MySQL 5.6.14 Source Code Document
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Groups Pages
sql_acl.h
1 #ifndef SQL_ACL_INCLUDED
2 #define SQL_ACL_INCLUDED
3 
4 /* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
5 
6  This program is free software; you can redistribute it and/or modify
7  it under the terms of the GNU General Public License as published by
8  the Free Software Foundation; version 2 of the License.
9 
10  This program is distributed in the hope that it will be useful,
11  but WITHOUT ANY WARRANTY; without even the implied warranty of
12  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13  GNU General Public License for more details.
14 
15  You should have received a copy of the GNU General Public License
16  along with this program; if not, write to the Free Software Foundation,
17  51 Franklin Street, Suite 500, Boston, MA 02110-1335 USA */
18 
19 #include "my_global.h" /* NO_EMBEDDED_ACCESS_CHECKS */
20 #include "violite.h" /* SSL_type */
21 #include "sql_class.h" /* LEX_COLUMN */
22 
23 #define SELECT_ACL (1L << 0)
24 #define INSERT_ACL (1L << 1)
25 #define UPDATE_ACL (1L << 2)
26 #define DELETE_ACL (1L << 3)
27 #define CREATE_ACL (1L << 4)
28 #define DROP_ACL (1L << 5)
29 #define RELOAD_ACL (1L << 6)
30 #define SHUTDOWN_ACL (1L << 7)
31 #define PROCESS_ACL (1L << 8)
32 #define FILE_ACL (1L << 9)
33 #define GRANT_ACL (1L << 10)
34 #define REFERENCES_ACL (1L << 11)
35 #define INDEX_ACL (1L << 12)
36 #define ALTER_ACL (1L << 13)
37 #define SHOW_DB_ACL (1L << 14)
38 #define SUPER_ACL (1L << 15)
39 #define CREATE_TMP_ACL (1L << 16)
40 #define LOCK_TABLES_ACL (1L << 17)
41 #define EXECUTE_ACL (1L << 18)
42 #define REPL_SLAVE_ACL (1L << 19)
43 #define REPL_CLIENT_ACL (1L << 20)
44 #define CREATE_VIEW_ACL (1L << 21)
45 #define SHOW_VIEW_ACL (1L << 22)
46 #define CREATE_PROC_ACL (1L << 23)
47 #define ALTER_PROC_ACL (1L << 24)
48 #define CREATE_USER_ACL (1L << 25)
49 #define EVENT_ACL (1L << 26)
50 #define TRIGGER_ACL (1L << 27)
51 #define CREATE_TABLESPACE_ACL (1L << 28)
52 /*
53  don't forget to update
54  1. static struct show_privileges_st sys_privileges[]
55  2. static const char *command_array[] and static uint command_lengths[]
56  3. mysql_system_tables.sql and mysql_system_tables_fix.sql
57  4. acl_init() or whatever - to define behaviour for old privilege tables
58  5. sql_yacc.yy - for GRANT/REVOKE to work
59 */
60 #define NO_ACCESS (1L << 30)
61 #define DB_ACLS \
62 (UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
63  GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_TMP_ACL | \
64  LOCK_TABLES_ACL | EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
65  CREATE_PROC_ACL | ALTER_PROC_ACL | EVENT_ACL | TRIGGER_ACL)
66 
67 #define TABLE_ACLS \
68 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
69  GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_VIEW_ACL | \
70  SHOW_VIEW_ACL | TRIGGER_ACL)
71 
72 #define COL_ACLS \
73 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | REFERENCES_ACL)
74 
75 #define PROC_ACLS \
76 (ALTER_PROC_ACL | EXECUTE_ACL | GRANT_ACL)
77 
78 #define SHOW_PROC_ACLS \
79 (ALTER_PROC_ACL | EXECUTE_ACL | CREATE_PROC_ACL)
80 
81 #define GLOBAL_ACLS \
82 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
83  RELOAD_ACL | SHUTDOWN_ACL | PROCESS_ACL | FILE_ACL | GRANT_ACL | \
84  REFERENCES_ACL | INDEX_ACL | ALTER_ACL | SHOW_DB_ACL | SUPER_ACL | \
85  CREATE_TMP_ACL | LOCK_TABLES_ACL | REPL_SLAVE_ACL | REPL_CLIENT_ACL | \
86  EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \
87  ALTER_PROC_ACL | CREATE_USER_ACL | EVENT_ACL | TRIGGER_ACL | \
88  CREATE_TABLESPACE_ACL)
89 
90 #define DEFAULT_CREATE_PROC_ACLS \
91 (ALTER_PROC_ACL | EXECUTE_ACL)
92 
93 #define SHOW_CREATE_TABLE_ACLS \
94 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | \
95  CREATE_ACL | DROP_ACL | ALTER_ACL | INDEX_ACL | \
96  TRIGGER_ACL | REFERENCES_ACL | GRANT_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL)
97 
102 #define TMP_TABLE_ACLS \
103 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
104  INDEX_ACL | ALTER_ACL)
105 
106 /*
107  Defines to change the above bits to how things are stored in tables
108  This is needed as the 'host' and 'db' table is missing a few privileges
109 */
110 
111 /* Privileges that needs to be reallocated (in continous chunks) */
112 #define DB_CHUNK0 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | \
113  CREATE_ACL | DROP_ACL)
114 #define DB_CHUNK1 (GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL)
115 #define DB_CHUNK2 (CREATE_TMP_ACL | LOCK_TABLES_ACL)
116 #define DB_CHUNK3 (CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
117  CREATE_PROC_ACL | ALTER_PROC_ACL )
118 #define DB_CHUNK4 (EXECUTE_ACL)
119 #define DB_CHUNK5 (EVENT_ACL | TRIGGER_ACL)
120 
121 #define fix_rights_for_db(A) (((A) & DB_CHUNK0) | \
122  (((A) << 4) & DB_CHUNK1) | \
123  (((A) << 6) & DB_CHUNK2) | \
124  (((A) << 9) & DB_CHUNK3) | \
125  (((A) << 2) & DB_CHUNK4))| \
126  (((A) << 9) & DB_CHUNK5)
127 #define get_rights_for_db(A) (((A) & DB_CHUNK0) | \
128  (((A) & DB_CHUNK1) >> 4) | \
129  (((A) & DB_CHUNK2) >> 6) | \
130  (((A) & DB_CHUNK3) >> 9) | \
131  (((A) & DB_CHUNK4) >> 2))| \
132  (((A) & DB_CHUNK5) >> 9)
133 #define TBL_CHUNK0 DB_CHUNK0
134 #define TBL_CHUNK1 DB_CHUNK1
135 #define TBL_CHUNK2 (CREATE_VIEW_ACL | SHOW_VIEW_ACL)
136 #define TBL_CHUNK3 TRIGGER_ACL
137 #define fix_rights_for_table(A) (((A) & TBL_CHUNK0) | \
138  (((A) << 4) & TBL_CHUNK1) | \
139  (((A) << 11) & TBL_CHUNK2) | \
140  (((A) << 15) & TBL_CHUNK3))
141 #define get_rights_for_table(A) (((A) & TBL_CHUNK0) | \
142  (((A) & TBL_CHUNK1) >> 4) | \
143  (((A) & TBL_CHUNK2) >> 11) | \
144  (((A) & TBL_CHUNK3) >> 15))
145 #define fix_rights_for_column(A) (((A) & 7) | (((A) & ~7) << 8))
146 #define get_rights_for_column(A) (((A) & 7) | ((A) >> 8))
147 #define fix_rights_for_procedure(A) ((((A) << 18) & EXECUTE_ACL) | \
148  (((A) << 23) & ALTER_PROC_ACL) | \
149  (((A) << 8) & GRANT_ACL))
150 #define get_rights_for_procedure(A) ((((A) & EXECUTE_ACL) >> 18) | \
151  (((A) & ALTER_PROC_ACL) >> 23) | \
152  (((A) & GRANT_ACL) >> 8))
153 
154 enum mysql_db_table_field
155 {
156  MYSQL_DB_FIELD_HOST = 0,
157  MYSQL_DB_FIELD_DB,
158  MYSQL_DB_FIELD_USER,
159  MYSQL_DB_FIELD_SELECT_PRIV,
160  MYSQL_DB_FIELD_INSERT_PRIV,
161  MYSQL_DB_FIELD_UPDATE_PRIV,
162  MYSQL_DB_FIELD_DELETE_PRIV,
163  MYSQL_DB_FIELD_CREATE_PRIV,
164  MYSQL_DB_FIELD_DROP_PRIV,
165  MYSQL_DB_FIELD_GRANT_PRIV,
166  MYSQL_DB_FIELD_REFERENCES_PRIV,
167  MYSQL_DB_FIELD_INDEX_PRIV,
168  MYSQL_DB_FIELD_ALTER_PRIV,
169  MYSQL_DB_FIELD_CREATE_TMP_TABLE_PRIV,
170  MYSQL_DB_FIELD_LOCK_TABLES_PRIV,
171  MYSQL_DB_FIELD_CREATE_VIEW_PRIV,
172  MYSQL_DB_FIELD_SHOW_VIEW_PRIV,
173  MYSQL_DB_FIELD_CREATE_ROUTINE_PRIV,
174  MYSQL_DB_FIELD_ALTER_ROUTINE_PRIV,
175  MYSQL_DB_FIELD_EXECUTE_PRIV,
176  MYSQL_DB_FIELD_EVENT_PRIV,
177  MYSQL_DB_FIELD_TRIGGER_PRIV,
178  MYSQL_DB_FIELD_COUNT
179 };
180 
181 enum mysql_user_table_field
182 {
183  MYSQL_USER_FIELD_HOST= 0,
184  MYSQL_USER_FIELD_USER,
185  MYSQL_USER_FIELD_PASSWORD,
186  MYSQL_USER_FIELD_SELECT_PRIV,
187  MYSQL_USER_FIELD_INSERT_PRIV,
188  MYSQL_USER_FIELD_UPDATE_PRIV,
189  MYSQL_USER_FIELD_DELETE_PRIV,
190  MYSQL_USER_FIELD_CREATE_PRIV,
191  MYSQL_USER_FIELD_DROP_PRIV,
192  MYSQL_USER_FIELD_RELOAD_PRIV,
193  MYSQL_USER_FIELD_SHUTDOWN_PRIV,
194  MYSQL_USER_FIELD_PROCESS_PRIV,
195  MYSQL_USER_FIELD_FILE_PRIV,
196  MYSQL_USER_FIELD_GRANT_PRIV,
197  MYSQL_USER_FIELD_REFERENCES_PRIV,
198  MYSQL_USER_FIELD_INDEX_PRIV,
199  MYSQL_USER_FIELD_ALTER_PRIV,
200  MYSQL_USER_FIELD_SHOW_DB_PRIV,
201  MYSQL_USER_FIELD_SUPER_PRIV,
202  MYSQL_USER_FIELD_CREATE_TMP_TABLE_PRIV,
203  MYSQL_USER_FIELD_LOCK_TABLES_PRIV,
204  MYSQL_USER_FIELD_EXECUTE_PRIV,
205  MYSQL_USER_FIELD_REPL_SLAVE_PRIV,
206  MYSQL_USER_FIELD_REPL_CLIENT_PRIV,
207  MYSQL_USER_FIELD_CREATE_VIEW_PRIV,
208  MYSQL_USER_FIELD_SHOW_VIEW_PRIV,
209  MYSQL_USER_FIELD_CREATE_ROUTINE_PRIV,
210  MYSQL_USER_FIELD_ALTER_ROUTINE_PRIV,
211  MYSQL_USER_FIELD_CREATE_USER_PRIV,
212  MYSQL_USER_FIELD_EVENT_PRIV,
213  MYSQL_USER_FIELD_TRIGGER_PRIV,
214  MYSQL_USER_FIELD_CREATE_TABLESPACE_PRIV,
215  MYSQL_USER_FIELD_SSL_TYPE,
216  MYSQL_USER_FIELD_SSL_CIPHER,
217  MYSQL_USER_FIELD_X509_ISSUER,
218  MYSQL_USER_FIELD_X509_SUBJECT,
219  MYSQL_USER_FIELD_MAX_QUESTIONS,
220  MYSQL_USER_FIELD_MAX_UPDATES,
221  MYSQL_USER_FIELD_MAX_CONNECTIONS,
222  MYSQL_USER_FIELD_MAX_USER_CONNECTIONS,
223  MYSQL_USER_FIELD_PLUGIN,
224  MYSQL_USER_FIELD_AUTHENTICATION_STRING,
225  MYSQL_USER_FIELD_PASSWORD_EXPIRED,
226  MYSQL_USER_FIELD_COUNT
227 };
228 
229 extern const TABLE_FIELD_DEF mysql_db_table_def;
230 extern bool mysql_user_table_is_in_short_password_format;
231 extern my_bool disconnect_on_expired_password;
232 extern const char *command_array[];
233 extern uint command_lengths[];
234 
235 
236 /* prototypes */
237 
238 bool hostname_requires_resolving(const char *hostname);
239 void append_user(THD *thd, String *str, LEX_USER *user, bool comma,
240  bool passwd);
241 my_bool acl_init(bool dont_read_acl_tables);
242 my_bool acl_reload(THD *thd);
243 void acl_free(bool end=0);
244 ulong acl_get(const char *host, const char *ip,
245  const char *user, const char *db, my_bool db_is_pattern);
246 int acl_authenticate(THD *thd, uint com_change_user_pkt_len);
247 bool acl_getroot(Security_context *sctx, char *user, char *host,
248  char *ip, char *db);
249 bool acl_check_host(const char *host, const char *ip);
250 int check_change_password(THD *thd, const char *host, const char *user,
251  char *password, uint password_len);
252 bool change_password(THD *thd, const char *host, const char *user,
253  char *password);
254 bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &user_list,
255  ulong rights, bool revoke, bool is_proxy);
256 int mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list,
257  List <LEX_COLUMN> &column_list, ulong rights,
258  bool revoke);
259 bool mysql_routine_grant(THD *thd, TABLE_LIST *table, bool is_proc,
260  List <LEX_USER> &user_list, ulong rights,
261  bool revoke, bool write_to_binlog);
262 my_bool grant_init();
263 void grant_free(void);
264 my_bool grant_reload(THD *thd);
265 bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables,
266  bool any_combination_will_do, uint number, bool no_errors);
267 bool check_grant_column (THD *thd, GRANT_INFO *grant,
268  const char *db_name, const char *table_name,
269  const char *name, uint length, Security_context *sctx);
270 bool check_column_grant_in_table_ref(THD *thd, TABLE_LIST * table_ref,
271  const char *name, uint length);
272 bool check_grant_all_columns(THD *thd, ulong want_access,
273  Field_iterator_table_ref *fields);
274 bool check_grant_routine(THD *thd, ulong want_access,
275  TABLE_LIST *procs, bool is_proc, bool no_error);
276 bool check_grant_db(THD *thd,const char *db);
277 ulong get_table_grant(THD *thd, TABLE_LIST *table);
278 ulong get_column_grant(THD *thd, GRANT_INFO *grant,
279  const char *db_name, const char *table_name,
280  const char *field_name);
281 bool mysql_show_grants(THD *thd, LEX_USER *user);
282 void get_privilege_desc(char *to, uint max_length, ulong access);
283 void get_mqh(const char *user, const char *host, USER_CONN *uc);
284 bool mysql_create_user(THD *thd, List <LEX_USER> &list);
285 bool mysql_drop_user(THD *thd, List <LEX_USER> &list);
286 bool mysql_rename_user(THD *thd, List <LEX_USER> &list);
287 bool mysql_user_password_expire(THD *thd, List <LEX_USER> &list);
288 bool mysql_revoke_all(THD *thd, List <LEX_USER> &list);
289 void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant,
290  const char *db, const char *table);
291 bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name,
292  bool is_proc);
293 bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name,
294  bool is_proc);
295 bool check_routine_level_acl(THD *thd, const char *db, const char *name,
296  bool is_proc);
297 bool is_acl_user(const char *host, const char *user);
298 int fill_schema_user_privileges(THD *thd, TABLE_LIST *tables, Item *cond);
299 int fill_schema_schema_privileges(THD *thd, TABLE_LIST *tables, Item *cond);
300 int fill_schema_table_privileges(THD *thd, TABLE_LIST *tables, Item *cond);
301 int fill_schema_column_privileges(THD *thd, TABLE_LIST *tables, Item *cond);
302 int wild_case_compare(CHARSET_INFO *cs, const char *str,const char *wildstr);
303 int digest_password(THD *thd, LEX_USER *user_record);
304 int check_password_strength(String *password);
305 int check_password_policy(String *password);
306 #ifdef NO_EMBEDDED_ACCESS_CHECKS
307 #define check_grant(A,B,C,D,E,F) 0
308 #define check_grant_db(A,B) 0
309 #endif
310 void close_acl_tables(THD *thd);
311 
325 enum ACL_internal_access_result
326 {
333  ACL_INTERNAL_ACCESS_GRANTED,
335  ACL_INTERNAL_ACCESS_DENIED,
337  ACL_INTERNAL_ACCESS_CHECK_GRANT
338 };
339 
346 class ACL_internal_table_access
347 {
348 public:
349  ACL_internal_table_access()
350  {}
351 
352  virtual ~ACL_internal_table_access()
353  {}
354 
371  virtual ACL_internal_access_result check(ulong want_access,
372  ulong *save_priv) const= 0;
373 };
374 
385 class ACL_internal_schema_access
386 {
387 public:
388  ACL_internal_schema_access()
389  {}
390 
391  virtual ~ACL_internal_schema_access()
392  {}
393 
408  virtual ACL_internal_access_result check(ulong want_access,
409  ulong *save_priv) const= 0;
410 
416  virtual const ACL_internal_table_access *lookup(const char *name) const= 0;
417 };
418 
424 class ACL_internal_schema_registry
425 {
426 public:
427  static void register_schema(const LEX_STRING *name,
428  const ACL_internal_schema_access *access);
429  static const ACL_internal_schema_access *lookup(const char *name);
430 };
431 
432 const ACL_internal_schema_access *
433 get_cached_schema_access(GRANT_INTERNAL_INFO *grant_internal_info,
434  const char *schema_name);
435 
436 const ACL_internal_table_access *
437 get_cached_table_access(GRANT_INTERNAL_INFO *grant_internal_info,
438  const char *schema_name,
439  const char *table_name);
440 
441 bool acl_check_proxy_grant_access (THD *thd, const char *host, const char *user,
442  bool with_grant);
443 
444 void init_default_auth_plugin();
445 int set_default_auth_plugin(char *, int);
446 
448 extern my_bool validate_user_plugins;
449 
450 #endif /* SQL_ACL_INCLUDED */