Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
M
MariaDB
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
nexedi
MariaDB
Commits
02bd2cf0
Commit
02bd2cf0
authored
May 17, 2005
by
msvensson@neptunus.(none)
Browse files
Options
Browse Files
Download
Plain Diff
Merge bk-internal.mysql.com:/home/bk/mysql-5.0
into neptunus.(none):/home/msvensson/mysql/mysql-5.0
parents
02a3295a
1b87bf51
Changes
15
Hide whitespace changes
Inline
Side-by-side
Showing
15 changed files
with
342 additions
and
185 deletions
+342
-185
mysql-test/r/sp-security.result
mysql-test/r/sp-security.result
+24
-24
mysql-test/r/system_mysql_db.result
mysql-test/r/system_mysql_db.result
+3
-2
mysql-test/t/sp-security.test
mysql-test/t/sp-security.test
+14
-14
scripts/mysql_create_system_tables.sh
scripts/mysql_create_system_tables.sh
+3
-2
scripts/mysql_fix_privilege_tables.sql
scripts/mysql_fix_privilege_tables.sql
+7
-2
sql/ha_innodb.cc
sql/ha_innodb.cc
+34
-27
sql/ha_innodb.h
sql/ha_innodb.h
+0
-1
sql/item_func.cc
sql/item_func.cc
+4
-4
sql/mysql_priv.h
sql/mysql_priv.h
+3
-3
sql/sp_head.cc
sql/sp_head.cc
+2
-1
sql/sql_acl.cc
sql/sql_acl.cc
+131
-67
sql/sql_acl.h
sql/sql_acl.h
+11
-8
sql/sql_parse.cc
sql/sql_parse.cc
+31
-22
sql/sql_show.cc
sql/sql_show.cc
+2
-1
sql/sql_yacc.yy
sql/sql_yacc.yy
+73
-7
No files found.
mysql-test/r/sp-security.result
View file @
02bd2cf0
...
...
@@ -23,10 +23,10 @@ root@localhost 1
select db();
db()
db1_secret
grant execute on db1_secret.stamp to user1@'%';
grant execute on db1_secret.db to user1@'%';
grant execute on db1_secret.stamp to ''@'%';
grant execute on db1_secret.db to ''@'%';
grant execute on
procedure
db1_secret.stamp to user1@'%';
grant execute on
function
db1_secret.db to user1@'%';
grant execute on
procedure
db1_secret.stamp to ''@'%';
grant execute on
function
db1_secret.db to ''@'%';
call db1_secret.stamp(2);
select db1_secret.db();
db1_secret.db()
...
...
@@ -105,8 +105,8 @@ select * from t2;
s1
0
2
grant usage on db2.q to user2@localhost with grant option;
grant execute on db2.q to user1@localhost;
grant usage on
procedure
db2.q to user2@localhost with grant option;
grant execute on
procedure
db2.q to user1@localhost;
use db2;
call q();
select * from t2;
...
...
@@ -117,9 +117,9 @@ s1
alter procedure p modifies sql data;
drop procedure p;
alter procedure q modifies sql data;
ERROR 42000: alter
procedur
e command denied to user 'user1'@'localhost' for routine 'db2.q'
ERROR 42000: alter
routin
e command denied to user 'user1'@'localhost' for routine 'db2.q'
drop procedure q;
ERROR 42000: alter
procedur
e command denied to user 'user1'@'localhost' for routine 'db2.q'
ERROR 42000: alter
routin
e command denied to user 'user1'@'localhost' for routine 'db2.q'
use db2;
alter procedure q modifies sql data;
drop procedure q;
...
...
@@ -141,52 +141,52 @@ create database sptest;
create table t1 ( u varchar(64), i int );
create procedure sptest.p1(i int) insert into test.t1 values (user(), i);
grant insert on t1 to usera@localhost;
grant execute on sptest.p1 to usera@localhost;
grant execute on
procedure
sptest.p1 to usera@localhost;
show grants for usera@localhost;
Grants for usera@localhost
GRANT USAGE ON *.* TO 'usera'@'localhost'
GRANT INSERT ON `test`.`t1` TO 'usera'@'localhost'
GRANT EXECUTE ON `sptest`.`p1` TO 'usera'@'localhost'
grant execute on sptest.p1 to userc@localhost with grant option;
GRANT EXECUTE ON
PROCEDURE
`sptest`.`p1` TO 'usera'@'localhost'
grant execute on
procedure
sptest.p1 to userc@localhost with grant option;
show grants for userc@localhost;
Grants for userc@localhost
GRANT USAGE ON *.* TO 'userc'@'localhost'
GRANT EXECUTE ON `sptest`.`p1` TO 'userc'@'localhost' WITH GRANT OPTION
GRANT EXECUTE ON
PROCEDURE
`sptest`.`p1` TO 'userc'@'localhost' WITH GRANT OPTION
call sptest.p1(1);
grant execute on sptest.p1 to userb@localhost;
grant execute on
procedure
sptest.p1 to userb@localhost;
ERROR 42000: grant command denied to user 'usera'@'localhost' for routine 'sptest.p1'
drop procedure sptest.p1;
ERROR 42000: alter
procedur
e command denied to user 'usera'@'localhost' for routine 'sptest.p1'
ERROR 42000: alter
routin
e command denied to user 'usera'@'localhost' for routine 'sptest.p1'
call sptest.p1(2);
ERROR 42000: execute command denied to user 'userb'@'localhost' for routine 'sptest.p1'
grant execute on sptest.p1 to userb@localhost;
grant execute on
procedure
sptest.p1 to userb@localhost;
ERROR 42000: execute command denied to user 'userb'@'localhost' for routine 'sptest.p1'
drop procedure sptest.p1;
ERROR 42000: alter
procedur
e command denied to user 'userb'@'localhost' for routine 'sptest.p1'
ERROR 42000: alter
routin
e command denied to user 'userb'@'localhost' for routine 'sptest.p1'
call sptest.p1(3);
grant execute on sptest.p1 to userb@localhost;
grant execute on
procedure
sptest.p1 to userb@localhost;
drop procedure sptest.p1;
ERROR 42000: alter
procedur
e command denied to user 'userc'@'localhost' for routine 'sptest.p1'
ERROR 42000: alter
routin
e command denied to user 'userc'@'localhost' for routine 'sptest.p1'
call sptest.p1(4);
grant execute on sptest.p1 to userb@localhost;
grant execute on
procedure
sptest.p1 to userb@localhost;
ERROR 42000: grant command denied to user 'userb'@'localhost' for routine 'sptest.p1'
drop procedure sptest.p1;
ERROR 42000: alter
procedur
e command denied to user 'userb'@'localhost' for routine 'sptest.p1'
ERROR 42000: alter
routin
e command denied to user 'userb'@'localhost' for routine 'sptest.p1'
select * from t1;
u i
usera@localhost 1
userc@localhost 3
userb@localhost 4
grant all privileges on sptest.p1 to userc@localhost;
grant all privileges on
procedure
sptest.p1 to userc@localhost;
show grants for userc@localhost;
Grants for userc@localhost
GRANT USAGE ON *.* TO 'userc'@'localhost'
GRANT EXECUTE, ALTER ROUTINE ON `sptest`.`p1` TO 'userc'@'localhost' WITH GRANT OPTION
GRANT EXECUTE, ALTER ROUTINE ON
PROCEDURE
`sptest`.`p1` TO 'userc'@'localhost' WITH GRANT OPTION
show grants for userb@localhost;
Grants for userb@localhost
GRANT USAGE ON *.* TO 'userb'@'localhost'
GRANT EXECUTE ON `sptest`.`p1` TO 'userb'@'localhost'
revoke all privileges on sptest.p1 from userb@localhost;
GRANT EXECUTE ON
PROCEDURE
`sptest`.`p1` TO 'userb'@'localhost'
revoke all privileges on
procedure
sptest.p1 from userb@localhost;
show grants for userb@localhost;
Grants for userb@localhost
GRANT USAGE ON *.* TO 'userb'@'localhost'
...
...
mysql-test/r/system_mysql_db.result
View file @
02bd2cf0
...
...
@@ -152,10 +152,11 @@ procs_priv CREATE TABLE `procs_priv` (
`Db` char(64) collate utf8_bin NOT NULL default '',
`User` char(16) collate utf8_bin NOT NULL default '',
`Routine_name` char(64) collate utf8_bin NOT NULL default '',
`Routine_type` enum('FUNCTION','PROCEDURE') collate utf8_bin NOT NULL default 'FUNCTION',
`Grantor` char(77) collate utf8_bin NOT NULL default '',
`Timestamp` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
`Proc_priv` set('Execute','Alter Routine','Grant') character set utf8 NOT NULL default '',
PRIMARY KEY (`Host`,`Db`,`User`,`Routine_name`),
`Timestamp` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
PRIMARY KEY (`Host`,`Db`,`User`,`Routine_name`,`Routine_type`),
KEY `Grantor` (`Grantor`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_bin COMMENT='Procedure privileges'
show create table proc;
...
...
mysql-test/t/sp-security.test
View file @
02bd2cf0
...
...
@@ -43,10 +43,10 @@ call stamp(1);
select
*
from
t1
;
select
db
();
grant
execute
on
db1_secret
.
stamp
to
user1
@
'%'
;
grant
execute
on
db1_secret
.
db
to
user1
@
'%'
;
grant
execute
on
db1_secret
.
stamp
to
''
@
'%'
;
grant
execute
on
db1_secret
.
db
to
''
@
'%'
;
grant
execute
on
procedure
db1_secret
.
stamp
to
user1
@
'%'
;
grant
execute
on
function
db1_secret
.
db
to
user1
@
'%'
;
grant
execute
on
procedure
db1_secret
.
stamp
to
''
@
'%'
;
grant
execute
on
function
db1_secret
.
db
to
''
@
'%'
;
connect
(
con2user1
,
localhost
,
user1
,,);
connect
(
con3anon
,
localhost
,
anon
,,);
...
...
@@ -183,10 +183,10 @@ call q();
select
*
from
t2
;
connection
con1root
;
grant
usage
on
db2
.
q
to
user2
@
localhost
with
grant
option
;
grant
usage
on
procedure
db2
.
q
to
user2
@
localhost
with
grant
option
;
connection
con4user2
;
grant
execute
on
db2
.
q
to
user1
@
localhost
;
grant
execute
on
procedure
db2
.
q
to
user1
@
localhost
;
connection
con2user1
;
use
db2
;
...
...
@@ -245,9 +245,9 @@ create database sptest;
create
table
t1
(
u
varchar
(
64
),
i
int
);
create
procedure
sptest
.
p1
(
i
int
)
insert
into
test
.
t1
values
(
user
(),
i
);
grant
insert
on
t1
to
usera
@
localhost
;
grant
execute
on
sptest
.
p1
to
usera
@
localhost
;
grant
execute
on
procedure
sptest
.
p1
to
usera
@
localhost
;
show
grants
for
usera
@
localhost
;
grant
execute
on
sptest
.
p1
to
userc
@
localhost
with
grant
option
;
grant
execute
on
procedure
sptest
.
p1
to
userc
@
localhost
with
grant
option
;
show
grants
for
userc
@
localhost
;
connect
(
con2usera
,
localhost
,
usera
,,);
...
...
@@ -257,7 +257,7 @@ connect (con4userc,localhost,userc,,);
connection
con2usera
;
call
sptest
.
p1
(
1
);
--
error
1370
grant
execute
on
sptest
.
p1
to
userb
@
localhost
;
grant
execute
on
procedure
sptest
.
p1
to
userb
@
localhost
;
--
error
1370
drop
procedure
sptest
.
p1
;
...
...
@@ -265,32 +265,32 @@ connection con3userb;
--
error
1370
call
sptest
.
p1
(
2
);
--
error
1370
grant
execute
on
sptest
.
p1
to
userb
@
localhost
;
grant
execute
on
procedure
sptest
.
p1
to
userb
@
localhost
;
--
error
1370
drop
procedure
sptest
.
p1
;
connection
con4userc
;
call
sptest
.
p1
(
3
);
grant
execute
on
sptest
.
p1
to
userb
@
localhost
;
grant
execute
on
procedure
sptest
.
p1
to
userb
@
localhost
;
--
error
1370
drop
procedure
sptest
.
p1
;
connection
con3userb
;
call
sptest
.
p1
(
4
);
--
error
1370
grant
execute
on
sptest
.
p1
to
userb
@
localhost
;
grant
execute
on
procedure
sptest
.
p1
to
userb
@
localhost
;
--
error
1370
drop
procedure
sptest
.
p1
;
connection
con1root
;
select
*
from
t1
;
grant
all
privileges
on
sptest
.
p1
to
userc
@
localhost
;
grant
all
privileges
on
procedure
sptest
.
p1
to
userc
@
localhost
;
show
grants
for
userc
@
localhost
;
show
grants
for
userb
@
localhost
;
connection
con4userc
;
revoke
all
privileges
on
sptest
.
p1
from
userb
@
localhost
;
revoke
all
privileges
on
procedure
sptest
.
p1
from
userb
@
localhost
;
connection
con1root
;
show
grants
for
userb
@
localhost
;
...
...
scripts/mysql_create_system_tables.sh
View file @
02bd2cf0
...
...
@@ -255,10 +255,11 @@ then
c_pp
=
"
$c_pp
Db char(64) binary DEFAULT '' NOT NULL,"
c_pp
=
"
$c_pp
User char(16) binary DEFAULT '' NOT NULL,"
c_pp
=
"
$c_pp
Routine_name char(64) binary DEFAULT '' NOT NULL,"
c_pp
=
"
$c_pp
Routine_type enum('FUNCTION','PROCEDURE') NOT NULL,"
c_pp
=
"
$c_pp
Grantor char(77) DEFAULT '' NOT NULL,"
c_pp
=
"
$c_pp
Timestamp timestamp(14),"
c_pp
=
"
$c_pp
Proc_priv set('Execute','Alter Routine','Grant') COLLATE utf8_general_ci DEFAULT '' NOT NULL,"
c_pp
=
"
$c_pp
PRIMARY KEY (Host,Db,User,Routine_name),"
c_pp
=
"
$c_pp
Timestamp timestamp(14),"
c_pp
=
"
$c_pp
PRIMARY KEY (Host,Db,User,Routine_name,Routine_type),"
c_pp
=
"
$c_pp
KEY Grantor (Grantor)"
c_pp
=
"
$c_pp
) engine=MyISAM"
c_pp
=
"
$c_pp
CHARACTER SET utf8 COLLATE utf8_bin"
...
...
scripts/mysql_fix_privilege_tables.sql
View file @
02bd2cf0
...
...
@@ -67,6 +67,10 @@ ALTER TABLE tables_priv
ALTER
TABLE
procs_priv
ENGINE
=
MyISAM
,
CONVERT
TO
CHARACTER
SET
utf8
COLLATE
utf8_bin
;
ALTER
TABLE
procs_priv
modify
Proc_priv
set
(
'Execute'
,
'Alter Routine'
,
'Grant'
)
COLLATE
utf8_general_ci
DEFAULT
''
NOT
NULL
;
ALTER
TABLE
procs_priv
add
Routine_type
enum
(
'FUNCTION'
,
'PROCEDURE'
)
COLLATE
utf8_general_ci
NOT
NULL
AFTER
Routine_name
;
ALTER
TABLE
procs_priv
modify
Timestamp
timestamp
(
14
)
AFTER
Proc_priv
;
CREATE
TABLE
IF
NOT
EXISTS
columns_priv
(
Host
char
(
60
)
DEFAULT
''
NOT
NULL
,
...
...
@@ -316,10 +320,11 @@ Host char(60) binary DEFAULT '' NOT NULL,
Db
char
(
64
)
binary
DEFAULT
''
NOT
NULL
,
User
char
(
16
)
binary
DEFAULT
''
NOT
NULL
,
Routine_name
char
(
64
)
binary
DEFAULT
''
NOT
NULL
,
Routine_type
enum
(
'FUNCTION'
,
'PROCEDURE'
)
NOT
NULL
,
Grantor
char
(
77
)
DEFAULT
''
NOT
NULL
,
Timestamp
timestamp
(
14
),
Proc_priv
set
(
'Execute'
,
'Alter Routine'
,
'Grant'
)
COLLATE
utf8_general_ci
DEFAULT
''
NOT
NULL
,
PRIMARY
KEY
(
Host
,
Db
,
User
,
Routine_name
),
Timestamp
timestamp
(
14
),
PRIMARY
KEY
(
Host
,
Db
,
User
,
Routine_name
,
Routine_type
),
KEY
Grantor
(
Grantor
)
)
CHARACTER
SET
utf8
COLLATE
utf8_bin
comment
=
'Procedure privileges'
;
...
...
sql/ha_innodb.cc
View file @
02bd2cf0
...
...
@@ -3170,12 +3170,28 @@ ha_innobase::write_row(
prebuilt
->
sql_stat_start
=
TRUE
;
}
/*
We must use the handler code to update the auto-increment
value to be sure that increment it correctly.
*/
/* We have to use the transactional lock mechanism on the
auto-inc counter of the table to ensure that replication and
roll-forward of the binlog exactly imitates also the given
auto-inc values. The lock is released at each SQL statement's
end. This lock also prevents a race where two threads would
call ::get_auto_increment() simultaneously. */
error
=
row_lock_table_autoinc_for_mysql
(
prebuilt
);
if
(
error
!=
DB_SUCCESS
)
{
/* Deadlock or lock wait timeout */
error
=
convert_error_code_to_mysql
(
error
,
user_thd
);
goto
func_exit
;
}
/* We must use the handler code to update the auto-increment
value to be sure that we increment it correctly. */
update_auto_increment
();
auto_inc_used
=
1
;
auto_inc_used
=
1
;
}
...
...
@@ -3198,24 +3214,9 @@ ha_innobase::write_row(
auto_inc
=
table
->
next_number_field
->
val_int
();
if
(
auto_inc
!=
0
)
{
/* This call will calculate the max of the current
value and the value supplied by the user and
update the counter accordingly */
/* We have to use the transactional lock mechanism
on the auto-inc counter of the table to ensure
that replication and roll-forward of the binlog
exactly imitates also the given auto-inc values.
The lock is released at each SQL statement's
end. */
error
=
row_lock_table_autoinc_for_mysql
(
prebuilt
);
if
(
error
!=
DB_SUCCESS
)
{
error
=
convert_error_code_to_mysql
(
error
,
user_thd
);
goto
func_exit
;
}
/* This call will update the counter according to the
value that was inserted in the table */
dict_table_autoinc_update
(
prebuilt
->
table
,
auto_inc
);
}
}
...
...
@@ -5795,7 +5796,6 @@ ha_innobase::start_stmt(
read_view_close_for_mysql
(
trx
);
}
auto_inc_counter_for_this_stat
=
0
;
prebuilt
->
sql_stat_start
=
TRUE
;
prebuilt
->
hint_need_to_fetch_extra_cols
=
0
;
prebuilt
->
read_just_key
=
0
;
...
...
@@ -5985,7 +5985,7 @@ ha_innobase::external_lock(
trx
->
n_mysql_tables_in_use
--
;
prebuilt
->
mysql_has_locked
=
FALSE
;
auto_inc_counter_for_this_stat
=
0
;
if
(
trx
->
n_lock_table_exp
)
{
row_unlock_tables_for_mysql
(
trx
);
}
...
...
@@ -6505,7 +6505,7 @@ ha_innobase::store_lock(
/***********************************************************************
This function initializes the auto-inc counter if it has not been
initialized yet. This function does not change the value of the auto-inc
counter if it already has been initialized. In paramete ret returns
counter if it already has been initialized. In paramete
r
ret returns
the value of the auto-inc counter. */
int
...
...
@@ -6624,7 +6624,14 @@ ha_innobase::get_auto_increment()
error
=
innobase_read_and_init_auto_inc
(
&
nr
);
if
(
error
)
{
/* This should never happen in the current (5.0.6) code, since
we call this function only after the counter has been
initialized. */
ut_print_timestamp
(
stderr
);
fprintf
(
stderr
,
" InnoDB: Error: error %lu in ::get_auto_increment()
\n
"
,
(
ulong
)
error
);
return
(
~
(
ulonglong
)
0
);
}
...
...
sql/ha_innodb.h
View file @
02bd2cf0
...
...
@@ -70,7 +70,6 @@ class ha_innobase: public handler
ROW_SEL_EXACT, ROW_SEL_EXACT_PREFIX,
or undefined */
uint
num_write_row
;
/* number of write_row() calls */
longlong
auto_inc_counter_for_this_stat
;
ulong
max_supported_row_length
(
const
byte
*
buf
);
uint
store_key_val_for_row
(
uint
keynr
,
char
*
buff
,
uint
buff_len
,
...
...
sql/item_func.cc
View file @
02bd2cf0
...
...
@@ -4771,13 +4771,13 @@ Item_func_sp::execute(Item **itp)
#endif
#ifndef NO_EMBEDDED_ACCESS_CHECKS
if
(
check_
procedur
e_access
(
thd
,
EXECUTE_ACL
,
m_sp
->
m_db
.
str
,
m_sp
->
m_name
.
str
,
0
))
if
(
check_
routin
e_access
(
thd
,
EXECUTE_ACL
,
m_sp
->
m_db
.
str
,
m_sp
->
m_name
.
str
,
0
,
0
))
DBUG_RETURN
(
-
1
);
sp_change_security_context
(
thd
,
m_sp
,
&
save_ctx
);
if
(
save_ctx
.
changed
&&
check_
procedur
e_access
(
thd
,
EXECUTE_ACL
,
m_sp
->
m_db
.
str
,
m_sp
->
m_name
.
str
,
0
))
check_
routin
e_access
(
thd
,
EXECUTE_ACL
,
m_sp
->
m_db
.
str
,
m_sp
->
m_name
.
str
,
0
,
0
))
{
sp_restore_security_context
(
thd
,
m_sp
,
&
save_ctx
);
thd
->
client_capabilities
|=
old_client_capabilites
&
CLIENT_MULTI_RESULTS
;
...
...
sql/mysql_priv.h
View file @
02bd2cf0
...
...
@@ -473,12 +473,12 @@ void close_thread_tables(THD *thd, bool locked=0, bool skip_derived=0,
TABLE
*
stopper
=
0
);
bool
check_one_table_access
(
THD
*
thd
,
ulong
privilege
,
TABLE_LIST
*
tables
);
bool
check_
procedur
e_access
(
THD
*
thd
,
ulong
want_access
,
char
*
db
,
char
*
name
,
bool
no_errors
);
bool
check_
routin
e_access
(
THD
*
thd
,
ulong
want_access
,
char
*
db
,
char
*
name
,
bool
is_proc
,
bool
no_errors
);
bool
check_some_access
(
THD
*
thd
,
ulong
want_access
,
TABLE_LIST
*
table
);
bool
check_merge_table_access
(
THD
*
thd
,
char
*
db
,
TABLE_LIST
*
table_list
);
bool
check_some_routine_access
(
THD
*
thd
,
const
char
*
db
,
const
char
*
name
);
bool
check_some_routine_access
(
THD
*
thd
,
const
char
*
db
,
const
char
*
name
,
bool
is_proc
);
bool
multi_update_precheck
(
THD
*
thd
,
TABLE_LIST
*
tables
);
bool
multi_delete_precheck
(
THD
*
thd
,
TABLE_LIST
*
tables
,
uint
*
table_count
);
bool
mysql_multi_update_prepare
(
THD
*
thd
);
...
...
sql/sp_head.cc
View file @
02bd2cf0
...
...
@@ -1111,7 +1111,8 @@ bool check_show_routine_access(THD *thd, sp_head *sp, bool *full_access)
(
!
strcmp
(
sp
->
m_definer_user
.
str
,
thd
->
priv_user
)
&&
!
strcmp
(
sp
->
m_definer_host
.
str
,
thd
->
priv_host
)));
if
(
!*
full_access
)
return
check_some_routine_access
(
thd
,
sp
->
m_db
.
str
,
sp
->
m_name
.
str
);
return
check_some_routine_access
(
thd
,
sp
->
m_db
.
str
,
sp
->
m_name
.
str
,
sp
->
m_type
==
TYPE_ENUM_PROCEDURE
);
return
0
;
}
...
...
sql/sql_acl.cc
View file @
02bd2cf0
...
...
@@ -60,7 +60,7 @@ static DYNAMIC_ARRAY acl_hosts,acl_users,acl_dbs;
static
MEM_ROOT
mem
,
memex
;
static
bool
initialized
=
0
;
static
bool
allow_all_hosts
=
1
;
static
HASH
acl_check_hosts
,
column_priv_hash
,
proc_priv_hash
;
static
HASH
acl_check_hosts
,
column_priv_hash
,
proc_priv_hash
,
func_priv_hash
;
static
DYNAMIC_ARRAY
acl_wild_hosts
;
static
hash_filo
*
acl_cache
;
static
uint
grant_version
=
0
;
/* Version of priv tables. incremented by acl_init */
...
...
@@ -2136,11 +2136,12 @@ static GRANT_NAME *name_hash_search(HASH *name_hash,
inline
GRANT_NAME
*
proc
_hash_search
(
const
char
*
host
,
const
char
*
ip
,
const
char
*
db
,
const
char
*
user
,
const
char
*
tname
,
bool
exact
)
routine
_hash_search
(
const
char
*
host
,
const
char
*
ip
,
const
char
*
db
,
const
char
*
user
,
const
char
*
tname
,
bool
proc
,
bool
exact
)
{
return
(
GRANT_TABLE
*
)
name_hash_search
(
&
proc_priv_hash
,
host
,
ip
,
db
,
user
,
tname
,
exact
);
return
(
GRANT_TABLE
*
)
name_hash_search
(
proc
?
&
proc_priv_hash
:
&
func_priv_hash
,
host
,
ip
,
db
,
user
,
tname
,
exact
);
}
...
...
@@ -2466,16 +2467,17 @@ static int replace_table_table(THD *thd, GRANT_TABLE *grant_table,
}
static
int
replace_
proc
_table
(
THD
*
thd
,
GRANT_NAME
*
grant_name
,
static
int
replace_
routine
_table
(
THD
*
thd
,
GRANT_NAME
*
grant_name
,
TABLE
*
table
,
const
LEX_USER
&
combo
,
const
char
*
db
,
const
char
*
proc
_name
,
ulong
rights
,
bool
revoke_grant
)
const
char
*
db
,
const
char
*
routine
_name
,
bool
is_proc
,
ulong
rights
,
bool
revoke_grant
)
{
char
grantor
[
HOSTNAME_LENGTH
+
USERNAME_LENGTH
+
2
];
int
old_row_exists
=
1
;
int
error
=
0
;
ulong
store_proc_rights
;
DBUG_ENTER
(
"replace_proc_table"
);
byte
*
key
;
DBUG_ENTER
(
"replace_routine_table"
);
if
(
!
initialized
)
{
...
...
@@ -2499,7 +2501,10 @@ static int replace_proc_table(THD *thd, GRANT_NAME *grant_name,
table
->
field
[
0
]
->
store
(
combo
.
host
.
str
,
combo
.
host
.
length
,
&
my_charset_latin1
);
table
->
field
[
1
]
->
store
(
db
,(
uint
)
strlen
(
db
),
&
my_charset_latin1
);
table
->
field
[
2
]
->
store
(
combo
.
user
.
str
,
combo
.
user
.
length
,
&
my_charset_latin1
);
table
->
field
[
3
]
->
store
(
proc_name
,(
uint
)
strlen
(
proc_name
),
&
my_charset_latin1
);
table
->
field
[
3
]
->
store
(
routine_name
,(
uint
)
strlen
(
routine_name
),
&
my_charset_latin1
);
table
->
field
[
4
]
->
store
((
longlong
)(
is_proc
?
TYPE_ENUM_PROCEDURE
:
TYPE_ENUM_FUNCTION
));
store_record
(
table
,
record
[
1
]);
// store at pos 1
if
(
table
->
file
->
index_read_idx
(
table
->
record
[
0
],
0
,
...
...
@@ -2514,7 +2519,7 @@ static int replace_proc_table(THD *thd, GRANT_NAME *grant_name,
if
(
revoke_grant
)
{
// no row, no revoke
my_error
(
ER_NONEXISTING_PROC_GRANT
,
MYF
(
0
),
combo
.
user
.
str
,
combo
.
host
.
str
,
proc
_name
);
combo
.
user
.
str
,
combo
.
host
.
str
,
routine
_name
);
DBUG_RETURN
(
-
1
);
}
old_row_exists
=
0
;
...
...
@@ -2539,7 +2544,7 @@ static int replace_proc_table(THD *thd, GRANT_NAME *grant_name,
}
}
table
->
field
[
4
]
->
store
(
grantor
,(
uint
)
strlen
(
grantor
),
&
my_charset_latin1
);
table
->
field
[
5
]
->
store
(
grantor
,(
uint
)
strlen
(
grantor
),
&
my_charset_latin1
);
table
->
field
[
6
]
->
store
((
longlong
)
store_proc_rights
);
rights
=
fix_rights_for_procedure
(
store_proc_rights
);
...
...
@@ -2566,7 +2571,7 @@ static int replace_proc_table(THD *thd, GRANT_NAME *grant_name,
}
else
{
hash_delete
(
&
pro
c_priv_hash
,(
byte
*
)
grant_name
);
hash_delete
(
is_proc
?
&
proc_priv_hash
:
&
fun
c_priv_hash
,(
byte
*
)
grant_name
);
}
DBUG_RETURN
(
0
);
...
...
@@ -2841,12 +2846,13 @@ bool mysql_table_grant(THD *thd, TABLE_LIST *table_list,
/*
Store
procedur
e level grants in the privilege tables
Store
routin
e level grants in the privilege tables
SYNOPSIS
mysql_
procedur
e_grant()
mysql_
routin
e_grant()
thd Thread handle
table_list List of procedures to give grant
table_list List of routines to give grant
is_proc true indicates routine list are procedures
user_list List of users to give grant
rights Table level grant
revoke_grant Set to 1 if this is a REVOKE command
...
...
@@ -2856,16 +2862,16 @@ bool mysql_table_grant(THD *thd, TABLE_LIST *table_list,
1 error
*/
bool
mysql_
procedure_grant
(
THD
*
thd
,
TABLE_LIST
*
table_list
,
List
<
LEX_USER
>
&
user_list
,
ulong
rights
,
bool
revoke_grant
,
bool
no_error
)
bool
mysql_
routine_grant
(
THD
*
thd
,
TABLE_LIST
*
table_list
,
bool
is_proc
,
List
<
LEX_USER
>
&
user_list
,
ulong
rights
,
bool
revoke_grant
,
bool
no_error
)
{
List_iterator
<
LEX_USER
>
str_list
(
user_list
);
LEX_USER
*
Str
;
TABLE_LIST
tables
[
2
];
bool
create_new_users
=
0
,
result
=
0
;
char
*
db_name
,
*
table_name
;
DBUG_ENTER
(
"mysql_
procedur
e_grant"
);
DBUG_ENTER
(
"mysql_
routin
e_grant"
);
if
(
!
initialized
)
{
...
...
@@ -2884,7 +2890,7 @@ bool mysql_procedure_grant(THD *thd, TABLE_LIST *table_list,
if
(
!
revoke_grant
)
{
if
(
sp_exists_routine
(
thd
,
table_list
,
0
,
no_error
)
<
0
)
if
(
sp_exists_routine
(
thd
,
table_list
,
is_proc
,
no_error
)
<
0
)
DBUG_RETURN
(
TRUE
);
}
...
...
@@ -2957,8 +2963,8 @@ bool mysql_procedure_grant(THD *thd, TABLE_LIST *table_list,
db_name
=
table_list
->
db
;
table_name
=
table_list
->
table_name
;
grant_name
=
proc
_hash_search
(
Str
->
host
.
str
,
NullS
,
db_name
,
Str
->
user
.
str
,
table_name
,
1
);
grant_name
=
routine
_hash_search
(
Str
->
host
.
str
,
NullS
,
db_name
,
Str
->
user
.
str
,
table_name
,
is_proc
,
1
);
if
(
!
grant_name
)
{
if
(
revoke_grant
)
...
...
@@ -2977,11 +2983,11 @@ bool mysql_procedure_grant(THD *thd, TABLE_LIST *table_list,
result
=
TRUE
;
continue
;
}
my_hash_insert
(
&
pro
c_priv_hash
,(
byte
*
)
grant_name
);
my_hash_insert
(
is_proc
?
&
proc_priv_hash
:
&
fun
c_priv_hash
,(
byte
*
)
grant_name
);
}
if
(
replace_
proc
_table
(
thd
,
grant_name
,
tables
[
1
].
table
,
*
Str
,
db_name
,
table_name
,
rights
,
revoke_grant
))
if
(
replace_
routine
_table
(
thd
,
grant_name
,
tables
[
1
].
table
,
*
Str
,
db_name
,
table_name
,
is_proc
,
rights
,
revoke_grant
))
{
result
=
TRUE
;
continue
;
...
...
@@ -3133,6 +3139,9 @@ my_bool grant_init(THD *org_thd)
(
void
)
hash_init
(
&
proc_priv_hash
,
system_charset_info
,
0
,
0
,
0
,
(
hash_get_key
)
get_grant_table
,
0
,
0
);
(
void
)
hash_init
(
&
func_priv_hash
,
system_charset_info
,
0
,
0
,
0
,
(
hash_get_key
)
get_grant_table
,
0
,
0
);
init_sql_alloc
(
&
memex
,
ACL_ALLOC_BLOCK_SIZE
,
0
);
/* Don't do anything if running with --skip-grant */
...
...
@@ -3206,6 +3215,8 @@ my_bool grant_init(THD *org_thd)
do
{
GRANT_NAME
*
mem_check
;
longlong
proc_type
;
HASH
*
hash
;
if
(
!
(
mem_check
=
new
GRANT_NAME
(
p_table
)))
{
/* This could only happen if we are out memory */
...
...
@@ -3224,11 +3235,27 @@ my_bool grant_init(THD *org_thd)
continue
;
}
}
if
(
p_table
->
field
[
4
]
->
val_int
()
==
TYPE_ENUM_PROCEDURE
)
{
hash
=
&
proc_priv_hash
;
}
else
if
(
p_table
->
field
[
4
]
->
val_int
()
==
TYPE_ENUM_FUNCTION
)
{
hash
=
&
func_priv_hash
;
}
else
{
sql_print_warning
(
"'procs_priv' entry '%s' "
"ignored, bad routine type"
,
mem_check
->
tname
);
continue
;
}
mem_check
->
privs
=
fix_rights_for_procedure
(
mem_check
->
privs
);
if
(
!
mem_check
->
ok
())
delete
mem_check
;
else
if
(
my_hash_insert
(
&
proc_priv_hash
,
(
byte
*
)
mem_check
))
else
if
(
my_hash_insert
(
hash
,
(
byte
*
)
mem_check
))
{
delete
mem_check
;
grant_option
=
FALSE
;
...
...
@@ -3272,7 +3299,7 @@ my_bool grant_init(THD *org_thd)
void
grant_reload
(
THD
*
thd
)
{
HASH
old_column_priv_hash
,
old_proc_priv_hash
;
HASH
old_column_priv_hash
,
old_proc_priv_hash
,
old_func_priv_hash
;
bool
old_grant_option
;
MEM_ROOT
old_mem
;
DBUG_ENTER
(
"grant_reload"
);
...
...
@@ -3281,6 +3308,7 @@ void grant_reload(THD *thd)
grant_version
++
;
old_column_priv_hash
=
column_priv_hash
;
old_proc_priv_hash
=
proc_priv_hash
;
old_func_priv_hash
=
func_priv_hash
;
old_grant_option
=
grant_option
;
old_mem
=
memex
;
...
...
@@ -3290,6 +3318,7 @@ void grant_reload(THD *thd)
grant_free
();
/* purecov: deadcode */
column_priv_hash
=
old_column_priv_hash
;
/* purecov: deadcode */
proc_priv_hash
=
old_proc_priv_hash
;
func_priv_hash
=
old_func_priv_hash
;
grant_option
=
old_grant_option
;
/* purecov: deadcode */
memex
=
old_mem
;
/* purecov: deadcode */
}
...
...
@@ -3297,6 +3326,7 @@ void grant_reload(THD *thd)
{
hash_free
(
&
old_column_priv_hash
);
hash_free
(
&
old_proc_priv_hash
);
hash_free
(
&
old_func_priv_hash
);
free_root
(
&
old_mem
,
MYF
(
0
));
}
rw_unlock
(
&
LOCK_grant
);
...
...
@@ -3540,13 +3570,14 @@ bool check_grant_db(THD *thd,const char *db)
/****************************************************************************
Check
procedur
e level grants
Check
routin
e level grants
SYNPOSIS
bool check_grant_
procedur
e()
bool check_grant_
routin
e()
thd Thread handler
want_access Bits of privileges user needs to have
procs List of procedures to check. The user should have 'want_access'
procs List of routines to check. The user should have 'want_access'
is_proc True if the list is all procedures, else functions
no_errors If 0 then we write an error. The error is sent directly to
the client
...
...
@@ -3555,13 +3586,13 @@ bool check_grant_db(THD *thd,const char *db)
1 Error: User did not have the requested privielges
****************************************************************************/
bool
check_grant_
procedur
e
(
THD
*
thd
,
ulong
want_access
,
TABLE_LIST
*
procs
,
bool
no_errors
)
bool
check_grant_
routin
e
(
THD
*
thd
,
ulong
want_access
,
TABLE_LIST
*
procs
,
bool
is_proc
,
bool
no_errors
)
{
TABLE_LIST
*
table
;
char
*
user
=
thd
->
priv_user
;
char
*
host
=
thd
->
priv_host
;
DBUG_ENTER
(
"check_grant_
procedur
e"
);
DBUG_ENTER
(
"check_grant_
routin
e"
);
want_access
&=
~
thd
->
master_access
;
if
(
!
want_access
)
...
...
@@ -3571,8 +3602,8 @@ bool check_grant_procedure(THD *thd, ulong want_access,
for
(
table
=
procs
;
table
;
table
=
table
->
next_global
)
{
GRANT_NAME
*
grant_proc
;
if
((
grant_proc
=
proc_hash_search
(
host
,
thd
->
ip
,
table
->
db
,
user
,
table
->
table_name
,
0
)))
if
((
grant_proc
=
routine_hash_search
(
host
,
thd
->
ip
,
table
->
db
,
user
,
table
->
table_name
,
is_proc
,
0
)))
table
->
grant
.
privilege
|=
grant_proc
->
privs
;
if
(
want_access
&
~
table
->
grant
.
privilege
)
...
...
@@ -3594,7 +3625,7 @@ bool check_grant_procedure(THD *thd, ulong want_access,
if
(
want_access
&
EXECUTE_ACL
)
command
=
"execute"
;
else
if
(
want_access
&
ALTER_PROC_ACL
)
command
=
"alter
procedur
e"
;
command
=
"alter
routin
e"
;
else
if
(
want_access
&
GRANT_ACL
)
command
=
"grant"
;
my_error
(
ER_PROCACCESS_DENIED_ERROR
,
MYF
(
0
),
...
...
@@ -3606,7 +3637,7 @@ bool check_grant_procedure(THD *thd, ulong want_access,
/*
Check if routine has any of the
procedur
e level grants
routin
e level grants
SYNPOSIS
bool check_routine_level_acl()
...
...
@@ -3619,15 +3650,15 @@ bool check_grant_procedure(THD *thd, ulong want_access,
1 error
*/
bool
check_routine_level_acl
(
THD
*
thd
,
const
char
*
db
,
const
char
*
name
)
bool
check_routine_level_acl
(
THD
*
thd
,
const
char
*
db
,
const
char
*
name
,
bool
is_proc
)
{
bool
no_routine_acl
=
1
;
if
(
grant_option
)
{
GRANT_NAME
*
grant_proc
;
rw_rdlock
(
&
LOCK_grant
);
if
((
grant_proc
=
proc
_hash_search
(
thd
->
priv_host
,
thd
->
ip
,
db
,
thd
->
priv_user
,
name
,
0
)))
if
((
grant_proc
=
routine
_hash_search
(
thd
->
priv_host
,
thd
->
ip
,
db
,
thd
->
priv_user
,
name
,
is_proc
,
0
)))
no_routine_acl
=
!
(
grant_proc
->
privs
&
SHOW_PROC_ACLS
);
rw_unlock
(
&
LOCK_grant
);
}
...
...
@@ -3730,6 +3761,11 @@ static uint command_lengths[]=
};
static
int
show_routine_grants
(
THD
*
thd
,
LEX_USER
*
lex_user
,
HASH
*
hash
,
const
char
*
type
,
int
typelen
,
char
*
buff
,
int
buffsize
);
/*
SHOW GRANTS; Send grants for a user to the client
...
...
@@ -4076,12 +4112,40 @@ bool mysql_show_grants(THD *thd,LEX_USER *lex_user)
}
}
/* Add procedure access */
for
(
index
=
0
;
index
<
proc_priv_hash
.
records
;
index
++
)
if
(
show_routine_grants
(
thd
,
lex_user
,
&
proc_priv_hash
,
"PROCEDURE"
,
9
,
buff
,
sizeof
(
buff
)))
{
error
=
-
1
;
goto
end
;
}
if
(
show_routine_grants
(
thd
,
lex_user
,
&
func_priv_hash
,
"FUNCTION"
,
8
,
buff
,
sizeof
(
buff
)))
{
error
=
-
1
;
goto
end
;
}
end:
VOID
(
pthread_mutex_unlock
(
&
acl_cache
->
lock
));
rw_unlock
(
&
LOCK_grant
);
send_eof
(
thd
);
DBUG_RETURN
(
error
);
}
static
int
show_routine_grants
(
THD
*
thd
,
LEX_USER
*
lex_user
,
HASH
*
hash
,
const
char
*
type
,
int
typelen
,
char
*
buff
,
int
buffsize
)
{
uint
counter
,
index
;
int
error
=
0
;
Protocol
*
protocol
=
thd
->
protocol
;
/* Add routine access */
for
(
index
=
0
;
index
<
hash
->
records
;
index
++
)
{
const
char
*
user
;
GRANT_NAME
*
grant_proc
=
(
GRANT_NAME
*
)
hash_element
(
&
proc_priv_hash
,
index
);
GRANT_NAME
*
grant_proc
=
(
GRANT_NAME
*
)
hash_element
(
hash
,
index
);
if
(
!
(
user
=
grant_proc
->
user
))
user
=
""
;
...
...
@@ -4093,7 +4157,7 @@ bool mysql_show_grants(THD *thd,LEX_USER *lex_user)
ulong
proc_access
=
grant_proc
->
privs
;
if
(
proc_access
!=
0
)
{
String
global
(
buff
,
sizeof
(
buff
)
,
system_charset_info
);
String
global
(
buff
,
buffsize
,
system_charset_info
);
ulong
test_access
=
proc_access
&
~
GRANT_ACL
;
global
.
length
(
0
);
...
...
@@ -4119,6 +4183,8 @@ bool mysql_show_grants(THD *thd,LEX_USER *lex_user)
}
}
global
.
append
(
" ON "
,
4
);
global
.
append
(
type
,
typelen
);
global
.
append
(
' '
);
append_identifier
(
thd
,
&
global
,
grant_proc
->
db
,
strlen
(
grant_proc
->
db
));
global
.
append
(
'.'
);
...
...
@@ -4143,15 +4209,9 @@ bool mysql_show_grants(THD *thd,LEX_USER *lex_user)
}
}
}
end:
VOID
(
pthread_mutex_unlock
(
&
acl_cache
->
lock
));
rw_unlock
(
&
LOCK_grant
);
send_eof
(
thd
);
DBUG_RETURN
(
error
);
return
error
;
}
/*
Make a clear-text version of the requested privilege.
*/
...
...
@@ -4977,7 +5037,7 @@ bool mysql_rename_user(THD *thd, List <LEX_USER> &list)
bool
mysql_revoke_all
(
THD
*
thd
,
List
<
LEX_USER
>
&
list
)
{
uint
counter
,
revoked
;
uint
counter
,
revoked
,
is_proc
;
int
result
;
ACL_DB
*
acl_db
;
TABLE_LIST
tables
[
GRANT_TABLES
];
...
...
@@ -5092,12 +5152,12 @@ bool mysql_revoke_all(THD *thd, List <LEX_USER> &list)
}
while
(
revoked
);
/* Remove procedure access */
do
{
for
(
counter
=
0
,
revoked
=
0
;
counter
<
proc_priv_hash
.
records
;
)
for
(
is_proc
=
0
;
is_proc
<
2
;
is_proc
++
)
do
{
HASH
*
hash
=
is_proc
?
&
proc_priv_hash
:
&
func_priv_hash
;
for
(
counter
=
0
,
revoked
=
0
;
counter
<
hash
->
records
;
)
{
const
char
*
user
,
*
host
;
GRANT_NAME
*
grant_proc
=
(
GRANT_NAME
*
)
hash_element
(
&
proc_priv_hash
,
counter
);
GRANT_NAME
*
grant_proc
=
(
GRANT_NAME
*
)
hash_element
(
hash
,
counter
);
if
(
!
(
user
=
grant_proc
->
user
))
user
=
""
;
if
(
!
(
host
=
grant_proc
->
host
.
hostname
))
...
...
@@ -5106,9 +5166,10 @@ bool mysql_revoke_all(THD *thd, List <LEX_USER> &list)
if
(
!
strcmp
(
lex_user
->
user
.
str
,
user
)
&&
!
my_strcasecmp
(
system_charset_info
,
lex_user
->
host
.
str
,
host
))
{
if
(
!
replace_
proc
_table
(
thd
,
grant_proc
,
tables
[
4
].
table
,
*
lex_user
,
if
(
!
replace_
routine
_table
(
thd
,
grant_proc
,
tables
[
4
].
table
,
*
lex_user
,
grant_proc
->
db
,
grant_proc
->
tname
,
is_proc
,
~
0
,
1
))
{
revoked
=
1
;
...
...
@@ -5146,11 +5207,13 @@ bool mysql_revoke_all(THD *thd, List <LEX_USER> &list)
< 0 Error. Error message not yet sent.
*/
bool
sp_revoke_privileges
(
THD
*
thd
,
const
char
*
sp_db
,
const
char
*
sp_name
)
bool
sp_revoke_privileges
(
THD
*
thd
,
const
char
*
sp_db
,
const
char
*
sp_name
,
bool
is_proc
)
{
uint
counter
,
revoked
;
int
result
;
TABLE_LIST
tables
[
GRANT_TABLES
];
HASH
*
hash
=
is_proc
?
&
proc_priv_hash
:
&
func_priv_hash
;
DBUG_ENTER
(
"sp_revoke_privileges"
);
if
((
result
=
open_grant_tables
(
thd
,
tables
)))
...
...
@@ -5162,10 +5225,9 @@ bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name)
/* Remove procedure access */
do
{
for
(
counter
=
0
,
revoked
=
0
;
counter
<
proc_priv_hash
.
records
;
)
for
(
counter
=
0
,
revoked
=
0
;
counter
<
hash
->
records
;
)
{
GRANT_NAME
*
grant_proc
=
(
GRANT_NAME
*
)
hash_element
(
&
proc_priv_hash
,
counter
);
GRANT_NAME
*
grant_proc
=
(
GRANT_NAME
*
)
hash_element
(
hash
,
counter
);
if
(
!
my_strcasecmp
(
system_charset_info
,
grant_proc
->
db
,
sp_db
)
&&
!
my_strcasecmp
(
system_charset_info
,
grant_proc
->
tname
,
sp_name
))
{
...
...
@@ -5174,8 +5236,9 @@ bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name)
lex_user
.
user
.
length
=
strlen
(
grant_proc
->
user
);
lex_user
.
host
.
str
=
grant_proc
->
host
.
hostname
;
lex_user
.
host
.
length
=
strlen
(
grant_proc
->
host
.
hostname
);
if
(
!
replace_proc_table
(
thd
,
grant_proc
,
tables
[
4
].
table
,
lex_user
,
grant_proc
->
db
,
grant_proc
->
tname
,
~
0
,
1
))
if
(
!
replace_routine_table
(
thd
,
grant_proc
,
tables
[
4
].
table
,
lex_user
,
grant_proc
->
db
,
grant_proc
->
tname
,
is_proc
,
~
0
,
1
))
{
revoked
=
1
;
continue
;
...
...
@@ -5211,7 +5274,8 @@ bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name)
< 0 Error. Error message not yet sent.
*/
bool
sp_grant_privileges
(
THD
*
thd
,
const
char
*
sp_db
,
const
char
*
sp_name
)
bool
sp_grant_privileges
(
THD
*
thd
,
const
char
*
sp_db
,
const
char
*
sp_name
,
bool
is_proc
)
{
LEX_USER
*
combo
;
TABLE_LIST
tables
[
1
];
...
...
@@ -5249,7 +5313,7 @@ bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name)
thd
->
lex
->
ssl_type
=
SSL_TYPE_NOT_SPECIFIED
;
bzero
((
char
*
)
&
thd
->
lex
->
mqh
,
sizeof
(
thd
->
lex
->
mqh
));
result
=
mysql_
procedure_grant
(
thd
,
tables
,
user_list
,
result
=
mysql_
routine_grant
(
thd
,
tables
,
is_proc
,
user_list
,
DEFAULT_CREATE_PROC_ACLS
,
0
,
1
);
DBUG_RETURN
(
result
);
}
...
...
sql/sql_acl.h
View file @
02bd2cf0
...
...
@@ -185,9 +185,9 @@ bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &user_list,
bool
mysql_table_grant
(
THD
*
thd
,
TABLE_LIST
*
table
,
List
<
LEX_USER
>
&
user_list
,
List
<
LEX_COLUMN
>
&
column_list
,
ulong
rights
,
bool
revoke
);
bool
mysql_
procedure_grant
(
THD
*
thd
,
TABLE_LIST
*
table
,
List
<
LEX_USER
>
&
user_list
,
ulong
rights
,
bool
revoke
,
bool
no_error
);
bool
mysql_
routine_grant
(
THD
*
thd
,
TABLE_LIST
*
table
,
bool
is_proc
,
List
<
LEX_USER
>
&
user_list
,
ulong
rights
,
bool
revoke
,
bool
no_error
);
ACL_USER
*
check_acl_user
(
LEX_USER
*
user_name
,
uint
*
acl_acl_userdx
);
my_bool
grant_init
(
THD
*
thd
);
void
grant_free
(
void
);
...
...
@@ -200,8 +200,8 @@ bool check_grant_column (THD *thd, GRANT_INFO *grant,
bool
check_grant_all_columns
(
THD
*
thd
,
ulong
want_access
,
GRANT_INFO
*
grant
,
const
char
*
db_name
,
const
char
*
table_name
,
Field_iterator
*
fields
);
bool
check_grant_
procedure
(
THD
*
thd
,
ulong
want_access
,
TABLE_LIST
*
procs
,
bool
no_error
);
bool
check_grant_
routine
(
THD
*
thd
,
ulong
want_access
,
TABLE_LIST
*
procs
,
bool
is_proc
,
bool
no_error
);
bool
check_grant_db
(
THD
*
thd
,
const
char
*
db
);
ulong
get_table_grant
(
THD
*
thd
,
TABLE_LIST
*
table
);
ulong
get_column_grant
(
THD
*
thd
,
GRANT_INFO
*
grant
,
...
...
@@ -216,9 +216,12 @@ bool mysql_rename_user(THD *thd, List <LEX_USER> &list);
bool
mysql_revoke_all
(
THD
*
thd
,
List
<
LEX_USER
>
&
list
);
void
fill_effective_table_privileges
(
THD
*
thd
,
GRANT_INFO
*
grant
,
const
char
*
db
,
const
char
*
table
);
bool
sp_revoke_privileges
(
THD
*
thd
,
const
char
*
sp_db
,
const
char
*
sp_name
);
bool
sp_grant_privileges
(
THD
*
thd
,
const
char
*
sp_db
,
const
char
*
sp_name
);
bool
check_routine_level_acl
(
THD
*
thd
,
const
char
*
db
,
const
char
*
name
);
bool
sp_revoke_privileges
(
THD
*
thd
,
const
char
*
sp_db
,
const
char
*
sp_name
,
bool
is_proc
);
bool
sp_grant_privileges
(
THD
*
thd
,
const
char
*
sp_db
,
const
char
*
sp_name
,
bool
is_proc
);
bool
check_routine_level_acl
(
THD
*
thd
,
const
char
*
db
,
const
char
*
name
,
bool
is_proc
);
#ifdef NO_EMBEDDED_ACCESS_CHECKS
#define check_grant(A,B,C,D,E,F) 0
...
...
sql/sql_parse.cc
View file @
02bd2cf0
...
...
@@ -3669,17 +3669,20 @@ mysql_execute_command(THD *thd)
}
if
(
first_table
)
{
if
(
!
lex
->
columns
.
elements
&&
sp_exists_routine
(
thd
,
all_tables
,
1
,
1
)
)
if
(
lex
->
type
==
TYPE_ENUM_PROCEDURE
||
lex
->
type
==
TYPE_ENUM_FUNCTION
)
{
uint
grants
=
lex
->
all_privileges
?
(
PROC_ACLS
&
~
GRANT_ACL
)
|
(
lex
->
grant
&
GRANT_ACL
)
:
lex
->
grant
;
if
(
grant_option
&&
check_grant_procedure
(
thd
,
grants
|
GRANT_ACL
,
all_tables
,
0
))
check_grant_routine
(
thd
,
grants
|
GRANT_ACL
,
all_tables
,
lex
->
type
==
TYPE_ENUM_PROCEDURE
,
0
))
goto
error
;
res
=
mysql_procedure_grant
(
thd
,
all_tables
,
lex
->
users_list
,
grants
,
lex
->
sql_command
==
SQLCOM_REVOKE
,
0
);
res
=
mysql_routine_grant
(
thd
,
all_tables
,
lex
->
type
==
TYPE_ENUM_PROCEDURE
,
lex
->
users_list
,
grants
,
lex
->
sql_command
==
SQLCOM_REVOKE
,
0
);
}
else
{
...
...
@@ -3701,7 +3704,7 @@ mysql_execute_command(THD *thd)
}
else
{
if
(
lex
->
columns
.
elements
)
if
(
lex
->
columns
.
elements
||
lex
->
type
)
{
my_message
(
ER_ILLEGAL_GRANT_FOR_TABLE
,
ER
(
ER_ILLEGAL_GRANT_FOR_TABLE
),
MYF
(
0
));
...
...
@@ -3983,11 +3986,13 @@ mysql_execute_command(THD *thd)
#ifndef NO_EMBEDDED_ACCESS_CHECKS
/* only add privileges if really neccessary */
if
(
sp_automatic_privileges
&&
check_procedure_access
(
thd
,
DEFAULT_CREATE_PROC_ACLS
,
db
,
name
,
1
))
check_routine_access
(
thd
,
DEFAULT_CREATE_PROC_ACLS
,
db
,
name
,
lex
->
sql_command
==
SQLCOM_CREATE_PROCEDURE
,
1
))
{
close_thread_tables
(
thd
);
if
(
sp_grant_privileges
(
thd
,
db
,
name
))
if
(
sp_grant_privileges
(
thd
,
db
,
name
,
lex
->
sql_command
==
SQLCOM_CREATE_PROCEDURE
))
push_warning
(
thd
,
MYSQL_ERROR
::
WARN_LEVEL_WARN
,
ER_PROC_AUTO_GRANT_FAIL
,
ER
(
ER_PROC_AUTO_GRANT_FAIL
));
...
...
@@ -4072,8 +4077,8 @@ mysql_execute_command(THD *thd)
}
#ifndef NO_EMBEDDED_ACCESS_CHECKS
if
(
check_
procedur
e_access
(
thd
,
EXECUTE_ACL
,
sp
->
m_db
.
str
,
sp
->
m_name
.
str
,
0
))
if
(
check_
routin
e_access
(
thd
,
EXECUTE_ACL
,
sp
->
m_db
.
str
,
sp
->
m_name
.
str
,
TRUE
,
0
))
{
#ifndef EMBEDDED_LIBRARY
thd
->
net
.
no_send_ok
=
nsok
;
...
...
@@ -4082,8 +4087,8 @@ mysql_execute_command(THD *thd)
}
sp_change_security_context
(
thd
,
sp
,
&
save_ctx
);
if
(
save_ctx
.
changed
&&
check_
procedur
e_access
(
thd
,
EXECUTE_ACL
,
sp
->
m_db
.
str
,
sp
->
m_name
.
str
,
0
))
check_
routin
e_access
(
thd
,
EXECUTE_ACL
,
sp
->
m_db
.
str
,
sp
->
m_name
.
str
,
TRUE
,
0
))
{
#ifndef EMBEDDED_LIBRARY
thd
->
net
.
no_send_ok
=
nsok
;
...
...
@@ -4185,8 +4190,9 @@ mysql_execute_command(THD *thd)
}
else
{
if
(
check_procedure_access
(
thd
,
ALTER_PROC_ACL
,
sp
->
m_db
.
str
,
sp
->
m_name
.
str
,
0
))
if
(
check_routine_access
(
thd
,
ALTER_PROC_ACL
,
sp
->
m_db
.
str
,
sp
->
m_name
.
str
,
lex
->
sql_command
==
SQLCOM_ALTER_PROCEDURE
,
0
))
goto
error
;
memcpy
(
&
lex
->
sp_chistics
,
&
chistics
,
sizeof
(
lex
->
sp_chistics
));
if
(
!
trust_routine_creators
&&
mysql_bin_log
.
is_open
()
&&
...
...
@@ -4244,11 +4250,13 @@ mysql_execute_command(THD *thd)
{
db
=
thd
->
strdup
(
sp
->
m_db
.
str
);
name
=
thd
->
strdup
(
sp
->
m_name
.
str
);
if
(
check_procedure_access
(
thd
,
ALTER_PROC_ACL
,
db
,
name
,
0
))
if
(
check_routine_access
(
thd
,
ALTER_PROC_ACL
,
db
,
name
,
lex
->
sql_command
==
SQLCOM_DROP_PROCEDURE
,
0
))
goto
error
;
#ifndef NO_EMBEDDED_ACCESS_CHECKS
if
(
sp_automatic_privileges
&&
sp_revoke_privileges
(
thd
,
db
,
name
))
sp_revoke_privileges
(
thd
,
db
,
name
,
lex
->
sql_command
==
SQLCOM_DROP_PROCEDURE
))
{
push_warning
(
thd
,
MYSQL_ERROR
::
WARN_LEVEL_WARN
,
ER_PROC_AUTO_REVOKE_FAIL
,
...
...
@@ -4832,8 +4840,8 @@ check_table_access(THD *thd, ulong want_access,TABLE_LIST *tables,
bool
check_
procedur
e_access
(
THD
*
thd
,
ulong
want_access
,
char
*
db
,
char
*
name
,
bool
no_errors
)
check_
routin
e_access
(
THD
*
thd
,
ulong
want_access
,
char
*
db
,
char
*
name
,
bool
is_proc
,
bool
no_errors
)
{
TABLE_LIST
tables
[
1
];
...
...
@@ -4849,7 +4857,7 @@ check_procedure_access(THD *thd, ulong want_access,char *db, char *name,
#ifndef NO_EMBEDDED_ACCESS_CHECKS
if
(
grant_option
)
return
check_grant_
procedure
(
thd
,
want_access
,
tables
,
no_errors
);
return
check_grant_
routine
(
thd
,
want_access
,
tables
,
is_proc
,
no_errors
);
#endif
return
FALSE
;
...
...
@@ -4870,7 +4878,8 @@ check_procedure_access(THD *thd, ulong want_access,char *db, char *name,
1 error
*/
bool
check_some_routine_access
(
THD
*
thd
,
const
char
*
db
,
const
char
*
name
)
bool
check_some_routine_access
(
THD
*
thd
,
const
char
*
db
,
const
char
*
name
,
bool
is_proc
)
{
ulong
save_priv
;
if
(
thd
->
master_access
&
SHOW_PROC_ACLS
)
...
...
@@ -4878,7 +4887,7 @@ bool check_some_routine_access(THD *thd, const char *db, const char *name)
if
(
!
check_access
(
thd
,
SHOW_PROC_ACLS
,
db
,
&
save_priv
,
0
,
1
)
||
(
save_priv
&
SHOW_PROC_ACLS
))
return
FALSE
;
return
check_routine_level_acl
(
thd
,
db
,
name
);
return
check_routine_level_acl
(
thd
,
db
,
name
,
is_proc
);
}
...
...
sql/sql_show.cc
View file @
02bd2cf0
...
...
@@ -2625,7 +2625,8 @@ bool store_schema_proc(THD *thd, TABLE *table, TABLE *proc_table,
definer
=
get_field
(
thd
->
mem_root
,
proc_table
->
field
[
11
]);
if
(
!
full_access
)
full_access
=
!
strcmp
(
sp_user
,
definer
);
if
(
!
full_access
&&
check_some_routine_access
(
thd
,
sp_db
,
sp_name
))
if
(
!
full_access
&&
check_some_routine_access
(
thd
,
sp_db
,
sp_name
,
proc_table
->
field
[
2
]
->
val_int
()
==
TYPE_ENUM_PROCEDURE
))
return
0
;
if
(
lex
->
orig_sql_command
==
SQLCOM_SHOW_STATUS_PROC
&&
...
...
sql/sql_yacc.yy
View file @
02bd2cf0
...
...
@@ -804,7 +804,7 @@ bool my_yyoverflow(short **a, YYSTYPE **b, ulong *yystacksize);
opt_delete_options opt_delete_option varchar nchar nvarchar
opt_outer table_list table_name opt_option opt_place
opt_attribute opt_attribute_list attribute column_list column_list_id
opt_column_list grant_privileges
opt_table
grant_list grant_option
opt_column_list grant_privileges
grant_ident
grant_list grant_option
object_privilege object_privilege_list user_list rename_list
clear_privileges flush_options flush_option
equal optional_braces opt_key_definition key_usage_list2
...
...
@@ -7907,9 +7907,36 @@ revoke:
;
revoke_command:
grant_privileges ON opt_table FROM grant_list
grant_privileges ON opt_table
grant_ident
FROM grant_list
{
Lex->sql_command = SQLCOM_REVOKE;
LEX *lex= Lex;
lex->sql_command= SQLCOM_REVOKE;
lex->type= 0;
}
|
grant_privileges ON FUNCTION_SYM grant_ident FROM grant_list
{
LEX *lex= Lex;
if (lex->columns.elements)
{
yyerror(ER(ER_SYNTAX_ERROR));
YYABORT;
}
lex->sql_command= SQLCOM_REVOKE;
lex->type= TYPE_ENUM_FUNCTION;
}
|
grant_privileges ON PROCEDURE grant_ident FROM grant_list
{
LEX *lex= Lex;
if (lex->columns.elements)
{
yyerror(ER(ER_SYNTAX_ERROR));
YYABORT;
}
lex->sql_command= SQLCOM_REVOKE;
lex->type= TYPE_ENUM_PROCEDURE;
}
|
ALL opt_privileges ',' GRANT OPTION FROM grant_list
...
...
@@ -7919,11 +7946,50 @@ revoke_command:
;
grant:
GRANT clear_privileges grant_privileges ON opt_table TO_SYM grant_list
GRANT clear_privileges grant_command
{}
;
grant_command:
grant_privileges ON opt_table grant_ident TO_SYM grant_list
require_clause grant_options
{ Lex->sql_command= SQLCOM_GRANT; }
;
{
LEX *lex= Lex;
lex->sql_command= SQLCOM_GRANT;
lex->type= 0;
}
|
grant_privileges ON FUNCTION_SYM grant_ident TO_SYM grant_list
require_clause grant_options
{
LEX *lex= Lex;
if (lex->columns.elements)
{
yyerror(ER(ER_SYNTAX_ERROR));
YYABORT;
}
lex->sql_command= SQLCOM_GRANT;
lex->type= TYPE_ENUM_FUNCTION;
}
|
grant_privileges ON PROCEDURE grant_ident TO_SYM grant_list
require_clause grant_options
{
LEX *lex= Lex;
if (lex->columns.elements)
{
yyerror(ER(ER_SYNTAX_ERROR));
YYABORT;
}
lex->sql_command= SQLCOM_GRANT;
lex->type= TYPE_ENUM_PROCEDURE;
}
;
opt_table:
/* Empty */
| TABLE_SYM ;
grant_privileges:
object_privilege_list { }
| ALL opt_privileges
...
...
@@ -8016,7 +8082,7 @@ require_list_element:
}
;
opt_table
:
grant_ident
:
'*'
{
LEX *lex= Lex;
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment