Commit 7ec24435 authored by Vicențiu Ciorbaru's avatar Vicențiu Ciorbaru Committed by Sergei Golubchik

Added acl_setrole function. The function enables/disables role privileges to

the current user via the current security_context
parent 6680bb14
......@@ -1672,6 +1672,67 @@ bool acl_getroot(Security_context *sctx, char *user, char *host,
DBUG_RETURN(res);
}
bool acl_setrole(THD *thd, char *rolename)
{
bool is_granted;
int result= 0;
/* clear role privileges */
mysql_mutex_lock(&acl_cache->lock);
ACL_USER *role= find_acl_role(rolename);
ACL_USER *acl_user;
if (!strcasecmp(rolename, "NONE")) {
/* have to clear the privileges */
/* get the current user */
acl_user= find_acl_user(thd->security_ctx->host, thd->security_ctx->user,
FALSE);
if (acl_user == NULL)
result= -1;
else
thd->security_ctx->master_access= acl_user->access;
goto end;
}
if (role == NULL) {
result= -1;
goto end;
}
for (uint i=0 ; i < role->role_grants.elements ; i++)
{
acl_user= *(dynamic_element(&role->role_grants, i, ACL_USER**));
if ((!acl_user->user.str && !thd->security_ctx->user[0]) ||
(acl_user->user.str && !strcmp(thd->security_ctx->user,
acl_user->user.str)))
{
if (compare_hostname(&acl_user->host, thd->security_ctx->host,
thd->security_ctx->host))
{
is_granted= TRUE;
break;
}
}
}
if (!is_granted)
{
result= 1;
goto end;
}
/* merge the privileges */
thd->security_ctx->master_access= acl_user->access | role->access;
/* mark the current role */
strcpy(thd->security_ctx->priv_role, rolename);
end:
mysql_mutex_unlock(&acl_cache->lock);
return result;
}
static uchar* check_get_key(ACL_USER *buff, size_t *length,
my_bool not_used __attribute__((unused)))
{
......
......@@ -382,4 +382,5 @@ get_cached_table_access(GRANT_INTERNAL_INFO *grant_internal_info,
bool acl_check_proxy_grant_access (THD *thd, const char *host, const char *user,
bool with_grant);
bool acl_setrole(THD *thd, char *rolename);
#endif /* SQL_ACL_INCLUDED */
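Review bot: The new `acl_setrole` prototype is undocumented, and its contract is not obvious from the signature: per the sql_acl.cc hunk it takes `acl_cache->lock`, rewrites `thd->security_ctx->master_access` and `priv_role`, treats `"NONE"` specially and returns non-zero on failure. Suggest a comment above the declaration: `/* Activate role 'rolename' ("NONE" = drop role privileges) for thd's security context. Takes acl_cache->lock. Returns 0 on success, non-zero if the role does not exist or is not granted to the current user. */`. `rolename` is only read, so `const char *rolename` would be the better declaration if `find_acl_role` accepts it.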
......@@ -3647,7 +3647,7 @@ void Security_context::init()
{
host= user= ip= external_user= 0;
host_or_ip= "connecting host";
priv_user[0]= priv_host[0]= proxy_user[0]= '\0';
priv_user[0]= priv_host[0]= proxy_user[0]= priv_role[0]= '\0';
master_access= 0;
#ifndef NO_EMBEDDED_ACCESS_CHECKS
db_access= NO_ACCESS;
......
......@@ -1041,6 +1041,8 @@ class Security_context {
char proxy_user[USERNAME_LENGTH + MAX_HOSTNAME + 5];
/* The host privilege we are using */
char priv_host[MAX_HOSTNAME];
/* The role privilege we are using */
char priv_role[USERNAME_LENGTH];
/* The external user (if available) */
char *external_user;
/* points to host if host is available, otherwise points to ip */
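Review bot: The comment on `priv_role` mirrors the neighbouring `priv_host` one but does not state the field's invariant, which matters because the sql_acl.cc hunk writes it with an unbounded `strcpy` and reads it as a C string. Suggest `/* Name of the currently active role, "" when none; NUL-terminated, at most USERNAME_LENGTH-1 bytes */` so the size limit is visible at the declaration rather than only in `Security_context::init()`.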
......