/* Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA */

/*
  Privilege bits, as held in memory in the ulong 'access' field of the
  ACL_* classes below.  One bit per privilege.  The masks further down
  (DB_ACLS, TABLE_ACLS, COL_ACLS, GLOBAL_ACLS) say which of these bits a
  grant at each level may carry, and the fix_rights_for_* /
  get_rights_for_* macros translate between these positions and the
  positions used in the grant tables with literal shift counts -- so the
  numbering here is a storage-compatibility contract and must not be
  reshuffled.  New privileges take the next free bit (23 onwards; 29 and
  30 are already used by EXTRA_ACL / NO_ACCESS).  The literals are signed
  (1L), so bit 31 is not usable without switching to an unsigned literal.
*/
#define SELECT_ACL	(1L << 0)
#define INSERT_ACL	(1L << 1)
#define UPDATE_ACL	(1L << 2)
#define DELETE_ACL	(1L << 3)
#define CREATE_ACL	(1L << 4)
#define DROP_ACL	(1L << 5)
/* Bits 6..9 are global-only: present in GLOBAL_ACLS, absent from
   DB_ACLS, TABLE_ACLS and COL_ACLS. */
#define RELOAD_ACL	(1L << 6)
#define SHUTDOWN_ACL	(1L << 7)
#define PROCESS_ACL	(1L << 8)
#define FILE_ACL	(1L << 9)
#define GRANT_ACL	(1L << 10)
#define REFERENCES_ACL	(1L << 11)
#define INDEX_ACL	(1L << 12)
#define ALTER_ACL	(1L << 13)
/* Global-only (see GLOBAL_ACLS). */
#define SHOW_DB_ACL	(1L << 14)
#define SUPER_ACL	(1L << 15)
/* Database level and global only: in DB_ACLS, not in TABLE_ACLS. */
#define CREATE_TMP_ACL	(1L << 16)
#define LOCK_TABLES_ACL	(1L << 17)
/* Global-only (see GLOBAL_ACLS). */
#define EXECUTE_ACL	(1L << 18)
#define REPL_SLAVE_ACL	(1L << 19)
#define REPL_CLIENT_ACL	(1L << 20)
#define CREATE_VIEW_ACL	(1L << 21)
#define SHOW_VIEW_ACL	(1L << 22)
/*
  When adding a privilege, don't forget to update
    static struct show_privileges_st sys_privileges[]
  in sql_show.cc, and to extend the *_ACLS masks and the
  fix_rights_for_* / get_rights_for_* conversions below so the new bit
  is both grantable at the intended levels and stored/loaded correctly.
*/


/*
  Which privilege bits a grant at each level may carry.  Bits outside a
  level's mask have no representation at that level.  Note that the
  db-level get_rights_for_db() conversion below drops such bits
  explicitly, while the table- and column-level conversions do not mask
  at all and rely on the caller having restricted the value to
  TABLE_ACLS / COL_ACLS first.
*/

/* Database level (presumably the 'db' and 'host' grant tables). */
#define DB_ACLS \
(UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
 GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_TMP_ACL | \
 LOCK_TABLES_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL)

/* Table level: DB_ACLS minus CREATE_TMP_ACL and LOCK_TABLES_ACL. */
#define TABLE_ACLS \
(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
 GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_VIEW_ACL | \
 SHOW_VIEW_ACL)

/* Column level. */
#define COL_ACLS \
(SELECT_ACL | INSERT_ACL | UPDATE_ACL | REFERENCES_ACL)

/* Global level: every privilege bit defined above, i.e. bits 0..22. */
#define GLOBAL_ACLS \
(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
 RELOAD_ACL | SHUTDOWN_ACL | PROCESS_ACL | FILE_ACL | GRANT_ACL | \
 REFERENCES_ACL | INDEX_ACL | ALTER_ACL | SHOW_DB_ACL | SUPER_ACL | \
 CREATE_TMP_ACL | LOCK_TABLES_ACL | REPL_SLAVE_ACL | REPL_CLIENT_ACL | \
 EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL)

/*
  Internal marker bits.  Neither is part of GLOBAL_ACLS, so they are not
  real privileges; their meaning is defined by the code that tests for
  them, not in this header.  NOTE(review): get_rights_for_table() does
  not mask its input, so these bits would survive it (shifted to 25/26);
  strip them before converting a privilege set for storage.
*/
#define EXTRA_ACL	(1L << 29)
#define NO_ACCESS	(1L << 30)

/*
  Defines to change the above bits to how things are stored in tables.
  This is needed as the 'host' and 'db' tables are missing a few
  privileges, so their stored bit positions are packed more tightly than
  the in-memory ones.

  fix_rights_for_X(A): grant-table representation -> in-memory bits.
  get_rights_for_X(A): in-memory bits -> grant-table representation.

  Resulting db mapping (stored bit -> memory bit):
    0..5   -> 0..5    (SELECT .. DROP, unchanged)
    6..9   -> 10..13  (GRANT, REFERENCES, INDEX, ALTER)
    10, 11 -> 16, 17  (CREATE_TMP, LOCK_TABLES)
    12, 13 -> 21, 22  (CREATE_VIEW, SHOW_VIEW)
  get_rights_for_db() masks each chunk explicitly, so bits with no
  db-level column (RELOAD_ACL .. FILE_ACL, SHOW_DB_ACL, SUPER_ACL, ...)
  are dropped rather than aliased onto another privilege.
*/

/* Contiguous bit-segments that need to be shifted.  These name *stored*
   positions 6..9, 10..11 and 12..13; the in-memory privilege names used
   to spell them are incidental. */
#define DB_REL1 (RELOAD_ACL | SHUTDOWN_ACL | PROCESS_ACL | FILE_ACL)
#define DB_REL2 (GRANT_ACL | REFERENCES_ACL)
#define DB_REL3 (INDEX_ACL | ALTER_ACL)

/* Privileges that need to be relocated (in contiguous chunks) */
#define DB_CHUNK1 (GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL)
#define DB_CHUNK2 (CREATE_TMP_ACL | LOCK_TABLES_ACL)
#define DB_CHUNK3 (CREATE_VIEW_ACL | SHOW_VIEW_ACL)

#define fix_rights_for_db(A) (((A) & 63) | \
			      (((A) & DB_REL1) << 4) | \
			      (((A) & DB_REL2) << 6) | \
			      (((A) & DB_REL3) << 9))
#define get_rights_for_db(A) (((A) & 63) | \
			      (((A) & DB_CHUNK1) >> 4) | \
			      (((A) & DB_CHUNK2) >> 6) | \
			      (((A) & DB_CHUNK3) >> 9))
/*
  Table level: bits 0..5 unchanged, every higher stored bit moves up by 4
  (stored 6..9 -> GRANT, REFERENCES, INDEX, ALTER).

  Unlike the db variants these do NOT mask, so get_rights_for_table()
  must only ever see bits from TABLE_ACLS: an unmasked RELOAD_ACL (bit 6)
  lands on stored bit 2 (UPDATE), SHUTDOWN_ACL on DELETE, PROCESS_ACL on
  CREATE, FILE_ACL on DROP -- a global-only privilege would be written
  back as a table privilege.

  NOTE(review): TABLE_ACLS includes CREATE_VIEW_ACL (21) and
  SHOW_VIEW_ACL (22), but a uniform << 4 can only reach those from
  stored bits 17 and 18.  If the table-level grant table stores
  'Create View' / 'Show view' directly after 'Alter' (stored 10, 11 --
  the db conversion above expects its own view columns at 12, 13),
  fix_rights_for_table() would map them onto SHOW_DB_ACL / SUPER_ACL
  instead.  Confirm against that table's SET definition; a
  DB_REL3-style chunk may be needed here as well.
*/
#define fix_rights_for_table(A) (((A) & 63) | (((A) & ~63) << 4))
#define get_rights_for_table(A) (((A) & 63) | (((A) & ~63) >> 4))
/*
  Column level: bits 0..2 (SELECT, INSERT, UPDATE) unchanged, stored bit
  3 -> REFERENCES_ACL (11).  get_rights_for_column() likewise relies on
  the caller having masked with COL_ACLS: in-memory bits 8..10 (PROCESS,
  FILE, GRANT) would otherwise alias onto stored SELECT/INSERT/UPDATE.
*/
#define fix_rights_for_column(A) (((A) & 7) | (((A) & ~7) << 8))
#define get_rights_for_column(A) (((A) & 7) | ((A) >> 8))

/* Classes */

/*
  Host part of a cached grant entry.  'hostname' is the textual host
  specification; 'ip' and 'ip_mask' are only meaningful for masked-IP
  specifications (the original note: "Used with masked ip:s").
  NOTE(review): a single 'long' address + mask can only describe an
  IPv4-style address, so masked matching is IPv4-only as written.
*/
struct acl_host_and_ip
{
  char *hostname;
  long ip,ip_mask;                      // Used with masked ip:s
};


/*
  Base of every cached ACL entry.  'access' is the privilege bit mask
  built from the *_ACL bits above.  'sort' is an ordering key --
  presumably a specificity weight used to pick the most specific
  matching entry; see sql_acl.cc for how it is computed and used.
*/
class ACL_ACCESS {
public:
  ulong sort;
  ulong access;
};


/*
  ACL_HOST is used if no host is specified.

  Presumably a cached row of the 'host' table: database-level privileges
  (in ACL_ACCESS::access) keyed by host specification and database name.
  The "no host specified" note above is taken from the original source;
  confirm the exact lookup rule in sql_acl.cc before relying on it.
*/
class ACL_HOST :public ACL_ACCESS
{
public:
  acl_host_and_ip host;
  char *db;
};


/*
  Cached user entry: who may connect from where, their global privileges
  (ACL_ACCESS::access), resource limits, stored credential and SSL
  requirements.
*/
class ACL_USER :public ACL_ACCESS
{
public:
  acl_host_and_ip host;
  uint hostname_length;
  USER_RESOURCES user_resource;         // per-user limits (see get_mqh())
  char *user;
  /*
    NOTE(review): despite the name this holds the stored password hash in
    binary form (the original comment says "scrambled password"), not a
    salt.  Only the first salt_len bytes are meaningful.  Treat it as a
    secret: it should not be copied into logs or error messages.
  */
  uint8 salt[SCRAMBLE_LENGTH+1];       // scrambled password in binary form
  /* Length in use, which also identifies the hash format:
     0 - no password, 4 - 3.20 format, 8 - 3.23 format, 20 - 4.1.1 format */
  uint8 salt_len;        // 0 - no password, 4 - 3.20, 8 - 3.23, 20 - 4.1.1 
  /*
    SSL requirements for the connection: 'ssl_type' selects which check
    applies; the three strings are presumably the cipher / certificate
    issuer / certificate subject the client must present.  Whether an
    absent requirement is NULL or "" is decided in sql_acl.cc, not here.
  */
  enum SSL_type ssl_type;
  const char *ssl_cipher, *x509_issuer, *x509_subject;
};


/*
  Presumably a cached row of the 'db' table: database-level privileges
  (ACL_ACCESS::access) for a (host, user, db) triple.
*/
class ACL_DB :public ACL_ACCESS
{
public:
  acl_host_and_ip host;
  char *user,*db;
};

/* prototypes */

/*
  Whether a grant-table host value is a name that needs resolving rather
  than an IP / mask / wildcard form -- presumably; see the implementation.
*/
bool hostname_requires_resolving(const char *hostname);

/*
  Lifecycle of the in-memory ACL cache (user / host / db entries):
  acl_init() loads it (with dont_read_acl_tables set the tables are
  presumably not read at all), acl_reload() rebuilds it, acl_free()
  releases it.  Check the .cc for whether my_bool follows the usual
  "non-zero = error" convention.
*/
my_bool  acl_init(THD *thd, bool dont_read_acl_tables);
void acl_reload(THD *thd);
void acl_free(bool end=0);

/*
  Database-level privilege lookup for (host, ip, user, db), returning a
  mask of the *_ACL bits.  'db_is_pattern' presumably makes 'db' match as
  a wildcard pattern; do not confuse that with a lookup for a concrete
  database name.
*/
ulong acl_get(const char *host, const char *ip,
	      const char *user, const char *db, my_bool db_is_pattern);

/*
  Authentication: match thd's user/host against the cache and,
  presumably, check the client's scrambled reply (passwd, passwd_len)
  against the stored hash in ACL_USER::salt.  acl_getroot_no_password()
  is the variant that skips the password step -- every caller of it is a
  trust decision in its own right and should be justified.  'mqh'
  receives the user's resource limits.
*/
int acl_getroot(THD *thd, USER_RESOURCES *mqh, const char *passwd,
                uint passwd_len);
int acl_getroot_no_password(THD *thd);

/* Whether this host/ip is allowed to connect at all. */
bool acl_check_host(const char *host, const char *ip);

/*
  SET PASSWORD support.  check_change_password() is the authorization
  check and change_password() the actual change; a caller must do both.
  'password' is non-const -- presumably rewritten in place, so do not
  pass a string literal or a buffer that must stay intact.
*/
bool check_change_password(THD *thd, const char *host, const char *user,
                           char *password);
bool change_password(THD *thd, const char *host, const char *user,
		     char *password);

/*
  GRANT / REVOKE at database level and at table/column level.  'revoke'
  selects the direction; 'rights' is a mask of the *_ACL bits and is
  expected to be restricted to the level's mask (DB_ACLS / TABLE_ACLS /
  COL_ACLS) before it reaches the get_rights_for_* conversions, which do
  not mask at table/column level.
*/
bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &user_list,
                 ulong rights, bool revoke);
bool mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list,
                       List <LEX_COLUMN> &column_list, ulong rights,
                       bool revoke);

/* Lifecycle of the table/column grant cache, mirroring acl_init() & co. */
my_bool grant_init(THD *thd);
void grant_free(void);
void grant_reload(THD *thd);

/*
  Privilege checks.  The NO_EMBEDDED_ACCESS_CHECKS stubs at the end of
  this file replace check_grant() and check_grant_db() with 0, which
  suggests 0 / false is the "access granted, no error" result -- confirm
  in the .cc.  'dont_print_error' presumably only suppresses the error
  sent to the client, not the decision.
*/
bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables,
		 uint show_command, uint number, bool dont_print_error);
bool check_grant_column (THD *thd, GRANT_INFO *grant,
			 char *db_name, char *table_name,
			 const char *name, uint length, uint show_command=0);
bool check_grant_all_columns(THD *thd, ulong want_access, GRANT_INFO *grant,
                             char* db_name, char *table_name,
                             Field_iterator *fields);
bool check_grant_db(THD *thd,const char *db);
ulong get_table_grant(THD *thd, TABLE_LIST *table);
ulong get_column_grant(THD *thd, GRANT_INFO *grant,
                       const char *db_name, const char *table_name,
                       const char *field_name);

/* SHOW GRANTS, and formatting of an access mask into 'to' (at most
   max_length bytes). */
bool mysql_show_grants(THD *thd, LEX_USER *user);
void get_privilege_desc(char *to, uint max_length, ulong access);

/* Per-user resource limits for a user connection. */
void get_mqh(const char *user, const char *host, USER_CONN *uc);

/* Account management statements. */
bool mysql_create_user(THD *thd, List <LEX_USER> &list);
bool mysql_drop_user(THD *thd, List <LEX_USER> &list);
bool mysql_rename_user(THD *thd, List <LEX_USER> &list);
bool mysql_revoke_all(THD *thd, List <LEX_USER> &list);

/* Fills 'grant' with the effective privileges on (db, table) for thd. */
void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant,
                                     const char *db, const char *table);

/*
  Embedded-server build without access checks: check_grant() and
  check_grant_db() collapse to the constant 0 -- presumably the "no
  error" result of these bool functions -- so every table- and db-level
  grant check passes unconditionally and the arguments are never
  evaluated.  Only these two are stubbed; the other check_grant_*
  prototypes above are left intact.  A server built with
  NO_EMBEDDED_ACCESS_CHECKS must therefore never be exposed to untrusted
  SQL.
*/
#ifdef NO_EMBEDDED_ACCESS_CHECKS
#define check_grant(A,B,C,D,E,F) 0
#define check_grant_db(A,B) 0
#endif