My Project
sql_acl.h
00001 #ifndef SQL_ACL_INCLUDED
00002 #define SQL_ACL_INCLUDED
00003 
00004 /* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
00005 
00006    This program is free software; you can redistribute it and/or modify
00007    it under the terms of the GNU General Public License as published by
00008    the Free Software Foundation; version 2 of the License.
00009 
00010    This program is distributed in the hope that it will be useful,
00011    but WITHOUT ANY WARRANTY; without even the implied warranty of
00012    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
00013    GNU General Public License for more details.
00014 
00015    You should have received a copy of the GNU General Public License
00016    along with this program; if not, write to the Free Software Foundation,
00017    51 Franklin Street, Suite 500, Boston, MA 02110-1335 USA */
00018 
00019 #include "my_global.h"                          /* NO_EMBEDDED_ACCESS_CHECKS */
00020 #include "violite.h"                            /* SSL_type */
00021 #include "sql_class.h"                          /* LEX_COLUMN */
00022 
00023 #define SELECT_ACL      (1L << 0)
00024 #define INSERT_ACL      (1L << 1)
00025 #define UPDATE_ACL      (1L << 2)
00026 #define DELETE_ACL      (1L << 3)
00027 #define CREATE_ACL      (1L << 4)
00028 #define DROP_ACL        (1L << 5)
00029 #define RELOAD_ACL      (1L << 6)
00030 #define SHUTDOWN_ACL    (1L << 7)
00031 #define PROCESS_ACL     (1L << 8)
00032 #define FILE_ACL        (1L << 9)
00033 #define GRANT_ACL       (1L << 10)
00034 #define REFERENCES_ACL  (1L << 11)
00035 #define INDEX_ACL       (1L << 12)
00036 #define ALTER_ACL       (1L << 13)
00037 #define SHOW_DB_ACL     (1L << 14)
00038 #define SUPER_ACL       (1L << 15)
00039 #define CREATE_TMP_ACL  (1L << 16)
00040 #define LOCK_TABLES_ACL (1L << 17)
00041 #define EXECUTE_ACL     (1L << 18)
00042 #define REPL_SLAVE_ACL  (1L << 19)
00043 #define REPL_CLIENT_ACL (1L << 20)
00044 #define CREATE_VIEW_ACL (1L << 21)
00045 #define SHOW_VIEW_ACL   (1L << 22)
00046 #define CREATE_PROC_ACL (1L << 23)
00047 #define ALTER_PROC_ACL  (1L << 24)
00048 #define CREATE_USER_ACL (1L << 25)
00049 #define EVENT_ACL       (1L << 26)
00050 #define TRIGGER_ACL     (1L << 27)
00051 #define CREATE_TABLESPACE_ACL (1L << 28)
00052 /*
00053   don't forget to update
00054   1. static struct show_privileges_st sys_privileges[]
00055   2. static const char *command_array[] and static uint command_lengths[]
00056   3. mysql_system_tables.sql and mysql_system_tables_fix.sql
00057   4. acl_init() or whatever - to define behaviour for old privilege tables
00058   5. sql_yacc.yy - for GRANT/REVOKE to work
00059 */
00060 #define NO_ACCESS       (1L << 30)
00061 #define DB_ACLS \
00062 (UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
00063  GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_TMP_ACL | \
00064  LOCK_TABLES_ACL | EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
00065  CREATE_PROC_ACL | ALTER_PROC_ACL | EVENT_ACL | TRIGGER_ACL)
00066 
00067 #define TABLE_ACLS \
00068 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
00069  GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_VIEW_ACL | \
00070  SHOW_VIEW_ACL | TRIGGER_ACL)
00071 
00072 #define COL_ACLS \
00073 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | REFERENCES_ACL)
00074 
00075 #define PROC_ACLS \
00076 (ALTER_PROC_ACL | EXECUTE_ACL | GRANT_ACL)
00077 
00078 #define SHOW_PROC_ACLS \
00079 (ALTER_PROC_ACL | EXECUTE_ACL | CREATE_PROC_ACL)
00080 
00081 #define GLOBAL_ACLS \
00082 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
00083  RELOAD_ACL | SHUTDOWN_ACL | PROCESS_ACL | FILE_ACL | GRANT_ACL | \
00084  REFERENCES_ACL | INDEX_ACL | ALTER_ACL | SHOW_DB_ACL | SUPER_ACL | \
00085  CREATE_TMP_ACL | LOCK_TABLES_ACL | REPL_SLAVE_ACL | REPL_CLIENT_ACL | \
00086  EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \
00087  ALTER_PROC_ACL | CREATE_USER_ACL | EVENT_ACL | TRIGGER_ACL | \
00088  CREATE_TABLESPACE_ACL)
00089 
00090 #define DEFAULT_CREATE_PROC_ACLS \
00091 (ALTER_PROC_ACL | EXECUTE_ACL)
00092 
00093 #define SHOW_CREATE_TABLE_ACLS \
00094 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | \
00095  CREATE_ACL | DROP_ACL | ALTER_ACL | INDEX_ACL | \
00096  TRIGGER_ACL | REFERENCES_ACL | GRANT_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL)
00097 
00102 #define TMP_TABLE_ACLS \
00103 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
00104  INDEX_ACL | ALTER_ACL)
00105 
00106 /*
00107   Defines to change the above bits to how things are stored in tables
00108   This is needed as the 'host' and 'db' table is missing a few privileges
00109 */
00110 
00111 /* Privileges that needs to be reallocated (in continous chunks) */
00112 #define DB_CHUNK0 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | \
00113                    CREATE_ACL | DROP_ACL)
00114 #define DB_CHUNK1 (GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL)
00115 #define DB_CHUNK2 (CREATE_TMP_ACL | LOCK_TABLES_ACL)
00116 #define DB_CHUNK3 (CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
00117                    CREATE_PROC_ACL | ALTER_PROC_ACL )
00118 #define DB_CHUNK4 (EXECUTE_ACL)
00119 #define DB_CHUNK5 (EVENT_ACL | TRIGGER_ACL)
00120 
00121 #define fix_rights_for_db(A)  (((A)       & DB_CHUNK0) | \
00122                               (((A) << 4) & DB_CHUNK1) | \
00123                               (((A) << 6) & DB_CHUNK2) | \
00124                               (((A) << 9) & DB_CHUNK3) | \
00125                               (((A) << 2) & DB_CHUNK4))| \
00126                               (((A) << 9) & DB_CHUNK5)
00127 #define get_rights_for_db(A)  (((A) & DB_CHUNK0)       | \
00128                               (((A) & DB_CHUNK1) >> 4) | \
00129                               (((A) & DB_CHUNK2) >> 6) | \
00130                               (((A) & DB_CHUNK3) >> 9) | \
00131                               (((A) & DB_CHUNK4) >> 2))| \
00132                               (((A) & DB_CHUNK5) >> 9)
00133 #define TBL_CHUNK0 DB_CHUNK0
00134 #define TBL_CHUNK1 DB_CHUNK1
00135 #define TBL_CHUNK2 (CREATE_VIEW_ACL | SHOW_VIEW_ACL)
00136 #define TBL_CHUNK3 TRIGGER_ACL
00137 #define fix_rights_for_table(A) (((A)        & TBL_CHUNK0) | \
00138                                 (((A) <<  4) & TBL_CHUNK1) | \
00139                                 (((A) << 11) & TBL_CHUNK2) | \
00140                                 (((A) << 15) & TBL_CHUNK3))
00141 #define get_rights_for_table(A) (((A) & TBL_CHUNK0)        | \
00142                                 (((A) & TBL_CHUNK1) >>  4) | \
00143                                 (((A) & TBL_CHUNK2) >> 11) | \
00144                                 (((A) & TBL_CHUNK3) >> 15))
00145 #define fix_rights_for_column(A) (((A) & 7) | (((A) & ~7) << 8))
00146 #define get_rights_for_column(A) (((A) & 7) | ((A) >> 8))
00147 #define fix_rights_for_procedure(A) ((((A) << 18) & EXECUTE_ACL) | \
00148                                      (((A) << 23) & ALTER_PROC_ACL) | \
00149                                      (((A) << 8) & GRANT_ACL))
00150 #define get_rights_for_procedure(A) ((((A) & EXECUTE_ACL) >> 18) |  \
00151                                      (((A) & ALTER_PROC_ACL) >> 23) | \
00152                                      (((A) & GRANT_ACL) >> 8))
00153 
00154 enum mysql_db_table_field
00155 {
00156   MYSQL_DB_FIELD_HOST = 0,
00157   MYSQL_DB_FIELD_DB,
00158   MYSQL_DB_FIELD_USER,
00159   MYSQL_DB_FIELD_SELECT_PRIV,
00160   MYSQL_DB_FIELD_INSERT_PRIV,
00161   MYSQL_DB_FIELD_UPDATE_PRIV,
00162   MYSQL_DB_FIELD_DELETE_PRIV,
00163   MYSQL_DB_FIELD_CREATE_PRIV,
00164   MYSQL_DB_FIELD_DROP_PRIV,
00165   MYSQL_DB_FIELD_GRANT_PRIV,
00166   MYSQL_DB_FIELD_REFERENCES_PRIV,
00167   MYSQL_DB_FIELD_INDEX_PRIV,
00168   MYSQL_DB_FIELD_ALTER_PRIV,
00169   MYSQL_DB_FIELD_CREATE_TMP_TABLE_PRIV,
00170   MYSQL_DB_FIELD_LOCK_TABLES_PRIV,
00171   MYSQL_DB_FIELD_CREATE_VIEW_PRIV,
00172   MYSQL_DB_FIELD_SHOW_VIEW_PRIV,
00173   MYSQL_DB_FIELD_CREATE_ROUTINE_PRIV,
00174   MYSQL_DB_FIELD_ALTER_ROUTINE_PRIV,
00175   MYSQL_DB_FIELD_EXECUTE_PRIV,
00176   MYSQL_DB_FIELD_EVENT_PRIV,
00177   MYSQL_DB_FIELD_TRIGGER_PRIV,
00178   MYSQL_DB_FIELD_COUNT
00179 };
00180 
00181 enum mysql_user_table_field
00182 {
00183   MYSQL_USER_FIELD_HOST= 0,
00184   MYSQL_USER_FIELD_USER,
00185   MYSQL_USER_FIELD_PASSWORD,
00186   MYSQL_USER_FIELD_SELECT_PRIV,
00187   MYSQL_USER_FIELD_INSERT_PRIV,
00188   MYSQL_USER_FIELD_UPDATE_PRIV,
00189   MYSQL_USER_FIELD_DELETE_PRIV,
00190   MYSQL_USER_FIELD_CREATE_PRIV,
00191   MYSQL_USER_FIELD_DROP_PRIV,
00192   MYSQL_USER_FIELD_RELOAD_PRIV,
00193   MYSQL_USER_FIELD_SHUTDOWN_PRIV,
00194   MYSQL_USER_FIELD_PROCESS_PRIV,
00195   MYSQL_USER_FIELD_FILE_PRIV,
00196   MYSQL_USER_FIELD_GRANT_PRIV,
00197   MYSQL_USER_FIELD_REFERENCES_PRIV,
00198   MYSQL_USER_FIELD_INDEX_PRIV,
00199   MYSQL_USER_FIELD_ALTER_PRIV,
00200   MYSQL_USER_FIELD_SHOW_DB_PRIV,
00201   MYSQL_USER_FIELD_SUPER_PRIV,
00202   MYSQL_USER_FIELD_CREATE_TMP_TABLE_PRIV,
00203   MYSQL_USER_FIELD_LOCK_TABLES_PRIV,
00204   MYSQL_USER_FIELD_EXECUTE_PRIV,
00205   MYSQL_USER_FIELD_REPL_SLAVE_PRIV,
00206   MYSQL_USER_FIELD_REPL_CLIENT_PRIV,
00207   MYSQL_USER_FIELD_CREATE_VIEW_PRIV,
00208   MYSQL_USER_FIELD_SHOW_VIEW_PRIV,
00209   MYSQL_USER_FIELD_CREATE_ROUTINE_PRIV,
00210   MYSQL_USER_FIELD_ALTER_ROUTINE_PRIV,
00211   MYSQL_USER_FIELD_CREATE_USER_PRIV,
00212   MYSQL_USER_FIELD_EVENT_PRIV,
00213   MYSQL_USER_FIELD_TRIGGER_PRIV,
00214   MYSQL_USER_FIELD_CREATE_TABLESPACE_PRIV,
00215   MYSQL_USER_FIELD_SSL_TYPE,
00216   MYSQL_USER_FIELD_SSL_CIPHER,
00217   MYSQL_USER_FIELD_X509_ISSUER,
00218   MYSQL_USER_FIELD_X509_SUBJECT,
00219   MYSQL_USER_FIELD_MAX_QUESTIONS,
00220   MYSQL_USER_FIELD_MAX_UPDATES,
00221   MYSQL_USER_FIELD_MAX_CONNECTIONS,
00222   MYSQL_USER_FIELD_MAX_USER_CONNECTIONS,
00223   MYSQL_USER_FIELD_PLUGIN,
00224   MYSQL_USER_FIELD_AUTHENTICATION_STRING,
00225   MYSQL_USER_FIELD_PASSWORD_EXPIRED,
00226   MYSQL_USER_FIELD_COUNT
00227 };
00228 
00229 extern const TABLE_FIELD_DEF mysql_db_table_def;
00230 extern bool mysql_user_table_is_in_short_password_format;
00231 extern my_bool disconnect_on_expired_password;
00232 extern const char *command_array[];
00233 extern uint        command_lengths[];
00234 
00235 
00236 /* prototypes */
00237 
00238 bool hostname_requires_resolving(const char *hostname);
00239 void append_user(THD *thd, String *str, LEX_USER *user, bool comma,
00240                  bool passwd);
00241 my_bool  acl_init(bool dont_read_acl_tables);
00242 my_bool acl_reload(THD *thd);
00243 void acl_free(bool end=0);
00244 ulong acl_get(const char *host, const char *ip,
00245               const char *user, const char *db, my_bool db_is_pattern);
00246 int acl_authenticate(THD *thd, uint com_change_user_pkt_len);
00247 bool acl_getroot(Security_context *sctx, char *user, char *host,
00248                  char *ip, char *db);
00249 bool acl_check_host(const char *host, const char *ip);
00250 int check_change_password(THD *thd, const char *host, const char *user,
00251                            char *password, uint password_len);
00252 bool change_password(THD *thd, const char *host, const char *user,
00253                      char *password);
00254 bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &user_list,
00255                  ulong rights, bool revoke, bool is_proxy);
00256 int mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list,
00257                        List <LEX_COLUMN> &column_list, ulong rights,
00258                        bool revoke);
00259 bool mysql_routine_grant(THD *thd, TABLE_LIST *table, bool is_proc,
00260                          List <LEX_USER> &user_list, ulong rights,
00261                          bool revoke, bool write_to_binlog);
00262 my_bool grant_init();
00263 void grant_free(void);
00264 my_bool grant_reload(THD *thd);
00265 bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables,
00266                  bool any_combination_will_do, uint number, bool no_errors);
00267 bool check_grant_column (THD *thd, GRANT_INFO *grant,
00268                          const char *db_name, const char *table_name,
00269                          const char *name, uint length, Security_context *sctx);
00270 bool check_column_grant_in_table_ref(THD *thd, TABLE_LIST * table_ref,
00271                                      const char *name, uint length);
00272 bool check_grant_all_columns(THD *thd, ulong want_access, 
00273                              Field_iterator_table_ref *fields);
00274 bool check_grant_routine(THD *thd, ulong want_access,
00275                          TABLE_LIST *procs, bool is_proc, bool no_error);
00276 bool check_grant_db(THD *thd,const char *db);
00277 ulong get_table_grant(THD *thd, TABLE_LIST *table);
00278 ulong get_column_grant(THD *thd, GRANT_INFO *grant,
00279                        const char *db_name, const char *table_name,
00280                        const char *field_name);
00281 bool mysql_show_grants(THD *thd, LEX_USER *user);
00282 void get_privilege_desc(char *to, uint max_length, ulong access);
00283 void get_mqh(const char *user, const char *host, USER_CONN *uc);
00284 bool mysql_create_user(THD *thd, List <LEX_USER> &list);
00285 bool mysql_drop_user(THD *thd, List <LEX_USER> &list);
00286 bool mysql_rename_user(THD *thd, List <LEX_USER> &list);
00287 bool mysql_user_password_expire(THD *thd, List <LEX_USER> &list);
00288 bool mysql_revoke_all(THD *thd, List <LEX_USER> &list);
00289 void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant,
00290                                      const char *db, const char *table);
00291 bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name,
00292                           bool is_proc);
00293 bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name,
00294                          bool is_proc);
00295 bool check_routine_level_acl(THD *thd, const char *db, const char *name,
00296                              bool is_proc);
00297 bool is_acl_user(const char *host, const char *user);
00298 int fill_schema_user_privileges(THD *thd, TABLE_LIST *tables, Item *cond);
00299 int fill_schema_schema_privileges(THD *thd, TABLE_LIST *tables, Item *cond);
00300 int fill_schema_table_privileges(THD *thd, TABLE_LIST *tables, Item *cond);
00301 int fill_schema_column_privileges(THD *thd, TABLE_LIST *tables, Item *cond);
00302 int wild_case_compare(CHARSET_INFO *cs, const char *str,const char *wildstr);
00303 int digest_password(THD *thd, LEX_USER *user_record);
00304 int check_password_strength(String *password);
00305 int check_password_policy(String *password);
00306 #ifdef NO_EMBEDDED_ACCESS_CHECKS
00307 #define check_grant(A,B,C,D,E,F) 0
00308 #define check_grant_db(A,B) 0
00309 #endif
00310 void close_acl_tables(THD *thd);
00311 
00325 enum ACL_internal_access_result
00326 {
00333   ACL_INTERNAL_ACCESS_GRANTED,
00335   ACL_INTERNAL_ACCESS_DENIED,
00337   ACL_INTERNAL_ACCESS_CHECK_GRANT
00338 };
00339 
00346 class ACL_internal_table_access
00347 {
00348 public:
00349   ACL_internal_table_access()
00350   {}
00351 
00352   virtual ~ACL_internal_table_access()
00353   {}
00354 
00371   virtual ACL_internal_access_result check(ulong want_access,
00372                                            ulong *save_priv) const= 0;
00373 };
00374 
00385 class ACL_internal_schema_access
00386 {
00387 public:
00388   ACL_internal_schema_access()
00389   {}
00390 
00391   virtual ~ACL_internal_schema_access()
00392   {}
00393 
00408   virtual ACL_internal_access_result check(ulong want_access,
00409                                            ulong *save_priv) const= 0;
00410 
00416   virtual const ACL_internal_table_access *lookup(const char *name) const= 0;
00417 };
00418 
00424 class ACL_internal_schema_registry
00425 {
00426 public:
00427   static void register_schema(const LEX_STRING *name,
00428                               const ACL_internal_schema_access *access);
00429   static const ACL_internal_schema_access *lookup(const char *name);
00430 };
00431 
00432 const ACL_internal_schema_access *
00433 get_cached_schema_access(GRANT_INTERNAL_INFO *grant_internal_info,
00434                          const char *schema_name);
00435 
00436 const ACL_internal_table_access *
00437 get_cached_table_access(GRANT_INTERNAL_INFO *grant_internal_info,
00438                         const char *schema_name,
00439                         const char *table_name);
00440 
00441 bool acl_check_proxy_grant_access (THD *thd, const char *host, const char *user,
00442                                    bool with_grant);
00443 
00444 void init_default_auth_plugin();
00445 int set_default_auth_plugin(char *, int);
00446 
00448 extern my_bool validate_user_plugins;
00449 
00450 #endif /* SQL_ACL_INCLUDED */
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Defines