MySQL 8.3.0
Source Code Documentation
sql_auth_cache.cc File Reference
#include "sql/auth/sql_auth_cache.h"
#include <stdarg.h>
#include <boost/graph/properties.hpp>
#include <memory>
#include <new>
#include "m_string.h"
#include "mutex_lock.h"
#include "my_base.h"
#include "my_compiler.h"
#include "my_dbug.h"
#include "my_macros.h"
#include "mysql/components/services/bits/psi_bits.h"
#include "mysql/components/services/bits/psi_mutex_bits.h"
#include "mysql/components/services/log_builtins.h"
#include "mysql/my_loglevel.h"
#include "mysql/plugin.h"
#include "mysql/plugin_audit.h"
#include "mysql/plugin_auth.h"
#include "mysql/psi/mysql_mutex.h"
#include "mysql/service_mysql_alloc.h"
#include "mysql/strings/m_ctype.h"
#include "mysqld_error.h"
#include "prealloced_array.h"
#include "sql/auth/auth_acls.h"
#include "sql/auth/auth_common.h"
#include "sql/auth/auth_internal.h"
#include "sql/auth/auth_utility.h"
#include "sql/auth/dynamic_privilege_table.h"
#include "sql/auth/sql_authentication.h"
#include "sql/auth/sql_security_ctx.h"
#include "sql/auth/sql_user_table.h"
#include "sql/auth/user_table.h"
#include "sql/current_thd.h"
#include "sql/debug_sync.h"
#include "sql/error_handler.h"
#include "sql/field.h"
#include "sql/handler.h"
#include "sql/iterators/row_iterator.h"
#include "sql/key.h"
#include "sql/mdl.h"
#include "sql/mysqld.h"
#include "sql/psi_memory_key.h"
#include "sql/set_var.h"
#include "sql/sql_audit.h"
#include "sql/sql_base.h"
#include "sql/sql_class.h"
#include "sql/sql_const.h"
#include "sql/sql_error.h"
#include "sql/sql_executor.h"
#include "sql/sql_lex.h"
#include "sql/sql_plugin.h"
#include "sql/sql_plugin_ref.h"
#include "sql/ssl_acceptor_context_operator.h"
#include "sql/system_variables.h"
#include "sql/table.h"
#include "sql/thd_raii.h"
#include "sql/thr_malloc.h"
#include "sql/tztime.h"
#include "sql/xa.h"
#include "sql_string.h"
#include "str2int.h"
#include "string_with_len.h"
#include "thr_lock.h"
#include "thr_mutex.h"
#include <algorithm>
#include <functional>
#include <unordered_map>
#include <utility>
#include <vector>
#include <boost/property_map/property_map.hpp>

Classes

struct  ACL_internal_schema_registry_entry
 
class  Acl_ignore_error_handler
 
struct  Free_grant_table
 
struct  Acl_hash_entry
 
class  Acl_cache_error_handler
 Internal_error_handler subclass to suppress ER_LOCK_DEADLOCK, ER_LOCK_WAIT_TIMEOUT, ER_QUERY_INTERRUPTED and ER_QUERY_TIMEOUT. More...
 
class  Release_acl_cache_locks
 

Macros

#define INVALID_DATE   "0000-00-00 00:00:00"
 
#define IP_ADDR_STRLEN   (3 + 1 + 3 + 1 + 3 + 1 + 3)
 
#define ACL_KEY_LENGTH   (IP_ADDR_STRLEN + 1 + NAME_LEN + 1 + USERNAME_LENGTH + 1)
 

Typedefs

typedef std::unordered_map< std::string, Acl_user_ptr_list, std::hash< std::string >, std::equal_to< std::string >, Acl_cache_allocator< std::pair< const std::string, Acl_user_ptr_list > > > Name_to_userlist
 A hashmap on user part of account name for quick lookup. More...
 

Functions

Acl_cacheget_global_acl_cache ()
 
ulong get_global_acl_cache_size ()
 
void init_acl_cache ()
 
bool skip_grant_tables (void)
 
static void set_username (char **user, const char *user_arg, MEM_ROOT *mem)
 Helper: Set user name. More...
 
static void set_hostname (ACL_HOST_AND_IP *host, const char *host_arg, MEM_ROOT *mem)
 Helper: Set host name. More...
 
void init_acl_memory ()
 Allocates the memory in the the global_acl_memory MEM_ROOT. More...
 
void append_auth_id (const THD *thd, ACL_USER *acl_user, String *str)
 Append the authorization id for the user. More...
 
void append_auth_id_string (const THD *thd, const char *user, size_t user_len, const char *host, size_t host_len, String *str)
 Append the user@host to the str. More...
 
int wild_case_compare (CHARSET_INFO *cs, const char *str, size_t str_len, const char *wildstr, size_t wildstr_len)
 Performs wildcard matching, aka globbing, on the input string with the given wildcard pattern, and the specified wildcard characters. More...
 
int wild_case_compare (CHARSET_INFO *cs, const char *str, const char *wildstr)
 
ulong get_sort (uint count,...)
 
bool hostname_requires_resolving (const char *hostname)
 Check if the given host name needs to be resolved or not. More...
 
void rebuild_cached_acl_users_for_name (void)
 Build the lists of ACL_USERs which share name or have no name. More...
 
Acl_user_ptr_listcached_acl_users_for_name (const char *name)
 Fetch the list of ACL_USERs which share name or have no name. More...
 
ACL_USERfind_acl_user (const char *host, const char *user, bool exact)
 
bool is_acl_user (THD *thd, const char *host, const char *user)
 
ACL_PROXY_USERacl_find_proxy_user (const char *user, const char *host, const char *ip, char *authenticated_as, bool *proxy_used)
 Validate if a user can proxy as another user. More...
 
void clear_and_init_db_cache ()
 
static void insert_entry_in_db_cache (THD *thd, acl_entry *entry)
 Insert a new entry in db_cache. More...
 
ulong acl_get (THD *thd, const char *host, const char *ip, const char *user, const char *db, bool db_is_pattern)
 Get privilege for a host, user, and db combination. More...
 
static void init_check_host (void)
 
void rebuild_check_host (void)
 
bool acl_getroot (THD *thd, Security_context *sctx, const char *user, const char *host, const char *ip, const char *db)
 
bool set_user_salt (ACL_USER *acl_user)
 Convert scrambled password to binary form, according to scramble type, Binary form is stored in user.salt. More...
 
static void validate_user_plugin_records ()
 Iterate over the user records and check for irregularities. More...
 
void notify_flush_event (THD *thd)
 Audit notification for flush. More...
 
static bool reload_roles_cache (THD *thd, Table_ref *tablelst)
 Initialize roles structures from role tables handle. More...
 
bool acl_init (bool dont_read_acl_tables)
 
void clean_user_cache ()
 
static bool acl_load (THD *thd, Table_ref *tables)
 
void free_name_to_userlist ()
 Clear second level cache on account names. More...
 
void acl_free (bool end)
 
bool check_engine_type_for_acl_table (THD *thd, bool mdl_locked)
 
bool check_acl_tables_intact (THD *thd, Table_ref *tables)
 Helper function that checks the sanity of tables object present in the Table_ref object. More...
 
bool check_acl_tables_intact (THD *thd, bool mdl_locked)
 Opens the ACL tables and checks their sanity. More...
 
bool is_expected_or_transient_error (THD *thd)
 Small helper function which allows to determine if error which caused failure to open and lock privilege tables should not be reported to error log (because this is expected or temporary condition). More...
 
bool acl_reload (THD *thd, bool mdl_locked)
 
void acl_insert_proxy_user (ACL_PROXY_USER *new_value)
 
void grant_free (void)
 
bool grant_init (bool skip_grant_tables)
 Initialize structures responsible for table/column-level privilege checking and load information for them from tables in the 'mysql' database. More...
 
static bool grant_load_procs_priv (TABLE *p_table)
 Helper function to grant_reload_procs_priv. More...
 
static bool grant_load (THD *thd, Table_ref *tables)
 Initialize structures responsible for table/column-level privilege checking and load information about grants from open privilege tables. More...
 
static bool grant_reload_procs_priv (Table_ref *table)
 Helper function to grant_reload. More...
 
bool grant_reload (THD *thd, bool mdl_locked)
 Reload information about table and column level privileges if possible. More...
 
void acl_update_user (const char *user, const char *host, enum SSL_type ssl_type, const char *ssl_cipher, const char *x509_issuer, const char *x509_subject, USER_RESOURCES *mqh, ulong privileges, const LEX_CSTRING &plugin, const LEX_CSTRING &auth, const std::string &second_auth, const MYSQL_TIME &password_change_time, const LEX_ALTER &password_life, Restrictions &restrictions, acl_table::Pod_user_what_to_update &what_to_update, uint failed_login_attempts, int password_lock_time, const I_multi_factor_auth *mfa)
 
void acl_users_add_one (const char *user, const char *host, enum SSL_type ssl_type, const char *ssl_cipher, const char *x509_issuer, const char *x509_subject, USER_RESOURCES *mqh, ulong privileges, const LEX_CSTRING &plugin, const LEX_CSTRING &auth, const LEX_CSTRING &second_auth, const MYSQL_TIME &password_change_time, const LEX_ALTER &password_life, bool add_role_vertex, Restrictions &restrictions, uint failed_login_attempts, int password_lock_time, const I_multi_factor_auth *mfa, THD *thd)
 
void acl_insert_user (THD *thd, const char *user, const char *host, enum SSL_type ssl_type, const char *ssl_cipher, const char *x509_issuer, const char *x509_subject, USER_RESOURCES *mqh, ulong privileges, const LEX_CSTRING &plugin, const LEX_CSTRING &auth, const MYSQL_TIME &password_change_time, const LEX_ALTER &password_life, Restrictions &restrictions, uint failed_login_attempts, int password_lock_time, const I_multi_factor_auth *mfa)
 
void acl_update_proxy_user (ACL_PROXY_USER *new_value, bool is_revoke)
 
void acl_update_db (const char *user, const char *host, const char *db, ulong privileges)
 
void acl_insert_db (const char *user, const char *host, const char *db, ulong privileges)
 
void get_mqh (THD *thd, const char *user, const char *host, USER_CONN *uc)
 
bool update_sctx_cache (Security_context *sctx, ACL_USER *acl_user_ptr, bool expired)
 Update the security context when updating the user. More...
 
const ucharhash_key (const uchar *el, size_t *length)
 
bool create_acl_cache_hash_key (uchar **out_key, unsigned *key_len, uint64 version, const Auth_id_ref &uid, const List_of_auth_id_refs &active_roles)
 Allocate a new cache key based on active roles, current user and global cache version. More...
 
static int cache_flusher (const uchar *ptr, void *arg)
 Utility function for removing all items from the hash. More...
 
void shutdown_acl_cache ()
 Shutdown the global Acl_cache system which was only initialized if the rwlocks were initialized. More...
 
bool assert_acl_cache_read_lock (THD *thd)
 Assert that thread owns MDL_SHARED on partition specific to the thread. More...
 
bool assert_acl_cache_write_lock (THD *thd)
 Assert that thread owns MDL_EXCLUSIVE on all partitions. More...
 
bool reload_acl_caches (THD *thd, bool mdl_locked)
 Reload all ACL caches. More...
 
bool is_partial_revoke_exists (THD *thd)
 Method to check if there exists at least one partial revokes in the cache. More...
 
bool is_acl_inited ()
 

Variables

PSI_mutex_key key_LOCK_acl_cache_flush
 
PSI_mutex_info all_acl_cache_mutexes []
 
Acl_cacheg_acl_cache = nullptr
 
Role_index_mapg_authid_to_vertex
 
Granted_roles_graphg_granted_roles
 
static ACL_internal_schema_registry_entry registry_array [2]
 Internal schema registered. More...
 
static uint m_registry_array_size = 0
 
MEM_ROOT global_acl_memory
 
MEM_ROOT memex
 
Prealloced_array< ACL_USER, ACL_PREALLOC_SIZE > * acl_users = nullptr
 
Prealloced_array< ACL_PROXY_USER, ACL_PREALLOC_SIZE > * acl_proxy_users = nullptr
 
Prealloced_array< ACL_DB, ACL_PREALLOC_SIZE > * acl_dbs = nullptr
 
Prealloced_array< ACL_HOST_AND_IP, ACL_PREALLOC_SIZE > * acl_wild_hosts = nullptr
 
Db_access_map acl_db_map
 
Default_rolesg_default_roles = nullptr
 
std::vector< Role_id > * g_mandatory_roles = nullptr
 
unique_ptr< malloc_unordered_multimap< string, unique_ptr_destroy_only< GRANT_TABLE > > > column_priv_hash
 
unique_ptr< malloc_unordered_multimap< string, unique_ptr_destroy_only< GRANT_NAME > > > proc_priv_hash
 
unique_ptr< malloc_unordered_multimap< string, unique_ptr_destroy_only< GRANT_NAME > > > func_priv_hash
 
malloc_unordered_map< std::string, unique_ptr_my_free< acl_entry > > db_cache
 
collation_unordered_map< std::string, ACL_USER * > * acl_check_hosts = nullptr
 
unique_ptr< Acl_restrictionsacl_restrictions = nullptr
 
Name_to_userlistname_to_userlist = nullptr
 
bool initialized = false
 
bool acl_cache_initialized = false
 
bool allow_all_hosts = true
 
uint grant_version = 0
 
bool validate_user_plugins = true
 controls the extra checks on plugin availability for mysql.user records More...
 
uint64 l_cache_flusher_global_version
 This global is protected by the Acl_cache::m_cache_flush_mutex and used when iterating the Acl_map hash in Acl_cache::flush_cache. More...
 
static const ulong ACL_CACHE_LOCK_TIMEOUT = 3600UL
 
static const MDL_key ACL_CACHE_KEY (MDL_key::ACL_CACHE, "", "")
 
uint32 global_password_history = 0
 Global sysvar: the number of old passwords to check in the history. More...
 
uint32 global_password_reuse_interval = 0
 Global sysvar: the number of days before a password can be reused. More...
 

Macro Definition Documentation

◆ ACL_KEY_LENGTH

#define ACL_KEY_LENGTH   (IP_ADDR_STRLEN + 1 + NAME_LEN + 1 + USERNAME_LENGTH + 1)

◆ INVALID_DATE

#define INVALID_DATE   "0000-00-00 00:00:00"

◆ IP_ADDR_STRLEN

#define IP_ADDR_STRLEN   (3 + 1 + 3 + 1 + 3 + 1 + 3)

Typedef Documentation

◆ Name_to_userlist

typedef std::unordered_map< std::string, Acl_user_ptr_list, std::hash<std::string>, std::equal_to<std::string>, Acl_cache_allocator<std::pair<const std::string, Acl_user_ptr_list> > > Name_to_userlist

A hashmap on user part of account name for quick lookup.

Function Documentation

◆ acl_find_proxy_user()

ACL_PROXY_USER * acl_find_proxy_user ( const char *  user,
const char *  host,
const char *  ip,
char *  authenticated_as,
bool *  proxy_used 
)

Validate if a user can proxy as another user.

Parameters
userthe logged in user (proxy user)
hostthe hostname part of the logged in userid
ipthe ip of the logged in userid
authenticated_asthe effective user a plugin is trying to impersonate as (proxied user)
[out]proxy_usedTrue if a proxy is found
Returns
proxy user definition
Return values
NULLproxy user definition not found or not applicable
non-nullthe proxy user data

◆ acl_free()

void acl_free ( bool  end)

◆ acl_get()

ulong acl_get ( THD thd,
const char *  host,
const char *  ip,
const char *  user,
const char *  db,
bool  db_is_pattern 
)

Get privilege for a host, user, and db combination.

NOTES 1) db_cache is not used if db_is_pattern is set. 2) This function does not take into account privileges granted via active roles. 3) This should not be used outside ACL subsystem code (sql/auth). Use check_db_level_access() instead.

Parameters
thdThread handler
hostHost name
ipIp
useruser name
dbWe look for the ACL of this database
db_is_patterntrue if db can be considered a pattern or false if not
Returns
Database ACL

◆ acl_getroot()

bool acl_getroot ( THD thd,
Security_context sctx,
const char *  user,
const char *  host,
const char *  ip,
const char *  db 
)

◆ acl_init()

bool acl_init ( bool  dont_read_acl_tables)

◆ acl_insert_db()

void acl_insert_db ( const char *  user,
const char *  host,
const char *  db,
ulong  privileges 
)

◆ acl_insert_proxy_user()

void acl_insert_proxy_user ( ACL_PROXY_USER new_value)

◆ acl_insert_user()

void acl_insert_user ( THD thd,
const char *  user,
const char *  host,
enum SSL_type  ssl_type,
const char *  ssl_cipher,
const char *  x509_issuer,
const char *  x509_subject,
USER_RESOURCES mqh,
ulong  privileges,
const LEX_CSTRING plugin,
const LEX_CSTRING auth,
const MYSQL_TIME password_change_time,
const LEX_ALTER password_life,
Restrictions restrictions,
uint  failed_login_attempts,
int  password_lock_time,
const I_multi_factor_auth mfa 
)

◆ acl_load()

static bool acl_load ( THD thd,
Table_ref tables 
)
static

◆ acl_reload()

bool acl_reload ( THD thd,
bool  mdl_locked 
)

◆ acl_update_db()

void acl_update_db ( const char *  user,
const char *  host,
const char *  db,
ulong  privileges 
)

◆ acl_update_proxy_user()

void acl_update_proxy_user ( ACL_PROXY_USER new_value,
bool  is_revoke 
)

◆ acl_update_user()

void acl_update_user ( const char *  user,
const char *  host,
enum SSL_type  ssl_type,
const char *  ssl_cipher,
const char *  x509_issuer,
const char *  x509_subject,
USER_RESOURCES mqh,
ulong  privileges,
const LEX_CSTRING plugin,
const LEX_CSTRING auth,
const std::string &  second_auth,
const MYSQL_TIME password_change_time,
const LEX_ALTER password_life,
Restrictions restrictions,
acl_table::Pod_user_what_to_update what_to_update,
uint  failed_login_attempts,
int  password_lock_time,
const I_multi_factor_auth mfa 
)

◆ acl_users_add_one()

void acl_users_add_one ( const char *  user,
const char *  host,
enum SSL_type  ssl_type,
const char *  ssl_cipher,
const char *  x509_issuer,
const char *  x509_subject,
USER_RESOURCES mqh,
ulong  privileges,
const LEX_CSTRING plugin,
const LEX_CSTRING auth,
const LEX_CSTRING second_auth,
const MYSQL_TIME password_change_time,
const LEX_ALTER password_life,
bool  add_role_vertex,
Restrictions restrictions,
uint  failed_login_attempts,
int  password_lock_time,
const I_multi_factor_auth mfa,
THD thd 
)

◆ append_auth_id()

void append_auth_id ( const THD thd,
ACL_USER acl_user,
String str 
)

Append the authorization id for the user.

Parameters
[in]thdThe THD to find the SQL mode
[in]acl_userACL User to retrieve the user information
[in,out]strThe string in which authID is suffixed

◆ append_auth_id_string()

void append_auth_id_string ( const THD thd,
const char *  user,
size_t  user_len,
const char *  host,
size_t  host_len,
String str 
)

Append the user@host to the str.

Parameters
[in]thdThe THD to find the SQL mode
[in]userUsername to append to authID
[in]user_lenLength of Username
[in]hosthostname to append to authID
[in]host_lenLength of hostname
[in,out]strThe string in which authID is suffixed

◆ assert_acl_cache_read_lock()

bool assert_acl_cache_read_lock ( THD thd)

Assert that thread owns MDL_SHARED on partition specific to the thread.

Parameters
[in]thdThread for which lock is to be checked
Returns
thread owns required lock or not
Return values
trueThread owns lock
falseThread does not own lock

◆ assert_acl_cache_write_lock()

bool assert_acl_cache_write_lock ( THD thd)

Assert that thread owns MDL_EXCLUSIVE on all partitions.

Parameters
[in]thdThread for which lock is to be checked
Returns
thread owns required lock or not
Return values
trueThread owns lock
falseThread does not own lock

◆ cache_flusher()

static int cache_flusher ( const uchar ptr,
void *  arg 
)
static

Utility function for removing all items from the hash.

Parameters
ptrA pointer to a Acl_hash_entry
argnot used
Returns
Always 0 with the intention that this causes the hash_search function to iterate every single element in the hash.

◆ cached_acl_users_for_name()

Acl_user_ptr_list * cached_acl_users_for_name ( const char *  name)

Fetch the list of ACL_USERs which share name or have no name.

Parameters
[in]nameUser entry to be searched
Returns
List of users that share same name

◆ check_acl_tables_intact() [1/2]

bool check_acl_tables_intact ( THD thd,
bool  mdl_locked 
)

Opens the ACL tables and checks their sanity.

This method reports error only if it is unable to open or lock tables. It is called in situations when server has to continue even if a corrupt table was found - For example - acl_init()

Parameters
thdHandle of current thread.
mdl_lockedMDL is locked
Return values
falseOK. true Unable to open the table(s).

◆ check_acl_tables_intact() [2/2]

bool check_acl_tables_intact ( THD thd,
Table_ref tables 
)

Helper function that checks the sanity of tables object present in the Table_ref object.

it logs a warning message when a table is missing

Parameters
thdHandle of current thread.
tablesA valid table list pointer
Return values
falseOK. true Error.

◆ check_engine_type_for_acl_table()

bool check_engine_type_for_acl_table ( THD thd,
bool  mdl_locked 
)

◆ clean_user_cache()

void clean_user_cache ( )

◆ clear_and_init_db_cache()

void clear_and_init_db_cache ( )

◆ create_acl_cache_hash_key()

bool create_acl_cache_hash_key ( uchar **  out_key,
unsigned *  key_len,
uint64  version,
const Auth_id_ref uid,
const List_of_auth_id_refs active_roles 
)

Allocate a new cache key based on active roles, current user and global cache version.

Parameters
[out]out_keyThe resulting key
[out]key_lenKey length
versionGlobal Acl_cache version
uidThe authorization ID of the current user
active_rolesThe active roles of the current user
Returns
Success state
Return values
trueOK
falseFatal error occurred.

◆ find_acl_user()

ACL_USER * find_acl_user ( const char *  host,
const char *  user,
bool  exact 
)

◆ free_name_to_userlist()

void free_name_to_userlist ( )

Clear second level cache on account names.

◆ get_global_acl_cache()

Acl_cache * get_global_acl_cache ( )

◆ get_global_acl_cache_size()

ulong get_global_acl_cache_size ( )

◆ get_mqh()

void get_mqh ( THD thd,
const char *  user,
const char *  host,
USER_CONN uc 
)

◆ get_sort()

ulong get_sort ( uint  count,
  ... 
)

◆ grant_free()

void grant_free ( void  )

◆ grant_init()

bool grant_init ( bool  skip_grant_tables)

Initialize structures responsible for table/column-level privilege checking and load information for them from tables in the 'mysql' database.

Parameters
skip_grant_tablestrue if the command line option –skip-grant-tables is specified, else false.
Returns
Error status
Return values
falseOK
trueCould not initialize grant subsystem.

◆ grant_load()

static bool grant_load ( THD thd,
Table_ref tables 
)
static

Initialize structures responsible for table/column-level privilege checking and load information about grants from open privilege tables.

Parameters
thdCurrent thread
tablesList containing open "mysql.tables_priv" and "mysql.columns_priv" tables.
See also
grant_reload
Returns
Error state
Return values
falseSuccess
trueError

◆ grant_load_procs_priv()

static bool grant_load_procs_priv ( TABLE p_table)
static

Helper function to grant_reload_procs_priv.

Reads the procs_priv table into memory hash.

Parameters
p_tableA pointer to the procs_priv table structure.
See also
grant_reload
grant_reload_procs_priv
Returns
Error state
Return values
trueAn error occurred
falseSuccess

◆ grant_reload()

bool grant_reload ( THD thd,
bool  mdl_locked 
)

Reload information about table and column level privileges if possible.

Parameters
thdCurrent thread
mdl_lockedMDL lock status - affects open/close table operations

Locked tables are checked by acl_reload() and doesn't have to be checked in this call. This function is also used for initialization of structures responsible for table/column-level privilege checking.

Returns
Error state
Return values
falseSuccess
trueError

◆ grant_reload_procs_priv()

static bool grant_reload_procs_priv ( Table_ref table)
static

Helper function to grant_reload.

Reloads procs_priv table is it exists.

Parameters
tableA pointer to the table list.
See also
grant_reload
Returns
Error state
Return values
falseSuccess
trueAn error has occurred.

◆ hash_key()

const uchar * hash_key ( const uchar el,
size_t *  length 
)

◆ hostname_requires_resolving()

bool hostname_requires_resolving ( const char *  hostname)

Check if the given host name needs to be resolved or not.

Host name has to be resolved if it actually contains name.

For example: 192.168.1.1 --> false 192.168.1.0/255.255.255.0 --> false % --> false 192.168.1.% --> false AB% --> false

AAAAFFFF --> true (Hostname) AAAA:FFFF:1234:5678 --> false ::1 --> false

This function does not check if the given string is a valid host name or not. It assumes that the argument is a valid host name.

Parameters
hostnamethe string to check.
Returns
a flag telling if the argument needs to be resolved or not.
Return values
truethe argument is a host name and needs to be resolved.
falsethe argument is either an IP address, or a patter and should not be resolved.

◆ init_acl_cache()

void init_acl_cache ( )

◆ init_acl_memory()

void init_acl_memory ( )

Allocates the memory in the the global_acl_memory MEM_ROOT.

◆ init_check_host()

static void init_check_host ( void  )
static

◆ insert_entry_in_db_cache()

static void insert_entry_in_db_cache ( THD thd,
acl_entry entry 
)
static

Insert a new entry in db_cache.

Parameters
[in]thdHandle to THD object
[in]entryEntry to be inserted in db_cache

◆ is_acl_inited()

bool is_acl_inited ( )

◆ is_acl_user()

bool is_acl_user ( THD thd,
const char *  host,
const char *  user 
)

◆ is_expected_or_transient_error()

bool is_expected_or_transient_error ( THD thd)

Small helper function which allows to determine if error which caused failure to open and lock privilege tables should not be reported to error log (because this is expected or temporary condition).

◆ is_partial_revoke_exists()

bool is_partial_revoke_exists ( THD thd)

Method to check if there exists at least one partial revokes in the cache.

If the cache is not initialized at the time of the method call then it returns no partial revokes exists.

Parameters
[in]thdTHD handle
Return values
truePartial revokes exists
falseOtherwise

◆ notify_flush_event()

void notify_flush_event ( THD thd)

Audit notification for flush.

Parameters
[in]thdHandle to THD

◆ rebuild_cached_acl_users_for_name()

void rebuild_cached_acl_users_for_name ( void  )

Build the lists of ACL_USERs which share name or have no name.

All accounts with same name will be chained so that they can be retrieved by a single lookup. These entries are sorted using ACL_compare to make sure that most specific account is picked up first. Anonymous user is added to each chain.

◆ rebuild_check_host()

void rebuild_check_host ( void  )

◆ reload_acl_caches()

bool reload_acl_caches ( THD thd,
bool  mdl_locked 
)

Reload all ACL caches.

We call this in two cases:

  1. FLUSH PRIVILEGES
  2. ACL DDL rollback
Parameters
[in]thdTHD handle
[in]mdl_lockedMDL locks are taken
Returns
Status of reloading ACL caches
Return values
falseSuccess
trueError

◆ reload_roles_cache()

static bool reload_roles_cache ( THD thd,
Table_ref tablelst 
)
static

Initialize roles structures from role tables handle.

This function is called by acl_reload and may fail to initialize role structures if handle to role_edges and/or default_roles are NUL

Parameters
[in]thdHandle to THD object
[in]tablelstHandle to Roles tables
Returns
status of cache update
Return values
falseSuccess
truefailure

◆ set_hostname()

static void set_hostname ( ACL_HOST_AND_IP host,
const char *  host_arg,
MEM_ROOT mem 
)
static

Helper: Set host name.

◆ set_user_salt()

bool set_user_salt ( ACL_USER acl_user)

Convert scrambled password to binary form, according to scramble type, Binary form is stored in user.salt.

Parameters
acl_userThe object where to store the salt

Despite the name of the function it is used when loading ACLs from disk to store the password hash in the ACL_USER object. Note that it works only for native and "old" mysql authentication built-in plugins.

Assumption : user's authentication plugin information is available.

Returns
Password hash validation
Return values
falseHash is of suitable length
trueHash is of wrong length or format

◆ set_username()

static void set_username ( char **  user,
const char *  user_arg,
MEM_ROOT mem 
)
static

Helper: Set user name.

◆ shutdown_acl_cache()

void shutdown_acl_cache ( )

Shutdown the global Acl_cache system which was only initialized if the rwlocks were initialized.

See also
acl_init()

◆ skip_grant_tables()

bool skip_grant_tables ( void  )

◆ update_sctx_cache()

bool update_sctx_cache ( Security_context sctx,
ACL_USER acl_user_ptr,
bool  expired 
)

Update the security context when updating the user.

Helper function. Update only if the security context is pointing to the same user and the user is not a proxied user for a different proxy user. And return true if the update happens (i.e. we're operating on the user account of the current user). Normalize the names for a safe compare.

Parameters
sctxThe security context to update
acl_user_ptrUser account being updated
expirednew value of the expiration flag
Returns
did the update happen ?

◆ validate_user_plugin_records()

static void validate_user_plugin_records ( )
static

Iterate over the user records and check for irregularities.

Currently this includes :

  • checking if the plugin referenced is present.
  • if there's sha256 users and there's neither SSL nor RSA configured

◆ wild_case_compare() [1/2]

int wild_case_compare ( CHARSET_INFO cs,
const char *  str,
const char *  wildstr 
)

◆ wild_case_compare() [2/2]

int wild_case_compare ( CHARSET_INFO cs,
const char *  str,
size_t  str_len,
const char *  wildstr,
size_t  wildstr_len 
)

Performs wildcard matching, aka globbing, on the input string with the given wildcard pattern, and the specified wildcard characters.

This method does case insensitive comparisons.

Parameters
[in]cscharacter set of the input string and wildcard pattern
[in]strinput which should be matched against pattern
[in]str_lenlength of the input string
[in]wildstrpattern with wildcards
[in]wildstr_lenlength of the wildcards pattern
Returns
0 if input string match with the pattern
1 otherwise

Variable Documentation

◆ acl_cache_initialized

bool acl_cache_initialized = false

◆ ACL_CACHE_KEY

const MDL_key ACL_CACHE_KEY(MDL_key::ACL_CACHE, "", "") ( MDL_key::ACL_CACHE  ,
""  ,
""   
)
static

◆ ACL_CACHE_LOCK_TIMEOUT

const ulong ACL_CACHE_LOCK_TIMEOUT = 3600UL
static

◆ acl_check_hosts

collation_unordered_map<std::string, ACL_USER *>* acl_check_hosts = nullptr

◆ acl_db_map

Db_access_map acl_db_map

◆ acl_dbs

◆ acl_proxy_users

◆ acl_restrictions

unique_ptr<Acl_restrictions> acl_restrictions = nullptr

◆ acl_users

◆ acl_wild_hosts

◆ all_acl_cache_mutexes

PSI_mutex_info all_acl_cache_mutexes[]
Initial value:
= {
{&key_LOCK_acl_cache_flush, "LOCK_acl_cache_flush", PSI_FLAG_SINGLETON, 0,
#define PSI_DOCUMENT_ME
Definition: component_common.h:28
#define PSI_FLAG_SINGLETON
Singleton flag.
Definition: component_common.h:34
PSI_mutex_key key_LOCK_acl_cache_flush
Definition: sql_auth_cache.cc:103

◆ allow_all_hosts

bool allow_all_hosts = true

◆ column_priv_hash

unique_ptr< malloc_unordered_multimap<string, unique_ptr_destroy_only<GRANT_TABLE> > > column_priv_hash

◆ db_cache

Initial value:
{
PSI_memory_key key_memory_acl_cache
Definition: psi_memory_key.cc:99

◆ func_priv_hash

unique_ptr< malloc_unordered_multimap<string, unique_ptr_destroy_only<GRANT_NAME> > > func_priv_hash

◆ g_acl_cache

Acl_cache* g_acl_cache = nullptr

◆ g_authid_to_vertex

Role_index_map* g_authid_to_vertex
extern

◆ g_default_roles

Default_roles* g_default_roles = nullptr

◆ g_granted_roles

Granted_roles_graph* g_granted_roles
extern

◆ g_mandatory_roles

std::vector<Role_id>* g_mandatory_roles = nullptr

◆ global_acl_memory

MEM_ROOT global_acl_memory

◆ global_password_history

uint32 global_password_history = 0

Global sysvar: the number of old passwords to check in the history.

◆ global_password_reuse_interval

uint32 global_password_reuse_interval = 0

Global sysvar: the number of days before a password can be reused.

◆ grant_version

uint grant_version = 0

◆ initialized

bool initialized = false

◆ key_LOCK_acl_cache_flush

PSI_mutex_key key_LOCK_acl_cache_flush

◆ l_cache_flusher_global_version

uint64 l_cache_flusher_global_version

This global is protected by the Acl_cache::m_cache_flush_mutex and used when iterating the Acl_map hash in Acl_cache::flush_cache.

See also
Acl_cache::flush_cache

◆ m_registry_array_size

uint m_registry_array_size = 0
static

◆ memex

MEM_ROOT memex

◆ name_to_userlist

Name_to_userlist* name_to_userlist = nullptr

◆ proc_priv_hash

unique_ptr< malloc_unordered_multimap<string, unique_ptr_destroy_only<GRANT_NAME> > > proc_priv_hash

◆ registry_array

ACL_internal_schema_registry_entry registry_array[2]
static

Internal schema registered.

Currently, this is only:

  • performance_schema
  • information_schema, This can be reused later for:
  • mysql

◆ validate_user_plugins

bool validate_user_plugins = true

controls the extra checks on plugin availability for mysql.user records