry of @p list.
  @param if_exists  honour IF EXISTS
  @param drop_role  drop roles instead of users
*/
bool mysql_drop_user(THD *thd, List<LEX_USER> &list, bool if_exists,
                     bool drop_role);
687 
/* sql_auth_cache */

/*
  NOTE(review): unless quoted from the Doxygen index, the descriptions
  below are inferred from names and parameter lists; the definitions are in
  sql_auth_cache.cc.
*/

/** Allocates the memory in the global_acl_memory MEM_ROOT. */
void init_acl_memory();

/**
  Case-insensitive wildcard comparison of @p str against the pattern
  @p wildstr under charset @p cs. The first overload takes NUL-terminated
  strings; the second takes explicit byte lengths and is the one to use for
  data that may not be NUL-terminated.
  NOTE(review): the return convention (0 on match?) is not visible here.
*/
int wild_case_compare(CHARSET_INFO *cs, const char *str, const char *wildstr);
int wild_case_compare(CHARSET_INFO *cs, const char *str, size_t str_len,
                      const char *wildstr, size_t wildstr_len);

/**
  Presumably: whether @p hostname is a name that needs DNS resolution rather
  than an IP address / netmask pattern.
*/
bool hostname_requires_resolving(const char *hostname);

/**
  Initialize the ACL subsystem.
  @param dont_read_acl_tables  skip reading the grant tables (presumably the
                               --skip-grant-tables start-up path)
*/
bool acl_init(bool dont_read_acl_tables);

/**
  Free ACL data. @p end defaults to false; NOTE(review): what passing true
  changes (final shutdown vs. reload) is not visible here.
*/
void acl_free(bool end = false);

/**
  Initialize structures responsible for table/column-level privilege
  checking and load their information (per the Doxygen summary, which is
  truncated in the index).
  @param skip_grant_tables  when true the grant tables are not read
*/
bool grant_init(bool skip_grant_tables);
void grant_free(void);

/** Reload all ACL caches. */
bool reload_acl_caches(THD *thd);

/**
  Database-level privilege bits for the account matching user/host/ip on
  @p db.
  @param db_is_pattern  treat @p db as a wildcard pattern rather than a name
*/
ulong acl_get(THD *thd, const char *host, const char *ip, const char *user,
              const char *db, bool db_is_pattern);

/** Whether an account user@host exists in the ACL cache. */
bool is_acl_user(THD *thd, const char *host, const char *user);

/**
  Resolve the connecting user/host/ip to an account and populate @p sctx
  with its identity and privileges (the login-time lookup).
  NOTE(review): name-based reading; confirm the meaning of the bool return.
*/
bool acl_getroot(THD *thd, Security_context *sctx, const char *user,
                 const char *host, const char *ip, const char *db);

/**
  Verify that the ACL (grant) tables have the expected structure before
  they are used; the second overload works on an already opened @p tables
  list.
*/
bool check_acl_tables_intact(THD *thd);
bool check_acl_tables_intact(THD *thd, TABLE_LIST *tables);

/** Notify interested parties that the ACL caches were flushed. */
void notify_flush_event(THD *thd);
709 
/* sql_authorization */

/*
  NOTE(review): unless quoted from the Doxygen index, the descriptions
  below are inferred from names and parameter lists; the definitions are in
  sql_authorization.cc.
*/

/**
  Whether the server runs with privilege checking disabled
  (--skip-grant-tables). Callers use it to short-circuit ACL checks, so it
  is security-critical that it reflects the real start-up state.
*/
bool skip_grant_tables();

/** SET ROLE DEFAULT for the current session. */
bool mysql_set_role_default(THD *thd);
/** SET ROLE ALL [EXCEPT ...]; @p except_users may presumably be null. */
bool mysql_set_active_role_all(THD *thd, const List<LEX_USER> *except_users);
/** SET ROLE with an explicit @p role_list. */
bool mysql_set_active_role(THD *thd, const List<LEX_USER> *role_list);

/**
  GRANT / REVOKE of global or database-level privileges.
  @param db            target database, or presumably any_db for global
  @param list          grantees
  @param rights        static privilege bits
  @param revoke_grant  REVOKE instead of GRANT
  @param is_proxy      the GRANT PROXY form
  @param dynamic_privilege  dynamic privilege names to grant/revoke
  @param grant_all_current_privileges  GRANT ALL (every static privilege
                       currently defined)
  @param grant_as      the GRANT ... AS clause; nullability not visible here
*/
bool mysql_grant(THD *thd, const char *db, List<LEX_USER> &list, ulong rights,
                 bool revoke_grant, bool is_proxy,
                 const List<LEX_CSTRING> &dynamic_privilege,
                 bool grant_all_current_privileges, LEX_GRANT_AS *grant_as);
/**
  GRANT / REVOKE on a stored routine (@p is_proc: PROCEDURE vs FUNCTION).
  @param write_to_binlog  whether the statement is logged to the binlog
*/
bool mysql_routine_grant(THD *thd, TABLE_LIST *table, bool is_proc,
                         List<LEX_USER> &user_list, ulong rights, bool revoke,
                         bool write_to_binlog);
/**
  GRANT / REVOKE on a table and optionally on its @p column_list.
  Note the int return, unlike the bool of its siblings.
*/
int mysql_table_grant(THD *thd, TABLE_LIST *table, List<LEX_USER> &user_list,
                      List<LEX_COLUMN> &column_list, ulong rights, bool revoke);

/**
  Table-level grant check for (presumably) the first @p number entries of
  @p tables.
  @param any_combination_will_do  accept if any requested bit is held
                                  rather than all of them
  @param no_errors  report failure only through the return value, without
                    raising a client error — presumably; a caller passing
                    true must act on the result itself
*/
bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables,
                 bool any_combination_will_do, uint number, bool no_errors);
/** Column-level grant check for column @p name (length @p length) of db.table. */
bool check_grant_column(THD *thd, GRANT_INFO *grant, const char *db_name,
                        const char *table_name, const char *name, size_t length,
                        Security_context *sctx, ulong want_privilege);
/** Column-level grant check resolved through a table reference. */
bool check_column_grant_in_table_ref(THD *thd, TABLE_LIST *table_ref,
                                     const char *name, size_t length,
                                     ulong want_privilege);
/** Check @p want_access on every column yielded by @p fields. */
bool check_grant_all_columns(THD *thd, ulong want_access,
                             Field_iterator_table_ref *fields);
/** Routine-level grant check for the routines listed in @p procs. */
bool check_grant_routine(THD *thd, ulong want_access, TABLE_LIST *procs,
                         bool is_proc, bool no_error);
/** Whether the session has any privilege on database @p db. */
bool check_grant_db(THD *thd, const char *db);
/**
  Whether the session may grant PROXY on user@host
  (@p with_grant: with the grant option) — presumably.
*/
bool acl_check_proxy_grant_access(THD *thd, const char *host, const char *user,
                                  bool with_grant);
/**
  Write a textual description of the privilege bits @p access into @p to.
  @p max_length bounds the write — NOTE(review): whether it counts the
  terminating NUL is not visible here; size the buffer accordingly.
*/
void get_privilege_desc(char *to, uint max_length, ulong access);
/** Copy the account's resource limits (MAX_QUERIES_PER_HOUR, ...) into @p uc. */
void get_mqh(THD *thd, const char *user, const char *host, USER_CONN *uc);
/** Effective table-level privilege bits on @p table. */
ulong get_table_grant(THD *thd, TABLE_LIST *table);
/** Effective column-level privilege bits on db.table.field. */
ulong get_column_grant(THD *thd, GRANT_INFO *grant, const char *db_name,
                       const char *table_name, const char *field_name);
/** SHOW GRANTS FOR user USING [ALL | role [,role ...]]. */
bool mysql_show_grants(THD *, LEX_USER *, const List_of_auth_id_refs &, bool);
/**
  SHOW CREATE USER.
  @param are_both_users_same  the target is the session's own account;
         presumably relaxes the privilege requirement
*/
bool mysql_show_create_user(THD *thd, LEX_USER *user, bool are_both_users_same);
/** Revoke all privileges on the routine @p sp_db.@p sp_name (e.g. on DROP). */
bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name,
                          bool is_proc);
/**
  Grant the creator privileges on the new routine @p sp_db.@p sp_name —
  presumably the automatic_sp_privileges behaviour.
*/
bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name,
                         bool is_proc);
753  const char *db, const char *table);
/*
  INFORMATION_SCHEMA fillers: populate the USER_PRIVILEGES,
  SCHEMA_PRIVILEGES, TABLE_PRIVILEGES and COLUMN_PRIVILEGES tables for the
  requesting session. @p cond is a filter condition pushed down from the
  query (presumably may be null); the int return follows the I_S fill-table
  convention — NOTE(review): name-based reading, confirm at the definition.
*/
int fill_schema_user_privileges(THD *thd, TABLE_LIST *tables, Item *cond);
int fill_schema_schema_privileges(THD *thd, TABLE_LIST *tables, Item *cond);
int fill_schema_table_privileges(THD *thd, TABLE_LIST *tables, Item *cond);
int fill_schema_column_privileges(THD *thd, TABLE_LIST *tables, Item *cond);
759  GRANT_INTERNAL_INFO *grant_internal_info, const char *schema_name);
760 
/** Check privileges for LOCK TABLES statement. */
bool lock_tables_precheck(THD *thd, TABLE_LIST *tables);
762 bool create_table_precheck(THD *thd, TABLE_LIST *tables,
/**
  Check that the session may reference the parent tables of the foreign
  keys described by @p create_info / @p alter_info (CREATE/ALTER TABLE) —
  name-based reading.
*/
bool check_fk_parent_table_access(THD *thd, HA_CREATE_INFO *create_info,
                                  Alter_info *alter_info);
/**
  Whether the server is read-only for this session.
  @param err_if_readonly  presumably also raise the read-only error (see
                          err_readonly()) when it is
*/
bool check_readonly(THD *thd, bool err_if_readonly);
/** Raise the "server is read-only" error on @p thd. */
void err_readonly(THD *thd);
768 
/**
  Whether the transport type @p vio_type counts as secure (e.g. TLS or a
  local socket), presumably backing the require_secure_transport setting.
  NOTE(review): which types qualify is decided in sql_authentication.cc and
  is not visible here.
*/
bool is_secure_transport(int vio_type);
770 
/*
  Statement-level access checks. Several take a @p no_errors flag: when it
  is true the function presumably reports failure only through its return
  value and raises no client error, so a caller passing true must act on
  the result itself. Descriptions are name-based; definitions are in
  sql_authorization.cc.
*/

/** Access check for a single-table statement needing @p privilege. */
bool check_one_table_access(THD *thd, ulong privilege, TABLE_LIST *tables);
bool check_single_table_access(THD *thd, ulong privilege, TABLE_LIST *tables,
                               bool no_errors);
/**
  Access check for the stored routine @p db.@p name.
  NOTE(review): @p name is a non-const char*, so the callee may modify it in
  place (e.g. case folding); confirm before passing shared buffers.
*/
bool check_routine_access(THD *thd, ulong want_access, const char *db,
                          char *name, bool is_proc, bool no_errors);
/** Whether the session holds at least some of @p want_access on @p table. */
bool check_some_access(THD *thd, ulong want_access, TABLE_LIST *table);
/** Whether the session holds any privilege on the routine @p db.@p name. */
bool check_some_routine_access(THD *thd, const char *db, const char *name,
                               bool is_proc);
/**
  Core global/database-level access check.
  @param want_access  privilege bits requested
  @param db           database the check applies to (any_db is the special
                      symbol documented above)
  @param[out] save_priv  privileges granted so far, to be passed on to the
                      table-level check — the same in/out idiom as the
                      ACL_internal_* interfaces above
  @param grant_internal_info  per-statement cache for internal schema access
  @param dont_check_global_grants  skip the global privilege level
  @param no_errors    see the section note
*/
bool check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv,
                  GRANT_INTERNAL_INFO *grant_internal_info,
                  bool dont_check_global_grants, bool no_errors);
/**
  Table-level access check over (presumably) the first @p number entries of
  @p tables.
  @param any_combination_of_privileges_will_do  accept if any of the
         @p requirements bits is held rather than all of them
*/
bool check_table_access(THD *thd, ulong requirements, TABLE_LIST *tables,
                        bool any_combination_of_privileges_will_do, uint number,
                        bool no_errors);
/** GRANT role TO user, optionally WITH ADMIN OPTION. */
bool mysql_grant_role(THD *thd, const List<LEX_USER> *users,
                      const List<LEX_USER> *roles, bool with_admin_opt);
/** REVOKE role FROM user. */
bool mysql_revoke_role(THD *thd, const List<LEX_USER> *users,
                       const List<LEX_USER> *roles);
791 
/**
  Whether the session holds @p required_acl on @p table at some level
  (global, database or table) — presumably; name-based reading.
*/
bool is_granted_table_access(THD *thd, ulong required_acl, TABLE_LIST *table);
793 
795  const List<LEX_USER> *users,
796  const List<LEX_USER> *roles);
/** Serialize the role graph as GraphML into the given String — name-based. */
void roles_graphml(THD *thd, String *);
/**
  Whether the session may grant the role role_name@role_host — presumably
  via ROLE_ADMIN or an admin option on that role.
*/
bool has_grant_role_privilege(THD *thd, const LEX_CSTRING &role_name,
                              const LEX_CSTRING &role_host);
/** Render @p user as an authorization-id string — presumably like Auth_id::auth_str(). */
std::string create_authid_str_from(const LEX_USER *user);
/**
  Convert and quote the given identifier if needed and append it to the
  target string. Use this rather than raw concatenation wherever an
  identifier that originated from user input is embedded in generated SQL
  text (SHOW GRANTS, SHOW CREATE USER ...), so that special characters
  cannot break out of the identifier.
*/
void append_identifier(String *packet, const char *name, size_t length);
/** Whether @p authid refers to a role rather than a user account. */
bool is_role_id(LEX_USER *authid);
/**
  Shutdown the global Acl_cache system which was only initialized if the
  rwlocks were initialized.
*/
void shutdown_acl_cache();
806  LEX_CSTRING role_host);
/** Access check for SHOW ... statements on @p table — name-based. */
bool check_show_access(THD *thd, TABLE_LIST *table);
/** Whether the session holds the global privilege bits in @p want_access. */
bool check_global_access(THD *thd, ulong want_access);
809 
810 /* sql_user_table */
812 
813 typedef enum ssl_artifacts_status {
819 
#if defined(HAVE_OPENSSL) && !defined(HAVE_WOLFSSL)
/**
  Whether the server may create missing SSL certificate/key files itself
  (presumably the auto_generate_certs option).
*/
extern bool opt_auto_generate_certs;
/**
  Decide whether certificates must be auto-generated and, if so, create them.
  Only compiled for OpenSSL builds; wolfSSL builds have no auto-generation.
  @param auto_detection_status  result of probing the configured SSL files
  @param[out] ssl_ca, ssl_key, ssl_cert  on return point at the file names
         to use — NOTE(review): whether they are rewritten only when
         generation happened, and who owns the pointed-to storage, is not
         visible here.
  @return NOTE(review): meaning of the bool is not visible here.
*/
bool do_auto_cert_generation(ssl_artifacts_status auto_detection_status,
                             const char **ssl_ca, const char **ssl_key,
                             const char **ssl_cert);
#endif /* HAVE_OPENSSL && !HAVE_WOLFSSL */
827 
/*
  Default file names for the TLS material the server uses (or generates).
  NOTE(review): the directory these are resolved against (presumably the
  data directory) is not visible here. If auto-generation writes the CA key
  under this predictable name, the directory's permissions must keep it
  readable by the server user only.
*/
#define DEFAULT_SSL_CA_CERT "ca.pem"
#define DEFAULT_SSL_CA_KEY "ca-key.pem"
#define DEFAULT_SSL_SERVER_CERT "server-cert.pem"
#define DEFAULT_SSL_SERVER_KEY "server-key.pem"
832 
/** Refresh the cached mandatory roles from the system variable — name-based. */
void update_mandatory_roles(void);
/**
  Validate that @p buffer (@p length bytes; the explicit length suggests it
  need not be NUL-terminated) is a well-formed authorization id —
  name-based reading.
*/
bool check_authorization_id_string(THD *thd, const char *buffer, size_t length);
/** Write the session's active role(s) into @p active_role — presumably CURRENT_ROLE(). */
void func_current_role(const THD *thd, String *active_role);
836 
838 
841  Security_context_policy() = default;
842  virtual ~Security_context_policy() = default;
844  virtual bool operator()(Security_context *, Operation) = 0;
845 };
846 
847 typedef std::function<bool(Security_context *,
850 
851 template <class Derived>
853  public:
855  if (op == Precheck && static_cast<Derived *>(this)->precheck(sctx))
856  return true;
857  if (op == Execute && static_cast<Derived *>(this)->create(sctx))
858  return true;
859  return false;
860  }
861 };
862 
863 template <class Derived>
865  public:
867  if (op == Precheck && static_cast<Derived *>(this)->precheck(sctx))
868  return true;
869  if (op == Execute && static_cast<Derived *>(this)->grant_privileges(sctx))
870  return true;
871  return false;
872  }
873 };
874 
/**
  Owning pointer whose cleanup is a runtime-supplied callable instead of
  plain delete, so the creator can attach teardown work (e.g. a drop policy
  like the one Security_context_factory takes) that runs on release.
  NOTE(review): because the deleter is a std::function, a Sctx_ptr built
  from a raw pointer without a deleter holds an empty function; releasing a
  non-null pointer through it throws bad_function_call out of the
  destructor, which terminates the process. Always construct with a deleter.
*/
template <typename T>
using Sctx_ptr = std::unique_ptr<T, std::function<void(T *)>>;
877 
878 /**
879  Factory for creating any Security_context given a pre-constructed policy.
880 */
882  public:
883  /**
884  Default Security_context factory implementation. Given two policies and
885  a authid this class returns a Security_context.
886  @param thd The thread handle
887  @param user User name associated with auth id
888  @param host Host name associated with auth id
889  @param extend_user_profile The policy for creating the user profile
890  @param priv The policy for authorizing the authid to
891  use the server.
892  @param static_priv Static privileges for authid.
893  @param drop_policy The policy for deleting the authid and
894  revoke privileges
895  */
897  THD *thd, const std::string &user, const std::string &host,
898  const Security_context_functor &extend_user_profile,
899  const Security_context_functor &priv,
900  const Security_context_functor &static_priv,
901  const std::function<void(Security_context *)> &drop_policy)
902  : m_thd(thd),
903  m_user(user),
904  m_host(host),
905  m_user_profile(extend_user_profile),
906  m_privileges(priv),
907  m_static_privileges(static_priv),
908  m_drop_policy(drop_policy) {}
909 
912 
913  private:
915 
917  std::string m_user;
918  std::string m_host;
922  const std::function<void(Security_context *)> m_drop_policy;
923 };
924 
/**
  Create_authid policy for a "local" authid. Through the CRTP dispatch in
  Create_authid, precheck() runs for the Precheck operation and create()
  for the Execute operation.
  NOTE(review): what "local" means here is inferred from the name only.
*/
class Default_local_authid : public Create_authid<Default_local_authid> {
 public:
  // NOTE(review): single-argument constructor is not explicit, so a THD*
  // converts to Default_local_authid implicitly; mark it explicit unless
  // that conversion is relied on somewhere.
  Default_local_authid(const THD *thd);
  /** Check if the security context can be created as a local authid. */
  bool precheck(Security_context *sctx);
  /** Perform the creation — presumably only after precheck() succeeded. */
  bool create(Security_context *sctx);

 private:
  /** Non-owning; the THD presumably outlives this object. */
  const THD *m_thd;
};
934 
935 /**
936  Grant the privilege temporarily to the in-memory global privileges map.
937  This class is not thread safe.
938  */
940  : public Grant_privileges<Grant_temporary_dynamic_privileges> {
941  public:
943  const std::vector<std::string> privs);
944  bool precheck(Security_context *sctx);
946 
947  private:
948  const THD *m_thd;
949  const std::vector<std::string> m_privs;
950 };
951 
953  public:
954  Drop_temporary_dynamic_privileges(const std::vector<std::string> privs)
955  : m_privs(privs) {}
956  void operator()(Security_context *sctx);
957 
958  private:
959  std::vector<std::string> m_privs;
960 };
961 
963  : public Grant_privileges<Grant_temporary_static_privileges> {
964  public:
965  Grant_temporary_static_privileges(const THD *thd, const ulong privs);
966  bool precheck(Security_context *sctx);
968 
969  private:
970  /** THD handle */
971  const THD *m_thd;
972 
973  /** Privileges */
974  const ulong m_privs;
975 };
976 
/**
  Equality of two LEX_CSTRINGs — NOTE(review): whether it compares length
  and bytes exactly or applies case folding is decided at the definition.
*/
bool operator==(const LEX_CSTRING &a, const LEX_CSTRING &b);
/** Whether any partial revoke exists for the session — name-based reading. */
bool is_partial_revoke_exists(THD *thd);
/**
  Recompute the session's SYSTEM_USER flag from its privileges — name-based.
  @param check_for_main_security_ctx  presumably evaluate the THD's main
         security context rather than the active one; defaults to false
*/
void set_system_user_flag(THD *thd, bool check_for_main_security_ctx = false);
980 
981 /**
982  Storage container for default auth ids. Default roles are only weakly
983  depending on ACL_USERs. You can retain a default role even if the
984  corresponding ACL_USER is missing in the acl_cache.
985 */
/**
  Storage container for default auth ids. Default roles are only weakly
  depending on ACL_USERs. You can retain a default role even if the
  corresponding ACL_USER is missing in the acl_cache.

  Unlike Auth_id_ref, an Auth_id owns its user and host strings, so it can
  be kept in containers independently of the acl_cache lifetime.
*/
class Auth_id {
 public:
  Auth_id();
  Auth_id(const char *user, size_t user_len, const char *host, size_t host_len);
  // NOTE(review): the single-argument constructors below are not explicit,
  // so Auth_id_ref, LEX_USER* and ACL_USER* convert to Auth_id implicitly.
  // Convenient for container lookups, but easy to trigger by accident;
  // consider `explicit` if implicit conversion is not relied on.
  Auth_id(const Auth_id_ref &id);
  Auth_id(const LEX_CSTRING &user, const LEX_CSTRING &host);
  Auth_id(const std::string &user, const std::string &host);
  Auth_id(const LEX_USER *lex_user);
  Auth_id(const ACL_USER *acl_user);

  ~Auth_id();
  // NOTE(review): a user-declared destructor and copy constructor suppress
  // the implicit move operations, so moving an Auth_id copies all three
  // strings. If the out-of-line destructor does nothing special, defaulting
  // move construction/assignment would be a free improvement.
  Auth_id(const Auth_id &id);
  Auth_id &operator=(const Auth_id &) = default;

  /** Ordering for std::set / std::map keys — presumably compares m_key. */
  bool operator<(const Auth_id &id) const;
  /** Render the id as a string into @p out (in-place variant of auth_str()). */
  void auth_str(std::string *out) const;
  /** Render the id as a string — presumably in user@host form. */
  std::string auth_str() const;
  /** User part. */
  const std::string &user() const;
  /** Host part. */
  const std::string &host() const;

 private:
  /** Rebuild m_key from m_user and m_host — presumably called by every constructor. */
  void create_key();
  /** User part */
  std::string m_user;
  /** Host part */
  std::string m_host;
  /**
    Key: Internal representation mainly to facilitate use of
    Auth_id class in standard container.
    Format: 'user\0host\0'
    The embedded NUL bytes are fine inside a length-delimited std::string
    and keep the key unambiguous even if user or host contain '@', but
    m_key must never be handed to a C-string API, which would truncate it
    at the first NUL.
  */
  std::string m_key;
};
1019 
1020 /*
1021  As of now Role_id is an alias of Auth_id.
1022  We may extend Auth_id into a separate Role_id once
1023  more substance is added to the latter.
1024 */
1026 
1027 /**
1028  Length of a string buffer that is large enough to hold the
1029  username and hostname parts of the user identifier, with a trailing zero, in
1030  MySQL standard format:
1031  user_name_part\@host_name_part\\0
1032 */
1033 static constexpr int USER_HOST_BUFF_SIZE =
1035 
1036 #endif /* AUTH_COMMON_INCLUDED */
Security_context_functor m_user_profile
Definition: auth_common.h:919
Definition: auth_common.h:267
Using this class is fraught with peril, and you need to be very careful when doing so...
Definition: sql_string.h:159
bool check_authorization_id_string(THD *thd, const char *buffer, size_t length)
Definition: sql_authorization.cc:6992
Definition: auth_common.h:256
bool check_grant_db(THD *thd, const char *db)
Check if a user has the right to access a database.
Definition: sql_authorization.cc:4084
uint account_locked_idx()
Definition: auth_common.h:490
bool disconnect_on_expired_password
Definition: sql_authentication.cc:900
Auth_id & operator=(const Auth_id &)=default
uint shutdown_priv_idx()
Definition: auth_common.h:441
uint create_tmp_table_priv_idx()
Definition: auth_common.h:574
bool is_role_id(LEX_USER *authid)
Definition: sql_authorization.cc:780
Definition: auth_common.h:352
uint index_priv_idx()
Definition: auth_common.h:570
Definition: table.h:1294
uint alter_priv_idx()
Definition: auth_common.h:447
int fill_schema_schema_privileges(THD *thd, TABLE_LIST *tables, Item *cond)
Definition: sql_authorization.cc:5478
bool mysql_show_create_user(THD *thd, LEX_USER *user, bool are_both_users_same)
Auxiliary function for constructing CREATE USER sql for a given user.
Definition: sql_user.cc:186
Common definition between mysql server & client.
bool hostname_requires_resolving(const char *hostname)
Check if the given host name needs to be resolved or not.
Definition: sql_auth_cache.cc:664
Definition: auth_common.h:216
Definition: sql_auth_cache.h:141
bool grant_privileges(Security_context *sctx)
Grant dynamic privileges to an in-memory global authid
Definition: sql_authorization.cc:7115
Grant the privilege temporarily to the in-memory global privileges map.
Definition: auth_common.h:939
Definition: auth_common.h:289
int set_default_auth_plugin(char *plugin_name, size_t plugin_name_length)
Initialize default authentication plugin based on command line options or configuration file setting...
Definition: sql_authentication.cc:1143
virtual uint plugin_idx()=0
Security_context_functor m_static_privileges
Definition: auth_common.h:921
bool check_one_table_access(THD *thd, ulong privilege, TABLE_LIST *tables)
Check grants for commands which work only with one table and all other tables belonging to subselects...
Definition: sql_authorization.cc:1964
Per internal schema ACL access rules.
Definition: auth_common.h:135
uint create_role_priv_idx()
Definition: auth_common.h:450
uint grant_priv_idx()
Definition: auth_common.h:444
uint max_updates_idx()
Definition: auth_common.h:476
uint max_questions_idx()
Definition: auth_common.h:599
uint password_reuse_time_idx()
Definition: auth_common.h:494
virtual uint max_questions_idx()=0
Definition: auth_common.h:237
Definition: table.h:2342
uint repl_slave_priv_idx()
Definition: auth_common.h:457
uint x509_subject_idx()
Definition: auth_common.h:598
#define DBUG_ASSERT(A)
Definition: my_dbug.h:183
uint password_lifetime_idx()
Definition: auth_common.h:489
Definition: auth_common.h:839
static const ACL_internal_schema_access * lookup(const char *name)
Search per internal schema ACL by name.
Definition: sql_auth_cache.cc:197
uint password_reuse_history_idx()
Definition: auth_common.h:617
uint create_routine_priv_idx()
Definition: auth_common.h:583
virtual uint create_role_priv_idx()=0
Definition: auth_common.h:208
Definition: auth_common.h:204
uint create_tablespace_priv_idx()
Definition: auth_common.h:468
~IS_internal_schema_access()
Definition: auth_common.h:185
uint password_lifetime_idx()
Definition: auth_common.h:613
Definition: auth_common.h:199
uint x509_issuer_idx()
Definition: auth_common.h:473
uint references_priv_idx()
Definition: auth_common.h:445
bool check_show_access(THD *thd, TABLE_LIST *table)
Check if user has enough privileges for execution of SHOW statement, which was converted to query to ...
Definition: sql_authorization.cc:5684
Definition: auth_common.h:317
uint lock_tables_priv_idx()
Definition: auth_common.h:455
bool change_password(THD *thd, LEX_USER *user, char *password, const char *current_password, bool retain_current_password)
Change a password hash for a user.
Definition: sql_user.cc:1309
bool check_readonly(THD *thd, bool err_if_readonly)
Performs a standardized check of whether to prohibit (true) or allow (false) operations based on read_onl...
Definition: sql_authorization.cc:1907
Definition: auth_common.h:260
mysql_proxies_priv_table_feild
Definition: auth_common.h:277
uint index_priv_idx()
Definition: auth_common.h:446
bool check_table_encryption_admin_access(THD *thd)
Check if a current user has the privilege TABLE_ENCRYPTION_ADMIN required to create encrypted table...
Definition: sql_authorization.cc:2461
Definition: auth_common.h:248
virtual ~ACL_internal_schema_access()
Definition: auth_common.h:139
uint execute_priv_idx()
Definition: auth_common.h:456
bool check_grant_all_columns(THD *thd, ulong want_access, Field_iterator_table_ref *fields)
check if a query can access a set of columns
Definition: sql_authorization.cc:3940
mysql_user_table_field_56
Definition: auth_common.h:508
virtual uint password_last_changed_idx()=0
Access granted for all the requested privileges; do not use the grant tables.
Definition: auth_common.h:84
virtual uint x509_subject_idx()=0
uint password_expired_idx()
Definition: auth_common.h:609
ulong acl_get(THD *thd, const char *host, const char *ip, const char *user, const char *db, bool db_is_pattern)
Get privilege for a host, user, and db combination.
Definition: sql_auth_cache.cc:1133
enum enum_vio_type vio_type(const MYSQL_VIO vio)
Definition: auth_common.h:313
uint show_db_priv_idx()
Definition: auth_common.h:572
Definition: auth_common.h:325
mysql_password_history_table_field
Definition: auth_common.h:340
void commit_and_close_mysql_tables(THD *thd)
A helper function to commit statement transaction and close ACL tables after reading some data from t...
Definition: sql_user_table.cc:469
virtual uint super_priv_idx()=0
bool mysql_set_active_role_all(THD *thd, const List< LEX_USER > *except_users)
Activates all granted role in the current security context
Definition: sql_authorization.cc:6533
Definition: auth_common.h:255
Definition: auth_common.h:226
const std::string & host() const
Definition: auth_common.cc:145
Definition: auth_common.h:236
bool acl_getroot(THD *thd, Security_context *sctx, const char *user, const char *host, const char *ip, const char *db)
Definition: sql_auth_cache.cc:1288
Definition: aggregate_check.h:523
virtual uint select_priv_idx()=0
bool check_change_password(THD *thd, const char *host, const char *user, bool retain_current_password)
Definition: sql_user.cc:134
bool create_table_precheck(THD *thd, TABLE_LIST *tables, TABLE_LIST *create_table)
CREATE TABLE query pre-check.
Definition: sql_authorization.cc:1805
virtual ACL_internal_access_result check(ulong want_access, ulong *save_priv) const =0
Check access to an internal table.
Cursor end()
A past-the-end Cursor.
Definition: rules_table_service.cc:191
int fill_schema_user_privileges(THD *thd, TABLE_LIST *tables, Item *cond)
Definition: sql_authorization.cc:5403
Definition: auth_common.h:362
int mysql_table_grant(THD *thd, TABLE_LIST *table, List< LEX_USER > &user_list, List< LEX_COLUMN > &column_list, ulong rights, bool revoke)
Definition: sql_authorization.cc:2616
uint file_priv_idx()
Definition: auth_common.h:443
const std::string & user() const
Definition: auth_common.cc:144
uint create_tmp_table_priv_idx()
Definition: auth_common.h:452
Definition: auth_common.h:315
mysql_default_roles_table_field
Definition: auth_common.h:332
Definition: auth_common.h:852
virtual uint max_updates_idx()=0
uint max_connections_idx()
Definition: auth_common.h:601
void notify_flush_event(THD *thd)
Audit notification for flush.
Definition: sql_auth_cache.cc:1482
virtual uint show_view_priv_idx()=0
uint host_idx()
Definition: auth_common.h:427
bool check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv, GRANT_INTERNAL_INFO *grant_internal_info, bool dont_check_global_grants, bool no_errors)
Compare requested privileges with the privileges acquired from the User- and Db-tables.
Definition: sql_authorization.cc:2173
virtual uint password_require_current_idx()=0
Definition: auth_common.h:232
const ulong m_privs
Privileges.
Definition: auth_common.h:974
Definition: auth_common.h:335
Definition: auth_common.h:342
Definition: auth_common.h:252
uint authentication_string_idx()
Definition: auth_common.h:606
Definition: auth_common.h:210
const std::string mysql
void acl_free(bool end=false)
Definition: sql_auth_cache.cc:1763
uint process_priv_idx()
Definition: auth_common.h:566
Definition: auth_common.h:283
Definition: item.h:666
unsigned int uint
Definition: uca-dump.cc:29
Definition: auth_common.h:239
virtual uint create_view_priv_idx()=0
PFS_table * create_table(PFS_table_share *share, PFS_thread *opening_thread, const void *identity)
Create instrumentation for a table instance.
Definition: pfs_instr.cc:1118
Definition: auth_common.h:303
uint ssl_type_idx()
Definition: auth_common.h:595
Default_local_authid(const THD *thd)
Definition: sql_authorization.cc:7073
ulong get_table_grant(THD *thd, TABLE_LIST *table)
Definition: sql_authorization.cc:4246
Definition: auth_common.h:353
std::string m_user
User part.
Definition: auth_common.h:1009
static constexpr int HOSTNAME_LENGTH
Definition: my_hostname.h:42
uint32_t uint32
Definition: my_inttypes.h:62
uint host_idx()
Definition: auth_common.h:555
uint user_attributes_idx()
Definition: auth_common.h:500
volatile uint32 global_password_reuse_interval
Global sysvar: the number of days before a password can be reused.
Definition: sql_auth_cache.cc:3393
Definition: auth_common.h:227
virtual uint create_user_priv_idx()=0
const std::vector< std::string > global_acls_vector
Consts for static privileges.
Definition: auth_acls.cc:61
Definition: auth_common.h:817
Definition: auth_common.h:197
uint user_attributes_idx()
Definition: auth_common.h:620
uint create_priv_idx()
Definition: auth_common.h:438
virtual uint update_priv_idx()=0
const THD * m_thd
Definition: auth_common.h:932
Definition: auth_common.h:209
const std::string system_user
Definition: auth_common.h:279
uint repl_client_priv_idx()
Definition: auth_common.h:580
Definition: m_ctype.h:359
uint shutdown_priv_idx()
Definition: auth_common.h:565
const char * any_db
Definition: sql_authorization.cc:497
Definition: auth_common.h:425
std::string m_user
Definition: auth_common.h:917
std::string create_authid_str_from(const LEX_USER *user)
Helper used for producing a key to a key-value-map.
Definition: sql_authorization.cc:6399
Definition: auth_common.h:301
mysql_columns_priv_table_field
Definition: auth_common.h:300
uint password_reuse_time_idx()
Definition: auth_common.h:618
virtual uint create_routine_priv_idx()=0
ulong get_global_acl_cache_size()
Definition: sql_auth_cache.cc:107
Definition: auth_common.h:281
bool create(Security_context *sctx)
Create a local authid without modifying any tables.
Definition: sql_authorization.cc:7094
enum_server_command
A list of all MySQL protocol commands.
Definition: my_command.h:47
virtual ~User_table_schema()
Definition: auth_common.h:419
Definition: auth_common.h:864
void roles_graphml(THD *thd, String *)
Definition: sql_authorization.cc:4699
Definition: auth_common.h:294
uint ssl_cipher_idx()
Definition: auth_common.h:472
virtual uint authentication_string_idx()=0
Definition: auth_common.h:962
virtual uint alter_priv_idx()=0
bool mysql_set_active_role_none(THD *thd)
Reset active roles.
Definition: sql_authorization.cc:6489
Definition: auth_common.h:212
uint password_last_changed_idx()
Definition: auth_common.h:612
bool wildcard_db_grant_exists()
void acl_log_connect(const char *user, const char *host, const char *auth_as, const char *db, THD *thd, enum enum_server_command command)
Logging connection for the general query log, extracted from acl_authenticate() as it's reused at di...
Definition: sql_authentication.cc:3056
Definition: auth_common.h:245
static MEM_ROOT mem_root
Definition: client_plugin.cc:107
virtual uint ssl_type_idx()=0
bool mysql_user_table_is_in_short_password_format
bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables, bool any_combination_will_do, uint number, bool no_errors)
Check table level grants.
Definition: sql_authorization.cc:3596
Definition: auth_common.h:349
virtual uint reload_priv_idx()=0
Definition: auth_common.h:215
uint update_priv_idx()
Definition: auth_common.h:436
bool acl_check_proxy_grant_access(THD *thd, const char *host, const char *user, bool with_grant)
Definition: sql_authorization.cc:5339
virtual uint create_tmp_table_priv_idx()=0
virtual uint repl_slave_priv_idx()=0
uint select_priv_idx()
Definition: auth_common.h:558
Definition: auth_common.h:202
const THD * m_thd
THD handle.
Definition: auth_common.h:971
Definition: auth_common.h:235
Sctx_ptr< Security_context > create(MEM_ROOT *mem_root)
Definition: sql_authorization.cc:7171
uint max_user_connections_idx()
Definition: auth_common.h:478
bool mysql_routine_grant(THD *thd, TABLE_LIST *table, bool is_proc, List< LEX_USER > &user_list, ulong rights, bool revoke, bool write_to_binlog)
Store routine level grants in the privilege tables.
Definition: sql_authorization.cc:2891
uint plugin_idx()
Definition: auth_common.h:605
mysql_procs_priv_table_field
Definition: auth_common.h:288
command
Definition: version_token.cc:278
bool check_some_access(THD *thd, ulong want_access, TABLE_LIST *table)
Check if the given table has any of the asked privileges.
Definition: sql_authorization.cc:2095
Definition: auth_common.h:270
Definition: sql_lex.h:3037
uint reload_priv_idx()
Definition: auth_common.h:440
bool mysql_grant_role(THD *thd, const List< LEX_USER > *users, const List< LEX_USER > *roles, bool with_admin_opt)
Grants a list of roles to a list of users.
Definition: sql_authorization.cc:3181
Definition: sql_connect.h:69
std::vector< Auth_id_ref > List_of_auth_id_refs
Definition: auth_common.h:73
Definition: auth_common.h:231
uint repl_slave_priv_idx()
Definition: auth_common.h:579
void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant, const char *db, const char *table)
Definition: sql_authorization.cc:5271
void get_privilege_desc(char *to, uint max_length, ulong access)
Definition: sql_authorization.cc:4339
uint create_view_priv_idx()
Definition: auth_common.h:581
virtual ~Security_context_policy()=default
Definition: auth_common.h:328
virtual uint ssl_cipher_idx()=0
const std::function< void(Security_context *)> m_drop_policy
Definition: auth_common.h:922
virtual uint references_priv_idx()=0
virtual uint repl_client_priv_idx()=0
uint alter_routine_priv_idx()
Definition: auth_common.h:464
bool mysql_set_active_role(THD *thd, const List< LEX_USER > *role_list)
Definition: sql_authorization.cc:6543
uint super_priv_idx()
Definition: auth_common.h:449
mysql_db_table_field
Definition: auth_common.h:196
static constexpr int USER_HOST_BUFF_SIZE
Length of string buffer, that is enough to contain username and hostname parts of the user identifier...
Definition: auth_common.h:1033
Definition: auth_common.h:336
bool check_fk_parent_table_access(THD *thd, HA_CREATE_INFO *create_info, Alter_info *alter_info)
Checks the foreign key's parent table access.
Definition: sql_authorization.cc:5816
Definition: auth_common.h:304
void operator()(Security_context *sctx)
Definition: sql_authorization.cc:7121
Definition: auth_common.h:200
bool is_partial_revoke_exists(THD *thd)
Method to check if there exists at least one partial revokes in the cache.
Definition: sql_auth_cache.cc:3525
virtual uint user_idx()=0
bool check_table_access(THD *thd, ulong requirements, TABLE_LIST *tables, bool any_combination_of_privileges_will_do, uint number, bool no_errors)
Check if the requested privileges exist in either the User-, DB-, or tables- tables. ...
Definition: sql_authorization.cc:2391
bool check_engine_type_for_acl_table(THD *thd)
Definition: sql_auth_cache.cc:1791
Definition: auth_common.h:350
mysql_user_table_field
Definition: auth_common.h:222
virtual uint create_tablespace_priv_idx()=0
uint select_priv_idx()
Definition: auth_common.h:434
Definition: auth_common.h:253
uint lock_tables_priv_idx()
Definition: auth_common.h:577
std::pair< LEX_CSTRING, LEX_CSTRING > Auth_id_ref
user, host tuple which reference either acl_cache or g_default_roles
Definition: auth_common.h:72
Definition: auth_common.h:341
uint x509_subject_idx()
Definition: auth_common.h:474
virtual uint max_connections_idx()=0
uint x509_issuer_idx()
Definition: auth_common.h:597
Data describing the table being created by CREATE TABLE or altered by ALTER TABLE.
Definition: sql_alter.h:188
virtual User_table_schema * get_user_table_schema(TABLE *table)
Definition: auth_common.h:625
mysql_tables_priv_table_field
Definition: auth_common.h:311
uint references_priv_idx()
Definition: auth_common.h:569
bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name, bool is_proc)
Grant EXECUTE,ALTER privilege for a stored procedure.
Definition: sql_authorization.cc:5182
Definition: auth_common.h:269
Drop_temporary_dynamic_privileges(const std::vector< std::string > privs)
Definition: auth_common.h:954
uint show_view_priv_idx()
Definition: auth_common.h:460
uint create_view_priv_idx()
Definition: auth_common.h:459
Definition: auth_common.h:345
uint trigger_priv_idx()
Definition: auth_common.h:591
uint grant_priv_idx()
Definition: auth_common.h:568
uint plugin_idx()
Definition: auth_common.h:481
bool check_acl_tables_intact(THD *thd)
Opens the ACL tables and checks their sanity.
Definition: sql_auth_cache.cc:1879
uint alter_priv_idx()
Definition: auth_common.h:571
The current state of the privilege checking process for the current user, SQL statement and SQL objec...
Definition: table.h:333
Definition: sql_lex.h:3049
void err_readonly(THD *thd)
Generates appropriate error messages for the read-only state depending on whether the user has SUPER privileg...
Definition: sql_authorization.cc:1943
role_enum
Definition: sql_admin.h:217
bool check_grant_column(THD *thd, GRANT_INFO *grant, const char *db_name, const char *table_name, const char *name, size_t length, Security_context *sctx, ulong want_privilege)
Definition: sql_authorization.cc:3784
Per internal table ACL access rules.
Definition: auth_common.h:99
uint execute_priv_idx()
Definition: auth_common.h:578
Definition: auth_common.h:243
Definition: auth_common.h:306
virtual uint grant_priv_idx()=0
bool mysql_set_role_default(THD *thd)
Activates all the default roles in the current security context.
Definition: sql_authorization.cc:6510
std::unique_ptr< T, std::function< void(T *)> > Sctx_ptr
Definition: auth_common.h:876
Definition: auth_common.h:952
virtual bool operator()(Security_context *, Operation)=0
uint max_updates_idx()
Definition: auth_common.h:600
uint create_tablespace_priv_idx()
Definition: auth_common.h:592
uint ssl_cipher_idx()
Definition: auth_common.h:596
Definition: handler.h:2607
uint reload_priv_idx()
Definition: auth_common.h:564
bool is_granted_table_access(THD *thd, ulong required_acl, TABLE_LIST *table)
Given a TABLE_LIST object this function checks against.
Definition: sql_authorization.cc:2496
Definition: auth_common.h:211
uint show_db_priv_idx()
Definition: auth_common.h:448
Auth_id()
Definition: auth_common.cc:83
virtual uint alter_routine_priv_idx()=0
virtual uint password_reuse_time_idx()=0
uint event_priv_idx()
Definition: auth_common.h:466
uint max_connections_idx()
Definition: auth_common.h:477
Auth_id_ref create_authid_from(const LEX_USER *user)
Definition: sql_authorization.cc:6407
virtual uint insert_priv_idx()=0
bool apply_pre_constructed_policies(Security_context *sctx)
Definition: sql_authorization.cc:7141
virtual uint user_attributes_idx()=0
Definition: auth_common.h:198
Definition: auth_common.h:233
Factory for creating any Security_context given a pre-constructed policy.
Definition: auth_common.h:881
Definition: auth_common.h:280
Definition: auth_common.h:207
virtual uint password_reuse_history_idx()=0
static char * password
Definition: mysql_secure_installation.cc:55
Definition: auth_common.h:296
Definition: auth_common.h:251
bool grant_privileges(Security_context *sctx)
Definition: sql_authorization.cc:7135
Definition: auth_common.h:326
void get_mqh(THD *thd, const char *user, const char *host, USER_CONN *uc)
Definition: sql_auth_cache.cc:2838
Definition: auth_common.h:814
bool is_granted_role(LEX_CSTRING user, LEX_CSTRING host, LEX_CSTRING role, LEX_CSTRING role_host)
This function works just like check_if_granted_role, but also guarantees that the proper lock is take...
Definition: sql_authorization.cc:6566
Definition: auth_common.h:241
bool mysql_grant(THD *thd, const char *db, List< LEX_USER > &list, ulong rights, bool revoke_grant, bool is_proxy, const List< LEX_CSTRING > &dynamic_privilege, bool grant_all_current_privileges, LEX_GRANT_AS *grant_as)
Definition: sql_authorization.cc:3289
bool check_column_grant_in_table_ref(THD *thd, TABLE_LIST *table_ref, const char *name, size_t length, ulong want_privilege)
Check the privileges for a column depending on the type of table.
Definition: sql_authorization.cc:3864
uint max_user_connections_idx()
Definition: auth_common.h:602
virtual uint trigger_priv_idx()=0
uint ssl_type_idx()
Definition: auth_common.h:471
The MEM_ROOT is a simple arena, where allocations are carved out of larger blocks.
Definition: my_alloc.h:77
Definition: auth_common.h:205
bool mysql_revoke_role(THD *thd, const List< LEX_USER > *users, const List< LEX_USER > *roles)
Definition: sql_authorization.cc:3044
Definition: auth_common.h:223
ACL_internal_access_result check(ulong want_access, ulong *save_priv) const
Check access to an internal schema.
Definition: sql_authorization.cc:1744
Definition: table.h:2442
Definition: auth_common.h:206
uint update_priv_idx()
Definition: auth_common.h:560
virtual uint execute_priv_idx()=0
virtual ACL_internal_access_result check(ulong want_access, ulong *save_priv) const =0
Check access to an internal schema.
Definition: auth_common.h:201
bool check_some_routine_access(THD *thd, const char *db, const char *name, bool is_proc)
Check if the routine has any of the routine privileges.
Definition: sql_authorization.cc:2125
void set_system_user_flag(THD *thd, bool check_for_main_security_ctx=false)
Set the system_user flag in the THD.
Definition: auth_common.cc:186
uint authentication_string_idx()
Definition: auth_common.h:482
bool check_global_access(THD *thd, ulong want_access)
Check for global access and give a descriptive error message if it fails.
Definition: sql_authorization.cc:5791
bool precheck(Security_context *sctx)
Definition: sql_authorization.cc:7103
uint super_priv_idx()
Definition: auth_common.h:573
uint create_user_priv_idx()
Definition: auth_common.h:589
Definition: acl_table_user.cc:43
bool mysql_drop_user(THD *thd, List< LEX_USER > &list, bool if_exists, bool drop_role)
Drop a list of users and all their privileges.
Definition: sql_user.cc:2117
std::string get_default_autnetication_plugin_name()
Return the default authentication plugin name.
Definition: sql_authentication.cc:1165
Definition: auth_common.h:816
Definition: auth_common.h:292
bool check_single_table_access(THD *thd, ulong privilege, TABLE_LIST *tables, bool no_errors)
Check grants for commands which work only with one table.
Definition: sql_authorization.cc:2003
bool skip_grant_tables()
Definition: sql_auth_cache.cc:160
virtual uint create_priv_idx()=0
Definition: auth_common.h:320
uint file_priv_idx()
Definition: auth_common.h:567
ssl_artifacts_status
Definition: auth_common.h:813
uint drop_role_priv_idx()
Definition: auth_common.h:616
const ACL_internal_table_access * lookup(const char *name) const
Search for per table ACL access rules by table name.
Definition: sql_authorization.cc:1761
Definition: auth_common.h:249
Definition: auth_common.h:302
unsigned long ulong
Definition: my_inttypes.h:48
virtual uint x509_issuer_idx()=0
mysql_role_edges_table_field
Definition: auth_common.h:323
uint drop_role_priv_idx()
Definition: auth_common.h:451
void log_user(THD *thd, String *str, LEX_USER *user, bool comma)
Auxiliary function for constructing a user list string.
Definition: sql_user.cc:107
Definition: auth_common.h:506
uint drop_priv_idx()
Definition: auth_common.h:439
Definition: auth_common.h:258
virtual uint event_priv_idx()=0
bool length(const dd::Spatial_reference_system *srs, const Geometry *g1, double *length, bool *null) noexcept
Computes the length of linestrings and multilinestrings.
Definition: length.cc:75
bool drop_role(THD *thd, TABLE *edge_table, TABLE *defaults_table, const Auth_id_ref &authid_user)
Definition: sql_authorization.cc:607
uint create_priv_idx()
Definition: auth_common.h:562
Definition: auth_common.h:291
bool has_grant_role_privilege(THD *thd, const LEX_CSTRING &role_name, const LEX_CSTRING &role_host)
Definition: sql_authorization.cc:2566
Definition: auth_common.h:285
Definition: sp_head.h:125
Generic iterator over the fields of an arbitrary table reference.
Definition: table.h:3543
Definition: auth_common.h:225
void func_current_role(const THD *thd, String *active_role)
Helper function for Item_func_current_role.
Definition: sql_authorization.cc:6066
A registry for per internal schema ACL.
Definition: auth_common.h:171
bool operator()(Security_context *sctx, Operation op)
Definition: auth_common.h:854
Definition: auth_common.h:213
virtual uint shutdown_priv_idx()=0
virtual uint index_priv_idx()=0
THD * m_thd
Definition: auth_common.h:916
uint password_expired_idx()
Definition: auth_common.h:485
bool mysql_alter_or_clear_default_roles(THD *thd, role_enum role_type, const List< LEX_USER > *users, const List< LEX_USER > *roles)
Set the default roles to NONE, ALL or list of authorization IDs as roles, depending upon the role_typ...
Definition: sql_authorization.cc:6191
bool mysql_rename_user(THD *thd, List< LEX_USER > &list)
Definition: sql_user.cc:2257
uint password_idx()
Definition: auth_common.h:557
bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name, bool is_proc)
Revoke privileges for all users on a stored procedure.
Definition: sql_authorization.cc:5092
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_class.h:777
Definition: auth_common.h:230
uint password_last_changed_idx()
Definition: auth_common.h:486
Definition: auth_common.h:229
Definition: auth_common.h:307
Access denied; do not use the grant tables.
Definition: auth_common.h:86
int acl_authenticate(THD *thd, enum_server_command command)
Perform the handshake, authorize the client and update thd sctx variables.
Definition: sql_authentication.cc:3143
uint create_routine_priv_idx()
Definition: auth_common.h:461
bool operator<(const Auth_id &id) const
Definition: auth_common.cc:121
virtual uint drop_priv_idx()=0
Definition: auth_common.h:217
const char * table_name
Definition: rules_table_service.cc:55
void create_key()
Definition: auth_common.cc:77
Definition: auth_common.h:259