MySQL  8.0.18
auth_common.h
1 /* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
2 
3  This program is free software; you can redistribute it and/or modify
4  it under the terms of the GNU General Public License, version 2.0,
5  as published by the Free Software Foundation.
6 
7  This program is also distributed with certain software (including
8  but not limited to OpenSSL) that is licensed under separate terms,
9  as designated in a particular file or component or in included license
10  documentation. The authors of MySQL hereby grant you an additional
11  permission to link the program and your derivative works with the
12  separately licensed software that they have included with MySQL.
13 
14  This program is distributed in the hope that it will be useful,
15  but WITHOUT ANY WARRANTY; without even the implied warranty of
16  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  GNU General Public License, version 2.0, for more details.
18 
19  You should have received a copy of the GNU General Public License
20  along with this program; if not, write to the Free Software
21  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22 
23 #ifndef AUTH_COMMON_INCLUDED
24 #define AUTH_COMMON_INCLUDED
25 
26 #include <stddef.h>
27 #include <sys/types.h>
28 #include <functional>
29 #include <list>
30 #include <memory>
31 #include <set>
32 #include <utility>
33 #include <vector>
34 
35 #include "lex_string.h"
36 #include "my_command.h"
37 #include "my_dbug.h"
38 #include "my_hostname.h" // HOSTNAME_LENGTH
39 #include "my_inttypes.h"
40 #include "mysql_com.h" // USERNAME_LENGTH
41 #include "template_utils.h"
42 
43 /* Forward Declarations */
44 class Alter_info;
46 class Item;
47 class LEX_COLUMN;
48 class String;
49 class THD;
50 struct CHARSET_INFO;
51 struct GRANT_INFO;
52 struct GRANT_INTERNAL_INFO;
53 struct HA_CREATE_INFO;
54 struct LEX_USER;
55 template <class T>
56 class List;
57 typedef struct user_conn USER_CONN;
58 class Security_context;
59 class ACL_USER;
60 struct TABLE;
61 struct MEM_ROOT;
62 struct TABLE_LIST;
63 enum class role_enum;
64 enum class Consumer_type;
65 class LEX_GRANT_AS;
66 
67 namespace consts {
68 extern const std::string mysql;
69 extern const std::string system_user;
70 } // namespace consts
71 
72 /** (user, host) tuple which references either acl_cache or g_default_roles */
73 typedef std::pair<LEX_CSTRING, LEX_CSTRING> Auth_id_ref;
74 typedef std::vector<Auth_id_ref> List_of_auth_id_refs;
75 
76 bool operator<(const Auth_id_ref &a, const Auth_id_ref &b);
77 
79  /**
80  Access granted for all the requested privileges,
81  do not use the grant tables.
82  This flag is used only for the INFORMATION_SCHEMA privileges,
83  for compatibility reasons.
84  */
86  /** Access denied, do not use the grant tables. */
88  /** No decision yet, use the grant tables. */
90 };
91 
92 /* Classes */
93 
94 /**
95  Per internal table ACL access rules.
96  This class is an interface.
97  Per table(s) specific access rule should be implemented in a subclass.
98  @sa ACL_internal_schema_access
99 */
101  public:
103 
105 
106  /**
107  Check access to an internal table.
108  When a privilege is granted, this method adds the requested privilege
109  to save_priv.
110  @param want_access the privileges requested
111  @param [in, out] save_priv the privileges granted
112  @return
113  @retval ACL_INTERNAL_ACCESS_GRANTED All the requested privileges
114  are granted, and saved in save_priv.
115  @retval ACL_INTERNAL_ACCESS_DENIED At least one of the requested
116  privileges was denied.
117  @retval ACL_INTERNAL_ACCESS_CHECK_GRANT No requested privilege
118  was denied, and grant should be checked for at least one
119  privilege. Requested privileges that are granted, if any, are saved
120  in save_priv.
121  */
122  virtual ACL_internal_access_result check(ulong want_access,
123  ulong *save_priv) const = 0;
124 };
125 
126 /**
127  Per internal schema ACL access rules.
128  This class is an interface.
129  Each per schema specific access rule should be implemented
130  in a different subclass, and registered.
131  Per schema access rules can control:
132  - every schema privileges on schema.*
133  - every table privileges on schema.table
134  @sa ACL_internal_schema_registry
135 */
137  public:
139 
141 
142  /**
143  Check access to an internal schema.
144  @param want_access the privileges requested
145  @param [in, out] save_priv the privileges granted
146  @return
147  @retval ACL_INTERNAL_ACCESS_GRANTED All the requested privileges
148  are granted, and saved in save_priv.
149  @retval ACL_INTERNAL_ACCESS_DENIED At least one of the requested
150  privileges was denied.
151  @retval ACL_INTERNAL_ACCESS_CHECK_GRANT No requested privilege
152  was denied, and grant should be checked for at least one
153  privilege. Requested privileges that are granted, if any, are saved
154  in save_priv.
155  */
156  virtual ACL_internal_access_result check(ulong want_access,
157  ulong *save_priv) const = 0;
158 
159  /**
160  Search for per table ACL access rules by table name.
161  @param name the table name
162  @return per table access rules, or NULL
163  */
164  virtual const ACL_internal_table_access *lookup(const char *name) const = 0;
165 };
166 
167 /**
168  A registry for per internal schema ACL.
169  An 'internal schema' is a database schema maintained by the
170  server implementation, such as 'performance_schema' and 'INFORMATION_SCHEMA'.
171 */
173  public:
174  static void register_schema(const LEX_CSTRING &name,
175  const ACL_internal_schema_access *access);
176  static const ACL_internal_schema_access *lookup(const char *name);
177 };
178 
179 /**
180  Extension of ACL_internal_schema_access for Information Schema
181 */
183  public:
185 
187 
188  ACL_internal_access_result check(ulong want_access, ulong *save_priv) const;
189 
190  const ACL_internal_table_access *lookup(const char *name) const;
191 };
192 
193 /* Data Structures */
194 
195 extern const std::vector<std::string> global_acls_vector;
196 
221 };
222 
276 };
277 
287 };
288 
299 };
300 
310 };
311 
322 };
323 
331 };
332 
339 };
340 
347 };
348 
355 };
356 
357 /* When we run mysql_upgrade we must make sure that the server can be run
358  using previous mysql.user table schema during acl_load.
359 
360  User_table_schema is a common interface for the current and the
361  previous mysql.user table schema.
362  */
364  public:
365  virtual uint host_idx() = 0;
366  virtual uint user_idx() = 0;
367  virtual uint password_idx() = 0;
368  virtual uint select_priv_idx() = 0;
369  virtual uint insert_priv_idx() = 0;
370  virtual uint update_priv_idx() = 0;
371  virtual uint delete_priv_idx() = 0;
372  virtual uint create_priv_idx() = 0;
373  virtual uint drop_priv_idx() = 0;
374  virtual uint reload_priv_idx() = 0;
375  virtual uint shutdown_priv_idx() = 0;
376  virtual uint process_priv_idx() = 0;
377  virtual uint file_priv_idx() = 0;
378  virtual uint grant_priv_idx() = 0;
379  virtual uint references_priv_idx() = 0;
380  virtual uint index_priv_idx() = 0;
381  virtual uint alter_priv_idx() = 0;
382  virtual uint show_db_priv_idx() = 0;
383  virtual uint super_priv_idx() = 0;
384  virtual uint create_tmp_table_priv_idx() = 0;
385  virtual uint lock_tables_priv_idx() = 0;
386  virtual uint execute_priv_idx() = 0;
387  virtual uint repl_slave_priv_idx() = 0;
388  virtual uint repl_client_priv_idx() = 0;
389  virtual uint create_view_priv_idx() = 0;
390  virtual uint show_view_priv_idx() = 0;
391  virtual uint create_routine_priv_idx() = 0;
392  virtual uint alter_routine_priv_idx() = 0;
393  virtual uint create_user_priv_idx() = 0;
394  virtual uint event_priv_idx() = 0;
395  virtual uint trigger_priv_idx() = 0;
396  virtual uint create_tablespace_priv_idx() = 0;
397  virtual uint create_role_priv_idx() = 0;
398  virtual uint drop_role_priv_idx() = 0;
399  virtual uint ssl_type_idx() = 0;
400  virtual uint ssl_cipher_idx() = 0;
401  virtual uint x509_issuer_idx() = 0;
402  virtual uint x509_subject_idx() = 0;
403  virtual uint max_questions_idx() = 0;
404  virtual uint max_updates_idx() = 0;
405  virtual uint max_connections_idx() = 0;
406  virtual uint max_user_connections_idx() = 0;
407  virtual uint plugin_idx() = 0;
408  virtual uint authentication_string_idx() = 0;
409  virtual uint password_expired_idx() = 0;
410  virtual uint password_last_changed_idx() = 0;
411  virtual uint password_lifetime_idx() = 0;
412  virtual uint account_locked_idx() = 0;
413  virtual uint password_reuse_history_idx() = 0;
414  virtual uint password_reuse_time_idx() = 0;
415  // Added in 8.0.13
416  virtual uint password_require_current_idx() = 0;
417  // Added in 8.0.14
418  virtual uint user_attributes_idx() = 0;
419 
420  virtual ~User_table_schema() {}
421 };
422 
423 /*
424  This class describes indices for the current mysql.user table schema.
425  */
427  public:
430  // not available
432  DBUG_ASSERT(0);
433  return MYSQL_USER_FIELD_COUNT;
434  }
455  }
464  }
471  }
481  }
485  }
489  }
494  }
497  }
500  }
502 };
503 
504 /*
505  This class describes indices for the old mysql.user table schema.
506  */
508  public:
554  };
555 
577  }
586  }
589  }
595  }
605  }
609  }
611 
612  // those fields are not available in 5.6 db schema
622 };
623 
625  public:
627  return is_old_user_table_schema(table)
629  : implicit_cast<User_table_schema *>(
631  }
632 
633  virtual bool is_old_user_table_schema(TABLE *table);
635 };
636 
639 extern const char *any_db; // Special symbol for check_access
640 /** controls the extra checks on plugin availability for mysql.user records */
641 
642 extern bool validate_user_plugins;
643 
644 /* Function Declarations */
645 
646 /* sql_authentication */
647 
648 int set_default_auth_plugin(char *plugin_name, size_t plugin_name_length);
650 
651 void acl_log_connect(const char *user, const char *host, const char *auth_as,
652  const char *db, THD *thd,
655 bool acl_check_host(THD *thd, const char *host, const char *ip);
656 
657 /*
658  User Attributes are the ones which are defined during CREATE/ALTER/GRANT
659  statement. These attributes are divided into the following categories.
660 */
661 
/*
  Bit flags of type long. NONE_ATTR is the empty mask; every other flag
  occupies its own bit (0 through 8), so several can be OR-ed into one value
  and tested individually with '&'.
  NOTE(review): which field carries the combined mask is not visible in this
  header -- confirm at the use sites.
*/
662 #define NONE_ATTR 0L
663 #define DEFAULT_AUTH_ATTR (1L << 0) /* update defaults auth */
664 #define PLUGIN_ATTR (1L << 1) /* update plugin */
665  /* authentication_string */
/* The "authentication_string" comment above looks like a continuation of the
   PLUGIN_ATTR comment rather than a flag of its own -- confirm. */
666 #define SSL_ATTR (1L << 2) /* ex: SUBJECT,CIPHER.. */
667 #define RESOURCE_ATTR (1L << 3) /* ex: MAX_QUERIES_PER_HOUR.. */
668 #define PASSWORD_EXPIRE_ATTR (1L << 4) /* update password expire col */
669 #define ACCESS_RIGHTS_ATTR (1L << 5) /* update privileges */
670 #define ACCOUNT_LOCK_ATTR (1L << 6) /* update account lock status */
671 #define DIFFERENT_PLUGIN_ATTR \
672  (1L << 7) /* updated plugin with a different value */
673 #define USER_ATTRIBUTES (1L << 8) /* Request to update user attributes */
674 
675 /* sql_user */
/*
  Account-management entry points (declarations only; bodies live outside
  this header).
  NOTE(review): the meaning of the bool results is not stated here. Confirm
  whether true signals failure before using a result in a condition; an
  inverted test on these calls would silently accept a failed account change.
*/
676 void log_user(THD *thd, String *str, LEX_USER *user, bool comma);
/* NOTE(review): judging by the name, this validates a password change for
   (host, user) before change_password() performs it -- confirm that callers
   cannot reach change_password() without it. */
677 bool check_change_password(THD *thd, const char *host, const char *user,
678  bool retain_current_password);
/* password and current_password arrive as plain C strings.
   NOTE(review): whether callers keep these buffers out of logs and clear them
   after use is not visible from this header -- confirm. */
679 bool change_password(THD *thd, LEX_USER *user, const char *password,
680  const char *current_password,
681  bool retain_current_password);
/* is_role selects between user and role creation on the same code path
   (presumably CREATE USER vs CREATE ROLE -- confirm). */
682 bool mysql_create_user(THD *thd, List<LEX_USER> &list, bool if_not_exists,
683  bool is_role);
684 bool mysql_alter_user(THD *thd, List<LEX_USER> &list, bool if_exists);
685 bool mysql_drop_user(THD *thd, List<LEX_USER> &list, bool if_exists,
686  bool drop_role);
688 
689 /* sql_auth_cache */
/* Allocates the memory in the global_acl_memory MEM_ROOT. */
690 void init_acl_memory();
/*
  Wildcard comparison of str against wildstr under charset cs. The second
  overload takes explicit lengths for both strings.
  NOTE(review): the int return convention is not stated in this header. Do
  not assume that non-zero means "match"; confirm in sql_auth_cache.cc, since
  these helpers presumably decide host/db pattern matches for the ACL cache.
*/
691 int wild_case_compare(CHARSET_INFO *cs, const char *str, const char *wildstr);
692 int wild_case_compare(CHARSET_INFO *cs, const char *str, size_t str_len,
693  const char *wildstr, size_t wildstr_len);
694 bool hostname_requires_resolving(const char *hostname);
/* NOTE(review): dont_read_acl_tables suggests the ACL tables can be left
   unread at start-up; which access policy applies in that mode is not visible
   here -- confirm. */
695 bool acl_init(bool dont_read_acl_tables);
/* The argument defaults to false. */
696 void acl_free(bool end = false);
697 bool check_engine_type_for_acl_table(THD *thd, bool mdl_locked);
/* Initializes the structures responsible for table/column-level privilege
   checking. NOTE(review): the effect of skip_grant_tables == true is not
   visible in this header -- confirm. */
698 bool grant_init(bool skip_grant_tables);
699 void grant_free(void);
700 bool reload_acl_caches(THD *thd, bool mdl_locked);
/* Returns a ulong, presumably a privilege bitmask for the given
   (host, ip, user, db) -- confirm. db_is_pattern indicates whether db is to be
   treated as a pattern rather than a literal name. */
701 ulong acl_get(THD *thd, const char *host, const char *ip, const char *user,
702  const char *db, bool db_is_pattern);
703 bool is_acl_user(THD *thd, const char *host, const char *user);
704 bool acl_getroot(THD *thd, Security_context *sctx, const char *user,
705  const char *host, const char *ip, const char *db);
/* Opens the ACL tables and checks their sanity. The second overload takes an
   explicit TABLE_LIST instead of the mdl_locked flag. */
706 bool check_acl_tables_intact(THD *thd, bool mdl_locked);
707 bool check_acl_tables_intact(THD *thd, TABLE_LIST *tables);
708 void notify_flush_event(THD *thd);
710 
711 /* sql_authorization */
712 bool skip_grant_tables();
714 bool mysql_set_role_default(THD *thd);
715 bool mysql_set_active_role_all(THD *thd, const List<LEX_USER> *except_users);
716 bool mysql_set_active_role(THD *thd, const List<LEX_USER> *role_list);
717 bool mysql_grant(THD *thd, const char *db, List<LEX_USER> &list, ulong rights,
718  bool revoke_grant, bool is_proxy,
719  const List<LEX_CSTRING> &dynamic_privilege,
720  bool grant_all_current_privileges, LEX_GRANT_AS *grant_as);
721 bool mysql_routine_grant(THD *thd, TABLE_LIST *table, bool is_proc,
722  List<LEX_USER> &user_list, ulong rights, bool revoke,
723  bool write_to_binlog);
724 int mysql_table_grant(THD *thd, TABLE_LIST *table, List<LEX_USER> &user_list,
725  List<LEX_COLUMN> &column_list, ulong rights, bool revoke);
726 bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables,
727  bool any_combination_will_do, uint number, bool no_errors);
728 bool check_grant_column(THD *thd, GRANT_INFO *grant, const char *db_name,
729  const char *table_name, const char *name, size_t length,
730  Security_context *sctx, ulong want_privilege);
731 bool check_column_grant_in_table_ref(THD *thd, TABLE_LIST *table_ref,
732  const char *name, size_t length,
733  ulong want_privilege);
734 bool check_grant_all_columns(THD *thd, ulong want_access,
735  Field_iterator_table_ref *fields);
736 bool check_grant_routine(THD *thd, ulong want_access, TABLE_LIST *procs,
737  bool is_proc, bool no_error);
738 bool check_grant_db(THD *thd, const char *db);
739 bool acl_check_proxy_grant_access(THD *thd, const char *host, const char *user,
740  bool with_grant);
741 void get_privilege_desc(char *to, uint max_length, ulong access);
742 void get_mqh(THD *thd, const char *user, const char *host, USER_CONN *uc);
743 ulong get_table_grant(THD *thd, TABLE_LIST *table);
744 ulong get_column_grant(THD *thd, GRANT_INFO *grant, const char *db_name,
745  const char *table_name, const char *field_name);
746 bool mysql_show_grants(THD *, LEX_USER *, const List_of_auth_id_refs &, bool);
747 bool mysql_show_create_user(THD *thd, LEX_USER *user, bool are_both_users_same);
749 bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name,
750  bool is_proc);
751 bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name,
752  bool is_proc);
754  const char *db, const char *table);
755 int fill_schema_user_privileges(THD *thd, TABLE_LIST *tables, Item *cond);
756 int fill_schema_schema_privileges(THD *thd, TABLE_LIST *tables, Item *cond);
757 int fill_schema_table_privileges(THD *thd, TABLE_LIST *tables, Item *cond);
758 int fill_schema_column_privileges(THD *thd, TABLE_LIST *tables, Item *cond);
760  GRANT_INTERNAL_INFO *grant_internal_info, const char *schema_name);
761 
762 bool lock_tables_precheck(THD *thd, TABLE_LIST *tables);
763 bool create_table_precheck(THD *thd, TABLE_LIST *tables,
765 bool check_fk_parent_table_access(THD *thd, HA_CREATE_INFO *create_info,
766  Alter_info *alter_info);
767 bool check_readonly(THD *thd, bool err_if_readonly);
768 void err_readonly(THD *thd);
769 
770 bool is_secure_transport(int vio_type);
771 
/*
  Statement-level privilege checks (declarations only).
  NOTE(review): this header does not state what the bool result means.
  Confirm in sql_authorization.cc whether true means "denied / error" before
  writing `if (check_...(...))`; an inverted test here would mean an
  authorization bypass.
  Several functions take no_errors, which presumably suppresses the error
  report on denial -- confirm that callers passing true still act on the
  return value.
*/
772 bool check_one_table_access(THD *thd, ulong privilege, TABLE_LIST *tables);
773 bool check_single_table_access(THD *thd, ulong privilege, TABLE_LIST *tables,
774  bool no_errors);
/* name is a non-const char * here, whereas check_some_routine_access() below
   takes const char *. NOTE(review): confirm whether the callee modifies it. */
775 bool check_routine_access(THD *thd, ulong want_access, const char *db,
776  char *name, bool is_proc, bool no_errors);
777 bool check_some_access(THD *thd, ulong want_access, TABLE_LIST *table);
778 bool check_some_routine_access(THD *thd, const char *db, const char *name,
779  bool is_proc);
/* save_priv is a writable out-parameter; presumably it receives the granted
   privileges, as in the ACL_internal_*::check() interfaces declared in this
   header -- confirm. This header also declares any_db as a "special symbol
   for check_access", so db is not always a real schema name.
   dont_check_global_grants changes which grants are consulted; review any
   caller that passes true. */
780 bool check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv,
781  GRANT_INTERNAL_INFO *grant_internal_info,
782  bool dont_check_global_grants, bool no_errors);
/* any_combination_of_privileges_will_do, going by its name, relaxes the check
   from "all of requirements" to "some of requirements" -- confirm, and review
   callers that pass true. */
783 bool check_table_access(THD *thd, ulong requirements, TABLE_LIST *tables,
784  bool any_combination_of_privileges_will_do, uint number,
785  bool no_errors);
787 bool mysql_grant_role(THD *thd, const List<LEX_USER> *users,
788  const List<LEX_USER> *roles, bool with_admin_opt);
789 bool mysql_revoke_role(THD *thd, const List<LEX_USER> *users,
790  const List<LEX_USER> *roles);
792 
793 bool is_granted_table_access(THD *thd, ulong required_acl, TABLE_LIST *table);
794 
796  const List<LEX_USER> *users,
797  const List<LEX_USER> *roles);
798 void roles_graphml(THD *thd, String *);
799 bool has_grant_role_privilege(THD *thd, const LEX_CSTRING &role_name,
800  const LEX_CSTRING &role_host);
802 std::string create_authid_str_from(const LEX_USER *user);
803 void append_identifier(String *packet, const char *name, size_t length);
804 bool is_role_id(LEX_USER *authid);
805 void shutdown_acl_cache();
807  LEX_CSTRING role_host);
808 bool check_show_access(THD *thd, TABLE_LIST *table);
809 bool check_global_access(THD *thd, ulong want_access);
810 
811 /* sql_user_table */
813 
814 typedef enum ssl_artifacts_status {
820 
/* Declarations available only in builds with OpenSSL support. */
822 #if defined(HAVE_OPENSSL)
823 extern bool opt_auto_generate_certs;
/* ssl_ca, ssl_key and ssl_cert are pointers to string pointers, so the callee
   can repoint them (presumably at the generated files -- confirm).
   NOTE(review): the bool return convention is not stated here. */
824 bool do_auto_cert_generation(ssl_artifacts_status auto_detection_status,
825  const char **ssl_ca, const char **ssl_key,
826  const char **ssl_cert);
827 #endif /* HAVE_OPENSSL */
828 
/*
  Default file names for the TLS artifacts. The two *_KEY names refer to
  private-key files.
  NOTE(review): the directory these names are resolved against and the
  permissions the files are created with are not visible in this header --
  confirm that the key files are readable only by the server account.
*/
829 #define DEFAULT_SSL_CA_CERT "ca.pem"
830 #define DEFAULT_SSL_CA_KEY "ca-key.pem"
831 #define DEFAULT_SSL_SERVER_CERT "server-cert.pem"
832 #define DEFAULT_SSL_SERVER_KEY "server-key.pem"
833 
834 void update_mandatory_roles(void);
835 bool check_authorization_id_string(THD *thd, LEX_STRING &mandatory_roles);
836 void func_current_role(const THD *thd, String *active_role);
837 
839 
842  Security_context_policy() = default;
843  virtual ~Security_context_policy() = default;
845  virtual bool operator()(Security_context *, Operation) = 0;
846 };
847 
848 typedef std::function<bool(Security_context *,
851 
852 template <class Derived>
854  public:
856  if (op == Precheck && static_cast<Derived *>(this)->precheck(sctx))
857  return true;
858  if (op == Execute && static_cast<Derived *>(this)->create(sctx))
859  return true;
860  return false;
861  }
862 };
863 
864 template <class Derived>
866  public:
868  if (op == Precheck && static_cast<Derived *>(this)->precheck(sctx))
869  return true;
870  if (op == Execute && static_cast<Derived *>(this)->grant_privileges(sctx))
871  return true;
872  return false;
873  }
874 };
875 
876 template <typename T>
877 using Sctx_ptr = std::unique_ptr<T, std::function<void(T *)>>;
878 
879 /**
880  Factory for creating any Security_context given a pre-constructed policy.
881 */
883  public:
884  /**
885  Default Security_context factory implementation. Given two policies and
886  an authid this class returns a Security_context.
887  @param thd The thread handle
888  @param user User name associated with auth id
889  @param host Host name associated with auth id
890  @param extend_user_profile The policy for creating the user profile
891  @param priv The policy for authorizing the authid to
892  use the server.
893  @param static_priv Static privileges for authid.
894  @param drop_policy The policy for deleting the authid and
895  revoke privileges
896  */
898  THD *thd, const std::string &user, const std::string &host,
899  const Security_context_functor &extend_user_profile,
900  const Security_context_functor &priv,
901  const Security_context_functor &static_priv,
902  const std::function<void(Security_context *)> &drop_policy)
903  : m_thd(thd),
904  m_user(user),
905  m_host(host),
906  m_user_profile(extend_user_profile),
907  m_privileges(priv),
908  m_static_privileges(static_priv),
909  m_drop_policy(drop_policy) {}
910 
913 
914  private:
916 
918  std::string m_user;
919  std::string m_host;
923  const std::function<void(Security_context *)> m_drop_policy;
924 };
925 
/*
  Policy object plugged into Create_authid<Derived>. The base operator()
  shown in this header calls precheck() when op == Precheck and create() when
  op == Execute, and returns true whenever the called hook returns true.
  NOTE(review): true presumably signals failure -- confirm in
  sql_authorization.cc.
*/
926 class Default_local_authid : public Create_authid<Default_local_authid> {
927  public:
  // Single-argument constructor without `explicit`: a const THD * converts
  // implicitly to this type.
928  Default_local_authid(const THD *thd);
  // Check if the security context can be created as a local authid.
929  bool precheck(Security_context *sctx);
930  bool create(Security_context *sctx);
931 
932  private:
  // Raw pointer; no destructor is declared here, so this class does not
  // release it. NOTE(review): the THD must outlive this object -- confirm at
  // the construction sites.
933  const THD *m_thd;
934 };
935 
936 /**
937  Grant the privilege temporarily to the in-memory global privileges map.
938  This class is not thread safe.
939  */
941  : public Grant_privileges<Grant_temporary_dynamic_privileges> {
942  public:
944  const std::vector<std::string> privs);
945  bool precheck(Security_context *sctx);
947 
948  private:
949  const THD *m_thd;
950  const std::vector<std::string> m_privs;
951 };
952 
954  public:
955  Drop_temporary_dynamic_privileges(const std::vector<std::string> privs)
956  : m_privs(privs) {}
957  void operator()(Security_context *sctx);
958 
959  private:
960  std::vector<std::string> m_privs;
961 };
962 
964  : public Grant_privileges<Grant_temporary_static_privileges> {
965  public:
966  Grant_temporary_static_privileges(const THD *thd, const ulong privs);
967  bool precheck(Security_context *sctx);
969 
970  private:
971  /** THD handle */
972  const THD *m_thd;
973 
974  /** Privileges */
975  const ulong m_privs;
976 };
977 
978 bool operator==(const LEX_CSTRING &a, const LEX_CSTRING &b);
979 bool is_partial_revoke_exists(THD *thd);
980 void set_system_user_flag(THD *thd, bool check_for_main_security_ctx = false);
981 
982 /**
983  Storage container for default auth ids. Default roles are only weakly
984  depending on ACL_USERs. You can retain a default role even if the
985  corresponding ACL_USER is missing in the acl_cache.
986 */
987 class Auth_id {
988  public:
  // Construction from several representations of a (user, host) pair.
  // NOTE(review): none of the single-argument constructors is `explicit`, so
  // an Auth_id_ref, LEX_USER * or ACL_USER * converts to Auth_id implicitly.
989  Auth_id();
  // Takes explicit lengths, so the inputs presumably need not be
  // NUL-terminated -- confirm in auth_common.cc.
990  Auth_id(const char *user, size_t user_len, const char *host, size_t host_len);
991  Auth_id(const Auth_id_ref &id);
992  Auth_id(const LEX_CSTRING &user, const LEX_CSTRING &host);
993  Auth_id(const std::string &user, const std::string &host);
  // NOTE(review): handling of a null lex_user / acl_user is not visible in
  // this header -- confirm before passing a pointer that may be null.
994  Auth_id(const LEX_USER *lex_user);
995  Auth_id(const ACL_USER *acl_user);
996 
  // Destructor and copy constructor are user-declared; copy assignment is
  // defaulted (memberwise copy of the three strings below).
997  ~Auth_id();
998  Auth_id(const Auth_id &id);
999  Auth_id &operator=(const Auth_id &) = default;
1000 
  // Ordering for use in ordered containers; presumably compares m_key --
  // confirm.
1001  bool operator<(const Auth_id &id) const;
  // Two ways to obtain the textual auth id: written into *out, or returned
  // by value.
1002  void auth_str(std::string *out) const;
1003  std::string auth_str() const;
1004  const std::string &user() const;
1005  const std::string &host() const;
1006 
1007  private:
  // Presumably builds m_key from m_user and m_host -- confirm.
1008  void create_key();
1009  /** User part */
1010  std::string m_user;
1011  /** Host part */
1012  std::string m_host;
1013  /**
1014  Key: Internal representation mainly to facilitate use of
1015  Auth_id class in standard container.
1016  Format: 'user\0host\0'
1017  */
  // NOTE(review): the NUL separators presumably keep distinct pairs such as
  // ("ab", "c") and ("a", "bc") from producing the same key. That holds only
  // if neither part can itself contain a NUL byte -- confirm for the
  // length-based constructor.
1018  std::string m_key;
1019 };
1020 
1021 /*
1022  As of now Role_id is an alias of Auth_id.
1023  We may extend the Auth_id as Role_id once
1024  more substance is added to the latter.
1025 */
1027 
1028 /**
1029  Length of string buffer, that is enough to contain
1030  username and hostname parts of the user identifier with trailing zero in
1031  MySQL standard format:
1032  user_name_part\@host_name_part\\0
1033 */
1034 static constexpr int USER_HOST_BUFF_SIZE =
1036 
/* Writes a generated password into *password. The second parameter is unnamed
   in this declaration (presumably the requested length -- confirm).
   NOTE(review): the randomness source is not visible from this header --
   confirm that the definition draws from a cryptographically secure
   generator. */
1037 void generate_random_password(std::string *password, uint32_t);
/* List of string vectors; going by the type name, each entry holds user, host
   and generated password. NOTE(review): the passwords sit in ordinary
   std::string storage, so confirm how long this list lives and that it is
   never written to logs. */
1038 typedef std::list<std::vector<std::string>> Userhostpassword_list;
/* NOTE(review): judging by the name, this returns the generated passwords to
   the client as a result set. Whether an encrypted connection is required is
   not visible here (is_secure_transport() is declared in this header) --
   confirm. */
1039 bool send_password_result_set(THD *thd,
1040  const Userhostpassword_list &generated_passwords);
1041 #endif /* AUTH_COMMON_INCLUDED */
Definition: auth_common.h:624
uint create_role_priv_idx()
Definition: auth_common.h:616
virtual uint max_user_connections_idx()=0
Definition: auth_common.h:816
Definition: auth_common.h:274
void update_mandatory_roles(void)
Definition: sql_authorization.cc:7157
uint password_require_current_idx()
Definition: auth_common.h:620
virtual bool is_old_user_table_schema(TABLE *table)
Definition: auth_common.cc:71
virtual uint password_expired_idx()=0
bool check_acl_tables_intact(THD *thd, bool mdl_locked)
Opens the ACL tables and checks their sanity.
Definition: sql_auth_cache.cc:1875
std::vector< std::string > m_privs
Definition: auth_common.h:960
Operation
Definition: auth_common.h:841
uint account_locked_idx()
Definition: auth_common.h:615
Definition: auth_common.h:220
uint user_idx()
Definition: auth_common.h:557
void init_acl_memory()
Allocates the memory in the the global_acl_memory MEM_ROOT.
Definition: sql_auth_cache.cc:172
Grant_temporary_dynamic_privileges(const THD *thd, const std::vector< std::string > privs)
Definition: sql_authorization.cc:7189
Definition: auth_common.h:319
bool acl_check_host(THD *thd, const char *host, const char *ip)
Definition: sql_authentication.cc:1670
Definition: auth_common.h:215
Definition: auth_common.h:330
Security_context_factory(THD *thd, const std::string &user, const std::string &host, const Security_context_functor &extend_user_profile, const Security_context_functor &priv, const Security_context_functor &static_priv, const std::function< void(Security_context *)> &drop_policy)
Default Security_context factory implementation.
Definition: auth_common.h:897
#define USERNAME_LENGTH
Definition: mysql_com.h:69
Definition: auth_common.h:296
uint drop_priv_idx()
Definition: auth_common.h:564
virtual ~ACL_internal_table_access()
Definition: auth_common.h:104
void get_default_roles(const Auth_id_ref &user, List_of_auth_id_refs &list)
Shallow copy a list of default role authorization IDs from an Role_id storage.
Definition: sql_authorization.cc:6154
virtual uint account_locked_idx()=0
void shutdown_acl_cache()
Shutdown the global Acl_cache system which was only initialized if the rwlocks were initialized...
Definition: sql_auth_cache.cc:3191
virtual uint show_db_priv_idx()=0
virtual uint delete_priv_idx()=0
void append_identifier(String *packet, const char *name, size_t length)
Convert and quote the given identifier if needed and append it to the target string.
Definition: sql_show.cc:776
To implicit_cast(To x)
Sometimes the compiler insists that types be the same and does not do any implicit conversion...
Definition: template_utils.h:130
uint password_idx()
Definition: auth_common.h:431
Definition: auth_common.h:269
Definition: auth_common.h:841
bool check_engine_type_for_acl_table(THD *thd, bool mdl_locked)
Definition: sql_auth_cache.cc:1779
uint trigger_priv_idx()
Definition: auth_common.h:468
const char * db_name
Definition: rules_table_service.cc:54
virtual ~User_table_schema_factory()
Definition: auth_common.h:634
uint delete_priv_idx()
Definition: auth_common.h:438
uint password_reuse_history_idx()
Definition: auth_common.h:492
uint delete_priv_idx()
Definition: auth_common.h:562
Definition: auth_common.h:219
char * user
Definition: mysqladmin.cc:59
Definition: auth_common.h:262
Definition: mysql_lex_string.h:34
bool mysql_revoke_all(THD *thd, List< LEX_USER > &list)
Definition: sql_authorization.cc:4990
Storage container for default auth ids.
Definition: auth_common.h:987
Definition: auth_common.h:841
uint alter_routine_priv_idx()
Definition: auth_common.h:587
std::function< bool(Security_context *, Security_context_policy::Operation)> Security_context_functor
Definition: auth_common.h:850
Definition: auth_common.h:328
Definition: auth_common.h:251
Definition: auth_common.h:243
ACL_internal_schema_access()
Definition: auth_common.h:138
Security_context_policy()=default
virtual uint drop_role_priv_idx()=0
virtual uint lock_tables_priv_idx()=0
Definition: auth_common.h:317
std::string m_host
Definition: auth_common.h:919
Grant_temporary_static_privileges(const THD *thd, const ulong privs)
Definition: sql_authorization.cc:7216
LEX_CSTRING * plugin_name(st_plugin_int **ref)
Definition: sql_plugin_ref.h:94
const string name("\ame\)
Definition: auth_common.h:266
~Auth_id()
Definition: auth_common.cc:119
Definition: auth_common.h:241
uint password_require_current_idx()
Definition: auth_common.h:498
mysql_dynamic_priv_table_field
Definition: auth_common.h:349
bool is_acl_user(THD *thd, const char *host, const char *user)
Definition: sql_auth_cache.cc:1000
Extension of ACL_internal_schema_access for Information Schema.
Definition: auth_common.h:182
uint event_priv_idx()
Definition: auth_common.h:591
uint user_idx()
Definition: auth_common.h:429
uint max_questions_idx()
Definition: auth_common.h:476
bool validate_user_plugins
controls the extra checks on plugin availability for mysql.user records
Definition: sql_auth_cache.cc:164
Definition: auth_common.h:294
uint32 global_password_reuse_interval
Global sysvar: the number of days before a password can be reused.
Definition: sql_auth_cache.cc:3384
virtual uint file_priv_idx()=0
Some integer typedefs for easier portability.
Definition: auth_common.h:315
Definition: auth_common.h:239
Definition: auth_common.h:926
Definition: auth_common.h:291
#define bool
Definition: config_static.h:42
bool operator()(Security_context *sctx, Operation op)
Definition: auth_common.h:867
ACL_internal_table_access()
Definition: auth_common.h:102
Definition: auth_common.h:306
Definition: auth_common.h:345
Definition: auth_common.h:283
uint show_view_priv_idx()
Definition: auth_common.h:583
Definition: auth_common.h:204
Definition: auth_common.h:225
virtual uint password_idx()=0
Definition: auth_common.h:298
Definition: auth_common.h:352
No decision yet, use the grant tables.
Definition: auth_common.h:89
Definition: auth_common.h:272
Definition: auth_common.h:255
Definition: auth_common.h:265
Definition: auth_common.h:275
Definition: auth_common.h:334
Definition: auth_common.h:273
Definition: auth_common.h:309
Definition: auth_common.h:325
bool lock_tables_precheck(THD *thd, TABLE_LIST *tables)
Check privileges for LOCK TABLES statement.
Definition: sql_authorization.cc:1793
int fill_schema_table_privileges(THD *thd, TABLE_LIST *tables, Item *cond)
Definition: sql_authorization.cc:5598
int fill_schema_column_privileges(THD *thd, TABLE_LIST *tables, Item *cond)
Definition: sql_authorization.cc:5663
uint create_user_priv_idx()
Definition: auth_common.h:466
Definition: auth_common.h:335
Definition: auth_common.h:229
const char * host
Definition: mysqladmin.cc:58
bool mysql_create_user(THD *thd, List< LEX_USER > &list, bool if_not_exists, bool is_role)
Definition: sql_user.cc:2021
bool check_routine_access(THD *thd, ulong want_access, const char *db, char *name, bool is_proc, bool no_errors)
Definition: sql_authorization.cc:2058
virtual uint password_lifetime_idx()=0
bool mysql_alter_user(THD *thd, List< LEX_USER > &list, bool if_exists)
Definition: sql_user.cc:2573
virtual const ACL_internal_table_access * lookup(const char *name) const =0
Search for per table ACL access rules by table name.
void grant_free(void)
Definition: sql_auth_cache.cc:2098
Definition: mysql_lex_string.h:39
Definition: auth_common.h:285
uint insert_priv_idx()
Definition: auth_common.h:436
Definition: auth_common.h:320
Security_context_functor m_privileges
Definition: auth_common.h:921
IS_internal_schema_access()
Definition: auth_common.h:184
State information for internal tables grants.
Definition: table.h:317
Consumer_type
Target types where the rewritten query will be added.
Definition: sql_rewrite.h:37
A set of THD members describing the current authenticated user.
Definition: sql_security_ctx.h:53
bool is_secure_transport(int vio_type)
Definition: sql_authentication.cc:3623
bool precheck(Security_context *sctx)
Definition: sql_authorization.cc:7220
Definition: auth_common.h:267
Definition: auth_common.h:264
bool acl_init(bool dont_read_acl_tables)
Definition: sql_auth_cache.cc:1527
Definition: auth_common.h:247
std::string m_key
Key: Internal representation mainly to facilitate use of Auth_id class in standard container...
Definition: auth_common.h:1018
const THD * m_thd
Definition: auth_common.h:949
bool grant_init(bool skip_grant_tables)
Initialize structures responsible for table/column-level privilege checking and load information for ...
Definition: sql_auth_cache.cc:2118
class udf_list * list
Definition: auth_common.h:248
std::string auth_str() const
Definition: auth_common.cc:136
Definition: auth_common.h:338
bool precheck(Security_context *sctx)
Check if the security context can be created as a local authid
Definition: sql_authorization.cc:7172
void apply_policies_to_security_ctx()
Definition: sql_authorization.cc:7284
const std::vector< std::string > m_privs
Definition: auth_common.h:950
Definition: auth_common.h:263
bool check_grant_routine(THD *thd, ulong want_access, TABLE_LIST *procs, bool is_proc, bool no_error)
Definition: sql_authorization.cc:4200
Definition: auth_common.h:235
const string comma(" , ")
static void register_schema(const LEX_CSTRING &name, const ACL_internal_schema_access *access)
Add an internal schema to the registry.
Definition: sql_auth_cache.cc:182
virtual uint host_idx()=0
const ACL_internal_schema_access * get_cached_schema_access(GRANT_INTERNAL_INFO *grant_internal_info, const char *schema_name)
Get a cached internal schema access.
Definition: sql_authorization.cc:1727
Definition: auth_common.h:313
virtual uint process_priv_idx()=0
Definition: auth_common.h:245
uint repl_client_priv_idx()
Definition: auth_common.h:459
uint insert_priv_idx()
Definition: auth_common.h:560
ulong get_column_grant(THD *thd, GRANT_INFO *grant, const char *db_name, const char *table_name, const char *field_name)
Definition: sql_authorization.cc:4338
ACL_internal_access_result
Definition: auth_common.h:78
std::string m_host
Host part.
Definition: auth_common.h:1012
Definition: auth_common.h:258
int wild_case_compare(CHARSET_INFO *cs, const char *str, const char *wildstr)
Definition: sql_auth_cache.cc:583
bool operator==(const LEX_CSTRING &a, const LEX_CSTRING &b)
Definition: sql_authorization.cc:7345
bool mysql_show_grants(THD *, LEX_USER *, const List_of_auth_id_refs &, bool)
SHOW GRANTS FOR user USING [ALL | role [,role ...]].
Definition: sql_authorization.cc:4659
uint process_priv_idx()
Definition: auth_common.h:443
bool operator<(const Auth_id_ref &a, const Auth_id_ref &b)
Definition: sql_authorization.cc:7328
Definition: auth_common.h:279
Common definition used by mysys, performance schema and server & client.
Security_context_functor m_user_profile
Definition: auth_common.h:920
Definition: auth_common.h:268
Using this class is fraught with peril, and you need to be very careful when doing so...
Definition: sql_string.h:161
Definition: auth_common.h:257
bool check_grant_db(THD *thd, const char *db)
Check if a user has the right to access a database.
Definition: sql_authorization.cc:4140
uint account_locked_idx()
Definition: auth_common.h:491
bool disconnect_on_expired_password
Definition: sql_authentication.cc:898
Auth_id & operator=(const Auth_id &)=default
uint shutdown_priv_idx()
Definition: auth_common.h:442
uint create_tmp_table_priv_idx()
Definition: auth_common.h:575
bool is_role_id(LEX_USER *authid)
Definition: sql_authorization.cc:798
Definition: auth_common.h:353
uint index_priv_idx()
Definition: auth_common.h:571
Definition: table.h:1301
uint alter_priv_idx()
Definition: auth_common.h:448
int fill_schema_schema_privileges(THD *thd, TABLE_LIST *tables, Item *cond)
Definition: sql_authorization.cc:5538
bool mysql_show_create_user(THD *thd, LEX_USER *user, bool are_both_users_same)
Auxiliary function for constructing CREATE USER sql for a given user.
Definition: sql_user.cc:187
Common definition between mysql server & client.
bool hostname_requires_resolving(const char *hostname)
Check if the given host name needs to be resolved or not.
Definition: sql_auth_cache.cc:662
Definition: auth_common.h:217
Definition: sql_auth_cache.h:141
bool grant_privileges(Security_context *sctx)
Grant dynamic privileges to an in-memory global authid
Definition: sql_authorization.cc:7205
Grant the privilege temporarily to the in-memory global privileges map.
Definition: auth_common.h:940
Definition: auth_common.h:290
int set_default_auth_plugin(char *plugin_name, size_t plugin_name_length)
Initialize default authentication plugin based on command line options or configuration file setting...
Definition: sql_authentication.cc:1137
virtual uint plugin_idx()=0
Security_context_functor m_static_privileges
Definition: auth_common.h:922
bool check_one_table_access(THD *thd, ulong privilege, TABLE_LIST *tables)
Check grants for commands which work only with one table and all other tables belonging to subselects...
Definition: sql_authorization.cc:1980
Per internal schema ACL access rules.
Definition: auth_common.h:136
uint create_role_priv_idx()
Definition: auth_common.h:451
uint grant_priv_idx()
Definition: auth_common.h:445
uint max_updates_idx()
Definition: auth_common.h:477
uint max_questions_idx()
Definition: auth_common.h:600
uint password_reuse_time_idx()
Definition: auth_common.h:495
virtual uint max_questions_idx()=0
Definition: auth_common.h:238
Definition: table.h:2367
uint repl_slave_priv_idx()
Definition: auth_common.h:458
uint x509_subject_idx()
Definition: auth_common.h:599
#define DBUG_ASSERT(A)
Definition: my_dbug.h:197
uint password_lifetime_idx()
Definition: auth_common.h:490
Definition: auth_common.h:840
static const ACL_internal_schema_access * lookup(const char *name)
Search per internal schema ACL by name.
Definition: sql_auth_cache.cc:197
uint password_reuse_history_idx()
Definition: auth_common.h:618
uint create_routine_priv_idx()
Definition: auth_common.h:584
virtual uint create_role_priv_idx()=0
Definition: auth_common.h:209
Definition: auth_common.h:205
uint create_tablespace_priv_idx()
Definition: auth_common.h:469
~IS_internal_schema_access()
Definition: auth_common.h:186
uint password_lifetime_idx()
Definition: auth_common.h:614
Definition: auth_common.h:200
uint x509_issuer_idx()
Definition: auth_common.h:474
uint references_priv_idx()
Definition: auth_common.h:446
bool check_show_access(THD *thd, TABLE_LIST *table)
Check if user has enough privileges for execution of SHOW statement, which was converted to query to ...
Definition: sql_authorization.cc:5744
Definition: auth_common.h:318
uint lock_tables_priv_idx()
Definition: auth_common.h:456
bool check_readonly(THD *thd, bool err_if_readonly)
Performs standardized check whether to prohibit (true) or allow (false) operations based on read_onl...
Definition: sql_authorization.cc:1923
Definition: auth_common.h:261
mysql_proxies_priv_table_feild
Definition: auth_common.h:278
uint index_priv_idx()
Definition: auth_common.h:447
bool check_table_encryption_admin_access(THD *thd)
Check if a current user has the privilege TABLE_ENCRYPTION_ADMIN required to create encrypted table...
Definition: sql_authorization.cc:2475
Definition: auth_common.h:249
virtual ~ACL_internal_schema_access()
Definition: auth_common.h:140
uint execute_priv_idx()
Definition: auth_common.h:457
bool check_grant_all_columns(THD *thd, ulong want_access, Field_iterator_table_ref *fields)
Check if a query can access a set of columns.
Definition: sql_authorization.cc:3996
mysql_user_table_field_56
Definition: auth_common.h:509
virtual uint password_last_changed_idx()=0
Access granted for all the requested privileges, do not use the grant tables.
Definition: auth_common.h:85
virtual uint x509_subject_idx()=0
uint password_expired_idx()
Definition: auth_common.h:610
ulong acl_get(THD *thd, const char *host, const char *ip, const char *user, const char *db, bool db_is_pattern)
Get privilege for a host, user, and db combination.
Definition: sql_auth_cache.cc:1129
enum enum_vio_type vio_type(const MYSQL_VIO vio)
Definition: auth_common.h:314
uint show_db_priv_idx()
Definition: auth_common.h:573
Definition: auth_common.h:326
mysql_password_history_table_field
Definition: auth_common.h:341
void commit_and_close_mysql_tables(THD *thd)
A helper function to commit statement transaction and close ACL tables after reading some data from t...
Definition: sql_user_table.cc:470
virtual uint super_priv_idx()=0
bool mysql_set_active_role_all(THD *thd, const List< LEX_USER > *except_users)
Activates all granted roles in the current security context.
Definition: sql_authorization.cc:6608
Definition: auth_common.h:256
Definition: auth_common.h:227
const std::string & host() const
Definition: auth_common.cc:145
Definition: auth_common.h:237
bool acl_getroot(THD *thd, Security_context *sctx, const char *user, const char *host, const char *ip, const char *db)
Definition: sql_auth_cache.cc:1283
Definition: aggregate_check.h:523
virtual uint select_priv_idx()=0
bool check_change_password(THD *thd, const char *host, const char *user, bool retain_current_password)
Definition: sql_user.cc:135
bool create_table_precheck(THD *thd, TABLE_LIST *tables, TABLE_LIST *create_table)
CREATE TABLE query pre-check.
Definition: sql_authorization.cc:1821
virtual ACL_internal_access_result check(ulong want_access, ulong *save_priv) const =0
Check access to an internal table.
Cursor end()
A past-the-end Cursor.
Definition: rules_table_service.cc:188
int fill_schema_user_privileges(THD *thd, TABLE_LIST *tables, Item *cond)
Definition: sql_authorization.cc:5463
Definition: auth_common.h:363
int mysql_table_grant(THD *thd, TABLE_LIST *table, List< LEX_USER > &user_list, List< LEX_COLUMN > &column_list, ulong rights, bool revoke)
Definition: sql_authorization.cc:2630
uint file_priv_idx()
Definition: auth_common.h:444
const std::string & user() const
Definition: auth_common.cc:144
uint create_tmp_table_priv_idx()
Definition: auth_common.h:453
Definition: auth_common.h:316
mysql_default_roles_table_field
Definition: auth_common.h:333
Definition: auth_common.h:853
virtual uint max_updates_idx()=0
uint max_connections_idx()
Definition: auth_common.h:602
void notify_flush_event(THD *thd)
Audit notification for flush.
Definition: sql_auth_cache.cc:1470
virtual uint show_view_priv_idx()=0
uint host_idx()
Definition: auth_common.h:428
bool check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv, GRANT_INTERNAL_INFO *grant_internal_info, bool dont_check_global_grants, bool no_errors)
Compare requested privileges with the privileges acquired from the User- and Db-tables.
Definition: sql_authorization.cc:2188
virtual uint password_require_current_idx()=0
Definition: auth_common.h:233
const ulong m_privs
Privileges.
Definition: auth_common.h:975
Definition: auth_common.h:336
Definition: auth_common.h:343
uint32 global_password_history
Global sysvar: the number of old passwords to check in the history.
Definition: sql_auth_cache.cc:3382
Definition: auth_common.h:253
uint authentication_string_idx()
Definition: auth_common.h:607
Definition: auth_common.h:211
const std::string mysql
void acl_free(bool end=false)
Definition: sql_auth_cache.cc:1751
uint process_priv_idx()
Definition: auth_common.h:567
Definition: auth_common.h:284
Definition: item.h:668
unsigned int uint
Definition: uca-dump.cc:29
Definition: auth_common.h:240
virtual uint create_view_priv_idx()=0
PFS_table * create_table(PFS_table_share *share, PFS_thread *opening_thread, const void *identity)
Create instrumentation for a table instance.
Definition: pfs_instr.cc:1118
Definition: auth_common.h:304
uint ssl_type_idx()
Definition: auth_common.h:596
Default_local_authid(const THD *thd)
Definition: sql_authorization.cc:7163
ulong get_table_grant(THD *thd, TABLE_LIST *table)
Definition: sql_authorization.cc:4302
Definition: auth_common.h:354
std::string m_user
User part.
Definition: auth_common.h:1010
static constexpr int HOSTNAME_LENGTH
Definition: my_hostname.h:42
bool change_password(THD *thd, LEX_USER *user, const char *password, const char *current_password, bool retain_current_password)
Change a password hash for a user.
Definition: sql_user.cc:1404
uint32_t uint32
Definition: my_inttypes.h:66
uint host_idx()
Definition: auth_common.h:556
uint user_attributes_idx()
Definition: auth_common.h:501
Definition: auth_common.h:228
virtual uint create_user_priv_idx()=0
const std::vector< std::string > global_acls_vector
Consts for static privileges.
Definition: auth_acls.cc:61
Definition: auth_common.h:818
Definition: auth_common.h:198
uint user_attributes_idx()
Definition: auth_common.h:621
uint create_priv_idx()
Definition: auth_common.h:439
virtual uint update_priv_idx()=0
const THD * m_thd
Definition: auth_common.h:933
Definition: auth_common.h:210
const std::string system_user
bool reload_acl_caches(THD *thd, bool mdl_locked)
Reload all ACL caches.
Definition: sql_auth_cache.cc:3396
Definition: auth_common.h:280
uint repl_client_priv_idx()
Definition: auth_common.h:581
Definition: m_ctype.h:359
uint shutdown_priv_idx()
Definition: auth_common.h:566
const char * any_db
Definition: sql_authorization.cc:515
Definition: auth_common.h:426
std::string m_user
Definition: auth_common.h:918
std::string create_authid_str_from(const LEX_USER *user)
Helper used for producing a key to a key-value-map.
Definition: sql_authorization.cc:6474
Definition: auth_common.h:302
mysql_columns_priv_table_field
Definition: auth_common.h:301
uint password_reuse_time_idx()
Definition: auth_common.h:619
virtual uint create_routine_priv_idx()=0
ulong get_global_acl_cache_size()
Definition: sql_auth_cache.cc:107
Definition: auth_common.h:282
bool create(Security_context *sctx)
Create a local authid without modifying any tables.
Definition: sql_authorization.cc:7184
enum_server_command
A list of all MySQL protocol commands.
Definition: my_command.h:47
virtual ~User_table_schema()
Definition: auth_common.h:420
Definition: auth_common.h:865
std::list< std::vector< std::string > > Userhostpassword_list
Definition: auth_common.h:1038
void roles_graphml(THD *thd, String *)
Definition: sql_authorization.cc:4752
Definition: auth_common.h:295
uint ssl_cipher_idx()
Definition: auth_common.h:473
virtual uint authentication_string_idx()=0
Definition: auth_common.h:963
virtual uint alter_priv_idx()=0
bool mysql_set_active_role_none(THD *thd)
Reset active roles.
Definition: sql_authorization.cc:6564
Definition: auth_common.h:213
uint password_last_changed_idx()
Definition: auth_common.h:613
bool wildcard_db_grant_exists()
void acl_log_connect(const char *user, const char *host, const char *auth_as, const char *db, THD *thd, enum enum_server_command command)
Logging connection for the general query log, extracted from acl_authenticate() as it's reused at di...
Definition: sql_authentication.cc:3128
Definition: auth_common.h:246
static MEM_ROOT mem_root
Definition: client_plugin.cc:107
virtual uint ssl_type_idx()=0
bool mysql_user_table_is_in_short_password_format
bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables, bool any_combination_will_do, uint number, bool no_errors)
Check table level grants.
Definition: sql_authorization.cc:3652
Definition: auth_common.h:350
virtual uint reload_priv_idx()=0
Definition: auth_common.h:216
uint update_priv_idx()
Definition: auth_common.h:437
bool acl_check_proxy_grant_access(THD *thd, const char *host, const char *user, bool with_grant)
Definition: sql_authorization.cc:5399
virtual uint create_tmp_table_priv_idx()=0
virtual uint repl_slave_priv_idx()=0
uint select_priv_idx()
Definition: auth_common.h:559
Definition: auth_common.h:203
const THD * m_thd
THD handle.
Definition: auth_common.h:972
Definition: auth_common.h:236
Sctx_ptr< Security_context > create(MEM_ROOT *mem_root)
Definition: sql_authorization.cc:7261
uint max_user_connections_idx()
Definition: auth_common.h:479
bool mysql_routine_grant(THD *thd, TABLE_LIST *table, bool is_proc, List< LEX_USER > &user_list, ulong rights, bool revoke, bool write_to_binlog)
Store routine level grants in the privilege tables.
Definition: sql_authorization.cc:2914
uint plugin_idx()
Definition: auth_common.h:606
mysql_procs_priv_table_field
Definition: auth_common.h:289
command
Definition: version_token.cc:278
bool check_some_access(THD *thd, ulong want_access, TABLE_LIST *table)
Check if the given table has any of the asked privileges.
Definition: sql_authorization.cc:2110
Definition: auth_common.h:271
Definition: sql_lex.h:3166
uint reload_priv_idx()
Definition: auth_common.h:441
bool mysql_grant_role(THD *thd, const List< LEX_USER > *users, const List< LEX_USER > *roles, bool with_admin_opt)
Grants a list of roles to a list of users.
Definition: sql_authorization.cc:3219
Definition: sql_connect.h:69
std::vector< Auth_id_ref > List_of_auth_id_refs
Definition: auth_common.h:74
Definition: auth_common.h:232
uint repl_slave_priv_idx()
Definition: auth_common.h:580
void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant, const char *db, const char *table)
Definition: sql_authorization.cc:5332
void get_privilege_desc(char *to, uint max_length, ulong access)
Definition: sql_authorization.cc:4395
uint create_view_priv_idx()
Definition: auth_common.h:582
virtual ~Security_context_policy()=default
Definition: auth_common.h:329
virtual uint ssl_cipher_idx()=0
const std::function< void(Security_context *)> m_drop_policy
Definition: auth_common.h:923
virtual uint references_priv_idx()=0
virtual uint repl_client_priv_idx()=0
bool check_authorization_id_string(THD *thd, LEX_STRING &mandatory_roles)
Definition: sql_authorization.cc:7070
uint alter_routine_priv_idx()
Definition: auth_common.h:465
bool mysql_set_active_role(THD *thd, const List< LEX_USER > *role_list)
Definition: sql_authorization.cc:6618
uint super_priv_idx()
Definition: auth_common.h:450
mysql_db_table_field
Definition: auth_common.h:197
static constexpr int USER_HOST_BUFF_SIZE
Length of string buffer, that is enough to contain username and hostname parts of the user identifier...
Definition: auth_common.h:1034
Definition: auth_common.h:337
bool check_fk_parent_table_access(THD *thd, HA_CREATE_INFO *create_info, Alter_info *alter_info)
Checks foreign key's parent table access.
Definition: sql_authorization.cc:5876
Definition: auth_common.h:305
void operator()(Security_context *sctx)
Definition: sql_authorization.cc:7211
Definition: auth_common.h:201
bool is_partial_revoke_exists(THD *thd)
Method to check if there exists at least one partial revoke in the cache.
Definition: sql_auth_cache.cc:3518
virtual uint user_idx()=0
bool check_table_access(THD *thd, ulong requirements, TABLE_LIST *tables, bool any_combination_of_privileges_will_do, uint number, bool no_errors)
Check if the requested privileges exist in either User-, DB- or tables- tables. ...
Definition: sql_authorization.cc:2406
Definition: auth_common.h:351
mysql_user_table_field
Definition: auth_common.h:223
bool send_password_result_set(THD *thd, const Userhostpassword_list &generated_passwords)
Sends the result set of generated passwords to the client.
Definition: sql_user.cc:837
virtual uint create_tablespace_priv_idx()=0
uint select_priv_idx()
Definition: auth_common.h:435
Definition: auth_common.h:254
uint lock_tables_priv_idx()
Definition: auth_common.h:578
std::pair< LEX_CSTRING, LEX_CSTRING > Auth_id_ref
(user, host) tuple which references either acl_cache or g_default_roles
Definition: auth_common.h:73
Definition: auth_common.h:342
uint x509_subject_idx()
Definition: auth_common.h:475
virtual uint max_connections_idx()=0
uint x509_issuer_idx()
Definition: auth_common.h:598
Data describing the table being created by CREATE TABLE or altered by ALTER TABLE.
Definition: sql_alter.h:188
virtual User_table_schema * get_user_table_schema(TABLE *table)
Definition: auth_common.h:626
mysql_tables_priv_table_field
Definition: auth_common.h:312
uint references_priv_idx()
Definition: auth_common.h:570
bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name, bool is_proc)
Grant EXECUTE,ALTER privilege for a stored procedure.
Definition: sql_authorization.cc:5243
Definition: auth_common.h:270
Drop_temporary_dynamic_privileges(const std::vector< std::string > privs)
Definition: auth_common.h:955
uint show_view_priv_idx()
Definition: auth_common.h:461
uint create_view_priv_idx()
Definition: auth_common.h:460
Definition: auth_common.h:346
uint trigger_priv_idx()
Definition: auth_common.h:592
uint grant_priv_idx()
Definition: auth_common.h:569
uint plugin_idx()
Definition: auth_common.h:482
uint alter_priv_idx()
Definition: auth_common.h:572
The current state of the privilege checking process for the current user, SQL statement and SQL objec...
Definition: table.h:340
Definition: sql_lex.h:3178
void err_readonly(THD *thd)
Generates appropriate error messages for read-only state depending on whether user has SUPER privileg...
Definition: sql_authorization.cc:1959
role_enum
Definition: sql_admin.h:217
bool check_grant_column(THD *thd, GRANT_INFO *grant, const char *db_name, const char *table_name, const char *name, size_t length, Security_context *sctx, ulong want_privilege)
Definition: sql_authorization.cc:3840
Per internal table ACL access rules.
Definition: auth_common.h:100
uint execute_priv_idx()
Definition: auth_common.h:579
Definition: auth_common.h:244
Definition: auth_common.h:307
virtual uint grant_priv_idx()=0
bool mysql_set_role_default(THD *thd)
Activates all the default roles in the current security context.
Definition: sql_authorization.cc:6585
std::unique_ptr< T, std::function< void(T *)> > Sctx_ptr
Definition: auth_common.h:877
Definition: auth_common.h:953
virtual bool operator()(Security_context *, Operation)=0
uint max_updates_idx()
Definition: auth_common.h:601
uint create_tablespace_priv_idx()
Definition: auth_common.h:593
uint ssl_cipher_idx()
Definition: auth_common.h:597
Definition: handler.h:2629
uint reload_priv_idx()
Definition: auth_common.h:565
bool is_granted_table_access(THD *thd, ulong required_acl, TABLE_LIST *table)
Given a TABLE_LIST object this function checks against.
Definition: sql_authorization.cc:2510
Definition: auth_common.h:212
uint show_db_priv_idx()
Definition: auth_common.h:449
Auth_id()
Definition: auth_common.cc:83
virtual uint alter_routine_priv_idx()=0
virtual uint password_reuse_time_idx()=0
uint event_priv_idx()
Definition: auth_common.h:467
uint max_connections_idx()
Definition: auth_common.h:478
Auth_id_ref create_authid_from(const LEX_USER *user)
Definition: sql_authorization.cc:6482
virtual uint insert_priv_idx()=0
bool apply_pre_constructed_policies(Security_context *sctx)
Definition: sql_authorization.cc:7231
virtual uint user_attributes_idx()=0
Definition: auth_common.h:199
Definition: auth_common.h:234
Factory for creating any Security_context given a pre-constructed policy.
Definition: auth_common.h:882
Definition: auth_common.h:281
Definition: auth_common.h:208
virtual uint password_reuse_history_idx()=0
static char * password
Definition: mysql_secure_installation.cc:55
Definition: auth_common.h:297
Definition: auth_common.h:252
bool grant_privileges(Security_context *sctx)
Definition: sql_authorization.cc:7225
void generate_random_password(std::string *password, uint32_t)
Generates a random password of the length decided by the system variable generated_random_password_le...
Definition: sql_user.cc:817
Definition: auth_common.h:327
void get_mqh(THD *thd, const char *user, const char *host, USER_CONN *uc)
Definition: sql_auth_cache.cc:2832
Definition: auth_common.h:815
bool is_granted_role(LEX_CSTRING user, LEX_CSTRING host, LEX_CSTRING role, LEX_CSTRING role_host)
This function works just like check_if_granted_role, but also guarantees that the proper lock is take...
Definition: sql_authorization.cc:6641
Definition: auth_common.h:242
bool mysql_grant(THD *thd, const char *db, List< LEX_USER > &list, ulong rights, bool revoke_grant, bool is_proxy, const List< LEX_CSTRING > &dynamic_privilege, bool grant_all_current_privileges, LEX_GRANT_AS *grant_as)
Definition: sql_authorization.cc:3333
bool check_column_grant_in_table_ref(THD *thd, TABLE_LIST *table_ref, const char *name, size_t length, ulong want_privilege)
Check the privileges for a column depending on the type of table.
Definition: sql_authorization.cc:3920
uint max_user_connections_idx()
Definition: auth_common.h:603
virtual uint trigger_priv_idx()=0
uint ssl_type_idx()
Definition: auth_common.h:472
The MEM_ROOT is a simple arena, where allocations are carved out of larger blocks.
Definition: my_alloc.h:77
Definition: auth_common.h:206
bool mysql_revoke_role(THD *thd, const List< LEX_USER > *users, const List< LEX_USER > *roles)
Definition: sql_authorization.cc:3077
Definition: auth_common.h:224
ACL_internal_access_result check(ulong want_access, ulong *save_priv) const
Check access to an internal schema.
Definition: sql_authorization.cc:1760
Definition: table.h:2468
Definition: auth_common.h:207
uint update_priv_idx()
Definition: auth_common.h:561
virtual uint execute_priv_idx()=0
virtual ACL_internal_access_result check(ulong want_access, ulong *save_priv) const =0
Check access to an internal schema.
Definition: auth_common.h:202
bool check_some_routine_access(THD *thd, const char *db, const char *name, bool is_proc)
Check if the routine has any of the routine privileges.
Definition: sql_authorization.cc:2140
void set_system_user_flag(THD *thd, bool check_for_main_security_ctx=false)
Set the system_user flag in the THD.
Definition: auth_common.cc:186
uint authentication_string_idx()
Definition: auth_common.h:483
bool check_global_access(THD *thd, ulong want_access)
Check for global access and give a descriptive error message if it fails.
Definition: sql_authorization.cc:5851
bool precheck(Security_context *sctx)
Definition: sql_authorization.cc:7193
uint super_priv_idx()
Definition: auth_common.h:574
uint create_user_priv_idx()
Definition: auth_common.h:590
Definition: acl_table_user.cc:43
bool mysql_drop_user(THD *thd, List< LEX_USER > &list, bool if_exists, bool drop_role)
Drop a list of users and all their privileges.
Definition: sql_user.cc:2248
std::string get_default_autnetication_plugin_name()
Return the default authentication plugin name.
Definition: sql_authentication.cc:1159
Definition: auth_common.h:817
Definition: auth_common.h:293
bool check_single_table_access(THD *thd, ulong privilege, TABLE_LIST *tables, bool no_errors)
Check grants for commands which work only with one table.
Definition: sql_authorization.cc:2019
bool skip_grant_tables()
Definition: sql_auth_cache.cc:160
virtual uint create_priv_idx()=0
Definition: auth_common.h:321
uint file_priv_idx()
Definition: auth_common.h:568
ssl_artifacts_status
Definition: auth_common.h:814
uint drop_role_priv_idx()
Definition: auth_common.h:617
const ACL_internal_table_access * lookup(const char *name) const
Search for per table ACL access rules by table name.
Definition: sql_authorization.cc:1777
Definition: auth_common.h:250
Definition: auth_common.h:303
unsigned long ulong
Definition: my_inttypes.h:48
virtual uint x509_issuer_idx()=0
mysql_role_edges_table_field
Definition: auth_common.h:324
uint drop_role_priv_idx()
Definition: auth_common.h:452
void log_user(THD *thd, String *str, LEX_USER *user, bool comma)
Auxiliary function for constructing a user list string.
Definition: sql_user.cc:108
Definition: auth_common.h:507
uint drop_priv_idx()
Definition: auth_common.h:440
Definition: auth_common.h:259
virtual uint event_priv_idx()=0
bool length(const dd::Spatial_reference_system *srs, const Geometry *g1, double *length, bool *null) noexcept
Computes the length of linestrings and multilinestrings.
Definition: length.cc:75
bool drop_role(THD *thd, TABLE *edge_table, TABLE *defaults_table, const Auth_id_ref &authid_user)
Definition: sql_authorization.cc:625
uint create_priv_idx()
Definition: auth_common.h:563
Definition: auth_common.h:292
bool has_grant_role_privilege(THD *thd, const LEX_CSTRING &role_name, const LEX_CSTRING &role_host)
Definition: sql_authorization.cc:2580
Definition: auth_common.h:286
Definition: sp_head.h:125
Generic iterator over the fields of an arbitrary table reference.
Definition: table.h:3621
Definition: auth_common.h:226
void func_current_role(const THD *thd, String *active_role)
Helper function for Item_func_current_role.
Definition: sql_authorization.cc:6123
A registry for per internal schema ACL.
Definition: auth_common.h:172
bool operator()(Security_context *sctx, Operation op)
Definition: auth_common.h:855
Definition: auth_common.h:214
virtual uint shutdown_priv_idx()=0
virtual uint index_priv_idx()=0
THD * m_thd
Definition: auth_common.h:917
uint password_expired_idx()
Definition: auth_common.h:486
bool mysql_alter_or_clear_default_roles(THD *thd, role_enum role_type, const List< LEX_USER > *users, const List< LEX_USER > *roles)
Set the default roles to NONE, ALL or list of authorization IDs as roles, depending upon the role_typ...
Definition: sql_authorization.cc:6248
bool mysql_rename_user(THD *thd, List< LEX_USER > &list)
Definition: sql_user.cc:2395
uint password_idx()
Definition: auth_common.h:558
bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name, bool is_proc)
Revoke privileges for all users on a stored procedure.
Definition: sql_authorization.cc:5153
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_class.h:778
Definition: auth_common.h:231
uint password_last_changed_idx()
Definition: auth_common.h:487
Definition: auth_common.h:230
Definition: auth_common.h:308
Access denied, do not use the grant tables.
Definition: auth_common.h:87
int acl_authenticate(THD *thd, enum_server_command command)
Perform the handshake, authorize the client and update thd sctx variables.
Definition: sql_authentication.cc:3215
uint create_routine_priv_idx()
Definition: auth_common.h:462
bool operator<(const Auth_id &id) const
Definition: auth_common.cc:121
virtual uint drop_priv_idx()=0
Definition: auth_common.h:218
const char * table_name
Definition: rules_table_service.cc:55
void create_key()
Definition: auth_common.cc:77
Definition: auth_common.h:260