author | Vicențiu Ciorbaru <cvicentiu@gmail.com> | 2022-03-08 16:51:00 +0200 |
---|---|---|
committer | Vicențiu Ciorbaru <cvicentiu@gmail.com> | 2022-03-08 16:51:00 +0200 |
commit | 0518d2ba0ef40e70a933f9dc52cedb97c51749d6 (patch) | |
tree | 63368bf6c59e0e9596e8b384bab5ec3531a52820 | |
parent | 17417d53bde5e2e3f1132432a37aa2873568e21d (diff) | |
download | mariadb-git-0518d2ba0ef40e70a933f9dc52cedb97c51749d6.tar.gz |
MDEV-14443: get_column_grant: Apply global and database level denies
-rw-r--r-- | sql/sql_acl.cc | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index 1fb57f97b38..f0d22846dc9 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -9382,6 +9382,8 @@ bool check_grant(THD *thd, privilege_t want_access, TABLE_LIST *tables,
 const bool no_grant_table_role_rights= !grant_table_role || !((grant_table_role->privs | grant_table_role->cols) & ~deny_mask);
+ //TODO(cvicentiu) column level deny_mask needs to be computed separately
+ //per-column. This will have to be done as an extra step.
 if (no_grant_table_rights && no_grant_table_role_rights)
 {
@@ -10034,12 +10036,20 @@ privilege_t get_column_grant(THD *thd, GRANT_INFO *grant,
 GRANT_TABLE *grant_table_role;
 GRANT_COLUMN *grant_column;
 privilege_t priv(NO_ACL);
+ privilege_t deny_mask(NO_ACL);
 mysql_rwlock_rdlock(&LOCK_grant);
+
+ /* TODO(cvicentiu) save this alongside grant->version to speed lookup. */
+ DBUG_ASSERT(db_name);
+ deny_mask= acl_get_effective_deny_mask(thd->security_ctx,
+ {db_name, strlen(db_name)});
+
 /* reload table if someone has modified any grants */
 if (grant->version != grant_version)
 {
 Security_context *sctx= thd->security_ctx;
+
 grant->grant_table_user= table_hash_search(sctx->host, sctx->ip, db_name, sctx->priv_user,
@@ -10080,7 +10090,9 @@ privilege_t get_column_grant(THD *thd, GRANT_INFO *grant,
 }
 }
 mysql_rwlock_unlock(&LOCK_grant);
- return priv;
+ /* TODO(cvicentiu) This mask only covers global & database denies. Table and
+ column level denies need dedicated handling. */
+ return priv & ~deny_mask;
 } |
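Review bot: The `DBUG_ASSERT(db_name)` added before the `acl_get_effective_deny_mask` call in the second hunk compiles out in release builds, so a NULL `db_name` would still reach `strlen(db_name)` there, with `LOCK_grant` already held for reading. If every caller of `get_column_grant` guarantees a non-NULL `db_name`, the assert is adequate as documentation and a comment stating that invariant next to it would help (`/* db_name is never NULL here; callers always pass the table's database */`, provided that is in fact the case); otherwise a fail-closed guard placed before the `mysql_rwlock_rdlock` call, `if (!db_name) return privilege_t(NO_ACL);`, avoids both the undefined behaviour and the need to unlock on an early-return path. Masking with `~deny_mask` at the return is the right fail-closed shape for the global and database denies this commit covers, and the TODO there already records that table- and column-level denies are not yet applied. The body of `get_column_grant` between the second and third hunks is outside this diff, so whether `priv` is consumed anywhere before the final return cannot be checked here.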