MDEV-21702 Add a data type for privileges

2025-07-29 05:21:33 +03:00 · 2020-02-09 21:53:11 +04:00
parent f79f537f9f
commit 83e75b39b3
41 changed files with 781 additions and 546 deletions
--- a/sql/sql_acl.h
+++ b/sql/sql_acl.h
@ -22,144 +22,6 @@
 #include "grant.h"
 #include "sql_cmd.h"                            /* Sql_cmd */

-#define SELECT_ACL      (1UL << 0)
-#define INSERT_ACL      (1UL << 1)
-#define UPDATE_ACL      (1UL << 2)
-#define DELETE_ACL      (1UL << 3)
-#define CREATE_ACL      (1UL << 4)
-#define DROP_ACL        (1UL << 5)
-#define RELOAD_ACL      (1UL << 6)
-#define SHUTDOWN_ACL    (1UL << 7)
-#define PROCESS_ACL     (1UL << 8)
-#define FILE_ACL        (1UL << 9)
-#define GRANT_ACL       (1UL << 10)
-#define REFERENCES_ACL  (1UL << 11)
-#define INDEX_ACL       (1UL << 12)
-#define ALTER_ACL       (1UL << 13)
-#define SHOW_DB_ACL     (1UL << 14)
-#define SUPER_ACL       (1UL << 15)
-#define CREATE_TMP_ACL  (1UL << 16)
-#define LOCK_TABLES_ACL (1UL << 17)
-#define EXECUTE_ACL     (1UL << 18)
-#define REPL_SLAVE_ACL  (1UL << 19)
-#define REPL_CLIENT_ACL (1UL << 20)
-#define CREATE_VIEW_ACL (1UL << 21)
-#define SHOW_VIEW_ACL   (1UL << 22)
-#define CREATE_PROC_ACL (1UL << 23)
-#define ALTER_PROC_ACL  (1UL << 24)
-#define CREATE_USER_ACL (1UL << 25)
-#define EVENT_ACL       (1UL << 26)
-#define TRIGGER_ACL     (1UL << 27)
-#define CREATE_TABLESPACE_ACL (1UL << 28)
-#define DELETE_HISTORY_ACL (1UL << 29)
-/*
-  don't forget to update
-  1. static struct show_privileges_st sys_privileges[]
-  2. static const char *command_array[] and static uint command_lengths[]
-  3. mysql_system_tables.sql and mysql_system_tables_fix.sql
-  4. acl_init() or whatever - to define behaviour for old privilege tables
-  5. sql_yacc.yy - for GRANT/REVOKE to work
-*/
-#define NO_ACCESS       (1UL << 30)
-#define DB_ACLS \
-(UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
- GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_TMP_ACL | \
- LOCK_TABLES_ACL | EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
- CREATE_PROC_ACL | ALTER_PROC_ACL | EVENT_ACL | TRIGGER_ACL | \
- DELETE_HISTORY_ACL)
-
-#define TABLE_ACLS \
-(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
- GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_VIEW_ACL | \
- SHOW_VIEW_ACL | TRIGGER_ACL | DELETE_HISTORY_ACL)
-
-#define COL_ACLS \
-(SELECT_ACL | INSERT_ACL | UPDATE_ACL | REFERENCES_ACL)
-
-#define PROC_ACLS \
-(ALTER_PROC_ACL | EXECUTE_ACL | GRANT_ACL)
-
-#define SHOW_PROC_ACLS \
-(ALTER_PROC_ACL | EXECUTE_ACL | CREATE_PROC_ACL)
-
-#define GLOBAL_ACLS \
-(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
- RELOAD_ACL | SHUTDOWN_ACL | PROCESS_ACL | FILE_ACL | GRANT_ACL | \
- REFERENCES_ACL | INDEX_ACL | ALTER_ACL | SHOW_DB_ACL | SUPER_ACL | \
- CREATE_TMP_ACL | LOCK_TABLES_ACL | REPL_SLAVE_ACL | REPL_CLIENT_ACL | \
- EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \
- ALTER_PROC_ACL | CREATE_USER_ACL | EVENT_ACL | TRIGGER_ACL | \
- CREATE_TABLESPACE_ACL | DELETE_HISTORY_ACL)
-
-#define DEFAULT_CREATE_PROC_ACLS \
-(ALTER_PROC_ACL | EXECUTE_ACL)
-
-#define SHOW_CREATE_TABLE_ACLS \
-(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | \
- CREATE_ACL | DROP_ACL | ALTER_ACL | INDEX_ACL | \
- TRIGGER_ACL | REFERENCES_ACL | GRANT_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL)
-
-/**
-  Table-level privileges which are automatically "granted" to everyone on
-  existing temporary tables (CREATE_ACL is necessary for ALTER ... RENAME).
-*/
-#define TMP_TABLE_ACLS \
-(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
- INDEX_ACL | ALTER_ACL)
-
-/*
-  Defines to change the above bits to how things are stored in tables
-  This is needed as the 'host' and 'db' table is missing a few privileges
-*/
-
-/* Privileges that needs to be reallocated (in continous chunks) */
-#define DB_CHUNK0 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | \
-                   CREATE_ACL | DROP_ACL)
-#define DB_CHUNK1 (GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL)
-#define DB_CHUNK2 (CREATE_TMP_ACL | LOCK_TABLES_ACL)
-#define DB_CHUNK3 (CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
-                   CREATE_PROC_ACL | ALTER_PROC_ACL )
-#define DB_CHUNK4 (EXECUTE_ACL)
-#define DB_CHUNK5 (EVENT_ACL | TRIGGER_ACL)
-#define DB_CHUNK6 (DELETE_HISTORY_ACL)
-
-#define fix_rights_for_db(A)  (((A)       & DB_CHUNK0) | \
-                              (((A) << 4) & DB_CHUNK1) | \
-                              (((A) << 6) & DB_CHUNK2) | \
-                              (((A) << 9) & DB_CHUNK3) | \
-                              (((A) << 2) & DB_CHUNK4) | \
-                              (((A) << 9) & DB_CHUNK5) | \
-                              (((A) << 10) & DB_CHUNK6))
-#define get_rights_for_db(A)  (((A) & DB_CHUNK0)       | \
-                              (((A) & DB_CHUNK1) >> 4) | \
-                              (((A) & DB_CHUNK2) >> 6) | \
-                              (((A) & DB_CHUNK3) >> 9) | \
-                              (((A) & DB_CHUNK4) >> 2) | \
-                              (((A) & DB_CHUNK5) >> 9) | \
-                              (((A) & DB_CHUNK6) >> 10))
-#define TBL_CHUNK0 DB_CHUNK0
-#define TBL_CHUNK1 DB_CHUNK1
-#define TBL_CHUNK2 (CREATE_VIEW_ACL | SHOW_VIEW_ACL)
-#define TBL_CHUNK3 TRIGGER_ACL
-#define TBL_CHUNK4 (DELETE_HISTORY_ACL)
-#define fix_rights_for_table(A) (((A)        & TBL_CHUNK0) | \
-                                (((A) <<  4) & TBL_CHUNK1) | \
-                                (((A) << 11) & TBL_CHUNK2) | \
-                                (((A) << 15) & TBL_CHUNK3) | \
-                                (((A) << 16) & TBL_CHUNK4))
-#define get_rights_for_table(A) (((A) & TBL_CHUNK0)        | \
-                                (((A) & TBL_CHUNK1) >>  4) | \
-                                (((A) & TBL_CHUNK2) >> 11) | \
-                                (((A) & TBL_CHUNK3) >> 15) | \
-                                (((A) & TBL_CHUNK4) >> 16))
-#define fix_rights_for_column(A) (((A) & 7) | (((A) & ~7) << 8))
-#define get_rights_for_column(A) (((A) & 7) | ((A) >> 8))
-#define fix_rights_for_procedure(A) ((((A) << 18) & EXECUTE_ACL) | \
-                                     (((A) << 23) & ALTER_PROC_ACL) | \
-                                     (((A) << 8) & GRANT_ACL))
-#define get_rights_for_procedure(A) ((((A) & EXECUTE_ACL) >> 18) |  \
-                                     (((A) & ALTER_PROC_ACL) >> 23) | \
-                                     (((A) & GRANT_ACL) >> 8))

 enum mysql_db_table_field
 {
@ -214,8 +76,8 @@ bool hostname_requires_resolving(const char *hostname);
 bool  acl_init(bool dont_read_acl_tables);
 bool acl_reload(THD *thd);
 void acl_free(bool end=0);
-ulong acl_get(const char *host, const char *ip,
-              const char *user, const char *db, my_bool db_is_pattern);
+privilege_t acl_get(const char *host, const char *ip,
+                    const char *user, const char *db, my_bool db_is_pattern);
 bool acl_authenticate(THD *thd, uint com_change_user_pkt_len);
 bool acl_getroot(Security_context *sctx, const char *user, const char *host,
                 const char *ip, const char *db);
@ -225,37 +87,38 @@ bool change_password(THD *thd, LEX_USER *user);

 bool mysql_grant_role(THD *thd, List<LEX_USER> &user_list, bool revoke);
 bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &user_list,
-                 ulong rights, bool revoke, bool is_proxy);
+                 privilege_t rights, bool revoke, bool is_proxy);
 int mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list,
-                       List <LEX_COLUMN> &column_list, ulong rights,
+                       List <LEX_COLUMN> &column_list, privilege_t rights,
                       bool revoke);
 bool mysql_routine_grant(THD *thd, TABLE_LIST *table, const Sp_handler *sph,
-                         List <LEX_USER> &user_list, ulong rights,
+                         List <LEX_USER> &user_list, privilege_t rights,
                         bool revoke, bool write_to_binlog);
 bool grant_init();
 void grant_free(void);
 bool grant_reload(THD *thd);
-bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables,
+bool check_grant(THD *thd, privilege_t want_access, TABLE_LIST *tables,
                 bool any_combination_will_do, uint number, bool no_errors);
 bool check_grant_column (THD *thd, GRANT_INFO *grant,
                         const char *db_name, const char *table_name,
                         const char *name, size_t length, Security_context *sctx);
 bool check_column_grant_in_table_ref(THD *thd, TABLE_LIST * table_ref,
                                     const char *name, size_t length, Field *fld);
-bool check_grant_all_columns(THD *thd, ulong want_access,
+bool check_grant_all_columns(THD *thd, privilege_t want_access,
                             Field_iterator_table_ref *fields);
-bool check_grant_routine(THD *thd, ulong want_access,
+bool check_grant_routine(THD *thd, privilege_t want_access,
                         TABLE_LIST *procs, const Sp_handler *sph,
                         bool no_error);
 bool check_grant_db(THD *thd,const char *db);
-bool check_global_access(THD *thd, ulong want_access, bool no_errors= false);
-bool check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv,
+bool check_global_access(THD *thd, const privilege_t want_access, bool no_errors= false);
+bool check_access(THD *thd, privilege_t want_access,
+                  const char *db, privilege_t *save_priv,
                  GRANT_INTERNAL_INFO *grant_internal_info,
                  bool dont_check_global_grants, bool no_errors);
-ulong get_table_grant(THD *thd, TABLE_LIST *table);
-ulong get_column_grant(THD *thd, GRANT_INFO *grant,
-                       const char *db_name, const char *table_name,
-                       const char *field_name);
+privilege_t get_table_grant(THD *thd, TABLE_LIST *table);
+privilege_t get_column_grant(THD *thd, GRANT_INFO *grant,
+                             const char *db_name, const char *table_name,
+                             const char *field_name);
 bool get_show_user(THD *thd, LEX_USER *lex_user, const char **username,
                   const char **hostname, const char **rolename);
 void mysql_show_grants_get_fields(THD *thd, List<Item> *fields,
@ -264,7 +127,7 @@ bool mysql_show_grants(THD *thd, LEX_USER *user);
 bool mysql_show_create_user(THD *thd, LEX_USER *user);
 int fill_schema_enabled_roles(THD *thd, TABLE_LIST *tables, COND *cond);
 int fill_schema_applicable_roles(THD *thd, TABLE_LIST *tables, COND *cond);
-void get_privilege_desc(char *to, uint max_length, ulong access);
+void get_privilege_desc(char *to, uint max_length, privilege_t access);
 void get_mqh(const char *user, const char *host, USER_CONN *uc);
 bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role);
 bool mysql_drop_user(THD *thd, List <LEX_USER> &list, bool handle_as_role);
@ -345,8 +208,8 @@ public:
      privilege. Requested privileges that are granted, if any, are saved
      in save_priv.
  */
-  virtual ACL_internal_access_result check(ulong want_access,
-                                           ulong *save_priv) const= 0;
+  virtual ACL_internal_access_result check(privilege_t want_access,
+                                           privilege_t *save_priv) const= 0;
 };

 /**
@ -382,8 +245,8 @@ public:
      privilege. Requested privileges that are granted, if any, are saved
      in save_priv.
  */
-  virtual ACL_internal_access_result check(ulong want_access,
-                                           ulong *save_priv) const= 0;
+  virtual ACL_internal_access_result check(privilege_t want_access,
+                                           privilege_t *save_priv) const= 0;

  /**
    Search for per table ACL access rules by table name.
@ -417,8 +280,8 @@ get_cached_table_access(GRANT_INTERNAL_INFO *grant_internal_info,

 bool acl_check_proxy_grant_access (THD *thd, const char *host, const char *user,
                                   bool with_grant);
-int acl_setrole(THD *thd, const char *rolename, ulonglong access);
-int acl_check_setrole(THD *thd, const char *rolename, ulonglong *access);
+int acl_setrole(THD *thd, const char *rolename, privilege_t access);
+int acl_check_setrole(THD *thd, const char *rolename, privilege_t *access);
 int acl_check_set_default_role(THD *thd, const char *host, const char *user);
 int acl_set_default_role(THD *thd, const char *host, const char *user,
                         const char *rolename);
@ -459,12 +322,12 @@ public:

 class Sql_cmd_grant_proxy: public Sql_cmd_grant
 {
-  uint m_grant_option;
+  privilege_t m_grant_option;
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
  bool check_access_proxy(THD *thd, List<LEX_USER> &list);
 #endif
 public:
-  Sql_cmd_grant_proxy(enum_sql_command command, uint grant_option)
+  Sql_cmd_grant_proxy(enum_sql_command command, privilege_t grant_option)
   :Sql_cmd_grant(command), m_grant_option(grant_option)
  { }
  bool execute(THD *thd);