diff options
Diffstat (limited to 'sql')
-rw-r--r-- | sql/sql_acl.cc | 195 | ||||
-rw-r--r-- | sql/sql_acl.h | 2 | ||||
-rw-r--r-- | sql/sql_parse.cc | 4 | ||||
-rw-r--r-- | sql/sql_yacc.yy | 4 |
4 files changed, 185 insertions, 20 deletions
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 42f03ed8b84..fdc6516ec9a 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -2741,6 +2741,62 @@ int add_role_user_mapping(ROLE_GRANT_PAIR *mapping) return result; } +int remove_role_user_mapping(ROLE_GRANT_PAIR *mapping) +{ + ACL_USER_BASE *user= find_user_no_anon((mapping->u_hname) ? mapping->u_hname: "", + (mapping->u_uname) ? mapping->u_uname: "", + TRUE); + ACL_ROLE *role= find_acl_role(mapping->r_uname ? mapping->r_uname: ""); + + + int result= 0; + uint idx_user, idx_role; + bool deleted_role= FALSE, deleted_user= FALSE; + + if (user == NULL || role == NULL) + { + /* There still exists the possibility that the user is actually a role */ + if (user == NULL && role && (!mapping->u_hname || !mapping->u_hname[0]) + && /* in this case the grantee is a role */ + ((user= find_acl_role(mapping->u_uname ? mapping->u_uname: "")))) + { + result= 1; + } + else + { + DBUG_PRINT("warning", ("Invalid remove_role_user_mapping '%s'@'%s' %s %p %p", + mapping->u_uname, mapping->u_hname, + mapping->r_uname, user, role)); + + return -1; + } + } + + /* scan both arrays to find and delete both links */ + for (idx_user=0; idx_user < user->role_grants.elements; idx_user++) + { + if (role == *dynamic_element(&user->role_grants, idx_user, ACL_ROLE**)) + { + delete_dynamic_element(&user->role_grants, idx_user); + deleted_user= TRUE; + } + } + + for (idx_role=0; idx_role < role->parent_grantee.elements; idx_role++) + { + if (user == *dynamic_element(&role->parent_grantee, idx_role, + ACL_USER_BASE**)) + { + delete_dynamic_element(&role->parent_grantee, idx_role); + deleted_role= TRUE; + } + } + + /* we should always get to delete from both arrays */ + DBUG_ASSERT(deleted_role && deleted_user); + return result; +} + /* Rebuild the role grants every time the acl_users is modified @@ -3695,6 +3751,60 @@ abort: DBUG_RETURN(-1); } +static int +replace_roles_mapping_table(TABLE *table, ROLE_GRANT_PAIR *pair, + bool revoke_grant) +{ + DBUG_ENTER("replace_roles_mapping_table"); + + uchar row_key[MAX_KEY_LENGTH]; + int error; + table->use_all_columns(); + table->field[0]->store(pair->u_hname, strlen(pair->u_hname), + system_charset_info); + table->field[1]->store(pair->u_uname, strlen(pair->u_uname), + system_charset_info); + table->field[2]->store(pair->r_uname, strlen(pair->r_uname), + system_charset_info); + key_copy(row_key, table->record[0], table->key_info, + table->key_info->key_length); + + if (table->file->ha_index_read_idx_map(table->record[0], 0, row_key, + HA_WHOLE_KEY, HA_READ_KEY_EXACT)) + { + /* No match */ + if (revoke_grant) + { + DBUG_RETURN(1); + } + } + if (revoke_grant) + { + if ((error= table->file->ha_delete_row(table->record[0]))) + { + DBUG_PRINT("info", ("error deleting row '%s' '%s' '%s'", + pair->u_hname, pair->u_uname, pair->r_uname)); + goto table_error; + } + } + else + { + if ((error= table->file->ha_write_row(table->record[0]))) + { + DBUG_PRINT("info", ("error inserting row '%s' '%s' '%s'", + pair->u_hname, pair->u_uname, pair->r_uname)); + goto table_error; + } + } + + /* all ok */ + DBUG_RETURN(0); + +table_error: + DBUG_PRINT("info", ("table error")); + table->file->print_error(error, MYF(0)); + DBUG_RETURN(1); +} static void acl_update_proxy_user(ACL_PROXY_USER *new_value, bool is_revoke) @@ -5183,7 +5293,7 @@ static void append_user(String *str, const char *u, const char *h, } -bool mysql_grant_role(THD *thd, List <LEX_USER> &list) +bool mysql_grant_role(THD *thd, List <LEX_USER> &list, bool revoke) { DBUG_ENTER("mysql_grant_role"); /* @@ -5215,16 +5325,29 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list) rolename= granted_role->user.str; } + TABLE_LIST tables; + tables.init_one_table(C_STRING_WITH_LEN("mysql"), + C_STRING_WITH_LEN("roles_mapping"), + "roles_mapping", TL_WRITE); + mysql_rwlock_wrlock(&LOCK_grant); mysql_mutex_lock(&acl_cache->lock); if (!(role= find_acl_role(rolename))) { - my_error(ER_INVALID_ROLE, MYF(0), rolename); mysql_mutex_unlock(&acl_cache->lock); mysql_rwlock_unlock(&LOCK_grant); + my_error(ER_INVALID_ROLE, MYF(0), rolename); DBUG_RETURN(TRUE); } + if (open_and_lock_tables(thd, &tables, FALSE, MYSQL_LOCK_IGNORE_TIMEOUT)) + { // Should never happen + mysql_mutex_unlock(&acl_cache->lock); + mysql_rwlock_unlock(&LOCK_grant); + my_error(ER_NO_SUCH_TABLE, MYF(0), "mysql", "roles_mapping"); + DBUG_RETURN(TRUE); /* purecov: deadcode */ + } + while ((user= user_list++)) { role_as_user= NULL; @@ -5244,6 +5367,7 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list) result= 1; continue; } + /* can not grant current_role to current_role */ if (granted_role->user.str == current_role.str) { @@ -5264,31 +5388,69 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list) ROLE_GRANT_PAIR *mapping= (ROLE_GRANT_PAIR *) alloc_root(&mem, sizeof(ROLE_GRANT_PAIR)); - /* TODO write into roles_mapping table */ init_role_grant_pair(&mem, mapping, username, hostname, rolename); - int res= add_role_user_mapping(mapping); - if (res == -1) + + if (!revoke) { - append_user(&wrong_users, username, hostname, role_as_user != NULL); - result= 1; - continue; + int res= add_role_user_mapping(mapping); + /* role or user does not exist*/ + if (res == -1) + { + append_user(&wrong_users, username, hostname, role_as_user != NULL); + result= 1; + continue; + } + + /* + Check if this grant would cause a cycle. It only needs to be run + if we're granting a role to a role + */ + if (role_as_user && + traverse_role_graph(role, NULL, NULL, NULL, role_explore_detect_cycle, + NULL) == 2) + { + append_user(&wrong_users, username, hostname, TRUE); + result= 1; + /* need to rollback the mapping added previously */ + remove_role_user_mapping(mapping); + continue; + } + } + else + { + /* revoke a role grant */ + int res= remove_role_user_mapping(mapping); + if (res == -1) + { + append_user(&wrong_users, username, hostname, role_as_user != NULL); + result= 1; + continue; + } } - /* - Check if this grant would cause a cycle. It only needs to be run - if we're granting a role to a role - */ - if (role_as_user && - traverse_role_graph(role, NULL, NULL, NULL, role_explore_detect_cycle, - NULL) == 2) + /* write into the roles_mapping table */ + if (replace_roles_mapping_table(tables.table, mapping, revoke)) { append_user(&wrong_users, username, hostname, TRUE); result= 1; + if (!revoke) + { + /* need to rollback the mapping added previously */ + remove_role_user_mapping(mapping); + } + else + { + /* need to rollback the mapping deleted previously */ + add_role_user_mapping(mapping); + } continue; } - /* only need to propagate grants when granting a role to a role */ + /* + Only need to propagate grants when granting/revoking a role to/from + a role + */ if (role_as_user) { acl_update_role_entry(role_as_user, role_as_user->initial_role_access); @@ -5302,7 +5464,6 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list) rolename, wrong_users.c_ptr_safe()); - DBUG_RETURN(result); } diff --git a/sql/sql_acl.h b/sql/sql_acl.h index 506a1fe4d40..91add84a066 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h @@ -204,7 +204,7 @@ int check_change_password(THD *thd, const char *host, const char *user, bool change_password(THD *thd, const char *host, const char *user, char *password); -bool mysql_grant_role(THD *thd, List<LEX_USER> &user_list); +bool mysql_grant_role(THD *thd, List<LEX_USER> &user_list, bool revoke); bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &user_list, ulong rights, bool revoke, bool is_proxy); int mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list, diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc index 24b4fd0fc27..7aecdff761a 100644 --- a/sql/sql_parse.cc +++ b/sql/sql_parse.cc @@ -3894,7 +3894,9 @@ end_with_restore_list: if (thd->security_ctx->user) // If not replication { - if (!(res= mysql_grant_role(thd, lex->users_list))) + if (!(res= mysql_grant_role(thd, lex->users_list, + lex->sql_command == SQLCOM_GRANT_ROLE ? 0 : 1 + ))) my_ok(thd); } else diff --git a/sql/sql_yacc.yy b/sql/sql_yacc.yy index cd176ded1c0..756a6bf5ca4 100644 --- a/sql/sql_yacc.yy +++ b/sql/sql_yacc.yy @@ -14251,7 +14251,9 @@ revoke_command: { LEX *lex= Lex; lex->sql_command= SQLCOM_REVOKE_ROLE; - lex->type= 0; + /* The first role is the one that is revoked */ + if (Lex->users_list.push_front($1)) + MYSQL_YYABORT; } ; |