diff options
author | Vicențiu Ciorbaru <cvicentiu@gmail.com> | 2022-06-10 16:43:09 +0300 |
---|---|---|
committer | Vicențiu Ciorbaru <cvicentiu@gmail.com> | 2022-06-12 17:26:28 +0300 |
commit | a3df71dc602ef13156c6a67be43348b78f4352ca (patch) | |
tree | b1eba34499695a0ccf40cb1120491f54cc040928 | |
parent | 90ea711141b5ddd112b4c73ef4afdca9a9425e95 (diff) | |
download | mariadb-git-a3df71dc602ef13156c6a67be43348b78f4352ca.tar.gz |
WIP Denies with stored procedures working
-rw-r--r-- | sql/sql_acl.cc | 34 |
1 files changed, 30 insertions, 4 deletions
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 1b9e551ddba..5de7d5a29f5 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -10461,7 +10461,9 @@ static bool check_grant_routine(THD *thd, privilege_t want_access, char *role= sctx->priv_role; DBUG_ENTER("check_grant_routine"); - want_access&= ~sctx->master_access; + /* This shortcut only works if there are denies only on the global level. */ + if (!(sctx->denies_active & ~GLOBAL_PRIV)) + want_access&= ~sctx->master_access; if (!want_access) DBUG_RETURN(0); // ok @@ -10539,12 +10541,18 @@ bool check_routine_level_acl(THD *thd, bool no_routine_acl= 1; GRANT_NAME *grant_proc; Security_context *sctx= thd->security_ctx; + + privilege_t deny_mask= + acl_get_effective_deny_mask_impl(thd->security_context(), + db, name, + get_corresponding_object_type(sph)); + mysql_rwlock_rdlock(&LOCK_grant); if ((grant_proc= routine_hash_search(sctx->priv_host, sctx->ip, db.str, sctx->priv_user, name.str, sph, 0))) - no_routine_acl= !(grant_proc->privs & SHOW_PROC_ACLS); + no_routine_acl= !((grant_proc->privs & SHOW_PROC_ACLS) & ~deny_mask); if (no_routine_acl && sctx->priv_role[0]) /* current set role check */ { @@ -10552,7 +10560,7 @@ bool check_routine_level_acl(THD *thd, NULL, db.str, sctx->priv_role, name.str, sph, 0))) - no_routine_acl= !(grant_proc->privs & SHOW_PROC_ACLS); + no_routine_acl= !((grant_proc->privs & SHOW_PROC_ACLS) & ~deny_mask); } mysql_rwlock_unlock(&LOCK_grant); return no_routine_acl; @@ -14003,7 +14011,11 @@ static bool maria_deny(THD *thd, const User_table &user_table, bool result= false; DBUG_ENTER("maria_deny"); - /* Only allow DB level denies. */ + /* + TODO(cvicentiu) make this privilege checking uniform across + GRANT/REVOKE commands. - One place for all. + */ + /* Only allow db level denies for database denies. */ if (priv_spec.spec_type == DATABASE_PRIV && (priv_spec.access & DB_ACLS) != priv_spec.access) { @@ -14011,6 +14023,20 @@ static bool maria_deny(THD *thd, const User_table &user_table, DBUG_RETURN(true); } + /* Only allow table level denies for table denies. */ + if (priv_spec.spec_type == TABLE_PRIV && + (priv_spec.access & TABLE_ACLS) != priv_spec.access) + { + my_message(ER_ILLEGAL_GRANT_FOR_TABLE, + ER_THD(thd, ER_ILLEGAL_GRANT_FOR_TABLE), + MYF(0)); + DBUG_RETURN(true); + } + /* + TODO(cvicentiu) column-level checks, routine level checks, etc. + Write tests for these too. + */ + /* go through users in user_list */ for (LEX_USER *user= it++; user != NULL; user= it++) { |