sql_acl.h 8.92 KB
Newer Older
unknown's avatar
unknown committed
1
/* Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB
unknown's avatar
unknown committed
2

unknown's avatar
unknown committed
3 4 5 6
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.
unknown's avatar
unknown committed
7

unknown's avatar
unknown committed
8 9 10 11
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
unknown's avatar
unknown committed
12

unknown's avatar
unknown committed
13 14 15 16
   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA */

17 18
#include "slave.h" // for tables_ok(), rpl_filter

unknown's avatar
unknown committed
19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39
#define SELECT_ACL	(1L << 0)
#define INSERT_ACL	(1L << 1)
#define UPDATE_ACL	(1L << 2)
#define DELETE_ACL	(1L << 3)
#define CREATE_ACL	(1L << 4)
#define DROP_ACL	(1L << 5)
#define RELOAD_ACL	(1L << 6)
#define SHUTDOWN_ACL	(1L << 7)
#define PROCESS_ACL	(1L << 8)
#define FILE_ACL	(1L << 9)
#define GRANT_ACL	(1L << 10)
#define REFERENCES_ACL	(1L << 11)
#define INDEX_ACL	(1L << 12)
#define ALTER_ACL	(1L << 13)
#define SHOW_DB_ACL	(1L << 14)
#define SUPER_ACL	(1L << 15)
#define CREATE_TMP_ACL	(1L << 16)
#define LOCK_TABLES_ACL	(1L << 17)
#define EXECUTE_ACL	(1L << 18)
#define REPL_SLAVE_ACL	(1L << 19)
#define REPL_CLIENT_ACL	(1L << 20)
unknown's avatar
VIEW  
unknown committed
40 41
#define CREATE_VIEW_ACL	(1L << 21)
#define SHOW_VIEW_ACL	(1L << 22)
42 43
#define CREATE_PROC_ACL	(1L << 23)
#define ALTER_PROC_ACL  (1L << 24)
44
#define CREATE_USER_ACL (1L << 25)
unknown's avatar
unknown committed
45 46
/*
  don't forget to update
47 48 49 50 51
  1. static struct show_privileges_st sys_privileges[]
  2. static const char *command_array[] and static uint command_lengths[]
  3. mysql_create_system_tables.sh, mysql_fix_privilege_tables.sql
  4. acl_init() or whatever - to define behaviour for old privilege tables
  5. sql_yacc.yy - for GRANT/REVOKE to work
unknown's avatar
unknown committed
52
*/
53 54
#define EXTRA_ACL	(1L << 29)
#define NO_ACCESS	(1L << 30)
unknown's avatar
unknown committed
55 56
#define DB_ACLS \
(UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
unknown's avatar
VIEW  
unknown committed
57
 GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_TMP_ACL | \
58 59
 LOCK_TABLES_ACL | EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
 CREATE_PROC_ACL | ALTER_PROC_ACL)
unknown's avatar
unknown committed
60 61 62

#define TABLE_ACLS \
(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
unknown's avatar
VIEW  
unknown committed
63 64
 GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_VIEW_ACL | \
 SHOW_VIEW_ACL)
unknown's avatar
unknown committed
65 66 67 68

#define COL_ACLS \
(SELECT_ACL | INSERT_ACL | UPDATE_ACL | REFERENCES_ACL)

69 70 71
#define PROC_ACLS \
(ALTER_PROC_ACL | EXECUTE_ACL | GRANT_ACL)

72 73 74
#define SHOW_PROC_ACLS \
(ALTER_PROC_ACL | EXECUTE_ACL | CREATE_PROC_ACL)

unknown's avatar
unknown committed
75 76 77 78 79
#define GLOBAL_ACLS \
(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
 RELOAD_ACL | SHUTDOWN_ACL | PROCESS_ACL | FILE_ACL | GRANT_ACL | \
 REFERENCES_ACL | INDEX_ACL | ALTER_ACL | SHOW_DB_ACL | SUPER_ACL | \
 CREATE_TMP_ACL | LOCK_TABLES_ACL | REPL_SLAVE_ACL | REPL_CLIENT_ACL | \
80
 EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \
81
 ALTER_PROC_ACL | CREATE_USER_ACL)
unknown's avatar
unknown committed
82

83 84 85
#define DEFAULT_CREATE_PROC_ACLS \
(ALTER_PROC_ACL | EXECUTE_ACL)

86 87 88 89 90 91
/*
  Defines to change the above bits to how things are stored in tables
  This is needed as the 'host' and 'db' table is missing a few privileges
*/

/* Privileges that needs to be reallocated (in continous chunks) */
92 93
#define DB_CHUNK0 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | \
                   CREATE_ACL | DROP_ACL)
94 95
#define DB_CHUNK1 (GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL)
#define DB_CHUNK2 (CREATE_TMP_ACL | LOCK_TABLES_ACL)
96 97 98
#define DB_CHUNK3 (CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
		   CREATE_PROC_ACL | ALTER_PROC_ACL )
#define DB_CHUNK4 (EXECUTE_ACL)
unknown's avatar
VIEW  
unknown committed
99

100 101 102 103 104 105
#define fix_rights_for_db(A)  (((A)       & DB_CHUNK0) | \
			      (((A) << 4) & DB_CHUNK1) | \
			      (((A) << 6) & DB_CHUNK2) | \
			      (((A) << 9) & DB_CHUNK3) | \
			      (((A) << 2) & DB_CHUNK4))
#define get_rights_for_db(A)  (((A) & DB_CHUNK0)       | \
unknown's avatar
VIEW  
unknown committed
106 107
			      (((A) & DB_CHUNK1) >> 4) | \
			      (((A) & DB_CHUNK2) >> 6) | \
108 109
			      (((A) & DB_CHUNK3) >> 9) | \
			      (((A) & DB_CHUNK4) >> 2))
110 111 112 113 114 115 116 117 118
#define TBL_CHUNK0 DB_CHUNK0
#define TBL_CHUNK1 DB_CHUNK1
#define TBL_CHUNK2 (CREATE_VIEW_ACL | SHOW_VIEW_ACL)
#define fix_rights_for_table(A) (((A)        & TBL_CHUNK0) | \
                                (((A) <<  4) & TBL_CHUNK1) | \
                                (((A) << 11) & TBL_CHUNK2))
#define get_rights_for_table(A) (((A) & TBL_CHUNK0)        | \
                                (((A) & TBL_CHUNK1) >>  4) | \
                                (((A) & TBL_CHUNK2) >> 11))
119 120
#define fix_rights_for_column(A) (((A) & 7) | (((A) & ~7) << 8))
#define get_rights_for_column(A) (((A) & 7) | ((A) >> 8))
121 122 123 124 125 126
#define fix_rights_for_procedure(A) ((((A) << 18) & EXECUTE_ACL) | \
				     (((A) << 23) & ALTER_PROC_ACL) | \
				     (((A) << 8) & GRANT_ACL))
#define get_rights_for_procedure(A) ((((A) & EXECUTE_ACL) >> 18) |  \
				     (((A) & ALTER_PROC_ACL) >> 23) | \
				     (((A) & GRANT_ACL) >> 8))
unknown's avatar
unknown committed
127

unknown's avatar
unknown committed
128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159
/* Classes */

struct acl_host_and_ip
{
  char *hostname;
  long ip,ip_mask;                      // Used with masked ip:s
};


class ACL_ACCESS {
public:
  ulong sort;
  ulong access;
};


/* ACL_HOST is used if no host is specified */

class ACL_HOST :public ACL_ACCESS
{
public:
  acl_host_and_ip host;
  char *db;
};


class ACL_USER :public ACL_ACCESS
{
public:
  acl_host_and_ip host;
  uint hostname_length;
  USER_RESOURCES user_resource;
160 161 162
  char *user;
  uint8 salt[SCRAMBLE_LENGTH+1];       // scrambled password in binary form
  uint8 salt_len;        // 0 - no password, 4 - 3.20, 8 - 3.23, 20 - 4.1.1 
unknown's avatar
unknown committed
163 164 165 166 167 168 169 170 171 172 173 174
  enum SSL_type ssl_type;
  const char *ssl_cipher, *x509_issuer, *x509_subject;
};


class ACL_DB :public ACL_ACCESS
{
public:
  acl_host_and_ip host;
  char *user,*db;
};

unknown's avatar
unknown committed
175 176
/* prototypes */

unknown's avatar
SCRUM  
unknown committed
177
bool hostname_requires_resolving(const char *hostname);
178 179
my_bool  acl_init(bool dont_read_acl_tables);
my_bool acl_reload(THD *thd);
unknown's avatar
unknown committed
180
void acl_free(bool end=0);
181
ulong acl_get(const char *host, const char *ip,
182
	      const char *user, const char *db, my_bool db_is_pattern);
183 184
int acl_getroot(THD *thd, USER_RESOURCES *mqh, const char *passwd,
                uint passwd_len);
185
int acl_getroot_no_password(THD *thd);
unknown's avatar
unknown committed
186
bool acl_check_host(const char *host, const char *ip);
187
bool check_change_password(THD *thd, const char *host, const char *user,
188
                           char *password, uint password_len);
unknown's avatar
unknown committed
189 190
bool change_password(THD *thd, const char *host, const char *user,
		     char *password);
unknown's avatar
unknown committed
191 192 193 194 195
bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &user_list,
                 ulong rights, bool revoke);
bool mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list,
                       List <LEX_COLUMN> &column_list, ulong rights,
                       bool revoke);
196 197 198
bool mysql_routine_grant(THD *thd, TABLE_LIST *table, bool is_proc,
			 List <LEX_USER> &user_list, ulong rights,
			 bool revoke, bool no_error);
199
ACL_USER *check_acl_user(LEX_USER *user_name, uint *acl_acl_userdx);
200
my_bool grant_init();
unknown's avatar
unknown committed
201
void grant_free(void);
202
my_bool grant_reload(THD *thd);
unknown's avatar
unknown committed
203
bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables,
unknown's avatar
unknown committed
204
		 uint show_command, uint number, bool dont_print_error);
unknown's avatar
VIEW  
unknown committed
205
bool check_grant_column (THD *thd, GRANT_INFO *grant,
206
			 const char *db_name, const char *table_name,
unknown's avatar
VIEW  
unknown committed
207 208
			 const char *name, uint length, uint show_command=0);
bool check_grant_all_columns(THD *thd, ulong want_access, GRANT_INFO *grant,
209
                             const char* db_name, const char *table_name,
unknown's avatar
VIEW  
unknown committed
210
                             Field_iterator *fields);
211 212
bool check_grant_routine(THD *thd, ulong want_access,
			 TABLE_LIST *procs, bool is_proc, bool no_error);
unknown's avatar
unknown committed
213
bool check_grant_db(THD *thd,const char *db);
unknown's avatar
unknown committed
214
ulong get_table_grant(THD *thd, TABLE_LIST *table);
unknown's avatar
VIEW  
unknown committed
215 216 217
ulong get_column_grant(THD *thd, GRANT_INFO *grant,
                       const char *db_name, const char *table_name,
                       const char *field_name);
unknown's avatar
unknown committed
218
bool mysql_show_grants(THD *thd, LEX_USER *user);
unknown's avatar
unknown committed
219
void get_privilege_desc(char *to, uint max_length, ulong access);
220
void get_mqh(const char *user, const char *host, USER_CONN *uc);
221
bool mysql_create_user(THD *thd, List <LEX_USER> &list);
unknown's avatar
unknown committed
222
bool mysql_drop_user(THD *thd, List <LEX_USER> &list);
223
bool mysql_rename_user(THD *thd, List <LEX_USER> &list);
unknown's avatar
unknown committed
224
bool mysql_revoke_all(THD *thd, List <LEX_USER> &list);
unknown's avatar
VIEW  
unknown committed
225 226
void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant,
                                     const char *db, const char *table);
227 228 229 230 231 232
bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name,
                          bool is_proc);
bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name,
                         bool is_proc);
bool check_routine_level_acl(THD *thd, const char *db, const char *name,
                             bool is_proc);
233
bool is_acl_user(const char *host, const char *user);
unknown's avatar
unknown committed
234
#ifdef NO_EMBEDDED_ACCESS_CHECKS
unknown's avatar
unknown committed
235
#define check_grant(A,B,C,D,E,F) 0
unknown's avatar
unknown committed
236 237
#define check_grant_db(A,B) 0
#endif