summaryrefslogtreecommitdiff
path: root/sql/sql_acl.cc
diff options
context:
space:
mode:
Diffstat (limited to 'sql/sql_acl.cc')
-rw-r--r--sql/sql_acl.cc76
1 files changed, 36 insertions, 40 deletions
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index f323c7871c9..d168529df37 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -1,5 +1,5 @@
-/* Copyright (c) 2000, 2013, Oracle and/or its affiliates.
- Copyright (c) 2009, 2014, SkySQL Ab.
+/* Copyright (c) 2000, 2016, Oracle and/or its affiliates.
+ Copyright (c) 2009, 2016, MariaDB
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -745,9 +745,8 @@ static ACL_USER *find_user_wild(const char *host, const char *user, const char *
static ACL_ROLE *find_acl_role(const char *user);
static ROLE_GRANT_PAIR *find_role_grant_pair(const LEX_STRING *u, const LEX_STRING *h, const LEX_STRING *r);
static ACL_USER_BASE *find_acl_user_base(const char *user, const char *host);
-static bool update_user_table(THD *thd, TABLE *table, const char *host,
- const char *user, const char *new_password,
- uint new_password_len);
+static bool update_user_table(THD *, TABLE *, const char *, const char *, const
+ char *, uint);
static bool acl_load(THD *thd, TABLE_LIST *tables);
static bool grant_load(THD *thd, TABLE_LIST *tables);
static inline void get_grantor(THD *thd, char* grantor);
@@ -1206,7 +1205,6 @@ static bool acl_load(THD *thd, TABLE_LIST *tables)
grant_version++; /* Privileges updated */
init_sql_alloc(&acl_memroot, ACL_ALLOC_BLOCK_SIZE, 0, MYF(0));
- (void) my_init_dynamic_array(&acl_hosts,sizeof(ACL_HOST), 20, 50, MYF(0));
if ((table= tables[HOST_TABLE].table)) // "host" table may not exist (e.g. in MySQL 5.6.7+)
{
if (init_read_record(&read_record_info, thd, table, NULL, 1, 1, FALSE))
@@ -1263,12 +1261,11 @@ static bool acl_load(THD *thd, TABLE_LIST *tables)
}
freeze_size(&acl_hosts);
- (void) my_init_dynamic_array(&acl_users,sizeof(ACL_USER), 50, 100, MYF(0));
- (void) my_hash_init2(&acl_roles,50, &my_charset_utf8_bin,
- 0, 0, 0, (my_hash_get_key) acl_role_get_key, 0,
- (void (*)(void *))free_acl_role, 0);
+ if (init_read_record(&read_record_info, thd, table=tables[USER_TABLE].table,
+ NULL, 1, 1, FALSE))
+ goto end;
+ table->use_all_columns();
- table= tables[USER_TABLE].table,
username_char_length= MY_MIN(table->field[1]->char_length(),
USERNAME_CHAR_LENGTH);
password_length= table->field[2]->field_length /
@@ -1280,10 +1277,6 @@ static bool acl_load(THD *thd, TABLE_LIST *tables)
goto end;
}
- if (init_read_record(&read_record_info, thd, table, NULL, 1, 1, FALSE))
- goto end;
- table->use_all_columns();
-
DBUG_PRINT("info",("user table fields: %d, password length: %d",
table->s->fields, password_length));
@@ -1295,7 +1288,6 @@ static bool acl_load(THD *thd, TABLE_LIST *tables)
mysql_mutex_unlock(&LOCK_global_system_variables);
sql_print_error("Fatal error: mysql.user table is in old format, "
"but server started with --secure-auth option.");
- end_read_record(&read_record_info);
goto end;
}
mysql_user_table_is_in_short_password_format= true;
@@ -1531,7 +1523,6 @@ static bool acl_load(THD *thd, TABLE_LIST *tables)
NULL, 1, 1, FALSE))
goto end;
table->use_all_columns();
- (void) my_init_dynamic_array(&acl_dbs,sizeof(ACL_DB), 50, 100, MYF(0));
while (!(read_record_info.read_record(&read_record_info)))
{
ACL_DB db;
@@ -1593,8 +1584,6 @@ static bool acl_load(THD *thd, TABLE_LIST *tables)
end_read_record(&read_record_info);
freeze_size(&acl_dbs);
- (void) my_init_dynamic_array(&acl_proxy_users, sizeof(ACL_PROXY_USER),
- 50, 100, MYF(0));
if ((table= tables[PROXIES_PRIV_TABLE].table))
{
if (init_read_record(&read_record_info, thd, table,
@@ -1630,10 +1619,7 @@ static bool acl_load(THD *thd, TABLE_LIST *tables)
if (init_read_record(&read_record_info, thd, table, NULL, 1, 1, FALSE))
goto end;
table->use_all_columns();
- /* account for every role mapping */
- (void) my_hash_init2(&acl_roles_mappings, 50, system_charset_info, 0, 0, 0,
- (my_hash_get_key) acl_role_map_get_key, 0, 0, 0);
MEM_ROOT temp_root;
init_alloc_root(&temp_root, ACL_ALLOC_BLOCK_SIZE, 0, MYF(0));
while (!(read_record_info.read_record(&read_record_info)))
@@ -1672,6 +1658,7 @@ static bool acl_load(THD *thd, TABLE_LIST *tables)
return_val= FALSE;
end:
+ end_read_record(&read_record_info);
thd->variables.sql_mode= old_sql_mode;
DBUG_RETURN(return_val);
}
@@ -1688,12 +1675,12 @@ void acl_free(bool end)
delete_dynamic(&acl_proxy_users);
my_hash_free(&acl_check_hosts);
my_hash_free(&acl_roles_mappings);
- plugin_unlock(0, native_password_plugin);
- plugin_unlock(0, old_password_plugin);
if (!end)
acl_cache->clear(1); /* purecov: inspected */
else
{
+ plugin_unlock(0, native_password_plugin);
+ plugin_unlock(0, old_password_plugin);
delete acl_cache;
acl_cache=0;
}
@@ -1755,6 +1742,15 @@ bool acl_reload(THD *thd)
old_acl_roles_mappings= acl_roles_mappings;
old_acl_proxy_users= acl_proxy_users;
old_acl_dbs= acl_dbs;
+ my_init_dynamic_array(&acl_hosts, sizeof(ACL_HOST), 20, 50, MYF(0));
+ my_init_dynamic_array(&acl_users, sizeof(ACL_USER), 50, 100, MYF(0));
+ my_init_dynamic_array(&acl_dbs, sizeof(ACL_DB), 50, 100, MYF(0));
+ my_init_dynamic_array(&acl_proxy_users, sizeof(ACL_PROXY_USER), 50, 100, MYF(0));
+ my_hash_init2(&acl_roles,50, &my_charset_utf8_bin,
+ 0, 0, 0, (my_hash_get_key) acl_role_get_key, 0,
+ (void (*)(void *))free_acl_role, 0);
+ my_hash_init2(&acl_roles_mappings, 50, system_charset_info, 0, 0, 0,
+ (my_hash_get_key) acl_role_map_get_key, 0, 0, 0);
old_mem= acl_memroot;
delete_dynamic(&acl_wild_hosts);
my_hash_free(&acl_check_hosts);
@@ -7647,7 +7643,8 @@ ulong get_column_grant(THD *thd, GRANT_INFO *grant,
if (!grant_column)
priv|= (grant->privilege | grant_table_role->privs);
else
- priv|= (grant->privilege | grant_table->privs | grant_column->rights);
+ priv|= (grant->privilege | grant_table_role->privs |
+ grant_column->rights);
}
}
mysql_rwlock_unlock(&LOCK_grant);
@@ -7777,9 +7774,6 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user)
DBUG_RETURN(TRUE);
}
- mysql_rwlock_rdlock(&LOCK_grant);
- mysql_mutex_lock(&acl_cache->lock);
-
if (lex_user->user.str == current_user.str)
{
username= thd->security_ctx->priv_user;
@@ -7797,23 +7791,28 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user)
}
else
{
- lex_user= get_current_user(thd, lex_user, false);
+ Security_context *sctx= thd->security_ctx;
+ bool do_check_access;
+
+ lex_user= get_current_user(thd, lex_user);
if (!lex_user)
- {
- mysql_mutex_unlock(&acl_cache->lock);
- mysql_rwlock_unlock(&LOCK_grant);
DBUG_RETURN(TRUE);
- }
if (lex_user->is_role())
{
rolename= lex_user->user.str;
+ do_check_access= strcmp(rolename, sctx->priv_role);
}
else
{
username= lex_user->user.str;
hostname= lex_user->host.str;
+ do_check_access= strcmp(username, sctx->priv_user) ||
+ strcmp(hostname, sctx->priv_host);
}
+
+ if (do_check_access && check_access(thd, SELECT_ACL, "mysql", 0, 0, 1, 0))
+ DBUG_RETURN(TRUE);
}
DBUG_ASSERT(rolename || username);
@@ -7826,14 +7825,11 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user)
mysql_show_grants_get_fields(thd, &field_list, buff);
if (protocol->send_result_set_metadata(&field_list,
- Protocol::SEND_NUM_ROWS |
- Protocol::SEND_EOF))
- {
- mysql_mutex_unlock(&acl_cache->lock);
- mysql_rwlock_unlock(&LOCK_grant);
-
+ Protocol::SEND_NUM_ROWS | Protocol::SEND_EOF))
DBUG_RETURN(TRUE);
- }
+
+ mysql_rwlock_rdlock(&LOCK_grant);
+ mysql_mutex_lock(&acl_cache->lock);
if (username)
{
View Lorry Controller Status