1 /* Copyright (c) 2018, 2020, Oracle and/or its affiliates.
2 
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License, version 2.0,
5 as published by the Free Software Foundation.
6 
7 This program is also distributed with certain software (including
8 but not limited to OpenSSL) that is licensed under separate terms,
9 as designated in a particular file or component or in included license
10 documentation. The authors of MySQL hereby grant you an additional
11 permission to link the program and your derivative works with the
12 separately licensed software that they have included with MySQL.
13 
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License, version 2.0, for more details.
18 
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22 
23 #ifndef PARTIAL_REVOKES_INCLUDED
24 #define PARTIAL_REVOKES_INCLUDED
25 
26 #include <map>
27 #include <memory>
28 #include <set>
29 
30 #include "map_helpers.h"
31 #include "memory_debugging.h"
32 #include "my_alloc.h"
33 #include "my_inttypes.h"
34 #include "my_sqlcommand.h"
35 #include "sql/auth/auth_common.h"
36 #include "sql/auth/auth_utility.h"
37 #include "sql/mem_root_allocator.h"
38 
39 // Forward declarations
40 class THD;
41 class ACL_USER;
42 class Json_array;
43 class Json_object;
46 
47 // Alias declarations
49 using Db_access_map = std::map<std::string, unsigned long>;
50 
51 /**
52  Abstract class for ACL restrictions.
53 */
55  public:
57  virtual ~Abstract_restrictions();
58  virtual bool is_empty() const = 0;
59  virtual size_t size() const = 0;
60  virtual void clear() = 0;
61 
62  protected:
63  /** MEM_ROOT manager */
65 };
66 
67 /**
68  DB Restrictions representation in memory.
69  It uses a MEM_ROOT-based, collation-aware map to store the
70  (<dbname>, <restricted_access>) mapping.
71 
72  Each object created in the MEM_ROOT has to be destroyed manually;
73  this is the responsibility of the client that created the objects.
74 
75  It also provides functions to:
76  - Manage DB restrictions
77  - Report status
78  - Transform in-memory DB restrictions
79 */
81  public:
83  virtual ~DB_restrictions() override;
84 
/** Mutable access to the restrictions map; forwards to db_restrictions(). */
85  db_revocations &operator()(void) { return db_restrictions(); }
86  DB_restrictions(const DB_restrictions &restrictions);
87  DB_restrictions(DB_restrictions &&restrictions) = delete;
88  DB_restrictions &operator=(const DB_restrictions &restrictions);
89  DB_restrictions &operator=(DB_restrictions &&restrictions);
90  bool operator==(const DB_restrictions &restrictions) const;
91  void add(const std::string &db_name, const ulong revoke_privs);
92  void add(const DB_restrictions &restrictions);
93  bool add(const Json_object &json_object);
94 
95  void remove(const std::string &db_name, const ulong revoke_privs);
96  void remove(const ulong revoke_privs);
97 
98  bool find(const std::string &db_name, ulong &access) const;
99  bool is_empty() const override;
100  bool is_not_empty() const;
101  size_t size() const override;
102  void clear() override;
103  void get_as_json(Json_array &restrictions_array) const;
/** Read-only view of the underlying restrictions map (m_restrictions). */
104  const db_revocations &get() const { return m_restrictions; }
105  bool has_more_restrictions(const DB_restrictions &, ulong) const;
106 
107  private:
109  void remove(const ulong remove_restrictions,
110  ulong &restrictions_mask) const noexcept;
111 
112  private:
113  /** Database restrictions */
115 };
116 
117 /**
118  Container of all restrictions for a given user.
119 
120  Each object created in the MEM_ROOT has to be destroyed manually;
121  this is the responsibility of the client that created the objects.
122 */
124  public:
125  explicit Restrictions(MEM_ROOT *mem_root);
126 
127  Restrictions(const Restrictions &);
129  Restrictions &operator=(const Restrictions &);
130  Restrictions &operator=(Restrictions &&);
131  bool has_more_db_restrictions(const Restrictions &, ulong);
132 
133  ~Restrictions();
134 
135  const DB_restrictions &db() const;
136  void set_db(const DB_restrictions &db_restrictions);
137  void clear_db();
138  bool is_empty() const;
139 
140  private:
141  /** Database restrictions */
143 };
144 
145 /**
146  Factory class that solely creates an object of type Restrictions_aggregator.
147 
148  - The concrete implementations of Restrictions_aggregator cannot be created
149  directly since their constructors are private. This class is declared as a
150  friend in those concrete implementations.
151  - It also records the CURRENT_USER in the binlog so that partial revokes can
152  be executed on the slave with the context of the current user.
153 */
155  public:
156  static std::unique_ptr<Restrictions_aggregator> create(
157  THD *thd, const ACL_USER *acl_user, const char *db, const ulong rights,
158  bool is_grant_revoke_all_on_db);
159 
160  static std::unique_ptr<Restrictions_aggregator> create(
161  const Auth_id &grantor, const Auth_id &grantee,
162  const ulong grantor_access, const ulong grantee_access,
163  const DB_restrictions &grantor_restrictions,
164  const DB_restrictions &grantee_restrictions, const ulong required_access,
165  Db_access_map *db_map);
166 
167  private:
168  static Auth_id fetch_grantor(const Security_context *sctx);
169  static Auth_id fetch_grantee(const ACL_USER *acl_user);
170  static ulong fetch_grantor_db_access(THD *thd, const char *db);
171  static ulong fetch_grantee_db_access(THD *thd, const ACL_USER *acl_user,
172  const char *db);
173  static void fetch_grantor_access(const Security_context *sctx, const char *db,
174  ulong &global_access,
175  Restrictions &restrictions);
176  static void fetch_grantee_access(const ACL_USER *grantee, ulong &access,
177  Restrictions &restrictions);
178 };
179 
180 /**
181  Base class to perform aggregation of two restriction lists
182 
183  Aggregation is required if all of the following requirements are met:
184  1. Partial revocation feature is enabled
185  2. GRANT/REVOKE operation
186  3. Either grantor or grantee or both have restrictions associated with them
187 
188  The task of the aggregator is to evaluate the updates required to the grantee's
189  restrictions. Based on the restrictions associated with grantor/grantee:
190  A. Add additional restrictions
191  E.g. - GRANT of new privileges by a grantor who has restrictions on the
192  privileges being granted
193  - Creation of restrictions through REVOKE
194  B. Remove some restrictions
195  E.g. - GRANT of existing privileges by a grantor without restrictions
196  - REVOKE of existing privileges
197 
198 */
200  public:
201  virtual ~Restrictions_aggregator();
202 
203  /* interface methods which derived classes have to implement */
204  virtual bool generate(Abstract_restrictions &restrictions) = 0;
205  virtual bool find_if_require_next_level_operation(ulong &rights) const = 0;
206 
207  protected:
208  Restrictions_aggregator(const Auth_id &grantor, const Auth_id grantee,
209  const ulong grantor_global_access,
210  const ulong grantee_global_access,
211  const ulong requested_access);
213  Restrictions_aggregator &operator=(const Restrictions_aggregator &) = delete;
215  Restrictions_aggregator &operator=(const Restrictions_aggregator &&) = delete;
216 
217  enum class Status { Error, Warning, Validated, Aggregated, No_op };
218 
219  /** Grantor information */
221 
222  /** Grantee information */
224 
225  /** Global static privileges of grantor */
227 
228  /** Global static privileges of grantee */
230 
231  /** Privileges that are being granted or revoked */
232  const ulong m_requested_access;
233 
234  /** Internal status of aggregation process */
236 };
237 
238 /**
239  Restriction aggregator for database restrictions.
240  An umbrella class to cover the common methods.
241  It is ultimately used for privilege aggregation
242  in case of GRANT/REVOKE of database-level privileges.
243 */
245  public:
246  bool generate(Abstract_restrictions &restrictions) override;
247 
248  protected:
250  DB_restrictions_aggregator(const Auth_id &grantor, const Auth_id grantee,
251  const ulong grantor_global_access,
252  const ulong grantee_global_access,
253  const DB_restrictions &grantor_restrictions,
254  const DB_restrictions &grantee_restrictions,
255  const ulong requested_access,
256  const Security_context *sctx);
257  bool find_if_require_next_level_operation(ulong &rights) const override;
258 
259  /* Helper methods and members for derived classes */
260 
261  bool check_db_access_and_restrictions_collision(
262  const ulong grantee_db_access, const ulong grantee_restrictions,
263  const std::string &db_name) noexcept;
264  void set_if_db_level_operation(const ulong requested_access,
265  const ulong restrictions_mask) noexcept;
266  enum class SQL_OP { SET_ROLE, GLOBAL_GRANT };
267  void aggregate_restrictions(SQL_OP sql_op, const Db_access_map *m_db_map,
268  DB_restrictions &restrictions);
269  ulong get_grantee_db_access(const std::string &db_name) const;
270  void get_grantee_db_access(const std::string &db_name, ulong &access) const;
271 
272  /** Privileges that need to be checked further through DB grants */
273  ulong m_privs_not_processed = 0;
274 
275  /** Database restrictions for grantor */
277 
278  /** Database restrictions for grantee */
280 
281  /** Security context of the current user */
283 
284  private:
285  virtual Status validate() = 0;
286  virtual void aggregate(DB_restrictions &restrictions) = 0;
287 };
288 
289 /**
290  Database restriction aggregator for SET ROLE statement.
291 */
293  : public DB_restrictions_aggregator {
295  const Auth_id &grantor, const Auth_id grantee,
296  const ulong grantor_global_access, const ulong grantee_global_access,
297  const DB_restrictions &grantor_restrictions,
298  const DB_restrictions &grantee_restrictions, const ulong requested_access,
299  Db_access_map *db_map);
300 
301  Status validate() override;
302  void aggregate(DB_restrictions &db_restrictions) override;
304 
305  private:
307 };
308 
309 /**
310  Restriction aggregator for GRANT statement for GLOBAL privileges.
311 */
313  : public DB_restrictions_aggregator {
315  const Auth_id &grantor, const Auth_id grantee,
316  const ulong grantor_global_access, const ulong grantee_global_access,
317  const DB_restrictions &grantor_restrictions,
318  const DB_restrictions &grantee_restrictions, const ulong requested_access,
319  const Security_context *sctx);
320 
321  Status validate() override;
322  void aggregate(DB_restrictions &restrictions) override;
324 };
325 
327  : public DB_restrictions_aggregator {
328  protected:
330  const Auth_id &grantor, const Auth_id grantee,
331  const ulong grantor_global_access, const ulong grantee_global_access,
332  const DB_restrictions &grantor_restrictions,
333  const DB_restrictions &grantee_restrictions, const ulong requested_access,
334  const Security_context *sctx);
335  Status validate_if_grantee_rl_not_empty();
336 
337  private:
338  Status validate() override;
339  void aggregate(DB_restrictions &restrictions) override;
341 };
342 
343 /**
344  Restriction aggregator for REVOKE statement over GLOBAL privileges.
345 */
349  const Auth_id &grantor, const Auth_id grantee,
350  const ulong grantor_global_access, const ulong grantee_global_access,
351  const DB_restrictions &grantor_restrictions,
352  const DB_restrictions &grantee_restrictions, const ulong requested_access,
353  const Security_context *sctx);
354  Status validate() override;
355  void aggregate(DB_restrictions &restrictions) override;
357 };
358 
359 /**
360  Restriction aggregator for GRANT statement over database privileges.
361 */
363  : public DB_restrictions_aggregator {
365  const Auth_id &grantor, const Auth_id grantee,
366  const ulong grantor_global_access, const ulong grantee_global_access,
367  const ulong grantor_db_access, const ulong grantee_db_access,
368  const DB_restrictions &grantor_restrictions,
369  const DB_restrictions &grantee_restrictions, const ulong requested_access,
370  bool is_grant_all, const std::string &db_name,
371  const Security_context *sctx);
372 
373  void aggregate(DB_restrictions &restrictions) override;
374  Status validate() override;
375 
376  /** Aggregator needs to access class members */
378 
379  /** Grantor's database privileges */
380  const ulong m_grantor_db_access;
381 
382  /** Grantee's database privileges */
383  const ulong m_grantee_db_access;
384 
385  /** Flag for GRANT ALL ON <db>.* TO ... */
386  const bool m_is_grant_all;
387 
388  /** Target database of GRANT */
389  const std::string m_db_name;
390 };
391 
392 /**
393  Restriction aggregator for REVOKE statement for database privileges.
394 */
396  : public DB_restrictions_aggregator {
398  const Auth_id &grantor, const Auth_id grantee,
399  const ulong grantor_global_access, const ulong grantee_global_access,
400  const ulong grantor_db_access, const ulong grantee_db_access,
401  const DB_restrictions &grantor_restrictions,
402  const DB_restrictions &grantee_restrictions, const ulong requested_access,
403  bool is_revoke_all, const std::string &db_name,
404  const Security_context *sctx);
405 
406  void aggregate(DB_restrictions &restrictions) override;
407  Status validate() override;
408 
409  /** Aggregator needs to access class members */
411 
412  /** Grantor's database privileges */
413  const ulong m_grantor_db_access;
414 
415  /** Grantee's database privileges */
416  const ulong m_grantee_db_access;
417 
418  /** Flag for REVOKE ALL ON <db>.* FROM ... */
419  const bool m_is_revoke_all;
420 
421  /** Target database of REVOKE */
422  const std::string m_db_name;
423 };
424 
425 #endif /* PARTIAL_REVOKES_INCLUDED */