sql_acl.h 8.94 KB
Newer Older
unknown's avatar
unknown committed
1
/* Copyright (C) 2000-2006 MySQL AB
unknown's avatar
unknown committed
2

unknown's avatar
unknown committed
3 4
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
unknown's avatar
unknown committed
5
   the Free Software Foundation; version 2 of the License.
unknown's avatar
unknown committed
6

unknown's avatar
unknown committed
7 8 9 10
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
unknown's avatar
unknown committed
11

unknown's avatar
unknown committed
12 13 14 15
   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA */

unknown's avatar
unknown committed
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
#define SELECT_ACL	(1L << 0)
#define INSERT_ACL	(1L << 1)
#define UPDATE_ACL	(1L << 2)
#define DELETE_ACL	(1L << 3)
#define CREATE_ACL	(1L << 4)
#define DROP_ACL	(1L << 5)
#define RELOAD_ACL	(1L << 6)
#define SHUTDOWN_ACL	(1L << 7)
#define PROCESS_ACL	(1L << 8)
#define FILE_ACL	(1L << 9)
#define GRANT_ACL	(1L << 10)
#define REFERENCES_ACL	(1L << 11)
#define INDEX_ACL	(1L << 12)
#define ALTER_ACL	(1L << 13)
#define SHOW_DB_ACL	(1L << 14)
#define SUPER_ACL	(1L << 15)
#define CREATE_TMP_ACL	(1L << 16)
#define LOCK_TABLES_ACL	(1L << 17)
#define EXECUTE_ACL	(1L << 18)
#define REPL_SLAVE_ACL	(1L << 19)
#define REPL_CLIENT_ACL	(1L << 20)
unknown's avatar
VIEW  
unknown committed
37 38
#define CREATE_VIEW_ACL	(1L << 21)
#define SHOW_VIEW_ACL	(1L << 22)
39 40
#define CREATE_PROC_ACL	(1L << 23)
#define ALTER_PROC_ACL  (1L << 24)
41
#define CREATE_USER_ACL (1L << 25)
unknown's avatar
unknown committed
42 43
/*
  don't forget to update
44 45
  1. static struct show_privileges_st sys_privileges[]
  2. static const char *command_array[] and static uint command_lengths[]
46
  3. mysql_system_tables.sql and mysql_system_tables_fix.sql
47 48
  4. acl_init() or whatever - to define behaviour for old privilege tables
  5. sql_yacc.yy - for GRANT/REVOKE to work
unknown's avatar
unknown committed
49
*/
50 51
#define EXTRA_ACL	(1L << 29)
#define NO_ACCESS	(1L << 30)
unknown's avatar
unknown committed
52 53 54

#define DB_ACLS \
(UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
unknown's avatar
VIEW  
unknown committed
55
 GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_TMP_ACL | \
56 57
 LOCK_TABLES_ACL | EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
 CREATE_PROC_ACL | ALTER_PROC_ACL)
unknown's avatar
unknown committed
58 59 60

#define TABLE_ACLS \
(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
unknown's avatar
VIEW  
unknown committed
61 62
 GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_VIEW_ACL | \
 SHOW_VIEW_ACL)
unknown's avatar
unknown committed
63 64 65 66

#define COL_ACLS \
(SELECT_ACL | INSERT_ACL | UPDATE_ACL | REFERENCES_ACL)

67 68 69
#define PROC_ACLS \
(ALTER_PROC_ACL | EXECUTE_ACL | GRANT_ACL)

70 71 72
#define SHOW_PROC_ACLS \
(ALTER_PROC_ACL | EXECUTE_ACL | CREATE_PROC_ACL)

unknown's avatar
unknown committed
73 74 75 76 77
#define GLOBAL_ACLS \
(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
 RELOAD_ACL | SHUTDOWN_ACL | PROCESS_ACL | FILE_ACL | GRANT_ACL | \
 REFERENCES_ACL | INDEX_ACL | ALTER_ACL | SHOW_DB_ACL | SUPER_ACL | \
 CREATE_TMP_ACL | LOCK_TABLES_ACL | REPL_SLAVE_ACL | REPL_CLIENT_ACL | \
78
 EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \
79
 ALTER_PROC_ACL | CREATE_USER_ACL)
unknown's avatar
unknown committed
80

81 82 83
#define DEFAULT_CREATE_PROC_ACLS \
(ALTER_PROC_ACL | EXECUTE_ACL)

84 85 86 87 88 89
/*
  Defines to change the above bits to how things are stored in tables
  This is needed as the 'host' and 'db' table is missing a few privileges
*/

/* Privileges that needs to be reallocated (in continous chunks) */
90 91
#define DB_CHUNK0 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | \
                   CREATE_ACL | DROP_ACL)
92 93
#define DB_CHUNK1 (GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL)
#define DB_CHUNK2 (CREATE_TMP_ACL | LOCK_TABLES_ACL)
94 95 96
#define DB_CHUNK3 (CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
		   CREATE_PROC_ACL | ALTER_PROC_ACL )
#define DB_CHUNK4 (EXECUTE_ACL)
unknown's avatar
VIEW  
unknown committed
97

98 99 100 101 102 103
#define fix_rights_for_db(A)  (((A)       & DB_CHUNK0) | \
			      (((A) << 4) & DB_CHUNK1) | \
			      (((A) << 6) & DB_CHUNK2) | \
			      (((A) << 9) & DB_CHUNK3) | \
			      (((A) << 2) & DB_CHUNK4))
#define get_rights_for_db(A)  (((A) & DB_CHUNK0)       | \
unknown's avatar
VIEW  
unknown committed
104 105
			      (((A) & DB_CHUNK1) >> 4) | \
			      (((A) & DB_CHUNK2) >> 6) | \
106 107
			      (((A) & DB_CHUNK3) >> 9) | \
			      (((A) & DB_CHUNK4) >> 2))
108 109 110 111 112 113 114 115 116
#define TBL_CHUNK0 DB_CHUNK0
#define TBL_CHUNK1 DB_CHUNK1
#define TBL_CHUNK2 (CREATE_VIEW_ACL | SHOW_VIEW_ACL)
#define fix_rights_for_table(A) (((A)        & TBL_CHUNK0) | \
                                (((A) <<  4) & TBL_CHUNK1) | \
                                (((A) << 11) & TBL_CHUNK2))
#define get_rights_for_table(A) (((A) & TBL_CHUNK0)        | \
                                (((A) & TBL_CHUNK1) >>  4) | \
                                (((A) & TBL_CHUNK2) >> 11))
117 118
#define fix_rights_for_column(A) (((A) & 7) | (((A) & ~7) << 8))
#define get_rights_for_column(A) (((A) & 7) | ((A) >> 8))
119 120 121 122 123 124
#define fix_rights_for_procedure(A) ((((A) << 18) & EXECUTE_ACL) | \
				     (((A) << 23) & ALTER_PROC_ACL) | \
				     (((A) << 8) & GRANT_ACL))
#define get_rights_for_procedure(A) ((((A) & EXECUTE_ACL) >> 18) |  \
				     (((A) & ALTER_PROC_ACL) >> 23) | \
				     (((A) & GRANT_ACL) >> 8))
unknown's avatar
unknown committed
125

unknown's avatar
unknown committed
126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157
/* Classes */

struct acl_host_and_ip
{
  char *hostname;
  long ip,ip_mask;                      // Used with masked ip:s
};


class ACL_ACCESS {
public:
  ulong sort;
  ulong access;
};


/* ACL_HOST is used if no host is specified */

class ACL_HOST :public ACL_ACCESS
{
public:
  acl_host_and_ip host;
  char *db;
};


class ACL_USER :public ACL_ACCESS
{
public:
  acl_host_and_ip host;
  uint hostname_length;
  USER_RESOURCES user_resource;
158 159 160
  char *user;
  uint8 salt[SCRAMBLE_LENGTH+1];       // scrambled password in binary form
  uint8 salt_len;        // 0 - no password, 4 - 3.20, 8 - 3.23, 20 - 4.1.1 
unknown's avatar
unknown committed
161 162 163 164 165 166 167 168 169 170 171 172
  enum SSL_type ssl_type;
  const char *ssl_cipher, *x509_issuer, *x509_subject;
};


class ACL_DB :public ACL_ACCESS
{
public:
  acl_host_and_ip host;
  char *user,*db;
};

unknown's avatar
unknown committed
173 174
/* prototypes */

unknown's avatar
SCRUM  
unknown committed
175
bool hostname_requires_resolving(const char *hostname);
176 177
my_bool  acl_init(bool dont_read_acl_tables);
my_bool acl_reload(THD *thd);
unknown's avatar
unknown committed
178
void acl_free(bool end=0);
179
ulong acl_get(const char *host, const char *ip,
180
	      const char *user, const char *db, my_bool db_is_pattern);
181 182
int acl_getroot(THD *thd, USER_RESOURCES *mqh, const char *passwd,
                uint passwd_len);
183 184
bool acl_getroot_no_password(Security_context *sctx, char *user, char *host,
                             char *ip, char *db);
unknown's avatar
unknown committed
185
bool acl_check_host(const char *host, const char *ip);
186
bool check_change_password(THD *thd, const char *host, const char *user,
187
                           char *password, uint password_len);
unknown's avatar
unknown committed
188 189
bool change_password(THD *thd, const char *host, const char *user,
		     char *password);
unknown's avatar
unknown committed
190 191 192 193 194
bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &user_list,
                 ulong rights, bool revoke);
bool mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list,
                       List <LEX_COLUMN> &column_list, ulong rights,
                       bool revoke);
195 196 197
bool mysql_routine_grant(THD *thd, TABLE_LIST *table, bool is_proc,
			 List <LEX_USER> &user_list, ulong rights,
			 bool revoke, bool no_error);
198
my_bool grant_init();
unknown's avatar
unknown committed
199
void grant_free(void);
200
my_bool grant_reload(THD *thd);
unknown's avatar
unknown committed
201
bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables,
unknown's avatar
unknown committed
202
		 uint show_command, uint number, bool dont_print_error);
unknown's avatar
VIEW  
unknown committed
203
bool check_grant_column (THD *thd, GRANT_INFO *grant,
204
			 const char *db_name, const char *table_name,
205 206 207
			 const char *name, uint length, Security_context *sctx);
bool check_column_grant_in_table_ref(THD *thd, TABLE_LIST * table_ref,
                                     const char *name, uint length);
unknown's avatar
VIEW  
unknown committed
208
bool check_grant_all_columns(THD *thd, ulong want_access, GRANT_INFO *grant,
209
                             const char* db_name, const char *table_name,
unknown's avatar
VIEW  
unknown committed
210
                             Field_iterator *fields);
211 212
bool check_grant_routine(THD *thd, ulong want_access,
			 TABLE_LIST *procs, bool is_proc, bool no_error);
unknown's avatar
unknown committed
213
bool check_grant_db(THD *thd,const char *db);
unknown's avatar
unknown committed
214
ulong get_table_grant(THD *thd, TABLE_LIST *table);
unknown's avatar
VIEW  
unknown committed
215 216 217
ulong get_column_grant(THD *thd, GRANT_INFO *grant,
                       const char *db_name, const char *table_name,
                       const char *field_name);
unknown's avatar
unknown committed
218
bool mysql_show_grants(THD *thd, LEX_USER *user);
unknown's avatar
unknown committed
219
void get_privilege_desc(char *to, uint max_length, ulong access);
220
void get_mqh(const char *user, const char *host, USER_CONN *uc);
221
bool mysql_create_user(THD *thd, List <LEX_USER> &list);
unknown's avatar
unknown committed
222
bool mysql_drop_user(THD *thd, List <LEX_USER> &list);
223
bool mysql_rename_user(THD *thd, List <LEX_USER> &list);
unknown's avatar
unknown committed
224
bool mysql_revoke_all(THD *thd, List <LEX_USER> &list);
unknown's avatar
VIEW  
unknown committed
225 226
void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant,
                                     const char *db, const char *table);
227 228 229 230 231 232
bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name,
                          bool is_proc);
bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name,
                         bool is_proc);
bool check_routine_level_acl(THD *thd, const char *db, const char *name,
                             bool is_proc);
233
bool is_acl_user(const char *host, const char *user);
unknown's avatar
unknown committed
234
#ifdef NO_EMBEDDED_ACCESS_CHECKS
unknown's avatar
unknown committed
235
#define check_grant(A,B,C,D,E,F) 0
unknown's avatar
unknown committed
236 237
#define check_grant_db(A,B) 0
#endif