23#ifndef PARTIAL_REVOKES_INCLUDED
24#define PARTIAL_REVOKES_INCLUDED
29#include <unordered_map>
57 virtual size_t size()
const = 0;
92 void add(
const std::string &
db_name,
const ulong revoke_privs);
96 void remove(
const std::string &
db_name,
const ulong revoke_privs);
97 void remove(
const ulong revoke_privs);
99 bool find(
const std::string &
db_name, ulong &access)
const;
101 size_t size()
const override;
102 void clear()
override;
109 void remove(
const ulong remove_restrictions,
110 ulong &restrictions_mask)
const noexcept;
187 static std::unique_ptr<Restrictions_aggregator>
create(
188 THD *thd,
const ACL_USER *acl_user,
const char *db,
const ulong rights,
189 bool is_grant_revoke_all_on_db);
191 static std::unique_ptr<Restrictions_aggregator>
create(
193 const ulong grantor_access,
const ulong grantee_access,
195 const DB_restrictions &grantee_restrictions,
const ulong required_access,
205 ulong &global_access,
240 const ulong grantor_global_access,
241 const ulong grantee_global_access,
242 const ulong requested_access);
282 const ulong grantor_global_access,
283 const ulong grantee_global_access,
286 const ulong requested_access,
293 const ulong grantee_db_access,
const ulong grantee_restrictions,
294 const std::string &
db_name)
noexcept;
296 const ulong restrictions_mask)
noexcept;
327 const ulong grantor_global_access,
const ulong grantee_global_access,
329 const DB_restrictions &grantee_restrictions,
const ulong requested_access,
347 const ulong grantor_global_access,
const ulong grantee_global_access,
349 const DB_restrictions &grantee_restrictions,
const ulong requested_access,
362 const ulong grantor_global_access,
const ulong grantee_global_access,
364 const DB_restrictions &grantee_restrictions,
const ulong requested_access,
381 const ulong grantor_global_access,
const ulong grantee_global_access,
383 const DB_restrictions &grantee_restrictions,
const ulong requested_access,
397 const ulong grantor_global_access,
const ulong grantee_global_access,
398 const ulong grantor_db_access,
const ulong grantee_db_access,
400 const DB_restrictions &grantee_restrictions,
const ulong requested_access,
401 bool is_grant_all,
const std::string &
db_name,
430 const ulong grantor_global_access,
const ulong grantee_global_access,
431 const ulong grantor_db_access,
const ulong grantee_db_access,
433 const DB_restrictions &grantee_restrictions,
const ulong requested_access,
434 bool is_revoke_all,
const std::string &
db_name,
std::map< std::string, unsigned long > Db_access_map
Definition: auth_internal.h:65
Definition: sql_auth_cache.h:245
Abstract class for ACL restrictions.
Definition: partial_revokes.h:52
virtual bool is_empty() const =0
virtual ~Abstract_restrictions()
Abstract restriction destructor.
virtual size_t size() const =0
Abstract_restrictions()
Abstract restriction constructor.
Storage container for default auth ids.
Definition: auth_common.h:1065
Restriction aggregator for GRANT statement over database privileges.
Definition: partial_revokes.h:394
Status validate() override
Validation function for database level grant statement.
Definition: partial_revokes.cc:1292
const std::string m_db_name
Target database of GRANT.
Definition: partial_revokes.h:420
void aggregate(DB_restrictions &restrictions) override
Aggregate restriction lists.
Definition: partial_revokes.cc:1322
const ulong m_grantor_db_access
Grantor's database privileges.
Definition: partial_revokes.h:411
const ulong m_grantee_db_access
Grantee's database privileges.
Definition: partial_revokes.h:414
DB_restrictions_aggregator_db_grant(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const ulong grantor_db_access, const ulong grantee_db_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, bool is_grant_all, const std::string &db_name, const Security_context *sctx)
Constructor.
Definition: partial_revokes.cc:1273
const bool m_is_grant_all
Flag for GRANT ALL ON <db>.
Definition: partial_revokes.h:417
Restriction aggregator for REVOKE statement for database privileges.
Definition: partial_revokes.h:427
const ulong m_grantee_db_access
Grantee's database privileges.
Definition: partial_revokes.h:447
Status validate() override
Validation function for database level revoke statement.
Definition: partial_revokes.cc:1389
const ulong m_grantor_db_access
Grantor's database privileges.
Definition: partial_revokes.h:444
const std::string m_db_name
Target database of REVOKE.
Definition: partial_revokes.h:453
void aggregate(DB_restrictions &restrictions) override
Aggregate restriction lists.
Definition: partial_revokes.cc:1422
DB_restrictions_aggregator_db_revoke(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const ulong grantor_db_access, const ulong grantee_db_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, bool is_revoke_all, const std::string &db_name, const Security_context *sctx)
Constructor.
Definition: partial_revokes.cc:1370
const bool m_is_revoke_all
Flag for GRANT ALL ON <db>.
Definition: partial_revokes.h:450
Restriction aggregator for GRANT statement for GLOBAL privileges.
Definition: partial_revokes.h:344
void aggregate(DB_restrictions &restrictions) override
Generates DB_restrictions based on the requested access, grantor and grantee's DB_restrictions in the...
Definition: partial_revokes.cc:1065
DB_restrictions_aggregator_global_grant(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, const Security_context *sctx)
DB_restrictions_aggregator_global_grant constructor.
Definition: partial_revokes.cc:1001
Status validate() override
Evaluates the restrictions list of grantor and grantee, as well as requested privilege.
Definition: partial_revokes.cc:1024
Restriction aggregator for REVOKE statement over GLOBAL privileges.
Definition: partial_revokes.h:378
void aggregate(DB_restrictions &restrictions) override
Clear all the restrictions and changes the status of object to aggregated.
Definition: partial_revokes.cc:1250
Status validate() override
Validate restriction list for REVOKE ALL.
Definition: partial_revokes.cc:1223
DB_restrictions_aggregator_global_revoke_all(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, const Security_context *sctx)
DB_restrictions_aggregator_global_revoke_all constructor.
Definition: partial_revokes.cc:1210
Definition: partial_revokes.h:358
Status validate_if_grantee_rl_not_empty()
If grantee restrictions_list is not empty then check the following.
Definition: partial_revokes.cc:1166
DB_restrictions_aggregator_global_revoke(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, const Security_context *sctx)
DB_restrictions_aggregator_global_revoke constructor.
Definition: partial_revokes.cc:1085
Status validate() override
Evaluates the restrictions list of grantor and grantee, as well as requested privilege.
Definition: partial_revokes.cc:1107
void aggregate(DB_restrictions &restrictions) override
Definition: partial_revokes.cc:1142
Database restriction aggregator for SET ROLE statement.
Definition: partial_revokes.h:324
DB_restrictions_aggregator_set_role(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, Db_access_map *db_map)
DB_restrictions_aggregator_set_role constructor.
Definition: partial_revokes.cc:905
void aggregate(DB_restrictions &db_restrictions) override
Generates DB_restrictions based on the requested access, grantor and grantee's DB_restrictions in the...
Definition: partial_revokes.cc:954
Status validate() override
Evaluates the restrictions list of grantor and grantee, as well as requested privilege.
Definition: partial_revokes.cc:929
Db_access_map * m_db_map
Definition: partial_revokes.h:337
Restriction aggregator for database restrictions.
Definition: partial_revokes.h:275
void aggregate_restrictions(SQL_OP sql_op, const Db_access_map *m_db_map, DB_restrictions &restrictions)
A helper method that aggregates the restrictions for global_grant and set_role operations since both ...
Definition: partial_revokes.cc:750
bool find_if_require_next_level_operation(ulong &rights) const override
Get list of privileges that are not restricted through restriction list.
Definition: partial_revokes.cc:653
virtual Status validate()=0
void set_if_db_level_operation(const ulong requested_access, const ulong restrictions_mask) noexcept
Set privileges that needs to be processed further.
Definition: partial_revokes.cc:712
DB_restrictions m_grantee_rl
Database restrictions for grantee.
Definition: partial_revokes.h:310
DB_restrictions m_grantor_rl
Database restrictions for grantor.
Definition: partial_revokes.h:307
virtual void aggregate(DB_restrictions &restrictions)=0
const Security_context * m_sctx
Security context of the current user.
Definition: partial_revokes.h:313
bool check_db_access_and_restrictions_collision(const ulong grantee_db_access, const ulong grantee_restrictions, const std::string &db_name) noexcept
Check possible descrepancy between DB access being granted and existing restrictions.
Definition: partial_revokes.cc:687
ulong m_privs_not_processed
Privileges that needs to be checked further through DB grants.
Definition: partial_revokes.h:304
SQL_OP
Definition: partial_revokes.h:297
ulong get_grantee_db_access(const std::string &db_name) const
Fetches the grantee's DB access on the specified DB If security context of current user exists and ha...
Definition: partial_revokes.cc:867
bool generate(Abstract_restrictions &restrictions) override
Driver function to aggregate restriction lists.
Definition: partial_revokes.cc:630
DB_restrictions_aggregator(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const DB_restrictions &grantor_restrictions, const DB_restrictions &grantee_restrictions, const ulong requested_access, const Security_context *sctx)
Constructor for database level restrictions aggregator.
Definition: partial_revokes.cc:602
DB Restrictions representation in memory.
Definition: partial_revokes.h:81
const db_revocations & get() const
Definition: partial_revokes.h:124
bool has_more_restrictions(const DB_restrictions &, ulong) const
Compare is two restriction list for given privileges.
Definition: partial_revokes.cc:320
void get_as_json(Json_array &restrictions_array) const
Serializer.
Definition: partial_revokes.cc:293
void clear() override
Clear restriction list.
Definition: partial_revokes.cc:283
void remove(const std::string &db_name, const ulong revoke_privs)
Remove given set of privilegs for a database from restriction list.
Definition: partial_revokes.cc:202
size_t size() const override
Status function to get number of entries in restriction list.
Definition: partial_revokes.cc:277
void add(const std::string &db_name, const ulong revoke_privs)
Add given privileges as restricted for the database.
Definition: partial_revokes.cc:117
DB_restrictions & operator=(const DB_restrictions &restrictions)
Assignment operator.
Definition: partial_revokes.cc:76
bool find(const std::string &db_name, ulong &access) const
Get restricted access information for given database.
Definition: partial_revokes.cc:256
bool is_empty() const override
Status function to check if restriction list is empty.
Definition: partial_revokes.cc:272
void copy_restrictions(const DB_restrictions &other)
Definition: partial_revokes.h:141
DB_restrictions()
DB Restrictions constructor.
Definition: partial_revokes.cc:57
db_revocations * m_restrictions
Database restrictions.
Definition: partial_revokes.h:121
db_revocations * create_restrictions_if_needed()
Definition: partial_revokes.h:129
DB_restrictions(DB_restrictions &&restrictions)=delete
db_revocations & db_restrictions()
Definition: partial_revokes.h:136
~DB_restrictions() override
Destructor.
Definition: partial_revokes.cc:69
db_revocations & operator()(void)
Definition: partial_revokes.h:86
bool operator==(const DB_restrictions &restrictions) const
Compare the two restrictions.
Definition: partial_revokes.cc:105
Represents a JSON array container, i.e.
Definition: json_dom.h:514
Represents a JSON container value of type "object" (ECMA), type J_OBJECT here.
Definition: json_dom.h:367
Factory class that solely creates an object of type Restrictions_aggregator.
Definition: partial_revokes.h:185
static void fetch_grantee_access(const ACL_USER *grantee, ulong &access, Restrictions &restrictions)
Definition: partial_revokes.cc:551
static ulong fetch_grantee_db_access(THD *thd, const ACL_USER *acl_user, const char *db)
Returns the privileges granted on the DB to the grantee.
Definition: partial_revokes.cc:528
static std::unique_ptr< Restrictions_aggregator > create(THD *thd, const ACL_USER *acl_user, const char *db, const ulong rights, bool is_grant_revoke_all_on_db)
A factory method that creates objects from Restrictions_aggregator hierarchy.
Definition: partial_revokes.cc:374
static ulong fetch_grantor_db_access(THD *thd, const char *db)
Returns the privileges granted on the DB to the grantor.
Definition: partial_revokes.cc:511
static Auth_id fetch_grantee(const ACL_USER *acl_user)
Returns the grantee's user name and host info.
Definition: partial_revokes.cc:492
static void fetch_grantor_access(const Security_context *sctx, const char *db, ulong &global_access, Restrictions &restrictions)
Returns the privileges and restrictions:
Definition: partial_revokes.cc:542
static Auth_id fetch_grantor(const Security_context *sctx)
Returns the grantor user name and host id.
Definition: partial_revokes.cc:475
Base class to perform aggregation of two restriction lists.
Definition: partial_revokes.h:230
Restrictions_aggregator(const Restrictions_aggregator &&)=delete
Restrictions_aggregator & operator=(const Restrictions_aggregator &)=delete
virtual ~Restrictions_aggregator()
Destructor.
const ulong m_grantor_global_access
Global static privileges of grantor.
Definition: partial_revokes.h:257
virtual bool find_if_require_next_level_operation(ulong &rights) const =0
const ulong m_grantee_global_access
Global static privileges of grantee.
Definition: partial_revokes.h:260
const ulong m_requested_access
Privileges that are being granted or revoked.
Definition: partial_revokes.h:263
Restrictions_aggregator(const Restrictions_aggregator &)=delete
Status m_status
Internal status of aggregation process.
Definition: partial_revokes.h:266
Restrictions_aggregator & operator=(const Restrictions_aggregator &&)=delete
virtual bool generate(Abstract_restrictions &restrictions)=0
Restrictions_aggregator(const Auth_id &grantor, const Auth_id grantee, const ulong grantor_global_access, const ulong grantee_global_access, const ulong requested_access)
Constructor.
Definition: partial_revokes.cc:568
const Auth_id m_grantee
Grantee information.
Definition: partial_revokes.h:254
const Auth_id m_grantor
Grantor information.
Definition: partial_revokes.h:251
Status
Definition: partial_revokes.h:248
Container of all restrictions for a given user.
Definition: partial_revokes.h:154
bool has_more_db_restrictions(const Restrictions &, ulong)
Definition: partial_revokes.cc:1482
Restrictions & operator=(const Restrictions &)
Assignment operator for Restrictions.
Definition: partial_revokes.cc:1466
void set_db(const DB_restrictions &db_restrictions)
Set given database restrictions.
Definition: partial_revokes.cc:1491
~Restrictions()
Destructor.
Definition: partial_revokes.cc:1457
Restrictions()
Constructor for Restrictions.
Definition: partial_revokes.cc:1454
void clear_db()
Clear database restrictions.
Definition: partial_revokes.cc:1496
const DB_restrictions & db() const
Get database restrictions.
Definition: partial_revokes.cc:1488
Restrictions(const Restrictions &)=default
DB_restrictions m_db_restrictions
Database restrictions.
Definition: partial_revokes.h:173
bool is_empty() const
Return if restrictions are empty or not.
Definition: partial_revokes.cc:1499
A set of THD members describing the current authenticated user.
Definition: sql_security_ctx.h:52
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_lexer_thd.h:35
Various macros useful for communicating with memory debuggers, such as Valgrind.
Some integer typedefs for easier portability.
const char * db_name
Definition: rules_table_service.cc:54
std::unordered_map< std::string, ulong > db_revocations
Definition: partial_revokes.h:46