MySQL 9.7.0
Source Code Documentation
sql_masking_policy.h File Reference
#include <optional>
#include <string>
#include "lex_string.h"
#include "my_inttypes.h"


Classes

struct  Sql_masking_policy_spec
 

Functions

std::optional< Sql_masking_policy_spec > get_masking_policy_spec (THD *thd, LEX_CSTRING policy_name, std::string *reason)
 Returns the masking policy with the given name if it can be found.

bool check_masking_policy_manage_privilege (THD *thd)
 Checks if the current user has the MANAGE_DATA_MASKING_POLICY privilege.

bool drop_masking_policy (THD *thd, LEX_CSTRING policy_name, bool if_exists)
 Drop the masking policy with the given name.

bool create_masking_policy (THD *thd, bool if_not_exists, const Sql_masking_policy_spec &spec)
 Create a masking policy with the given specification.

bool check_masking_policy_name (LEX_CSTRING name)
 Check if the name is valid for a masking policy name or a masking policy argument name.

bool validate_masking_policy_syntax (THD *thd, LEX_CSTRING argument_name, Item *expr)
 Validate structural and semantic restrictions for a masking policy expression.

Item * resolve_masking_expression (THD *thd, Item_field *item_field, const Sql_masking_policy_spec &spec)
 Parse and resolve the column’s masking expression under the column’s security context.

bool validate_masking_policy_for_create_alter_table (THD *thd, uchar *buf, TABLE *table, const Create_field &field)
 Validates masking policies for CREATE/ALTER TABLE.
 

Function Documentation

◆ check_masking_policy_manage_privilege()

bool check_masking_policy_manage_privilege ( THD * thd )

Checks if the current user has the MANAGE_DATA_MASKING_POLICY privilege.

Raises an error if the privilege is missing.

Parameters
thd: Thread context
Return values
false: Privilege is granted
true: Privilege is missing (error is reported)

◆ check_masking_policy_name()

bool check_masking_policy_name ( LEX_CSTRING name )

Check if the name is valid for a masking policy name or a masking policy argument name.

Raises an error if it is not valid.

Parameters
name: Name to validate
Return values
false: Name is valid
true: Validation failed (error is reported)

◆ create_masking_policy()

bool create_masking_policy ( THD * thd,
bool if_not_exists,
const Sql_masking_policy_spec & spec
)

Create a masking policy with the given specification.

Parameters
thd: Thread context
if_not_exists: True if CREATE MASKING POLICY IF NOT EXISTS, which means it is not an error if the policy already exists. The existing policy is kept.
spec: Masking policy specification
Return values
false: On success
true: If an error has been raised

◆ drop_masking_policy()

bool drop_masking_policy ( THD * thd,
LEX_CSTRING policy_name,
bool if_exists
)

Drop the masking policy with the given name.

Parameters
thd: Thread context
policy_name: The name of the policy to drop
if_exists: True if DROP IF EXISTS, which means it is not an error to call it with a policy name that does not exist.
Return values
true: If an error is raised
false: On success

◆ get_masking_policy_spec()

std::optional< Sql_masking_policy_spec > get_masking_policy_spec ( THD * thd,
LEX_CSTRING policy_name,
std::string * reason
)

Returns the masking policy with the given name if it can be found.

Returns an empty result if the masking policy with that name could not be found. No error is raised, but the output parameter reason contains the reason why the masking policy was not found.

Parameters
thd: Thread context
policy_name: The name of the policy to look for
[out] reason: If the function returns an empty value, this parameter will return the reason why the policy was not found.
Returns
The policy specification if found; otherwise empty.

◆ resolve_masking_expression()

Item * resolve_masking_expression ( THD * thd,
Item_field * item_field,
const Sql_masking_policy_spec & spec
)

Parse and resolve the column’s masking expression under the column’s security context.

Replaces the policy argument with the actual Item_field and keeps name resolution otherwise empty to prevent references to other columns.

Parameters
thd: Thread context
item_field: Column reference substituted for the policy argument
spec: Masking policy specification (previously fetched)
Returns
A pointer to the resolved Item on success, or nullptr on error (error is reported)

◆ validate_masking_policy_for_create_alter_table()

bool validate_masking_policy_for_create_alter_table ( THD * thd,
uchar * buf,
TABLE * table,
const Create_field & field
)

Validates masking policies for CREATE/ALTER TABLE.

Performs validation in three categories and delegates details to helpers:

  • Column eligibility for masking (validate_masking_policy_column_constraints()).
  • Masking function resolution and post-resolve validation (validate_masking_function_post_resolve()).
  • Column/function type compatibility (compatible_types()).

See the referenced helpers for detailed rules and rationale.

Parameters
thd: Thread context
buf: Row buffer used to back a temporary Field instance
table: Table being created/altered
field: Column definition being validated
Return values
true: Validation failed (error was reported)
false: Validation succeeded

◆ validate_masking_policy_syntax()

bool validate_masking_policy_syntax ( THD * thd,
LEX_CSTRING argument_name,
Item * expr
)

Validate structural and semantic restrictions for a masking policy expression.

Rules enforced:

  • Must use the form CASE WHEN <CURRENT_USER_IN|CURRENT_ROLE_IN>(...) THEN <expr> ELSE <expr>
  • Exactly one WHEN clause and a required ELSE clause
  • THEN/ELSE must meet generated-column-like rules (UDFs allowed)
  • Only the policy argument may reference a column
  • Either THEN or ELSE must return the unmasked value

Parameters
thd: Thread context
argument_name: Name of the argument used in the policy
expr: Expression tree of the policy
Return values
true: Validation failed (error reported)
false: Validation succeeded
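
The structural rules listed for validate_masking_policy_syntax(), modelled on a small hypothetical expression tree. This is an added example, not MySQL's implementation: `Expr`, its helper constructors and `validate_policy_model` are invented here and do not use `Item` or `THD`. Assumptions: function names are matched case-sensitively, "returns the unmasked value" is taken to mean the branch is the bare policy argument, and the generated-column-like restrictions on THEN/ELSE are not modelled.

```cpp
#include <string>
#include <vector>

// Hypothetical, simplified expression node; MySQL's real tree uses Item.
struct Expr {
  enum Kind { COLUMN, LITERAL, FUNC, CASE } kind;
  std::string name;         // column name, literal text or function name
  std::vector<Expr> args;   // FUNC: arguments
  std::vector<Expr> whens;  // CASE: cond0, then0, cond1, then1, ...
  std::vector<Expr> else_;  // CASE: empty, or exactly one ELSE expression
};
Expr col(std::string n) { return {Expr::COLUMN, n, {}, {}, {}}; }
Expr lit(std::string v) { return {Expr::LITERAL, v, {}, {}, {}}; }
Expr fn(std::string n, std::vector<Expr> a) { return {Expr::FUNC, n, a, {}, {}}; }
Expr case_when(std::vector<Expr> whens, std::vector<Expr> els) {
  return {Expr::CASE, "", {}, whens, els};
}

// True if every column reference under e is the policy argument.
bool only_references(const Expr &e, const std::string &arg) {
  if (e.kind == Expr::COLUMN && e.name != arg) return false;
  for (const auto *v : {&e.args, &e.whens, &e.else_})
    for (const Expr &c : *v)
      if (!only_references(c, arg)) return false;
  return true;
}

// Assumption: the unmasked value is the bare policy argument.
bool is_unmasked(const Expr &e, const std::string &arg) {
  return e.kind == Expr::COLUMN && e.name == arg;
}

// Same convention as the page: true = validation failed, false = valid.
bool validate_policy_model(const std::string &arg, const Expr &e) {
  if (e.kind != Expr::CASE) return true;                        // not a CASE
  if (e.whens.size() != 2 || e.else_.size() != 1) return true;  // one WHEN, ELSE required
  const Expr &cond = e.whens[0], &then_ = e.whens[1], &els = e.else_[0];
  if (cond.kind != Expr::FUNC ||
      (cond.name != "CURRENT_USER_IN" && cond.name != "CURRENT_ROLE_IN"))
    return true;                                  // WHEN must test user or role
  if (!only_references(e, arg)) return true;      // column other than the argument
  return !is_unmasked(then_, arg) && !is_unmasked(els, arg);  // both branches masked
}

int main() {  // constructed sample: CASE WHEN CURRENT_ROLE_IN('auditor') THEN ssn ELSE 'XXX'
  Expr p = case_when({fn("CURRENT_ROLE_IN", {lit("auditor")}), col("ssn")}, {lit("XXX")});
  return validate_policy_model("ssn", p) ? 1 : 0;  // exit status 0: policy accepted
}
```

The last rule is what stops a policy from masking the column for every caller: at least one branch has to hand back the argument unchanged.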