/* Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA */

/*
  In-memory privilege bits.

  One bit of a long per privilege; these are the values held in
  ACL_ACCESS::access and passed around as the 'rights' / 'want_access' /
  'access' arguments of the prototypes below.  Bits 0-24 are assigned
  here; bits 25-28 are currently free; 29 and 30 are the pseudo bits
  EXTRA_ACL / NO_ACCESS defined further down.

  The privilege tables store some of these bits at other positions, so a
  new bit must also be threaded through the DB_REL*/DB_CHUNK* pairs and
  the fix_rights_for_* / get_rights_for_* macros below, or it will be
  silently dropped (or land on the wrong privilege) when rows are loaded
  or written.
*/
#define SELECT_ACL	(1L << 0)
#define INSERT_ACL	(1L << 1)
#define UPDATE_ACL	(1L << 2)
#define DELETE_ACL	(1L << 3)
#define CREATE_ACL	(1L << 4)
#define DROP_ACL	(1L << 5)
#define RELOAD_ACL	(1L << 6)
#define SHUTDOWN_ACL	(1L << 7)
#define PROCESS_ACL	(1L << 8)
#define FILE_ACL	(1L << 9)
#define GRANT_ACL	(1L << 10)
#define REFERENCES_ACL	(1L << 11)
#define INDEX_ACL	(1L << 12)
#define ALTER_ACL	(1L << 13)
#define SHOW_DB_ACL	(1L << 14)
#define SUPER_ACL	(1L << 15)
#define CREATE_TMP_ACL	(1L << 16)
#define LOCK_TABLES_ACL	(1L << 17)
#define EXECUTE_ACL	(1L << 18)
#define REPL_SLAVE_ACL	(1L << 19)
#define REPL_CLIENT_ACL	(1L << 20)
/* View privileges (bits 21-22) */
#define CREATE_VIEW_ACL	(1L << 21)
#define SHOW_VIEW_ACL	(1L << 22)
/* Stored-routine privileges (bits 23-24) */
#define CREATE_PROC_ACL	(1L << 23)
#define ALTER_PROC_ACL  (1L << 24)
42 43 44 45 46 47
/*
  don't forget to update
    static struct show_privileges_st sys_privileges[]
  in sql_show.cc when adding new privileges!
*/


/*
  Privilege bits that have a meaning at database scope.  This is the set
  the fix_rights_for_db / get_rights_for_db macros know how to map to and
  from the stored layout; a bit added here must be added there as well.
*/
#define DB_ACLS \
(UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
 GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_TMP_ACL | \
 LOCK_TABLES_ACL | EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
 CREATE_PROC_ACL | ALTER_PROC_ACL)

/*
  Privilege bits that have a meaning at table scope.  Note that
  fix_rights_for_table / get_rights_for_table do not mask with this set;
  callers are expected to pass only TABLE_ACLS bits (see the comment there).
*/
#define TABLE_ACLS \
(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
 GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_VIEW_ACL | \
 SHOW_VIEW_ACL)

/*
  Privilege bits that have a meaning at column scope: in-memory bits
  0, 1, 2 and 11.  get_rights_for_column relies on its argument holding
  only these bits (its shifted part is not masked).
*/
#define COL_ACLS \
(SELECT_ACL | INSERT_ACL | UPDATE_ACL | REFERENCES_ACL)

/*
  Privilege bits that can be held on a stored routine.  These are exactly
  the three bits fix_rights_for_procedure / get_rights_for_procedure move.
*/
#define PROC_ACLS \
(ALTER_PROC_ACL | EXECUTE_ACL | GRANT_ACL)

/*
  Routine-related bits considered when showing routines.  Differs from
  PROC_ACLS in containing CREATE_PROC_ACL instead of GRANT_ACL; the exact
  use is in the caller, not visible in this header.
*/
#define SHOW_PROC_ACLS \
(ALTER_PROC_ACL | EXECUTE_ACL | CREATE_PROC_ACL)

/*
  Every real privilege bit defined above (bits 0-24), i.e. the full set that
  can be held at global scope.  EXTRA_ACL and NO_ACCESS are deliberately not
  part of it.  Keep this in step with the bit list when adding a privilege.
*/
#define GLOBAL_ACLS \
(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
 RELOAD_ACL | SHUTDOWN_ACL | PROCESS_ACL | FILE_ACL | GRANT_ACL | \
 REFERENCES_ACL | INDEX_ACL | ALTER_ACL | SHOW_DB_ACL | SUPER_ACL | \
 CREATE_TMP_ACL | LOCK_TABLES_ACL | REPL_SLAVE_ACL | REPL_CLIENT_ACL | \
 EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \
 ALTER_PROC_ACL )

/*
  Pseudo-privilege bits above the grantable range (bits 29 and 30).
  Neither is part of GLOBAL_ACLS and neither is moved by the
  fix_rights_for_* / get_rights_for_* macros.  1L keeps bit 30 inside a
  32-bit long.  NOTE(review): the meaning of EXTRA_ACL is not visible in
  this header; confirm against its users before relying on it.
*/
#define EXTRA_ACL	(1L << 29)
#define NO_ACCESS	(1L << 30)

/*
  Routine privileges handed out by default on creation -- presumably to the
  creator (confirm against the caller).  Deliberately excludes GRANT_ACL.
*/
#define DEFAULT_CREATE_PROC_ACLS \
(ALTER_PROC_ACL | EXECUTE_ACL)

/*
  Defines to convert between the in-memory bits above and the positions
  used when the privileges are stored in the privilege tables.
  This is needed because the 'host' and 'db' tables are missing a few
  privileges, so the stored bit positions are packed differently.

  Stored positions for the db tables, as read from the shifts in
  fix_rights_for_db below:
    stored bits  0-5  <->  in-memory bits  0-5   (no shift)
    stored bits  6-9  <->  GRANT..ALTER          (bits 10-13, shift 4)
    stored bits 10-11 <->  CREATE_TMP, LOCK_TABLES (bits 16-17, shift 6)
    stored bits 12-15 <->  CREATE_VIEW..ALTER_PROC (bits 21-24, shift 9)
    stored bit  16    <->  EXECUTE               (bit 18, shift 2)
  Note that EXECUTE is stored *after* the view/routine bits, so the stored
  order is not the in-memory order.  DB_RELn and DB_CHUNKn must describe the
  same privileges; if they drift apart, rows are loaded or written with the
  wrong privilege set and nothing reports it.
*/

/* Contiguous bit segments (stored layout) that need to be shifted */
#define DB_REL1 ((1L << 6) | (1L << 7) | (1L << 8) | (1L << 9))
#define DB_REL2 ((1L << 10) | (1L << 11))
#define DB_REL3 ((1L << 12) | (1L << 13) | (1L << 14) | (1L << 15))
#define DB_REL4 ((1L << 16))

/* Privileges (in-memory layout) that need to be relocated, in contiguous chunks */
#define DB_CHUNK1 (GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL)
#define DB_CHUNK2 (CREATE_TMP_ACL | LOCK_TABLES_ACL)
#define DB_CHUNK3 (CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
		   CREATE_PROC_ACL | ALTER_PROC_ACL )
#define DB_CHUNK4 (EXECUTE_ACL)

/*
  fix_rights_for_db(A): stored db-table bits -> in-memory bits.
  Bits 0-5 (SELECT..DROP) stay in place (the '& 63'); each DB_REL segment
  is masked and shifted up to the matching DB_CHUNK positions.  Because
  every part is masked, stored bits outside DB_REL1..4 are dropped rather
  than shifted somewhere unexpected.
*/
#define fix_rights_for_db(A) (((A) & 63) | \
			      (((A) & DB_REL1) << 4) | \
			      (((A) & DB_REL2) << 6) | \
			      (((A) & DB_REL3) << 9) | \
			      (((A) & DB_REL4) << 2))
/*
  get_rights_for_db(A): in-memory bits -> stored db-table bits; the exact
  inverse of fix_rights_for_db, using the same shift amounts in the other
  direction.  Also fully masked, so bits outside DB_ACLS (e.g. SUPER_ACL,
  FILE_ACL) are not written into a db row.
*/
#define get_rights_for_db(A) (((A) & 63) | \
			      (((A) & DB_CHUNK1) >> 4) | \
			      (((A) & DB_CHUNK2) >> 6) | \
			      (((A) & DB_CHUNK3) >> 9) | \
			      (((A) & DB_CHUNK4) >> 2))
/*
  Table-level conversion.  Bits 0-5 stay; everything above bit 5 is moved
  by 4 positions: stored 6-9 <-> GRANT..ALTER (10-13) and stored 17-18 <->
  CREATE_VIEW, SHOW_VIEW (21-22).  Unlike the db macros the shifted part is
  only masked with ~63, not with TABLE_ACLS, so get_rights_for_table would
  map a stray non-table bit (e.g. CREATE_TMP_ACL, bit 16) onto a stored
  position that means something else (here bit 12) -- callers are expected
  to hand in TABLE_ACLS bits only.  fix_ = stored -> in-memory,
  get_ = in-memory -> stored, as for the db macros.
*/
#define fix_rights_for_table(A) (((A) & 63) | (((A) & ~63) << 4))
#define get_rights_for_table(A) (((A) & 63) | (((A) & ~63) >> 4))
/*
  Column-level conversion.  Bits 0-2 (SELECT, INSERT, UPDATE) stay; stored
  bit 3 <-> REFERENCES_ACL (bit 11), shift 8.
  get_rights_for_column does not mask the shifted operand at all: any
  in-memory bit >= 8 lands in the stored value (e.g. GRANT_ACL, bit 10,
  would become stored bit 2, i.e. UPDATE).  It therefore only gives a
  correct result when the argument is already restricted to COL_ACLS;
  presumably callers mask first -- verify at the call sites.
*/
#define fix_rights_for_column(A) (((A) & 7) | (((A) & ~7) << 8))
#define get_rights_for_column(A) (((A) & 7) | ((A) >> 8))
/*
  Routine-level conversion (three bits):
    stored bit 0 <-> EXECUTE_ACL    (bit 18, shift 18)
    stored bit 1 <-> ALTER_PROC_ACL (bit 24, shift 23)
    stored bit 2 <-> GRANT_ACL      (bit 10, shift  8)
  Both directions mask the result, so extra bits in the input are
  discarded.  fix_rights_for_procedure shifts before masking, so a stored
  value with high bits set would be shifted out of a 32-bit long; stored
  routine rows are presumably small (bits 0-2 only) -- confirm.
*/
#define fix_rights_for_procedure(A) ((((A) << 18) & EXECUTE_ACL) | \
				     (((A) << 23) & ALTER_PROC_ACL) | \
				     (((A) << 8) & GRANT_ACL))
#define get_rights_for_procedure(A) ((((A) & EXECUTE_ACL) >> 18) |  \
				     (((A) & ALTER_PROC_ACL) >> 23) | \
				     (((A) & GRANT_ACL) >> 8))
/* Classes */

/*
  A host specification from the privilege tables: either a hostname (which
  may still need resolving, see hostname_requires_resolving) or a numeric
  ip plus mask.
*/
struct acl_host_and_ip
{
  char *hostname;
  long ip,ip_mask;                      // Used for host entries given as a masked IP
};


/*
  Base of every in-memory ACL entry.
  'access' is a bitmask of the *_ACL bits above (in-memory layout);
  'sort' is the ordering key used when entries are matched -- the exact
  ordering is decided by the code that fills it, not visible here.
*/
class ACL_ACCESS {
public:
  ulong sort;
  ulong access;
};


/* ACL_HOST is used if no host is specified */

/* In-memory row of the 'host' table: host pattern plus db name. */
class ACL_HOST :public ACL_ACCESS
{
public:
  acl_host_and_ip host;
  char *db;
};


/*
  In-memory user account: who may connect from where, with which global
  privileges (ACL_ACCESS::access), resource limits and connection
  requirements.  Holds the stored password hash, never a plaintext password.
*/
class ACL_USER :public ACL_ACCESS
{
public:
  acl_host_and_ip host;
  uint hostname_length;
  USER_RESOURCES user_resource;
  char *user;
  uint8 salt[SCRAMBLE_LENGTH+1];       // scrambled password (hash) in binary form
  uint8 salt_len;        // valid bytes in salt[]; doubles as the hash-format tag:
                         // 0 - no password, 4 - 3.20, 8 - 3.23, 20 - 4.1.1
  enum SSL_type ssl_type;               // transport requirement for this account
  const char *ssl_cipher, *x509_issuer, *x509_subject;  // extra requirements, when ssl_type asks for them
};


/* In-memory row of the 'db' table: database-level privileges for user@host on db. */
class ACL_DB :public ACL_ACCESS
{
public:
  acl_host_and_ip host;
  char *user,*db;
};

/* prototypes */

/* True if 'hostname' is a name rather than a numeric/masked address. */
bool hostname_requires_resolving(const char *hostname);

/*
  ACL cache (user/host/db level) lifecycle.
  acl_init: build the cache; with dont_read_acl_tables set the privilege
  tables are not read (the exact fallback is decided by the implementation).
*/
my_bool  acl_init(THD *thd, bool dont_read_acl_tables);
void acl_reload(THD *thd);
void acl_free(bool end=0);

/*
  Database-level access bits (in-memory layout) for the given host/ip, user
  and db.  db_is_pattern controls whether 'db' is matched as a pattern.
*/
ulong acl_get(const char *host, const char *ip,
	      const char *user, const char *db, my_bool db_is_pattern);

/*
  Authentication of a connecting user against the cache.  'passwd' holds
  passwd_len bytes of the client's scrambled reply (not a plaintext
  password, judging by the explicit length); resource limits are returned
  through *mqh.  The meaning of the int result is defined by the
  implementation -- check callers before adding a new one.
*/
int acl_getroot(THD *thd, USER_RESOURCES *mqh, const char *passwd,
                uint passwd_len);
/* Variant that skips the password check; callers must be sure this is appropriate. */
int acl_getroot_no_password(THD *thd);

/* True if some ACL entry allows connections from host/ip at all. */
bool acl_check_host(const char *host, const char *ip);

/*
  Password change.  'password' is a non-const char* in both prototypes, so
  the callee may rewrite it in place (presumably into the scrambled form)
  -- do not pass a buffer the caller still needs.
*/
bool check_change_password(THD *thd, const char *host, const char *user,
                           char *password, uint password_len);
bool change_password(THD *thd, const char *host, const char *user,
		     char *password);

/*
  GRANT / REVOKE handling.  'rights' is an in-memory *_ACL bitmask; with
  'revoke' set the same function removes instead of adds.
*/
bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &user_list,
                 ulong rights, bool revoke);
bool mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list,
                       List <LEX_COLUMN> &column_list, ulong rights,
                       bool revoke);
bool mysql_procedure_grant(THD *thd, TABLE_LIST *table, 
			   List <LEX_USER> &user_list, ulong rights,
			   bool revoke, bool no_error);

/* Look up the cached ACL_USER for user_name; the index is returned through *acl_acl_userdx. */
ACL_USER *check_acl_user(LEX_USER *user_name,
			 uint *acl_acl_userdx);

/* Table/column/routine grant cache lifecycle (the counterpart of acl_init & co). */
my_bool grant_init(THD *thd);
void grant_free(void);
void grant_reload(THD *thd);
/*
  Access checks against the grant cache.  want_access is an in-memory
  *_ACL bitmask.  These return bool; the dont_print_error / no_error
  arguments indicate that a nonzero result is the failure path and that the
  callee normally reports the error itself.
  Note: under NO_EMBEDDED_ACCESS_CHECKS only check_grant and check_grant_db
  are compiled out (see the #ifdef at the end of this file).
*/
bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables,
		 uint show_command, uint number, bool dont_print_error);
bool check_grant_column (THD *thd, GRANT_INFO *grant,
			 const char *db_name, const char *table_name,
			 const char *name, uint length, uint show_command=0);
bool check_grant_all_columns(THD *thd, ulong want_access, GRANT_INFO *grant,
                             const char* db_name, const char *table_name,
                             Field_iterator *fields);
bool check_grant_procedure(THD *thd, ulong want_access, 
			   TABLE_LIST *procs, bool no_error);
bool check_grant_db(THD *thd,const char *db);

/* Effective in-memory access bits for a table / a column. */
ulong get_table_grant(THD *thd, TABLE_LIST *table);
ulong get_column_grant(THD *thd, GRANT_INFO *grant,
                       const char *db_name, const char *table_name,
                       const char *field_name);

bool mysql_show_grants(THD *thd, LEX_USER *user);

/*
  Renders the 'access' bits as text into 'to'.  max_length is presumably
  the size of 'to'; verify the implementation bounds its writes by it and
  NUL-terminates when truncating.
*/
void get_privilege_desc(char *to, uint max_length, ulong access);

/* Fill *uc with the resource limits configured for user@host. */
void get_mqh(const char *user, const char *host, USER_CONN *uc);

/* Account management statements; each works on a list of users. */
bool mysql_create_user(THD *thd, List <LEX_USER> &list);
bool mysql_drop_user(THD *thd, List <LEX_USER> &list);
bool mysql_rename_user(THD *thd, List <LEX_USER> &list);
bool mysql_revoke_all(THD *thd, List <LEX_USER> &list);

/* Store the combined privileges the current user holds on db.table into *grant. */
void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant,
                                     const char *db, const char *table);

/* Stored-routine privilege maintenance and the routine-level access check. */
bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name);
bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name);
bool check_routine_level_acl(THD *thd, const char *db, const char *name);

/*
  Embedded-library builds: these two checks are replaced by the constant 0,
  i.e. "check passed", so table and database access is never refused by
  them.  The argument counts (6 and 2) mirror the prototypes above and must
  be kept in step with them.  Only check_grant and check_grant_db are
  stubbed here; the other check_grant_* prototypes are left as declared.
  This macro must only be defined for the embedded build, never for the
  server.
*/
#ifdef NO_EMBEDDED_ACCESS_CHECKS
#define check_grant(A,B,C,D,E,F) 0
#define check_grant_db(A,B) 0
#endif