MySQL  8.0.18
Source Code Documentation
partial_revokes.h
1 /* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
2 
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License, version 2.0,
5 as published by the Free Software Foundation.
6 
7 This program is also distributed with certain software (including
8 but not limited to OpenSSL) that is licensed under separate terms,
9 as designated in a particular file or component or in included license
10 documentation. The authors of MySQL hereby grant you an additional
11 permission to link the program and your derivative works with the
12 separately licensed software that they have included with MySQL.
13 
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License, version 2.0, for more details.
18 
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22 
23 #ifndef PARTIAL_REVOKES_INCLUDED
24 #define PARTIAL_REVOKES_INCLUDED
25 
26 #include <map>
27 #include <memory>
28 #include <set>
29 
30 #include "map_helpers.h"
31 #include "memory_debugging.h"
32 #include "my_alloc.h"
33 #include "my_inttypes.h"
34 #include "my_sqlcommand.h"
35 #include "sql/auth/auth_common.h"
36 #include "sql/auth/auth_utility.h"
37 #include "sql/memroot_allocator.h"
38 
39 // Forward declarations
40 class THD;
41 class ACL_USER;
42 class Json_array;
43 class Json_object;
46 
47 // Alias declarations
49 using Db_access_map = std::map<std::string, unsigned long>;
50 
51 /**
52  Abstract class for ACL restrictions.
53 */
55  public:
57  virtual ~Abstract_restrictions();
58  virtual bool is_empty() const = 0;
59  virtual size_t size() const = 0;
60  virtual void clear() = 0;
61 
62  protected:
63  /** MEM_ROOT manager */
65 };
66 
67 /**
68  DB Restrictions representation in memory.
69  It uses memroot based, collation aware map to store
70  (<dbname>, <restricted_access>) mapping.
71 
72  Each object created in the MEM_ROOT has to be destroyed manually.
73  This is the responsibility of the client that creates the objects.
74 
75  It also provides functions to:
76  - Manage DB restrictions
77  - Status functions
78  - Transformation of in memory db restrictions
79 */
81  public:
     /** Destructor. */
83  virtual ~DB_restrictions() override;
84 
     /** Copy constructor. */
86  DB_restrictions(const DB_restrictions &restrictions);
     /**
      Move construction is deleted.
      NOTE(review): move assignment is still declared two lines below; the
      reason for the asymmetry is not visible in this header - confirm.
     */
87  DB_restrictions(DB_restrictions &&restrictions) = delete;
     /** Copy assignment operator. */
88  DB_restrictions &operator=(const DB_restrictions &restrictions);
     /** Move assignment operator. */
89  DB_restrictions &operator=(DB_restrictions &&restrictions);
     /** Compare the two restrictions. */
90  bool operator==(const DB_restrictions &restrictions) const;
     /**
      Add the given set of privileges (in string format) to the restriction
      list of the given database.
     */
91  void add(const std::string &db_name, const std::set<std::string> &privs);
     /**
      Overload that takes the privileges as a ulong.
      NOTE(review): presumably a privilege bitmask - confirm against
      partial_revokes.cc.
     */
92  void add(const std::string &db_name, const ulong revoke_privs);
     /** Overload that takes another DB_restrictions object. */
93  void add(const DB_restrictions &restrictions);
     /**
      Overload that takes a JSON object.
      NOTE(review): this is the only add() overload that returns a value, and
      which value signals failure is not visible in this header. A caller
      that ignores it may not notice that restrictions were not added -
      confirm the convention and check call sites.
     */
94  bool add(const Json_object &json_object);
95 
     /**
      Counterparts of add(): the first two overloads take a database name plus
      the privileges, as a set of strings or as a ulong.
     */
96  void remove(const std::string &db_name,
97  const std::set<std::string> &revoke_privs);
98  void remove(const std::string &db_name, const ulong revoke_privs);
     /**
      Overload without a database name.
      NOTE(review): presumably applies to every database entry - confirm.
     */
99  void remove(const ulong revoke_privs);
100 
     /**
      Get restricted access information for the given database; the result is
      delivered through the access out-parameter.
      NOTE(review): the meaning of the bool return, and whether access is
      written when no entry exists, is not visible here - confirm before
      using access without checking the return value.
     */
101  bool find(const std::string &db_name, ulong &access) const;
     /** Status function to check if the restriction list is empty. */
102  bool is_empty() const override;
     /** Status function to check if the restriction list is non-empty. */
103  bool is_not_empty() const;
     /** Status function to get the number of entries in the restriction list. */
104  size_t size() const override;
     /** Clear the restriction list. */
105  void clear() override;
     /** Serializer: takes the target JSON array by non-const reference. */
106  void get_as_json(Json_array &restrictions_array) const;
     /** Read-only access to the underlying restriction map (m_restrictions). */
107  const db_revocations &get() const { return m_restrictions; }
     /** Compare two restriction lists for the given privileges. */
108  bool has_more_restrictions(const DB_restrictions &, ulong) const;
109 
110  private:
     /**
      Private helper; restrictions_mask is passed by non-const reference.
      Declared const and noexcept.
     */
112  void remove(const ulong remove_restrictions, ulong &restrictions_mask) const
113  noexcept;
114 
115  private:
116  /** Database restrictions */
118 };
119 
120 /**
121  Container of all restrictions for a given user.
122 
123  Each object created in the MEM_ROOT has to be destroyed manually.
124  This is the responsibility of the client that creates the objects.
125 */
127  public:
     /** Constructor for Restrictions; takes the MEM_ROOT to use. */
128  explicit Restrictions(MEM_ROOT *mem_root);
129 
     /** Copy constructor. */
130  Restrictions(const Restrictions &);
135 
     /** Destructor. */
136  ~Restrictions();
137 
     /**
      Get database restrictions.
      Returns a const reference, so callers cannot modify the restrictions
      through it.
     */
138  const DB_restrictions &db() const;
     /** Set given database restrictions. */
139  void set_db(const DB_restrictions &db_restrictions);
     /** Add given database restrictions. */
140  void add_db(const DB_restrictions &db_restrictions);
     /** Clear database restrictions. */
141  void clear_db();
     /** Return if restrictions are empty or not. */
142  bool is_empty() const;
143 
144  private:
145  /** Database restrictions */
147 };
148 
149 /**
150  Factory class that solely creates an object of type Restrictions_aggregator.
151 
152  - The concrete implementations of Restrictions_aggregator cannot be created
153  directly since their constructors are private. This class is declared as
154  friend in those concrete implementations.
155  - It also records the CURRENT_USER in the binlog so that partial_revokes can
156  be executed on the slave in the context of the current user.
157 */
159  public:
     /**
      A factory method that creates objects from the Restrictions_aggregator
      hierarchy. The result is owned by the caller through std::unique_ptr.
      NOTE(review): whether an empty pointer can be returned (for example when
      no aggregation is required) is not visible in this header; callers
      should test the result before dereferencing - confirm.
     */
160  static std::unique_ptr<Restrictions_aggregator> create(
161  THD *thd, const ACL_USER *acl_user, const char *db, const ulong rights,
162  bool is_grant_revoke_all_on_db);
163 
     /**
      Overload that receives grantor/grantee identities, access values and
      restriction lists explicitly instead of a THD and an ACL_USER.
      NOTE(review): db_map is a raw non-const pointer; its nullability and
      required lifetime are not stated here - confirm.
     */
164  static std::unique_ptr<Restrictions_aggregator> create(
165  const Auth_id &grantor, const Auth_id &grantee,
166  const ulong grantor_access, const ulong grantee_access,
167  const DB_restrictions &grantor_restrictions,
168  const DB_restrictions &grantee_restrictions, const ulong required_access,
169  Db_access_map *db_map);
170 
171  private:
     /** Returns the grantor user name and host id. */
172  static Auth_id fetch_grantor(const Security_context *sctx);
     /** Returns the grantee's user name and host info. */
173  static Auth_id fetch_grantee(const ACL_USER *acl_user);
     /** Returns the privileges granted on the DB to the grantor. */
174  static ulong fetch_grantor_db_access(THD *thd, const char *db);
     /** Returns the privileges granted on the DB to the grantee. */
175  static ulong fetch_grantee_db_access(THD *thd, const ACL_USER *acl_user,
176  const char *db);
     /**
      Returns the grantor's privileges and restrictions through the
      global_access and restrictions out-parameters.
     */
177  static void fetch_grantor_access(const Security_context *sctx, const char *db,
178  ulong &global_access,
179  Restrictions &restrictions);
     /**
      Grantee counterpart of fetch_grantor_access(): results are delivered
      through the access and restrictions out-parameters.
     */
180  static void fetch_grantee_access(const ACL_USER *grantee, ulong &access,
181  Restrictions &restrictions);
182 };
183 
184 /**
185  Base class to perform aggregation of two restriction lists
186 
187  Aggregation is required if all of the following requirements are met:
188  1. Partial revocation feature is enabled
189  2. GRANT/REVOKE operation
190  3. Either grantor or grantee or both have restrictions associated with them
191 
192  Task of the aggregator is to evaluate updates required for grantee's
193  restriction. Based on restrictions associated with grantor/grantee:
194  A. Add additional restrictions
195  E.g. - GRANT of a new privileges by a grantor who has restrictions for
196  privileges being granted
197  - Creation of restrictions through REVOKE
198  B. Remove some restrictions
199  E.g. - GRANT of existing privileges by a grantor without restrictions
200  - REVOKE of existing privileges
201 
202 */
204  public:
     /** Destructor. */
205  virtual ~Restrictions_aggregator();
206 
207  /* Interface methods which derived classes have to implement */
     /**
      Receives the restrictions object by non-const reference.
      NOTE(review): the meaning of the bool return is not visible in this
      header - confirm which value signals failure before relying on it.
     */
208  virtual bool generate(Abstract_restrictions &restrictions) = 0;
     /**
      Takes rights by non-const reference, so the caller's value may be
      updated.
     */
209  virtual bool find_if_require_next_level_operation(ulong &rights) const = 0;
210 
211  protected:
     /**
      Constructor. Protected, so only derived classes can call it.
      NOTE(review): grantee is taken by const value while grantor is taken by
      const reference; the extra Auth_id copy looks unintentional - confirm.
     */
212  Restrictions_aggregator(const Auth_id &grantor, const Auth_id grantee,
213  const ulong grantor_global_access,
214  const ulong grantee_global_access,
215  const ulong requested_access);
220 
222 
223  /** Grantor information */
225 
226  /** Grantee information */
228 
229  /** Global static privileges of grantor */
231 
232  /** Global static privileges of grantee */
234 
235  /** Privileges that are being granted or revoked */
237 
238  /** Internal status of aggregation process */
240 };
241 
242 /**
243  Restriction aggregator for database restrictions.
244  An umbrella class to cover common methods.
245  This is ultimately used for privilege aggregation
246  in case of GRANT/REVOKE of database level privileges.
247 */
249  public:
     /** Driver function to aggregate restriction lists. */
250  bool generate(Abstract_restrictions &restrictions) override;
251 
252  protected:
     /**
      Constructor for database level restrictions aggregator.
      NOTE(review): grantee is taken by const value while grantor is taken by
      const reference - confirm this is intended. sctx is a raw pointer whose
      nullability and lifetime are not stated in this header - confirm.
     */
254  DB_restrictions_aggregator(const Auth_id &grantor, const Auth_id grantee,
255  const ulong grantor_global_access,
256  const ulong grantee_global_access,
257  const DB_restrictions &grantor_restrictions,
258  const DB_restrictions &grantee_restrictions,
259  const ulong requested_access,
260  const Security_context *sctx);
     /** Get list of privileges that are not restricted through restriction list. */
261  bool find_if_require_next_level_operation(ulong &rights) const override;
262 
263  /* Helper methods and members for derived classes */
264 
266  const ulong grantee_db_access, const ulong grantee_restrictions,
267  const std::string &db_name) noexcept;
     /** Set privileges that need to be processed further. */
268  void set_if_db_level_operation(const ulong requested_access,
269  const ulong restrictions_mask) noexcept;
     /** Operations handled by aggregate_restrictions(). */
270  enum class SQL_OP { SET_ROLE, GLOBAL_GRANT };
     /**
      A helper method that aggregates the restrictions for global_grant and
      set_role operations.
      NOTE(review): the parameter is named m_db_map, the member-variable
      prefix used throughout this header (a member of the same name is
      declared elsewhere in it); a plain parameter name would avoid
      confusion. Nullability of the pointer is not stated - confirm.
     */
271  void aggregate_restrictions(SQL_OP sql_op, const Db_access_map *m_db_map,
272  DB_restrictions &restrictions);
     /**
      Fetches the grantee's DB access on the specified DB.
      NOTE(review): presumably consults the security context when one
      exists - confirm how a missing context is handled.
     */
273  ulong get_grantee_db_access(const std::string &db_name) const;
     /** Overload that delivers the result through the access out-parameter. */
274  void get_grantee_db_access(const std::string &db_name, ulong &access) const;
275 
276  /** Privileges that need to be checked further through DB grants */
278 
279  /** Database restrictions for grantor */
281 
282  /** Database restrictions for grantee */
284 
285  /** Security context of the current user */
287 
288  private:
     /** Validation hook; each derived aggregator supplies its own. */
289  virtual Status validate() = 0;
     /** Aggregation hook; each derived aggregator supplies its own. */
290  virtual void aggregate(DB_restrictions &restrictions) = 0;
291 };
292 
293 /**
294  Database restriction aggregator for SET ROLE statement.
295 */
297  : public DB_restrictions_aggregator {
299  const Auth_id &grantor, const Auth_id grantee,
300  const ulong grantor_global_access, const ulong grantee_global_access,
301  const DB_restrictions &grantor_restrictions,
302  const DB_restrictions &grantee_restrictions, const ulong requested_access,
303  Db_access_map *db_map);
304 
305  Status validate() override;
306  void aggregate(DB_restrictions &restrictions) override;
308 
309  private:
311 };
312 
313 /**
314  Restriction aggregator for GRANT statement for GLOBAL privileges.
315 */
317  : public DB_restrictions_aggregator {
319  const Auth_id &grantor, const Auth_id grantee,
320  const ulong grantor_global_access, const ulong grantee_global_access,
321  const DB_restrictions &grantor_restrictions,
322  const DB_restrictions &grantee_restrictions, const ulong requested_access,
323  const Security_context *sctx);
324 
325  Status validate() override;
326  void aggregate(DB_restrictions &restrictions) override;
328 };
329 
331  : public DB_restrictions_aggregator {
332  protected:
334  const Auth_id &grantor, const Auth_id grantee,
335  const ulong grantor_global_access, const ulong grantee_global_access,
336  const DB_restrictions &grantor_restrictions,
337  const DB_restrictions &grantee_restrictions, const ulong requested_access,
338  const Security_context *sctx);
340 
341  private:
342  Status validate() override;
343  void aggregate(DB_restrictions &restrictions) override;
345 };
346 
347 /**
348  Restriction aggregator for REVOKE statement over GLOBAL privileges.
349 */
353  const Auth_id &grantor, const Auth_id grantee,
354  const ulong grantor_global_access, const ulong grantee_global_access,
355  const DB_restrictions &grantor_restrictions,
356  const DB_restrictions &grantee_restrictions, const ulong requested_access,
357  const Security_context *sctx);
358  Status validate() override;
359  void aggregate(DB_restrictions &restrictions) override;
361 };
362 
363 /**
364  Restriction aggregator for GRANT statement over database privileges.
365 */
367  : public DB_restrictions_aggregator {
369  const Auth_id &grantor, const Auth_id grantee,
370  const ulong grantor_global_access, const ulong grantee_global_access,
371  const ulong grantor_db_access, const ulong grantee_db_access,
372  const DB_restrictions &grantor_restrictions,
373  const DB_restrictions &grantee_restrictions, const ulong requested_access,
374  bool is_grant_all, const std::string &db_name,
375  const Security_context *sctx);
376 
377  void aggregate(DB_restrictions &restrictions) override;
378  Status validate() override;
379 
380  /** Aggregator needs to access class members */
382 
383  /** Grantor's database privileges */
385 
386  /** Grantee's database privileges */
388 
389  /** Flag for GRANT ALL ON <db>.* TO ... */
390  const bool m_is_grant_all;
391 
392  /** Target database of GRANT */
393  const std::string m_db_name;
394 };
395 
396 /**
397  Restriction aggregator for REVOKE statement for database privileges.
398 */
400  : public DB_restrictions_aggregator {
402  const Auth_id &grantor, const Auth_id grantee,
403  const ulong grantor_global_access, const ulong grantee_global_access,
404  const ulong grantor_db_access, const ulong grantee_db_access,
405  const DB_restrictions &grantor_restrictions,
406  const DB_restrictions &grantee_restrictions, const ulong requested_access,
407  bool is_revoke_all, const std::string &db_name,
408  const Security_context *sctx);
409 
410  void aggregate(DB_restrictions &restrictions) override;
411  Status validate() override;
412 
413  /** Aggregator needs to access class members */
415 
416  /** Grantor's database privileges */
418 
419  /** Grantee's database privileges */
421 
422  /** Flag for REVOKE ALL ON <db>.* FROM ... */
423  const bool m_is_revoke_all;
424 
425  /** Target database of REVOKE */
426  const std::string m_db_name;
427 };
428 
429 #endif /* PARTIAL_REVOKES_INCLUDED */
static ulong fetch_grantee_db_access(THD *thd, const ACL_USER *acl_user, const char *db)
Returns the privileges granted on the DB to the grantee.
Definition: partial_revokes.cc:558
virtual Status validate()=0
static Auth_id fetch_grantor(const Security_context *sctx)
Returns the grantor user name and host id.
Definition: partial_revokes.cc:503
~Restrictions()
Destructor.
Definition: partial_revokes.cc:1477
Restrictions_aggregator & operator=(const Restrictions_aggregator &)=delete
const char * db_name
Definition: rules_table_service.cc:54
Class to manage MEM_ROOT.
Definition: auth_utility.h:37
Storage container for default auth ids.
Definition: auth_common.h:987
bool is_empty() const override
Status function to check if restriction list is empty.
Definition: partial_revokes.cc:304
const std::string m_db_name
Target database of REVOKE.
Definition: partial_revokes.h:426
Restriction aggregator for REVOKE statement for database privileges.
Definition: partial_revokes.h:399
const bool m_is_grant_all
Flag for GRANT ALL ON <db>.
Definition: partial_revokes.h:390
const std::string m_db_name
Target database of GRANT.
Definition: partial_revokes.h:393
const ulong m_grantee_db_access
Grantee's database privileges.
Definition: partial_revokes.h:387
virtual ~DB_restrictions() override
Destructor.
Definition: partial_revokes.cc:80
Some integer typedefs for easier portability.
Mem_root_base m_mem_root_base
MEM_ROOT manager.
Definition: partial_revokes.h:64
Status validate_if_grantee_rl_not_empty()
If grantee restrictions_list is not empty then check the following.
Definition: partial_revokes.cc:1184
virtual ~Abstract_restrictions()
Abstract restriction destructor.
Definition: partial_revokes.cc:56
void aggregate(DB_restrictions &restrictions) override
Generates DB_restrictions based on the requested access, grantor and grantee's DB_restrictions in the...
Definition: partial_revokes.cc:964
db_revocations m_restrictions
Database restrictions.
Definition: partial_revokes.h:117
void aggregate(DB_restrictions &restrictions) override
Aggregate restriction lists.
Definition: partial_revokes.cc:1340
Restriction aggregator for database restrictions.
Definition: partial_revokes.h:248
void aggregate(DB_restrictions &restrictions) override
Aggregate restriction lists.
Definition: partial_revokes.cc:1440
DB_restrictions m_grantor_rl
Database restrictions for grantor.
Definition: partial_revokes.h:280
Status m_status
Internal status of aggregation process.
Definition: partial_revokes.h:239
void aggregate(DB_restrictions &restrictions) override
Clears all the restrictions and changes the status of the object to aggregated.
Definition: partial_revokes.cc:1268
const Security_context * m_sctx
Security context of the current user.
Definition: partial_revokes.h:286
void aggregate_restrictions(SQL_OP sql_op, const Db_access_map *m_db_map, DB_restrictions &restrictions)
A helper method that aggregates the restrictions for global_grant and set_role operations since both ...
Definition: partial_revokes.cc:783
bool is_empty() const
Return if restrictions are empty or not.
Definition: partial_revokes.cc:1534
A set of THD members describing the current authenticated user.
Definition: sql_security_ctx.h:53
virtual bool find_if_require_next_level_operation(ulong &rights) const =0
void add(const std::string &db_name, const std::set< std::string > &privs)
Add given set of privileges (in string format) and add them to restriction list for given database...
Definition: partial_revokes.cc:129
size_t size() const override
Status function to get number of entries in restriction list.
Definition: partial_revokes.cc:310
Container of all restrictions for a given user.
Definition: partial_revokes.h:126
bool has_more_restrictions(const DB_restrictions &, ulong) const
Compare two restriction lists for the given privileges.
Definition: partial_revokes.cc:346
const Auth_id m_grantee
Grantee information.
Definition: partial_revokes.h:227
Abstract_restrictions(MEM_ROOT *mem_root)
Abstract restriction constructor.
Definition: partial_revokes.cc:52
const Auth_id m_grantor
Grantor information.
Definition: partial_revokes.h:224
void set_db(const DB_restrictions &db_restrictions)
Set given database restrictions.
Definition: partial_revokes.cc:1521
static void fetch_grantee_access(const ACL_USER *grantee, ulong &access, Restrictions &restrictions)
Definition: partial_revokes.cc:584
static void fetch_grantor_access(const Security_context *sctx, const char *db, ulong &global_access, Restrictions &restrictions)
Returns the privileges and restrictions:
Definition: partial_revokes.cc:575
const ulong m_grantor_global_access
Global static privileges of grantor.
Definition: partial_revokes.h:230
const ulong m_grantor_db_access
Grantor's database privileges.
Definition: partial_revokes.h:417
Status
Definition: partial_revokes.h:221
DB_restrictions & operator=(const DB_restrictions &restrictions)
Assignment operator.
Definition: partial_revokes.cc:87
void get_as_json(Json_array &restrictions_array) const
Serializer.
Definition: partial_revokes.cc:320
bool has_more_db_restrictions(const Restrictions &, ulong)
Definition: partial_revokes.cc:1512
Definition: sql_auth_cache.h:141
bool generate(Abstract_restrictions &restrictions) override
Driver function to aggregate restriction lists.
Definition: partial_revokes.cc:663
Represents a JSON array container, i.e.
Definition: json_dom.h:518
DB Restrictions representation in memory.
Definition: partial_revokes.h:80
Various macros useful for communicating with memory debuggers, such as Valgrind.
Status validate() override
Validation function for database level grant statement.
Definition: partial_revokes.cc:1310
DB_restrictions_aggregator_global_grant(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, const Security_context *sctx)
DB_restrictions_aggregator_global_grant constructor.
Definition: partial_revokes.cc:1011
void set_if_db_level_operation(const ulong requested_access, const ulong restrictions_mask) noexcept
Set privileges that need to be processed further.
Definition: partial_revokes.cc:745
void clear() override
Clear restriction list.
Definition: partial_revokes.cc:313
DB_restrictions m_grantee_rl
Database restrictions for grantee.
Definition: partial_revokes.h:283
Factory class that solely creates an object of type Restrictions_aggregator.
Definition: partial_revokes.h:158
DB_restrictions m_db_restrictions
Database restrictions.
Definition: partial_revokes.h:146
DB_restrictions(MEM_ROOT *mem_root)
DB Restrictions constructor.
Definition: partial_revokes.cc:64
virtual size_t size() const =0
Restriction aggregator for GRANT statement over database privileges.
Definition: partial_revokes.h:366
static std::unique_ptr< Restrictions_aggregator > create(THD *thd, const ACL_USER *acl_user, const char *db, const ulong rights, bool is_grant_revoke_all_on_db)
A factory method that creates objects from Restrictions_aggregator hierarchy.
Definition: partial_revokes.cc:401
DB_restrictions_aggregator_db_revoke(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const ulong grantor_db_access, const ulong grantee_db_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, bool is_revoke_all, const std::string &db_name, const Security_context *sctx)
Constructor.
Definition: partial_revokes.cc:1388
std::map< std::string, unsigned long > Db_access_map
Definition: auth_internal.h:63
ulong m_privs_not_processed
Privileges that need to be checked further through DB grants.
Definition: partial_revokes.h:277
bool check_db_access_and_restrictions_collision(const ulong grantee_db_access, const ulong grantee_restrictions, const std::string &db_name) noexcept
Check possible discrepancy between DB access being granted and existing restrictions.
Definition: partial_revokes.cc:720
#define final(a, b, c)
Definition: hash.c:109
virtual ~Restrictions_aggregator()
Destructor.
Definition: partial_revokes.cc:616
Restrictions(MEM_ROOT *mem_root)
Constructor for Restrictions.
Definition: partial_revokes.cc:1474
Db_access_map * m_db_map
Definition: partial_revokes.h:310
void aggregate(DB_restrictions &restrictions) override
Generates DB_restrictions based on the requested access, grantor and grantee's DB_restrictions in the...
Definition: partial_revokes.cc:1155
Status validate() override
Evaluates the restrictions list of grantor and grantee, as well as requested privilege.
Definition: partial_revokes.cc:939
SQL_OP
Definition: partial_revokes.h:270
Definition: partial_revokes.h:330
bool is_not_empty() const
Status function to check if restriction list is non-empty.
Definition: partial_revokes.cc:307
MEM_ROOT global_acl_memory
Definition: sql_auth_cache.cc:128
Restrictions_aggregator(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const ulong requested_access)
Constructor.
Definition: partial_revokes.cc:601
Base class to perform aggregation of two restriction lists.
Definition: partial_revokes.h:203
static MEM_ROOT mem_root
Definition: client_plugin.cc:107
Restriction aggregator for REVOKE statement over GLOBAL privileges.
Definition: partial_revokes.h:350
bool operator==(const DB_restrictions &restrictions) const
Compare the two restrictions.
Definition: partial_revokes.cc:118
Status validate() override
Validation function for database level revoke statement.
Definition: partial_revokes.cc:1407
DB_restrictions_aggregator_global_revoke(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, const Security_context *sctx)
DB_restrictions_aggregator_global_revoke constructor.
Definition: partial_revokes.cc:1094
Represents a JSON container value of type "object" (ECMA), type J_OBJECT here.
Definition: json_dom.h:367
const bool m_is_revoke_all
Flag for REVOKE ALL ON <db>.
Definition: partial_revokes.h:423
Restrictions & operator=(const Restrictions &)
Assignment operator for Restrictions.
Definition: partial_revokes.cc:1496
Status validate() override
Evaluates the restrictions list of grantor and grantee, as well as requested privilege.
Definition: partial_revokes.cc:1035
static Auth_id fetch_grantee(const ACL_USER *acl_user)
Returns the grantee's user name and host info.
Definition: partial_revokes.cc:521
Status validate() override
Evaluates the restrictions list of grantor and grantee, as well as requested privilege.
Definition: partial_revokes.cc:1117
const DB_restrictions & db() const
Get database restrictions.
Definition: partial_revokes.cc:1518
void aggregate(DB_restrictions &restrictions) override
Generates DB_restrictions based on the requested access, grantor and grantee's DB_restrictions in the...
Definition: partial_revokes.cc:1074
void add_db(const DB_restrictions &db_restrictions)
Add given database restrictions.
Definition: partial_revokes.cc:1526
virtual void aggregate(DB_restrictions &restrictions)=0
Restriction aggregator for GRANT statement for GLOBAL privileges.
Definition: partial_revokes.h:316
DB_restrictions_aggregator_db_grant(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const ulong grantor_db_access, const ulong grantee_db_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, bool is_grant_all, const std::string &db_name, const Security_context *sctx)
Constructor.
Definition: partial_revokes.cc:1291
Status validate() override
Validate restriction list for REVOKE ALL.
Definition: partial_revokes.cc:1241
virtual bool is_empty() const =0
static ulong fetch_grantor_db_access(THD *thd, const char *db)
Returns the privileges granted on the DB to the grantor.
Definition: partial_revokes.cc:540
The MEM_ROOT is a simple arena, where allocations are carved out of larger blocks.
Definition: my_alloc.h:77
ulong get_grantee_db_access(const std::string &db_name) const
Fetches the grantee's DB access on the specified DB. If security context of current user exists and ha...
Definition: partial_revokes.cc:870
db_revocations & db_restrictions()
Definition: partial_revokes.h:111
db_revocations & operator()(void)
Definition: partial_revokes.h:85
bool find(const std::string &db_name, ulong &access) const
Get restricted access information for given database.
Definition: partial_revokes.cc:294
bool find_if_require_next_level_operation(ulong &rights) const override
Get list of privileges that are not restricted through restriction list.
Definition: partial_revokes.cc:686
const ulong m_grantor_db_access
Grantor's database privileges.
Definition: partial_revokes.h:384
Database restriction aggregator for SET ROLE statement.
Definition: partial_revokes.h:296
unsigned long ulong
Definition: my_inttypes.h:48
virtual bool generate(Abstract_restrictions &restrictions)=0
DB_restrictions_aggregator(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, const Security_context *sctx)
Constructor for database level restrictions aggregator.
Definition: partial_revokes.cc:635
Abstract class for ACL restrictions.
Definition: partial_revokes.h:54
const ulong m_grantee_db_access
Grantee's database privileges.
Definition: partial_revokes.h:420
virtual void clear()=0
const ulong m_requested_access
Privileges that are being granted or revoked.
Definition: partial_revokes.h:236
This file follows Google coding style, except for the name MEM_ROOT (which is kept for historical rea...
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_class.h:778
const ulong m_grantee_global_access
Global static privileges of grantee.
Definition: partial_revokes.h:233
DB_restrictions_aggregator_global_revoke_all(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, const Security_context *sctx)
DB_restrictions_aggregator_global_revoke_all constructor.
Definition: partial_revokes.cc:1228
void clear_db()
Clear database restrictions.
Definition: partial_revokes.cc:1531
DB_restrictions_aggregator_set_role(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, Db_access_map *db_map)
DB_restrictions_aggregator_set_role constructor.
Definition: partial_revokes.cc:914