1
/* Copyright (C) 2000-2006 MySQL AB
3
This program is free software; you can redistribute it and/or modify
4
it under the terms of the GNU General Public License as published by
5
the Free Software Foundation; version 2 of the License.
7
This program is distributed in the hope that it will be useful,
8
but WITHOUT ANY WARRANTY; without even the implied warranty of
9
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10
GNU General Public License for more details.
12
You should have received a copy of the GNU General Public License
13
along with this program; if not, write to the Free Software
14
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
16
#include "slave.h" // for tables_ok(), rpl_filter
18
#define SELECT_ACL (1L << 0)
19
#define INSERT_ACL (1L << 1)
20
#define UPDATE_ACL (1L << 2)
21
#define DELETE_ACL (1L << 3)
22
#define CREATE_ACL (1L << 4)
23
#define DROP_ACL (1L << 5)
24
#define RELOAD_ACL (1L << 6)
25
#define SHUTDOWN_ACL (1L << 7)
26
#define PROCESS_ACL (1L << 8)
27
#define FILE_ACL (1L << 9)
28
#define GRANT_ACL (1L << 10)
29
#define REFERENCES_ACL (1L << 11)
30
#define INDEX_ACL (1L << 12)
31
#define ALTER_ACL (1L << 13)
32
#define SHOW_DB_ACL (1L << 14)
33
#define SUPER_ACL (1L << 15)
34
#define CREATE_TMP_ACL (1L << 16)
35
#define LOCK_TABLES_ACL (1L << 17)
36
#define EXECUTE_ACL (1L << 18)
37
#define REPL_SLAVE_ACL (1L << 19)
38
#define REPL_CLIENT_ACL (1L << 20)
39
#define CREATE_VIEW_ACL (1L << 21)
40
#define SHOW_VIEW_ACL (1L << 22)
41
#define CREATE_PROC_ACL (1L << 23)
42
#define ALTER_PROC_ACL (1L << 24)
43
#define CREATE_USER_ACL (1L << 25)
44
#define EVENT_ACL (1L << 26)
45
#define TRIGGER_ACL (1L << 27)
47
don't forget to update
48
1. static struct show_privileges_st sys_privileges[]
49
2. static const char *command_array[] and static uint command_lengths[]
50
3. mysql_system_tables.sql and mysql_system_tables_fix.sql
51
4. acl_init() or whatever - to define behaviour for old privilege tables
52
5. sql_yacc.yy - for GRANT/REVOKE to work
54
#define EXTRA_ACL (1L << 29)
55
#define NO_ACCESS (1L << 30)
57
(UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
58
GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_TMP_ACL | \
59
LOCK_TABLES_ACL | EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
60
CREATE_PROC_ACL | ALTER_PROC_ACL | EVENT_ACL | TRIGGER_ACL)
63
(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
64
GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_VIEW_ACL | \
65
SHOW_VIEW_ACL | TRIGGER_ACL)
68
(SELECT_ACL | INSERT_ACL | UPDATE_ACL | REFERENCES_ACL)
71
(ALTER_PROC_ACL | EXECUTE_ACL | GRANT_ACL)
73
#define SHOW_PROC_ACLS \
74
(ALTER_PROC_ACL | EXECUTE_ACL | CREATE_PROC_ACL)
77
(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
78
RELOAD_ACL | SHUTDOWN_ACL | PROCESS_ACL | FILE_ACL | GRANT_ACL | \
79
REFERENCES_ACL | INDEX_ACL | ALTER_ACL | SHOW_DB_ACL | SUPER_ACL | \
80
CREATE_TMP_ACL | LOCK_TABLES_ACL | REPL_SLAVE_ACL | REPL_CLIENT_ACL | \
81
EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \
82
ALTER_PROC_ACL | CREATE_USER_ACL | EVENT_ACL | TRIGGER_ACL)
84
#define DEFAULT_CREATE_PROC_ACLS \
85
(ALTER_PROC_ACL | EXECUTE_ACL)
88
Defines to change the above bits to how things are stored in tables
89
This is needed as the 'host' and 'db' table is missing a few privileges
92
/* Privileges that needs to be reallocated (in continous chunks) */
93
#define DB_CHUNK0 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | \
94
CREATE_ACL | DROP_ACL)
95
#define DB_CHUNK1 (GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL)
96
#define DB_CHUNK2 (CREATE_TMP_ACL | LOCK_TABLES_ACL)
97
#define DB_CHUNK3 (CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
98
CREATE_PROC_ACL | ALTER_PROC_ACL )
99
#define DB_CHUNK4 (EXECUTE_ACL)
100
#define DB_CHUNK5 (EVENT_ACL | TRIGGER_ACL)
102
#define fix_rights_for_db(A) (((A) & DB_CHUNK0) | \
103
(((A) << 4) & DB_CHUNK1) | \
104
(((A) << 6) & DB_CHUNK2) | \
105
(((A) << 9) & DB_CHUNK3) | \
106
(((A) << 2) & DB_CHUNK4))| \
107
(((A) << 9) & DB_CHUNK5)
108
#define get_rights_for_db(A) (((A) & DB_CHUNK0) | \
109
(((A) & DB_CHUNK1) >> 4) | \
110
(((A) & DB_CHUNK2) >> 6) | \
111
(((A) & DB_CHUNK3) >> 9) | \
112
(((A) & DB_CHUNK4) >> 2))| \
113
(((A) & DB_CHUNK5) >> 9)
114
#define TBL_CHUNK0 DB_CHUNK0
115
#define TBL_CHUNK1 DB_CHUNK1
116
#define TBL_CHUNK2 (CREATE_VIEW_ACL | SHOW_VIEW_ACL)
117
#define TBL_CHUNK3 TRIGGER_ACL
118
#define fix_rights_for_table(A) (((A) & TBL_CHUNK0) | \
119
(((A) << 4) & TBL_CHUNK1) | \
120
(((A) << 11) & TBL_CHUNK2) | \
121
(((A) << 15) & TBL_CHUNK3))
122
#define get_rights_for_table(A) (((A) & TBL_CHUNK0) | \
123
(((A) & TBL_CHUNK1) >> 4) | \
124
(((A) & TBL_CHUNK2) >> 11) | \
125
(((A) & TBL_CHUNK3) >> 15))
126
#define fix_rights_for_column(A) (((A) & 7) | (((A) & ~7) << 8))
127
#define get_rights_for_column(A) (((A) & 7) | ((A) >> 8))
128
#define fix_rights_for_procedure(A) ((((A) << 18) & EXECUTE_ACL) | \
129
(((A) << 23) & ALTER_PROC_ACL) | \
130
(((A) << 8) & GRANT_ACL))
131
#define get_rights_for_procedure(A) ((((A) & EXECUTE_ACL) >> 18) | \
132
(((A) & ALTER_PROC_ACL) >> 23) | \
133
(((A) & GRANT_ACL) >> 8))
135
enum mysql_db_table_field
137
MYSQL_DB_FIELD_HOST = 0,
140
MYSQL_DB_FIELD_SELECT_PRIV,
141
MYSQL_DB_FIELD_INSERT_PRIV,
142
MYSQL_DB_FIELD_UPDATE_PRIV,
143
MYSQL_DB_FIELD_DELETE_PRIV,
144
MYSQL_DB_FIELD_CREATE_PRIV,
145
MYSQL_DB_FIELD_DROP_PRIV,
146
MYSQL_DB_FIELD_GRANT_PRIV,
147
MYSQL_DB_FIELD_REFERENCES_PRIV,
148
MYSQL_DB_FIELD_INDEX_PRIV,
149
MYSQL_DB_FIELD_ALTER_PRIV,
150
MYSQL_DB_FIELD_CREATE_TMP_TABLE_PRIV,
151
MYSQL_DB_FIELD_LOCK_TABLES_PRIV,
152
MYSQL_DB_FIELD_CREATE_VIEW_PRIV,
153
MYSQL_DB_FIELD_SHOW_VIEW_PRIV,
154
MYSQL_DB_FIELD_CREATE_ROUTINE_PRIV,
155
MYSQL_DB_FIELD_ALTER_ROUTINE_PRIV,
156
MYSQL_DB_FIELD_EXECUTE_PRIV,
157
MYSQL_DB_FIELD_EVENT_PRIV,
158
MYSQL_DB_FIELD_TRIGGER_PRIV,
162
extern const TABLE_FIELD_DEF mysql_db_table_def;
166
struct acl_host_and_ip
169
long ip,ip_mask; // Used with masked ip:s
180
/* ACL_HOST is used if no host is specified */
182
class ACL_HOST :public ACL_ACCESS
185
acl_host_and_ip host;
190
class ACL_USER :public ACL_ACCESS
193
acl_host_and_ip host;
194
uint hostname_length;
195
USER_RESOURCES user_resource;
197
uint8 salt[SCRAMBLE_LENGTH+1]; // scrambled password in binary form
198
uint8 salt_len; // 0 - no password, 4 - 3.20, 8 - 3.23, 20 - 4.1.1
199
enum SSL_type ssl_type;
200
const char *ssl_cipher, *x509_issuer, *x509_subject;
204
class ACL_DB :public ACL_ACCESS
207
acl_host_and_ip host;
213
bool hostname_requires_resolving(const char *hostname);
214
my_bool acl_init(bool dont_read_acl_tables);
215
my_bool acl_reload(THD *thd);
216
void acl_free(bool end=0);
217
ulong acl_get(const char *host, const char *ip,
218
const char *user, const char *db, my_bool db_is_pattern);
219
int acl_getroot(THD *thd, USER_RESOURCES *mqh, const char *passwd,
221
bool acl_getroot_no_password(Security_context *sctx, char *user, char *host,
223
bool acl_check_host(const char *host, const char *ip);
224
int check_change_password(THD *thd, const char *host, const char *user,
225
char *password, uint password_len);
226
bool change_password(THD *thd, const char *host, const char *user,
228
bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &user_list,
229
ulong rights, bool revoke);
230
int mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list,
231
List <LEX_COLUMN> &column_list, ulong rights,
233
bool mysql_routine_grant(THD *thd, TABLE_LIST *table, bool is_proc,
234
List <LEX_USER> &user_list, ulong rights,
235
bool revoke, bool write_to_binlog);
236
my_bool grant_init();
237
void grant_free(void);
238
my_bool grant_reload(THD *thd);
239
bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables,
240
uint show_command, uint number, bool dont_print_error);
241
bool check_grant_column (THD *thd, GRANT_INFO *grant,
242
const char *db_name, const char *table_name,
243
const char *name, uint length, Security_context *sctx);
244
bool check_column_grant_in_table_ref(THD *thd, TABLE_LIST * table_ref,
245
const char *name, uint length);
246
bool check_grant_all_columns(THD *thd, ulong want_access,
247
Field_iterator_table_ref *fields);
248
bool check_grant_routine(THD *thd, ulong want_access,
249
TABLE_LIST *procs, bool is_proc, bool no_error);
250
bool check_grant_db(THD *thd,const char *db);
251
ulong get_table_grant(THD *thd, TABLE_LIST *table);
252
ulong get_column_grant(THD *thd, GRANT_INFO *grant,
253
const char *db_name, const char *table_name,
254
const char *field_name);
255
bool mysql_show_grants(THD *thd, LEX_USER *user);
256
void get_privilege_desc(char *to, uint max_length, ulong access);
257
void get_mqh(const char *user, const char *host, USER_CONN *uc);
258
bool mysql_create_user(THD *thd, List <LEX_USER> &list);
259
bool mysql_drop_user(THD *thd, List <LEX_USER> &list);
260
bool mysql_rename_user(THD *thd, List <LEX_USER> &list);
261
bool mysql_revoke_all(THD *thd, List <LEX_USER> &list);
262
void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant,
263
const char *db, const char *table);
264
bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name,
266
bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name,
268
bool check_routine_level_acl(THD *thd, const char *db, const char *name,
270
bool is_acl_user(const char *host, const char *user);
271
#ifdef NO_EMBEDDED_ACCESS_CHECKS
272
#define check_grant(A,B,C,D,E,F) 0
273
#define check_grant_db(A,B) 0