diff options
Diffstat (limited to 'sql/sql_acl.h')
| -rw-r--r-- | sql/sql_acl.h | 159 |
1 files changed, 154 insertions, 5 deletions
diff --git a/sql/sql_acl.h b/sql/sql_acl.h index 5078c80cedf..2a62b605678 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h @@ -1,4 +1,7 @@ -/* Copyright (C) 2000-2006 MySQL AB +#ifndef SQL_ACL_INCLUDED +#define SQL_ACL_INCLUDED + +/* Copyright (C) 2000-2006 MySQL AB, 2008-2009 Sun Microsystems, Inc This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -13,7 +16,9 @@ along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ -#include "slave.h" // for tables_ok(), rpl_filter +#include "my_global.h" /* NO_EMBEDDED_ACCESS_CHECKS */ +#include "violite.h" /* SSL_type */ +#include "sql_class.h" /* LEX_COLUMN */ #define SELECT_ACL (1L << 0) #define INSERT_ACL (1L << 1) @@ -43,6 +48,7 @@ #define CREATE_USER_ACL (1L << 25) #define EVENT_ACL (1L << 26) #define TRIGGER_ACL (1L << 27) +#define CREATE_TABLESPACE_ACL (1L << 28) /* don't forget to update 1. static struct show_privileges_st sys_privileges[] @@ -51,7 +57,6 @@ 4. acl_init() or whatever - to define behaviour for old privilege tables 5. sql_yacc.yy - for GRANT/REVOKE to work */ -#define EXTRA_ACL (1L << 29) #define NO_ACCESS (1L << 30) #define DB_ACLS \ (UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \ @@ -79,11 +84,17 @@ REFERENCES_ACL | INDEX_ACL | ALTER_ACL | SHOW_DB_ACL | SUPER_ACL | \ CREATE_TMP_ACL | LOCK_TABLES_ACL | REPL_SLAVE_ACL | REPL_CLIENT_ACL | \ EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \ - ALTER_PROC_ACL | CREATE_USER_ACL | EVENT_ACL | TRIGGER_ACL) + ALTER_PROC_ACL | CREATE_USER_ACL | EVENT_ACL | TRIGGER_ACL | \ + CREATE_TABLESPACE_ACL) #define DEFAULT_CREATE_PROC_ACLS \ (ALTER_PROC_ACL | EXECUTE_ACL) +#define SHOW_CREATE_TABLE_ACLS \ +(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | \ + CREATE_ACL | DROP_ACL | ALTER_ACL | INDEX_ACL | \ + TRIGGER_ACL | REFERENCES_ACL | GRANT_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL) + /* Defines to change the above bits to how things are stored in tables This is needed as the 'host' and 'db' table is missing a few privileges @@ -160,6 +171,7 @@ enum mysql_db_table_field }; extern const TABLE_FIELD_DEF mysql_db_table_def; +extern bool mysql_user_table_is_in_short_password_format; /* prototypes */ @@ -189,7 +201,7 @@ my_bool grant_init(); void grant_free(void); my_bool grant_reload(THD *thd); bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables, - uint show_command, uint number, bool dont_print_error); + bool any_combination_will_do, uint number, bool no_errors); bool check_grant_column (THD *thd, GRANT_INFO *grant, const char *db_name, const char *table_name, const char *name, uint length, Security_context *sctx); @@ -220,7 +232,144 @@ bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name, bool check_routine_level_acl(THD *thd, const char *db, const char *name, bool is_proc); bool is_acl_user(const char *host, const char *user); +int fill_schema_user_privileges(THD *thd, TABLE_LIST *tables, COND *cond); +int fill_schema_schema_privileges(THD *thd, TABLE_LIST *tables, COND *cond); +int fill_schema_table_privileges(THD *thd, TABLE_LIST *tables, COND *cond); +int fill_schema_column_privileges(THD *thd, TABLE_LIST *tables, COND *cond); +int wild_case_compare(CHARSET_INFO *cs, const char *str,const char *wildstr); + #ifdef NO_EMBEDDED_ACCESS_CHECKS #define check_grant(A,B,C,D,E,F) 0 #define check_grant_db(A,B) 0 #endif + +/** + Result of an access check for an internal schema or table. + Internal ACL checks are always performed *before* using + the grant tables. + This mechanism enforces that the server implementation has full + control on its internal tables. + Depending on the internal check result, the server implementation + can choose to: + - always allow access, + - always deny access, + - delegate the decision to the database administrator, + by using the grant tables. +*/ +enum ACL_internal_access_result +{ + /** + Access granted for all the requested privileges, + do not use the grant tables. + This flag is used only for the INFORMATION_SCHEMA privileges, + for compatibility reasons. + */ + ACL_INTERNAL_ACCESS_GRANTED, + /** Access denied, do not use the grant tables. */ + ACL_INTERNAL_ACCESS_DENIED, + /** No decision yet, use the grant tables. */ + ACL_INTERNAL_ACCESS_CHECK_GRANT +}; + +/** + Per internal table ACL access rules. + This class is an interface. + Per table(s) specific access rule should be implemented in a subclass. + @sa ACL_internal_schema_access +*/ +class ACL_internal_table_access +{ +public: + ACL_internal_table_access() + {} + + virtual ~ACL_internal_table_access() + {} + + /** + Check access to an internal table. + When a privilege is granted, this method add the requested privilege + to save_priv. + @param want_access the privileges requested + @param [in, out] save_priv the privileges granted + @return + @retval ACL_INTERNAL_ACCESS_GRANTED All the requested privileges + are granted, and saved in save_priv. + @retval ACL_INTERNAL_ACCESS_DENIED At least one of the requested + privileges was denied. + @retval ACL_INTERNAL_ACCESS_CHECK_GRANT No requested privilege + was denied, and grant should be checked for at least one + privilege. Requested privileges that are granted, if any, are saved + in save_priv. + */ + virtual ACL_internal_access_result check(ulong want_access, + ulong *save_priv) const= 0; +}; + +/** + Per internal schema ACL access rules. + This class is an interface. + Each per schema specific access rule should be implemented + in a different subclass, and registered. + Per schema access rules can control: + - every schema privileges on schema.* + - every table privileges on schema.table + @sa ACL_internal_schema_registry +*/ +class ACL_internal_schema_access +{ +public: + ACL_internal_schema_access() + {} + + virtual ~ACL_internal_schema_access() + {} + + /** + Check access to an internal schema. + @param want_access the privileges requested + @param [in, out] save_priv the privileges granted + @return + @retval ACL_INTERNAL_ACCESS_GRANTED All the requested privileges + are granted, and saved in save_priv. + @retval ACL_INTERNAL_ACCESS_DENIED At least one of the requested + privileges was denied. + @retval ACL_INTERNAL_ACCESS_CHECK_GRANT No requested privilege + was denied, and grant should be checked for at least one + privilege. Requested privileges that are granted, if any, are saved + in save_priv. + */ + virtual ACL_internal_access_result check(ulong want_access, + ulong *save_priv) const= 0; + + /** + Search for per table ACL access rules by table name. + @param name the table name + @return per table access rules, or NULL + */ + virtual const ACL_internal_table_access *lookup(const char *name) const= 0; +}; + +/** + A registry for per internal schema ACL. + An 'internal schema' is a database schema maintained by the + server implementation, such as 'performance_schema' and 'INFORMATION_SCHEMA'. +*/ +class ACL_internal_schema_registry +{ +public: + static void register_schema(const LEX_STRING *name, + const ACL_internal_schema_access *access); + static const ACL_internal_schema_access *lookup(const char *name); +}; + +const ACL_internal_schema_access * +get_cached_schema_access(GRANT_INTERNAL_INFO *grant_internal_info, + const char *schema_name); + +const ACL_internal_table_access * +get_cached_table_access(GRANT_INTERNAL_INFO *grant_internal_info, + const char *schema_name, + const char *table_name); + +#endif /* SQL_ACL_INCLUDED */ |