MySQL 9.0.0
Source Code Documentation
partial_revokes.h
Go to the documentation of this file.
1/* Copyright (c) 2018, 2024, Oracle and/or its affiliates.
2
3This program is free software; you can redistribute it and/or modify
4it under the terms of the GNU General Public License, version 2.0,
5as published by the Free Software Foundation.
6
7This program is designed to work with certain software (including
8but not limited to OpenSSL) that is licensed under separate terms,
9as designated in a particular file or component or in included license
10documentation. The authors of MySQL hereby grant you an additional
11permission to link the program and your derivative works with the
12separately licensed software that they have either included with
13the program or referenced in the documentation.
14
15This program is distributed in the hope that it will be useful,
16but WITHOUT ANY WARRANTY; without even the implied warranty of
17MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18GNU General Public License, version 2.0, for more details.
19
20You should have received a copy of the GNU General Public License
21along with this program; if not, write to the Free Software
22Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
23
24#ifndef PARTIAL_REVOKES_INCLUDED
25#define PARTIAL_REVOKES_INCLUDED
26
27#include <map>
28#include <memory>
29#include <set>
30#include <unordered_map>
31
32#include "map_helpers.h"
33#include "memory_debugging.h"
34#include "my_inttypes.h"
35#include "my_sqlcommand.h"
38
39// Forward declarations
40class THD;
41class ACL_USER;
42class Json_array;
43class Json_object;
45
46// Alias declarations
47using db_revocations = std::unordered_map<std::string, Access_bitmask>;
48using Db_access_map = std::map<std::string, Access_bitmask>;
49
50/**
51 Abstract class for ACL restrictions.
52*/
54 public:
57 virtual bool is_empty() const = 0;
58 virtual size_t size() const = 0;
59 virtual void clear() = 0;
60};
61
62/**
63 DB Restrictions representation in memory.
64
65 Note that an instance of this class is owned by the security context.
66 Many of the usage pattern of the security context has complex life cycle, it
67 may be using memory allocated through MEM_ROOT. That may lead to an
68 unwarranted memory growth in some circumstances. Therefore, we wish to own the
69 life cycle of the non POD type members in this class. Please allocate them
70 dynamically otherwise you may cause some difficult to find memory leaks.
71
72 @@note : non POD members are allocated when needed but not in constructor to
73 avoid unnecessary memory allocations since it is frequently accessed code
74 path. Onus is on the user to call the APIs safely that is to make sure that if
75 the accessed member in the API is allocated if it was supposed to be.
76
77 DB_restrictions also provides functions to:
78 - Manage DB restrictions
79 - Status functions
80 - Transformation of in memory db restrictions
81*/
83 public:
85 ~DB_restrictions() override;
86
88 DB_restrictions(const DB_restrictions &restrictions);
89 DB_restrictions(DB_restrictions &&restrictions) = delete;
90 DB_restrictions &operator=(const DB_restrictions &restrictions);
92 bool operator==(const DB_restrictions &restrictions) const;
93 void add(const std::string &db_name, const Access_bitmask revoke_privs);
94 void add(const DB_restrictions &restrictions);
95 bool add(const Json_object &json_object);
96
97 void remove(const std::string &db_name, const Access_bitmask revoke_privs);
98 void remove(const Access_bitmask revoke_privs);
99
100 bool find(const std::string &db_name, Access_bitmask &access) const;
101 bool is_empty() const override;
102 size_t size() const override;
103 void clear() override;
104 void get_as_json(Json_array &restrictions_array) const;
105 const db_revocations &get() const;
107
108 private:
110 void remove(const Access_bitmask remove_restrictions,
111 Access_bitmask &restrictions_mask) const noexcept;
113 void copy_restrictions(const DB_restrictions &other);
114
115 private:
116 /**
117 Database restrictions.
118 Dynamically allocating the memory everytime in constructor would be
119 expensive because this is frequently accessed code path. Therefore, we shall
120 allocate the memory when needed later on.
121 */
123};
124
126 assert(m_restrictions != nullptr);
127 return *m_restrictions;
128}
129
131 if (!m_restrictions) {
133 }
134 return m_restrictions;
135}
136
138 assert(m_restrictions != nullptr);
139 return *m_restrictions;
140}
141
143 assert(m_restrictions == nullptr);
144 if (other.m_restrictions) {
146 }
147}
148
149/**
150 Container of all restrictions for a given user.
151
152 Each object created in the MEM_ROOT has to be destroyed manually.
153 It will be the client's responsibility that create the objects.
154*/
156 public:
157 explicit Restrictions();
158
159 Restrictions(const Restrictions &) = default;
164
166
167 const DB_restrictions &db() const;
168 void set_db(const DB_restrictions &db_restrictions);
169 void clear_db();
170 bool is_empty() const;
171
172 private:
173 /** Database restrictions */
175};
176
177/**
178 Factory class that solely creates an object of type Restrictions_aggregator.
179
180 - The concrete implementations of Restrictions_aggregator cannot be created
181 directly since their constructors are private. This class is declared as
182 friend in those concrete implementations.
183 - It also records the CURRENT_USER in the binlog so that partial_revokes can
184 be executed on the replica with context of current user
185*/
187 public:
188 static std::unique_ptr<Restrictions_aggregator> create(
189 THD *thd, const ACL_USER *acl_user, const char *db,
190 const Access_bitmask rights, bool is_grant_revoke_all_on_db);
191
192 static std::unique_ptr<Restrictions_aggregator> create(
193 const Auth_id &grantor, const Auth_id &grantee,
194 const Access_bitmask grantor_access, const Access_bitmask grantee_access,
195 const DB_restrictions &grantor_restrictions,
196 const DB_restrictions &grantee_restrictions,
197 const Access_bitmask required_access, Db_access_map *db_map);
198
199 private:
200 static Auth_id fetch_grantor(const Security_context *sctx);
201 static Auth_id fetch_grantee(const ACL_USER *acl_user);
202 static Access_bitmask fetch_grantor_db_access(THD *thd, const char *db);
204 const ACL_USER *acl_user,
205 const char *db);
206 static void fetch_grantor_access(const Security_context *sctx, const char *db,
207 Access_bitmask &global_access,
208 Restrictions &restrictions);
209 static void fetch_grantee_access(const ACL_USER *grantee,
210 Access_bitmask &access,
211 Restrictions &restrictions);
212};
213
214/**
215 Base class to perform aggregation of two restriction lists
216
217 Aggregation is required if all of the following requirements are met:
218 1. Partial revocation feature is enabled
219 2. GRANT/REVOKE operation
220 3. Either grantor or grantee or both have restrictions associated with them
221
222 Task of the aggregator is to evaluate updates required for grantee's
223 restriction. Based on restrictions associated with grantor/grantee:
224 A. Add additional restrictions
225 E.g. - GRANT of a new privileges by a grantor who has restrictions for
226 privileges being granted
227 - Creation of restrictions through REVOKE
228 B. Remove some restrictions
229 E.g. - GRANT of existing privileges by a grantor without restrictions
230 - REVOKE of existing privileges
231
232*/
234 public:
236
237 /* interface methods which derived classes have to implement */
238 virtual bool generate(Abstract_restrictions &restrictions) = 0;
240 Access_bitmask &rights) const = 0;
241
242 protected:
243 Restrictions_aggregator(const Auth_id &grantor, const Auth_id grantee,
244 const Access_bitmask grantor_global_access,
245 const Access_bitmask grantee_global_access,
246 const Access_bitmask requested_access);
251
253
254 /** Grantor information */
256
257 /** Grantee information */
259
260 /** Global static privileges of grantor */
262
263 /** Global static privileges of grantee */
265
266 /** Privileges that are being granted or revoked */
268
269 /** Internal status of aggregation process */
271};
272
273/**
274 Restriction aggregator for database restrictions.
275 An umbrella class to cover common methods.
276 This is ultimately used for privilege aggregation
277 in case of GRANT/REVOKE of database level privileges.
278*/
280 public:
281 bool generate(Abstract_restrictions &restrictions) override;
282
283 protected:
285 DB_restrictions_aggregator(const Auth_id &grantor, const Auth_id grantee,
286 const Access_bitmask grantor_global_access,
287 const Access_bitmask grantee_global_access,
288 const DB_restrictions &grantor_restrictions,
289 const DB_restrictions &grantee_restrictions,
290 const Access_bitmask requested_access,
291 const Security_context *sctx);
293 Access_bitmask &rights) const override;
294
295 /* Helper methods and members for derived classes */
296
298 const Access_bitmask grantee_db_access,
299 const Access_bitmask grantee_restrictions,
300 const std::string &db_name) noexcept;
302 const Access_bitmask requested_access,
303 const Access_bitmask restrictions_mask) noexcept;
304 enum class SQL_OP { SET_ROLE, GLOBAL_GRANT };
305 void aggregate_restrictions(SQL_OP sql_op, const Db_access_map *m_db_map,
306 DB_restrictions &restrictions);
307 Access_bitmask get_grantee_db_access(const std::string &db_name) const;
308 void get_grantee_db_access(const std::string &db_name,
309 Access_bitmask &access) const;
310
311 /** Privileges that needs to be checked further through DB grants */
313
314 /** Database restrictions for grantor */
316
317 /** Database restrictions for grantee */
319
320 /** Security context of the current user */
322
323 private:
324 virtual Status validate() = 0;
325 virtual void aggregate(DB_restrictions &restrictions) = 0;
326};
327
328/**
329 Database restriction aggregator for SET ROLE statement.
330*/
334 const Auth_id &grantor, const Auth_id grantee,
335 const Access_bitmask grantor_global_access,
336 const Access_bitmask grantee_global_access,
337 const DB_restrictions &grantor_restrictions,
338 const DB_restrictions &grantee_restrictions,
339 const Access_bitmask requested_access, Db_access_map *db_map);
340
341 Status validate() override;
342 void aggregate(DB_restrictions &db_restrictions) override;
344
345 private:
347};
348
349/**
350 Restriction aggregator for GRANT statement for GLOBAL privileges.
351*/
355 const Auth_id &grantor, const Auth_id grantee,
356 const Access_bitmask grantor_global_access,
357 const Access_bitmask grantee_global_access,
358 const DB_restrictions &grantor_restrictions,
359 const DB_restrictions &grantee_restrictions,
360 const Access_bitmask requested_access, const Security_context *sctx);
361
362 Status validate() override;
363 void aggregate(DB_restrictions &restrictions) override;
365};
366
369 protected:
371 const Auth_id &grantor, const Auth_id grantee,
372 const Access_bitmask grantor_global_access,
373 const Access_bitmask grantee_global_access,
374 const DB_restrictions &grantor_restrictions,
375 const DB_restrictions &grantee_restrictions,
376 const Access_bitmask requested_access, const Security_context *sctx);
378
379 private:
380 Status validate() override;
381 void aggregate(DB_restrictions &restrictions) override;
383};
384
385/**
386 Restriction aggregator for REVOKE statement over GLOBAL privileges.
387*/
391 const Auth_id &grantor, const Auth_id grantee,
392 const Access_bitmask grantor_global_access,
393 const Access_bitmask grantee_global_access,
394 const DB_restrictions &grantor_restrictions,
395 const DB_restrictions &grantee_restrictions,
396 const Access_bitmask requested_access, const Security_context *sctx);
397 Status validate() override;
398 void aggregate(DB_restrictions &restrictions) override;
400};
401
402/**
403 Restriction aggregator for GRANT statement over database privileges.
404*/
408 const Auth_id &grantor, const Auth_id grantee,
409 const Access_bitmask grantor_global_access,
410 const Access_bitmask grantee_global_access,
411 const Access_bitmask grantor_db_access,
412 const Access_bitmask grantee_db_access,
413 const DB_restrictions &grantor_restrictions,
414 const DB_restrictions &grantee_restrictions,
415 const Access_bitmask requested_access, bool is_grant_all,
416 const std::string &db_name, const Security_context *sctx);
417
418 void aggregate(DB_restrictions &restrictions) override;
419 Status validate() override;
420
421 /** Aggregator needs to access class members */
423
424 /** Grantor's database privileges */
426
427 /** Grantee's database privileges */
429
430 /** Flag for GRANT ALL ON <db>.* TO ... */
431 const bool m_is_grant_all;
432
433 /** Target database of GRANT */
434 const std::string m_db_name;
435};
436
437/**
438 Restriction aggregator for REVOKE statement for database privileges.
439*/
443 const Auth_id &grantor, const Auth_id grantee,
444 const Access_bitmask grantor_global_access,
445 const Access_bitmask grantee_global_access,
446 const Access_bitmask grantor_db_access,
447 const Access_bitmask grantee_db_access,
448 const DB_restrictions &grantor_restrictions,
449 const DB_restrictions &grantee_restrictions,
450 const Access_bitmask requested_access, bool is_revoke_all,
451 const std::string &db_name, const Security_context *sctx);
452
453 void aggregate(DB_restrictions &restrictions) override;
454 Status validate() override;
455
456 /** Aggregator needs to access class members */
458
459 /** Grantor's database privileges */
461
462 /** Grantee's database privileges */
464
465 /** Flag for GRANT ALL ON <db>.* TO ... */
466 const bool m_is_revoke_all;
467
468 /** Target database of REVOKE */
469 const std::string m_db_name;
470};
471
472#endif /* PARTIAL_REVOKES_INCLUDED */
uint32_t Access_bitmask
Definition: auth_acls.h:34
std::map< std::string, Access_bitmask > Db_access_map
Definition: auth_internal.h:66
Definition: sql_auth_cache.h:246
Abstract class for ACL restrictions.
Definition: partial_revokes.h:53
virtual bool is_empty() const =0
virtual void clear()=0
virtual ~Abstract_restrictions()
Abstract restriction destructor.
virtual size_t size() const =0
Abstract_restrictions()
Abstract restriction constructor.
Storage container for default auth ids.
Definition: auth_common.h:1070
Restriction aggregator for GRANT statement over database privileges.
Definition: partial_revokes.h:406
Status validate() override
Validation function for database level grant statement.
Definition: partial_revokes.cc:1309
const Access_bitmask m_grantee_db_access
Grantee's database privileges.
Definition: partial_revokes.h:428
const std::string m_db_name
Target database of GRANT.
Definition: partial_revokes.h:434
void aggregate(DB_restrictions &restrictions) override
Aggregate restriction lists.
Definition: partial_revokes.cc:1339
const Access_bitmask m_grantor_db_access
Grantor's database privileges.
Definition: partial_revokes.h:425
DB_restrictions_aggregator_db_grant(const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const Access_bitmask grantor_db_access, const Access_bitmask grantee_db_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const Access_bitmask requested_access, bool is_grant_all, const std::string &db_name, const Security_context *sctx)
Constructor.
Definition: partial_revokes.cc:1288
const bool m_is_grant_all
Flag for GRANT ALL ON <db>.
Definition: partial_revokes.h:431
Restriction aggregator for REVOKE statement for database privileges.
Definition: partial_revokes.h:441
const Access_bitmask m_grantor_db_access
Grantor's database privileges.
Definition: partial_revokes.h:460
Status validate() override
Validation function for database level revoke statement.
Definition: partial_revokes.cc:1408
const std::string m_db_name
Target database of REVOKE.
Definition: partial_revokes.h:469
void aggregate(DB_restrictions &restrictions) override
Aggregate restriction lists.
Definition: partial_revokes.cc:1441
const Access_bitmask m_grantee_db_access
Grantee's database privileges.
Definition: partial_revokes.h:463
const bool m_is_revoke_all
Flag for GRANT ALL ON <db>.
Definition: partial_revokes.h:466
DB_restrictions_aggregator_db_revoke(const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const Access_bitmask grantor_db_access, const Access_bitmask grantee_db_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const Access_bitmask requested_access, bool is_revoke_all, const std::string &db_name, const Security_context *sctx)
Constructor.
Definition: partial_revokes.cc:1387
Restriction aggregator for GRANT statement for GLOBAL privileges.
Definition: partial_revokes.h:353
void aggregate(DB_restrictions &restrictions) override
Generates DB_restrictions based on the requested access, grantor and grantee's DB_restrictions in the...
Definition: partial_revokes.cc:1078
Status validate() override
Evaluates the restrictions list of grantor and grantee, as well as requested privilege.
Definition: partial_revokes.cc:1037
DB_restrictions_aggregator_global_grant(const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const Access_bitmask requested_access, const Security_context *sctx)
DB_restrictions_aggregator_global_grant constructor.
Definition: partial_revokes.cc:1013
Restriction aggregator for REVOKE statement over GLOBAL privileges.
Definition: partial_revokes.h:389
void aggregate(DB_restrictions &restrictions) override
Clear all the restrictions and changes the status of object to aggregated.
Definition: partial_revokes.cc:1265
Status validate() override
Validate restriction list for REVOKE ALL.
Definition: partial_revokes.cc:1238
DB_restrictions_aggregator_global_revoke_all(const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const Access_bitmask requested_access, const Security_context *sctx)
DB_restrictions_aggregator_global_revoke_all constructor.
Definition: partial_revokes.cc:1224
Definition: partial_revokes.h:368
Status validate_if_grantee_rl_not_empty()
If grantee restrictions_list is not empty then check the following.
Definition: partial_revokes.cc:1180
Status validate() override
Evaluates the restrictions list of grantor and grantee, as well as requested privilege.
Definition: partial_revokes.cc:1121
DB_restrictions_aggregator_global_revoke(const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const Access_bitmask requested_access, const Security_context *sctx)
DB_restrictions_aggregator_global_revoke constructor.
Definition: partial_revokes.cc:1098
void aggregate(DB_restrictions &restrictions) override
Definition: partial_revokes.cc:1156
Database restriction aggregator for SET ROLE statement.
Definition: partial_revokes.h:332
void aggregate(DB_restrictions &db_restrictions) override
Generates DB_restrictions based on the requested access, grantor and grantee's DB_restrictions in the...
Definition: partial_revokes.cc:966
Status validate() override
Evaluates the restrictions list of grantor and grantee, as well as requested privilege.
Definition: partial_revokes.cc:941
DB_restrictions_aggregator_set_role(const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const Access_bitmask requested_access, Db_access_map *db_map)
DB_restrictions_aggregator_set_role constructor.
Definition: partial_revokes.cc:916
Db_access_map * m_db_map
Definition: partial_revokes.h:346
Restriction aggregator for database restrictions.
Definition: partial_revokes.h:279
void aggregate_restrictions(SQL_OP sql_op, const Db_access_map *m_db_map, DB_restrictions &restrictions)
A helper method that aggregates the restrictions for global_grant and set_role operations since both ...
Definition: partial_revokes.cc:760
Access_bitmask get_grantee_db_access(const std::string &db_name) const
Fetches the grantee's DB access on the specified DB If security context of current user exists and ha...
Definition: partial_revokes.cc:878
virtual Status validate()=0
void set_if_db_level_operation(const Access_bitmask requested_access, const Access_bitmask restrictions_mask) noexcept
Set privileges that needs to be processed further.
Definition: partial_revokes.cc:721
DB_restrictions m_grantee_rl
Database restrictions for grantee.
Definition: partial_revokes.h:318
DB_restrictions m_grantor_rl
Database restrictions for grantor.
Definition: partial_revokes.h:315
bool find_if_require_next_level_operation(Access_bitmask &rights) const override
Get list of privileges that are not restricted through restriction list.
Definition: partial_revokes.cc:661
virtual void aggregate(DB_restrictions &restrictions)=0
const Security_context * m_sctx
Security context of the current user.
Definition: partial_revokes.h:321
SQL_OP
Definition: partial_revokes.h:304
DB_restrictions_aggregator(const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const Access_bitmask requested_access, const Security_context *sctx)
Constructor for database level restrictions aggregator.
Definition: partial_revokes.cc:609
bool check_db_access_and_restrictions_collision(const Access_bitmask grantee_db_access, const Access_bitmask grantee_restrictions, const std::string &db_name) noexcept
Check possible descrepancy between DB access being granted and existing restrictions.
Definition: partial_revokes.cc:695
bool generate(Abstract_restrictions &restrictions) override
Driver function to aggregate restriction lists.
Definition: partial_revokes.cc:638
Access_bitmask m_privs_not_processed
Privileges that needs to be checked further through DB grants.
Definition: partial_revokes.h:312
DB Restrictions representation in memory.
Definition: partial_revokes.h:82
const db_revocations & get() const
Definition: partial_revokes.h:125
void get_as_json(Json_array &restrictions_array) const
Serializer.
Definition: partial_revokes.cc:295
void clear() override
Clear restriction list.
Definition: partial_revokes.cc:285
size_t size() const override
Status function to get number of entries in restriction list.
Definition: partial_revokes.cc:279
bool find(const std::string &db_name, Access_bitmask &access) const
Get restricted access information for given database.
Definition: partial_revokes.cc:257
DB_restrictions & operator=(const DB_restrictions &restrictions)
Assignment operator.
Definition: partial_revokes.cc:77
bool is_empty() const override
Status function to check if restriction list is empty.
Definition: partial_revokes.cc:274
void copy_restrictions(const DB_restrictions &other)
Definition: partial_revokes.h:142
DB_restrictions()
DB Restrictions constructor.
Definition: partial_revokes.cc:58
db_revocations * m_restrictions
Database restrictions.
Definition: partial_revokes.h:122
db_revocations * create_restrictions_if_needed()
Definition: partial_revokes.h:130
void add(const std::string &db_name, const Access_bitmask revoke_privs)
Add given privileges as restricted for the database.
Definition: partial_revokes.cc:118
DB_restrictions(DB_restrictions &&restrictions)=delete
bool has_more_restrictions(const DB_restrictions &, Access_bitmask) const
Compare is two restriction list for given privileges.
Definition: partial_revokes.cc:322
db_revocations & db_restrictions()
Definition: partial_revokes.h:137
~DB_restrictions() override
Destructor.
Definition: partial_revokes.cc:70
db_revocations & operator()(void)
Definition: partial_revokes.h:87
bool operator==(const DB_restrictions &restrictions) const
Compare the two restrictions.
Definition: partial_revokes.cc:106
void remove(const std::string &db_name, const Access_bitmask revoke_privs)
Remove given set of privilegs for a database from restriction list.
Definition: partial_revokes.cc:203
Represents a JSON array container, i.e.
Definition: json_dom.h:516
Represents a JSON container value of type "object" (ECMA), type J_OBJECT here.
Definition: json_dom.h:369
Factory class that solely creates an object of type Restrictions_aggregator.
Definition: partial_revokes.h:186
static Access_bitmask fetch_grantor_db_access(THD *thd, const char *db)
Returns the privileges granted on the DB to the grantor.
Definition: partial_revokes.cc:516
static Access_bitmask fetch_grantee_db_access(THD *thd, const ACL_USER *acl_user, const char *db)
Returns the privileges granted on the DB to the grantee.
Definition: partial_revokes.cc:533
static void fetch_grantee_access(const ACL_USER *grantee, Access_bitmask &access, Restrictions &restrictions)
Definition: partial_revokes.cc:556
static std::unique_ptr< Restrictions_aggregator > create(THD *thd, const ACL_USER *acl_user, const char *db, const Access_bitmask rights, bool is_grant_revoke_all_on_db)
A factory method that creates objects from Restrictions_aggregator hierarchy.
Definition: partial_revokes.cc:376
static void fetch_grantor_access(const Security_context *sctx, const char *db, Access_bitmask &global_access, Restrictions &restrictions)
Returns the privileges and restrictions:
Definition: partial_revokes.cc:547
static Auth_id fetch_grantee(const ACL_USER *acl_user)
Returns the grantee's user name and host info.
Definition: partial_revokes.cc:497
static Auth_id fetch_grantor(const Security_context *sctx)
Returns the grantor user name and host id.
Definition: partial_revokes.cc:480
Base class to perform aggregation of two restriction lists.
Definition: partial_revokes.h:233
const Access_bitmask m_requested_access
Privileges that are being granted or revoked.
Definition: partial_revokes.h:267
Restrictions_aggregator(const Restrictions_aggregator &&)=delete
Restrictions_aggregator & operator=(const Restrictions_aggregator &)=delete
virtual ~Restrictions_aggregator()
Destructor.
const Access_bitmask m_grantor_global_access
Global static privileges of grantor.
Definition: partial_revokes.h:261
Restrictions_aggregator(const Auth_id &grantor, const Auth_id grantee, const Access_bitmask grantor_global_access, const Access_bitmask grantee_global_access, const Access_bitmask requested_access)
Constructor.
Definition: partial_revokes.cc:574
Restrictions_aggregator(const Restrictions_aggregator &)=delete
const Access_bitmask m_grantee_global_access
Global static privileges of grantee.
Definition: partial_revokes.h:264
Status m_status
Internal status of aggregation process.
Definition: partial_revokes.h:270
Restrictions_aggregator & operator=(const Restrictions_aggregator &&)=delete
virtual bool generate(Abstract_restrictions &restrictions)=0
const Auth_id m_grantee
Grantee information.
Definition: partial_revokes.h:258
virtual bool find_if_require_next_level_operation(Access_bitmask &rights) const =0
const Auth_id m_grantor
Grantor information.
Definition: partial_revokes.h:255
Status
Definition: partial_revokes.h:252
Container of all restrictions for a given user.
Definition: partial_revokes.h:155
Restrictions & operator=(const Restrictions &)
Assignment operator for Restrictions.
Definition: partial_revokes.cc:1485
void set_db(const DB_restrictions &db_restrictions)
Set given database restrictions.
Definition: partial_revokes.cc:1510
~Restrictions()
Destructor.
Definition: partial_revokes.cc:1476
Restrictions()
Constructor for Restrictions.
Definition: partial_revokes.cc:1473
void clear_db()
Clear database restrictions.
Definition: partial_revokes.cc:1515
const DB_restrictions & db() const
Get database restrictions.
Definition: partial_revokes.cc:1507
Restrictions(const Restrictions &)=default
DB_restrictions m_db_restrictions
Database restrictions.
Definition: partial_revokes.h:174
bool has_more_db_restrictions(const Restrictions &, Access_bitmask)
Definition: partial_revokes.cc:1501
bool is_empty() const
Return if restrictions are empty or not.
Definition: partial_revokes.cc:1518
A set of THD members describing the current authenticated user.
Definition: sql_security_ctx.h:54
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_lexer_thd.h:36
Various macros useful for communicating with memory debuggers, such as Valgrind.
Some integer typedefs for easier portability.
const char * db_name
Definition: rules_table_service.cc:55
std::unordered_map< std::string, Access_bitmask > db_revocations
Definition: partial_revokes.h:47