|
My Project
|
|
My Project
|
00001 #ifndef SQL_ACL_INCLUDED 00002 #define SQL_ACL_INCLUDED 00003 00004 /* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. 00005 00006 This program is free software; you can redistribute it and/or modify 00007 it under the terms of the GNU General Public License as published by 00008 the Free Software Foundation; version 2 of the License. 00009 00010 This program is distributed in the hope that it will be useful, 00011 but WITHOUT ANY WARRANTY; without even the implied warranty of 00012 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 00013 GNU General Public License for more details. 00014 00015 You should have received a copy of the GNU General Public License 00016 along with this program; if not, write to the Free Software Foundation, 00017 51 Franklin Street, Suite 500, Boston, MA 02110-1335 USA */ 00018 00019 #include "my_global.h" /* NO_EMBEDDED_ACCESS_CHECKS */ 00020 #include "violite.h" /* SSL_type */ 00021 #include "sql_class.h" /* LEX_COLUMN */ 00022 00023 #define SELECT_ACL (1L << 0) 00024 #define INSERT_ACL (1L << 1) 00025 #define UPDATE_ACL (1L << 2) 00026 #define DELETE_ACL (1L << 3) 00027 #define CREATE_ACL (1L << 4) 00028 #define DROP_ACL (1L << 5) 00029 #define RELOAD_ACL (1L << 6) 00030 #define SHUTDOWN_ACL (1L << 7) 00031 #define PROCESS_ACL (1L << 8) 00032 #define FILE_ACL (1L << 9) 00033 #define GRANT_ACL (1L << 10) 00034 #define REFERENCES_ACL (1L << 11) 00035 #define INDEX_ACL (1L << 12) 00036 #define ALTER_ACL (1L << 13) 00037 #define SHOW_DB_ACL (1L << 14) 00038 #define SUPER_ACL (1L << 15) 00039 #define CREATE_TMP_ACL (1L << 16) 00040 #define LOCK_TABLES_ACL (1L << 17) 00041 #define EXECUTE_ACL (1L << 18) 00042 #define REPL_SLAVE_ACL (1L << 19) 00043 #define REPL_CLIENT_ACL (1L << 20) 00044 #define CREATE_VIEW_ACL (1L << 21) 00045 #define SHOW_VIEW_ACL (1L << 22) 00046 #define CREATE_PROC_ACL (1L << 23) 00047 #define ALTER_PROC_ACL (1L << 24) 00048 #define CREATE_USER_ACL (1L << 25) 00049 #define EVENT_ACL (1L << 26) 00050 #define TRIGGER_ACL (1L << 27) 00051 #define CREATE_TABLESPACE_ACL (1L << 28) 00052 /* 00053 don't forget to update 00054 1. static struct show_privileges_st sys_privileges[] 00055 2. static const char *command_array[] and static uint command_lengths[] 00056 3. mysql_system_tables.sql and mysql_system_tables_fix.sql 00057 4. acl_init() or whatever - to define behaviour for old privilege tables 00058 5. sql_yacc.yy - for GRANT/REVOKE to work 00059 */ 00060 #define NO_ACCESS (1L << 30) 00061 #define DB_ACLS \ 00062 (UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \ 00063 GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_TMP_ACL | \ 00064 LOCK_TABLES_ACL | EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | \ 00065 CREATE_PROC_ACL | ALTER_PROC_ACL | EVENT_ACL | TRIGGER_ACL) 00066 00067 #define TABLE_ACLS \ 00068 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \ 00069 GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_VIEW_ACL | \ 00070 SHOW_VIEW_ACL | TRIGGER_ACL) 00071 00072 #define COL_ACLS \ 00073 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | REFERENCES_ACL) 00074 00075 #define PROC_ACLS \ 00076 (ALTER_PROC_ACL | EXECUTE_ACL | GRANT_ACL) 00077 00078 #define SHOW_PROC_ACLS \ 00079 (ALTER_PROC_ACL | EXECUTE_ACL | CREATE_PROC_ACL) 00080 00081 #define GLOBAL_ACLS \ 00082 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \ 00083 RELOAD_ACL | SHUTDOWN_ACL | PROCESS_ACL | FILE_ACL | GRANT_ACL | \ 00084 REFERENCES_ACL | INDEX_ACL | ALTER_ACL | SHOW_DB_ACL | SUPER_ACL | \ 00085 CREATE_TMP_ACL | LOCK_TABLES_ACL | REPL_SLAVE_ACL | REPL_CLIENT_ACL | \ 00086 EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \ 00087 ALTER_PROC_ACL | CREATE_USER_ACL | EVENT_ACL | TRIGGER_ACL | \ 00088 CREATE_TABLESPACE_ACL) 00089 00090 #define DEFAULT_CREATE_PROC_ACLS \ 00091 (ALTER_PROC_ACL | EXECUTE_ACL) 00092 00093 #define SHOW_CREATE_TABLE_ACLS \ 00094 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | \ 00095 CREATE_ACL | DROP_ACL | ALTER_ACL | INDEX_ACL | \ 00096 TRIGGER_ACL | REFERENCES_ACL | GRANT_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL) 00097 00102 #define TMP_TABLE_ACLS \ 00103 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \ 00104 INDEX_ACL | ALTER_ACL) 00105 00106 /* 00107 Defines to change the above bits to how things are stored in tables 00108 This is needed as the 'host' and 'db' table is missing a few privileges 00109 */ 00110 00111 /* Privileges that needs to be reallocated (in continous chunks) */ 00112 #define DB_CHUNK0 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | \ 00113 CREATE_ACL | DROP_ACL) 00114 #define DB_CHUNK1 (GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL) 00115 #define DB_CHUNK2 (CREATE_TMP_ACL | LOCK_TABLES_ACL) 00116 #define DB_CHUNK3 (CREATE_VIEW_ACL | SHOW_VIEW_ACL | \ 00117 CREATE_PROC_ACL | ALTER_PROC_ACL ) 00118 #define DB_CHUNK4 (EXECUTE_ACL) 00119 #define DB_CHUNK5 (EVENT_ACL | TRIGGER_ACL) 00120 00121 #define fix_rights_for_db(A) (((A) & DB_CHUNK0) | \ 00122 (((A) << 4) & DB_CHUNK1) | \ 00123 (((A) << 6) & DB_CHUNK2) | \ 00124 (((A) << 9) & DB_CHUNK3) | \ 00125 (((A) << 2) & DB_CHUNK4))| \ 00126 (((A) << 9) & DB_CHUNK5) 00127 #define get_rights_for_db(A) (((A) & DB_CHUNK0) | \ 00128 (((A) & DB_CHUNK1) >> 4) | \ 00129 (((A) & DB_CHUNK2) >> 6) | \ 00130 (((A) & DB_CHUNK3) >> 9) | \ 00131 (((A) & DB_CHUNK4) >> 2))| \ 00132 (((A) & DB_CHUNK5) >> 9) 00133 #define TBL_CHUNK0 DB_CHUNK0 00134 #define TBL_CHUNK1 DB_CHUNK1 00135 #define TBL_CHUNK2 (CREATE_VIEW_ACL | SHOW_VIEW_ACL) 00136 #define TBL_CHUNK3 TRIGGER_ACL 00137 #define fix_rights_for_table(A) (((A) & TBL_CHUNK0) | \ 00138 (((A) << 4) & TBL_CHUNK1) | \ 00139 (((A) << 11) & TBL_CHUNK2) | \ 00140 (((A) << 15) & TBL_CHUNK3)) 00141 #define get_rights_for_table(A) (((A) & TBL_CHUNK0) | \ 00142 (((A) & TBL_CHUNK1) >> 4) | \ 00143 (((A) & TBL_CHUNK2) >> 11) | \ 00144 (((A) & TBL_CHUNK3) >> 15)) 00145 #define fix_rights_for_column(A) (((A) & 7) | (((A) & ~7) << 8)) 00146 #define get_rights_for_column(A) (((A) & 7) | ((A) >> 8)) 00147 #define fix_rights_for_procedure(A) ((((A) << 18) & EXECUTE_ACL) | \ 00148 (((A) << 23) & ALTER_PROC_ACL) | \ 00149 (((A) << 8) & GRANT_ACL)) 00150 #define get_rights_for_procedure(A) ((((A) & EXECUTE_ACL) >> 18) | \ 00151 (((A) & ALTER_PROC_ACL) >> 23) | \ 00152 (((A) & GRANT_ACL) >> 8)) 00153 00154 enum mysql_db_table_field 00155 { 00156 MYSQL_DB_FIELD_HOST = 0, 00157 MYSQL_DB_FIELD_DB, 00158 MYSQL_DB_FIELD_USER, 00159 MYSQL_DB_FIELD_SELECT_PRIV, 00160 MYSQL_DB_FIELD_INSERT_PRIV, 00161 MYSQL_DB_FIELD_UPDATE_PRIV, 00162 MYSQL_DB_FIELD_DELETE_PRIV, 00163 MYSQL_DB_FIELD_CREATE_PRIV, 00164 MYSQL_DB_FIELD_DROP_PRIV, 00165 MYSQL_DB_FIELD_GRANT_PRIV, 00166 MYSQL_DB_FIELD_REFERENCES_PRIV, 00167 MYSQL_DB_FIELD_INDEX_PRIV, 00168 MYSQL_DB_FIELD_ALTER_PRIV, 00169 MYSQL_DB_FIELD_CREATE_TMP_TABLE_PRIV, 00170 MYSQL_DB_FIELD_LOCK_TABLES_PRIV, 00171 MYSQL_DB_FIELD_CREATE_VIEW_PRIV, 00172 MYSQL_DB_FIELD_SHOW_VIEW_PRIV, 00173 MYSQL_DB_FIELD_CREATE_ROUTINE_PRIV, 00174 MYSQL_DB_FIELD_ALTER_ROUTINE_PRIV, 00175 MYSQL_DB_FIELD_EXECUTE_PRIV, 00176 MYSQL_DB_FIELD_EVENT_PRIV, 00177 MYSQL_DB_FIELD_TRIGGER_PRIV, 00178 MYSQL_DB_FIELD_COUNT 00179 }; 00180 00181 enum mysql_user_table_field 00182 { 00183 MYSQL_USER_FIELD_HOST= 0, 00184 MYSQL_USER_FIELD_USER, 00185 MYSQL_USER_FIELD_PASSWORD, 00186 MYSQL_USER_FIELD_SELECT_PRIV, 00187 MYSQL_USER_FIELD_INSERT_PRIV, 00188 MYSQL_USER_FIELD_UPDATE_PRIV, 00189 MYSQL_USER_FIELD_DELETE_PRIV, 00190 MYSQL_USER_FIELD_CREATE_PRIV, 00191 MYSQL_USER_FIELD_DROP_PRIV, 00192 MYSQL_USER_FIELD_RELOAD_PRIV, 00193 MYSQL_USER_FIELD_SHUTDOWN_PRIV, 00194 MYSQL_USER_FIELD_PROCESS_PRIV, 00195 MYSQL_USER_FIELD_FILE_PRIV, 00196 MYSQL_USER_FIELD_GRANT_PRIV, 00197 MYSQL_USER_FIELD_REFERENCES_PRIV, 00198 MYSQL_USER_FIELD_INDEX_PRIV, 00199 MYSQL_USER_FIELD_ALTER_PRIV, 00200 MYSQL_USER_FIELD_SHOW_DB_PRIV, 00201 MYSQL_USER_FIELD_SUPER_PRIV, 00202 MYSQL_USER_FIELD_CREATE_TMP_TABLE_PRIV, 00203 MYSQL_USER_FIELD_LOCK_TABLES_PRIV, 00204 MYSQL_USER_FIELD_EXECUTE_PRIV, 00205 MYSQL_USER_FIELD_REPL_SLAVE_PRIV, 00206 MYSQL_USER_FIELD_REPL_CLIENT_PRIV, 00207 MYSQL_USER_FIELD_CREATE_VIEW_PRIV, 00208 MYSQL_USER_FIELD_SHOW_VIEW_PRIV, 00209 MYSQL_USER_FIELD_CREATE_ROUTINE_PRIV, 00210 MYSQL_USER_FIELD_ALTER_ROUTINE_PRIV, 00211 MYSQL_USER_FIELD_CREATE_USER_PRIV, 00212 MYSQL_USER_FIELD_EVENT_PRIV, 00213 MYSQL_USER_FIELD_TRIGGER_PRIV, 00214 MYSQL_USER_FIELD_CREATE_TABLESPACE_PRIV, 00215 MYSQL_USER_FIELD_SSL_TYPE, 00216 MYSQL_USER_FIELD_SSL_CIPHER, 00217 MYSQL_USER_FIELD_X509_ISSUER, 00218 MYSQL_USER_FIELD_X509_SUBJECT, 00219 MYSQL_USER_FIELD_MAX_QUESTIONS, 00220 MYSQL_USER_FIELD_MAX_UPDATES, 00221 MYSQL_USER_FIELD_MAX_CONNECTIONS, 00222 MYSQL_USER_FIELD_MAX_USER_CONNECTIONS, 00223 MYSQL_USER_FIELD_PLUGIN, 00224 MYSQL_USER_FIELD_AUTHENTICATION_STRING, 00225 MYSQL_USER_FIELD_PASSWORD_EXPIRED, 00226 MYSQL_USER_FIELD_COUNT 00227 }; 00228 00229 extern const TABLE_FIELD_DEF mysql_db_table_def; 00230 extern bool mysql_user_table_is_in_short_password_format; 00231 extern my_bool disconnect_on_expired_password; 00232 extern const char *command_array[]; 00233 extern uint command_lengths[]; 00234 00235 00236 /* prototypes */ 00237 00238 bool hostname_requires_resolving(const char *hostname); 00239 void append_user(THD *thd, String *str, LEX_USER *user, bool comma, 00240 bool passwd); 00241 my_bool acl_init(bool dont_read_acl_tables); 00242 my_bool acl_reload(THD *thd); 00243 void acl_free(bool end=0); 00244 ulong acl_get(const char *host, const char *ip, 00245 const char *user, const char *db, my_bool db_is_pattern); 00246 int acl_authenticate(THD *thd, uint com_change_user_pkt_len); 00247 bool acl_getroot(Security_context *sctx, char *user, char *host, 00248 char *ip, char *db); 00249 bool acl_check_host(const char *host, const char *ip); 00250 int check_change_password(THD *thd, const char *host, const char *user, 00251 char *password, uint password_len); 00252 bool change_password(THD *thd, const char *host, const char *user, 00253 char *password); 00254 bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &user_list, 00255 ulong rights, bool revoke, bool is_proxy); 00256 int mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list, 00257 List <LEX_COLUMN> &column_list, ulong rights, 00258 bool revoke); 00259 bool mysql_routine_grant(THD *thd, TABLE_LIST *table, bool is_proc, 00260 List <LEX_USER> &user_list, ulong rights, 00261 bool revoke, bool write_to_binlog); 00262 my_bool grant_init(); 00263 void grant_free(void); 00264 my_bool grant_reload(THD *thd); 00265 bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables, 00266 bool any_combination_will_do, uint number, bool no_errors); 00267 bool check_grant_column (THD *thd, GRANT_INFO *grant, 00268 const char *db_name, const char *table_name, 00269 const char *name, uint length, Security_context *sctx); 00270 bool check_column_grant_in_table_ref(THD *thd, TABLE_LIST * table_ref, 00271 const char *name, uint length); 00272 bool check_grant_all_columns(THD *thd, ulong want_access, 00273 Field_iterator_table_ref *fields); 00274 bool check_grant_routine(THD *thd, ulong want_access, 00275 TABLE_LIST *procs, bool is_proc, bool no_error); 00276 bool check_grant_db(THD *thd,const char *db); 00277 ulong get_table_grant(THD *thd, TABLE_LIST *table); 00278 ulong get_column_grant(THD *thd, GRANT_INFO *grant, 00279 const char *db_name, const char *table_name, 00280 const char *field_name); 00281 bool mysql_show_grants(THD *thd, LEX_USER *user); 00282 void get_privilege_desc(char *to, uint max_length, ulong access); 00283 void get_mqh(const char *user, const char *host, USER_CONN *uc); 00284 bool mysql_create_user(THD *thd, List <LEX_USER> &list); 00285 bool mysql_drop_user(THD *thd, List <LEX_USER> &list); 00286 bool mysql_rename_user(THD *thd, List <LEX_USER> &list); 00287 bool mysql_user_password_expire(THD *thd, List <LEX_USER> &list); 00288 bool mysql_revoke_all(THD *thd, List <LEX_USER> &list); 00289 void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant, 00290 const char *db, const char *table); 00291 bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name, 00292 bool is_proc); 00293 bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name, 00294 bool is_proc); 00295 bool check_routine_level_acl(THD *thd, const char *db, const char *name, 00296 bool is_proc); 00297 bool is_acl_user(const char *host, const char *user); 00298 int fill_schema_user_privileges(THD *thd, TABLE_LIST *tables, Item *cond); 00299 int fill_schema_schema_privileges(THD *thd, TABLE_LIST *tables, Item *cond); 00300 int fill_schema_table_privileges(THD *thd, TABLE_LIST *tables, Item *cond); 00301 int fill_schema_column_privileges(THD *thd, TABLE_LIST *tables, Item *cond); 00302 int wild_case_compare(CHARSET_INFO *cs, const char *str,const char *wildstr); 00303 int digest_password(THD *thd, LEX_USER *user_record); 00304 int check_password_strength(String *password); 00305 int check_password_policy(String *password); 00306 #ifdef NO_EMBEDDED_ACCESS_CHECKS 00307 #define check_grant(A,B,C,D,E,F) 0 00308 #define check_grant_db(A,B) 0 00309 #endif 00310 void close_acl_tables(THD *thd); 00311 00325 enum ACL_internal_access_result 00326 { 00333 ACL_INTERNAL_ACCESS_GRANTED, 00335 ACL_INTERNAL_ACCESS_DENIED, 00337 ACL_INTERNAL_ACCESS_CHECK_GRANT 00338 }; 00339 00346 class ACL_internal_table_access 00347 { 00348 public: 00349 ACL_internal_table_access() 00350 {} 00351 00352 virtual ~ACL_internal_table_access() 00353 {} 00354 00371 virtual ACL_internal_access_result check(ulong want_access, 00372 ulong *save_priv) const= 0; 00373 }; 00374 00385 class ACL_internal_schema_access 00386 { 00387 public: 00388 ACL_internal_schema_access() 00389 {} 00390 00391 virtual ~ACL_internal_schema_access() 00392 {} 00393 00408 virtual ACL_internal_access_result check(ulong want_access, 00409 ulong *save_priv) const= 0; 00410 00416 virtual const ACL_internal_table_access *lookup(const char *name) const= 0; 00417 }; 00418 00424 class ACL_internal_schema_registry 00425 { 00426 public: 00427 static void register_schema(const LEX_STRING *name, 00428 const ACL_internal_schema_access *access); 00429 static const ACL_internal_schema_access *lookup(const char *name); 00430 }; 00431 00432 const ACL_internal_schema_access * 00433 get_cached_schema_access(GRANT_INTERNAL_INFO *grant_internal_info, 00434 const char *schema_name); 00435 00436 const ACL_internal_table_access * 00437 get_cached_table_access(GRANT_INTERNAL_INFO *grant_internal_info, 00438 const char *schema_name, 00439 const char *table_name); 00440 00441 bool acl_check_proxy_grant_access (THD *thd, const char *host, const char *user, 00442 bool with_grant); 00443 00444 void init_default_auth_plugin(); 00445 int set_default_auth_plugin(char *, int); 00446 00448 extern my_bool validate_user_plugins; 00449 00450 #endif /* SQL_ACL_INCLUDED */
1.7.6.1
