Fixed searching after ssl directories.

Fixed that GRANT ... REQUIRE options are not forgot when doing new GRANT Changed fn_ext to point at first '.' after directory. FLUSH LOGS removed numerical extension for all future update logs. Fixed the mysqld --help reports right values for --datadir and --bind-address --log-binary=a.b.c now properly strips of .b.c Fix that one can DROP UDF functions that was not loaded at startup Made AND optional in REQUIRE Added REQUIRE NONE BitKeeper/deleted/.del-CodingStyle~1ba7ff62d4cd0ea: Delete: vio/docs/CodingStyle BitKeeper/deleted/.del-COPYING.dbug~ca0c017a4d7e8609: Delete: vio/docs/COPYING.dbug BitKeeper/deleted/.del-COPYING.mysql~471498c82977cd3a: Delete: vio/docs/COPYING.mysql BitKeeper/deleted/.del-README~947354991dc882f8: Delete: vio/docs/README Docs/manual.texi: Changelog acinclude.m4: Fixed searching after ssl directories. client/Makefile.am: Moved openssl include to avoid problem with installed readline include/Makefile.am: Install my_global.h include/violite.h: Fixed that GRANT ... REQUIRE options are not forgot when doing new grant libmysqld/examples/Makefile.am: Moved openssl include to avoid problem with installed readline mysql-test/mysql-test-run.sh: Improved 'which' handling to give error if command is not found mysys/mf_fn_ext.c: Changed fn_ext to point at first '.' after directory. sql/Makefile.am: More comments sql/lex.h: Added NONE as keyword sql/log.cc: FLUSH LOGS removed numerical extension for all future update logs. Simple code cleanup sql/mysqld.cc: Fixed the --help reports right values for --datadir and --bind-address --log-binary=a.b.c now properly strips of .b.c Removed option --skip-external-locking (not needed as this is automatic) sql/repl_failsafe.cc: Moved some common THD initalization to store_globals() sql/slave.cc: Moved openssl include to avoid problem with installed readline sql/sql_acl.cc: Moved openssl include to avoid problem with installed readline sql/sql_acl.h: Updated function prototypes sql/sql_base.cc: Added comment sql/sql_class.cc: Moved openssl include to avoid problem with installed readline. Changed THD::thd to make things work for main thread. sql/sql_class.h: Fixed wrongly removed line (fixes compiler problem on MacOSX) sql/sql_insert.cc: Moved openssl include to avoid problem with installed readline sql/sql_lex.cc: Moved save_to_cache_query=0 to udf detection function to make sql_yacc.yy simpler sql/sql_lex.h: Indentation cleanup sql/sql_parse.cc: Moved openssl include to avoid problem with installed readline. Added THD argument to acl_reload() sql/sql_repl.h: Made opt_bin_logname static sql/sql_udf.cc: Fix that one can DROP UDF functions that was not loaded at startup sql/sql_yacc.yy: made AND optional in REQUIRE Added REQUIRE NONE Fixed that old SSL options are not forgotten when doing new GRANT. sql/udf_example.cc: Improved comments
2025-07-30 16:24:05 +03:00 · 2002-09-05 16:17:08 +03:00
parent 34f299d408
commit 8f2482d283
33 changed files with 356 additions and 479 deletions
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@ -64,10 +64,8 @@ public:
  USER_RESOURCES user_resource;
  char *user,*password;
  ulong salt[2];
-#ifdef HAVE_OPENSSL  
  enum SSL_type ssl_type;
  const char *ssl_cipher, *x509_issuer, *x509_subject;
-#endif /* HAVE_OPENSSL */ 
 };


@ -142,12 +140,27 @@ static void init_update_queries(void)
  uc_update_queries[SQLCOM_MULTI_UPDATE]=1;
 }

-int acl_init(bool dont_read_acl_tables)
+/*
+  Read grant privileges from the privilege tables in the 'mysql' database.
+
+  SYNOPSIS
+    acl_init()
+    dont_read_acl_tables	Set to 1 if run with --skip-grant
+
+  RETURN VALUES
+    0	ok
+    1	Could not initialize grant's
+*/
+
+
+my_bool acl_init(bool dont_read_acl_tables)
 {
-  THD  *thd;
+  THD  *thd, *org_thd;
  TABLE_LIST tables[3];
  TABLE *table;
  READ_RECORD read_record_info;
+  MYSQL_LOCK *lock;
+  my_bool return_val=1;
  DBUG_ENTER("acl_init");

  if (!acl_cache)
@ -157,13 +170,15 @@ int acl_init(bool dont_read_acl_tables)
  if (dont_read_acl_tables)
    DBUG_RETURN(0); /* purecov: tested */

+  /*
+    To be able to run this from boot, we allocate a temporary THD
+  */
+  org_thd=current_thd;				// Save for restore
  if (!(thd=new THD))
    DBUG_RETURN(1); /* purecov: inspected */
+  thd->store_globals();
+
  acl_cache->clear(1);				// Clear locked hostname cache
-  thd->version=refresh_version;
-  thd->mysys_var=my_thread_var;
-  thd->current_tablenr=0;
-  thd->open_tables=0;
  thd->db= my_strdup("mysql",MYF(0));
  thd->db_length=5;				// Safety
  bzero((char*) &tables,sizeof(tables));
@ -176,22 +191,13 @@ int acl_init(bool dont_read_acl_tables)
  tables[0].db=tables[1].db=tables[2].db=thd->db;

  if (open_tables(thd,tables))
-  {
-    close_thread_tables(thd); /* purecov: inspected */
-    delete thd; /* purecov: inspected */
-    DBUG_RETURN(1); /* purecov: inspected */
-  }
+    goto end;
  TABLE *ptr[3];				// Lock tables for quick update
  ptr[0]= tables[0].table;
  ptr[1]= tables[1].table;
  ptr[2]= tables[2].table;
-  MYSQL_LOCK *lock=mysql_lock_tables(thd,ptr,3);
-  if (!lock)
-  {
-    close_thread_tables(thd); /* purecov: inspected */
-    delete thd; /* purecov: inspected */
-    DBUG_RETURN(1); /* purecov: inspected */
-  }
+  if (!(lock=mysql_lock_tables(thd,ptr,3)))
+    goto end;

  init_sql_alloc(&mem,1024,0);
  init_read_record(&read_record_info,thd,table= tables[0].table,NULL,1,0);
@ -259,7 +265,6 @@ int acl_init(bool dont_read_acl_tables)
 			   (uint) strlen(user.host.hostname) : 0);
    if (table->fields >= 31)     /* Starting from 4.0.2 we have more fields */
    {
-#ifdef HAVE_OPENSSL
      char *ssl_type=get_field(&mem, table, 24);
      if (!ssl_type)
 	user.ssl_type=SSL_TYPE_NONE;
@ -273,7 +278,7 @@ int acl_init(bool dont_read_acl_tables)
      user.ssl_cipher=   get_field(&mem, table, 25);
      user.x509_issuer=  get_field(&mem, table, 26);
      user.x509_subject= get_field(&mem, table, 27);
-#endif
+
      char *ptr = get_field(&mem, table, 28);
      user.user_resource.questions=atoi(ptr);
      ptr = get_field(&mem, table, 29);
@ -286,9 +291,7 @@ int acl_init(bool dont_read_acl_tables)
    }
    else
    {
-#ifdef HAVE_OPENSSL
      user.ssl_type=SSL_TYPE_NONE;
-#endif
      bzero(&(user.user_resource),sizeof(user.user_resource));
 #ifndef TO_BE_REMOVED
      if (table->fields <= 13)
@ -346,12 +349,17 @@ int acl_init(bool dont_read_acl_tables)
  init_check_host();

  mysql_unlock_tables(thd, lock);
+  initialized=1;
  init_update_queries();
  thd->version--;				// Force close to free memory
+  return_val=0;
+
+end:
  close_thread_tables(thd);
  delete thd;
-  initialized=1;
-  DBUG_RETURN(0);
+  if (org_thd)
+    org_thd->store_globals();			/* purecov: inspected */
+  DBUG_RETURN(return_val);
 }


@ -374,18 +382,18 @@ void acl_free(bool end)

 	/* Reload acl list if possible */

-void acl_reload(void)
+void acl_reload(THD *thd)
 {
  DYNAMIC_ARRAY old_acl_hosts,old_acl_users,old_acl_dbs;
  MEM_ROOT old_mem;
  bool old_initialized;
  DBUG_ENTER("acl_reload");

-  if (current_thd && current_thd->locked_tables)
+  if (thd && thd->locked_tables)
  {					// Can't have locked tables here
-    current_thd->lock=current_thd->locked_tables;
-    current_thd->locked_tables=0;
-    close_thread_tables(current_thd);
+    thd->lock=thd->locked_tables;
+    thd->locked_tables=0;
+    close_thread_tables(thd);
  }
  if ((old_initialized=initialized))
    VOID(pthread_mutex_lock(&acl_cache->lock));
@ -399,7 +407,7 @@ void acl_reload(void)

  if (acl_init(0))
  {					// Error. Revert to old list
-    acl_free();					/* purecov: inspected */
+    acl_free();				/* purecov: inspected */
    acl_hosts=old_acl_hosts;
    acl_users=old_acl_users;
    acl_dbs=old_acl_dbs;
@ -536,6 +544,7 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
 	    if X509 certificate attributes are OK 
 	  */
          switch (acl_user->ssl_type) {
+	  case SSL_TYPE_NOT_SPECIFIED:		// Impossible
          case SSL_TYPE_NONE: /* SSL is not required to connect */
 	    user_access=acl_user->access;
 	    break;
@ -559,15 +568,17 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
 	      use.
 	    */
 	    if (acl_user->ssl_cipher)
+	    {
 	      DBUG_PRINT("info",("comparing ciphers: '%s' and '%s'",
 				 acl_user->ssl_cipher,
 				 SSL_get_cipher(vio->ssl_)));
-	    if (!strcmp(acl_user->ssl_cipher,SSL_get_cipher(vio->ssl_)))
-	      user_access=acl_user->access;
-	    else
-	    {
-	      user_access=NO_ACCESS;
-	      break;
+	      if (!strcmp(acl_user->ssl_cipher,SSL_get_cipher(vio->ssl_)))
+		user_access=acl_user->access;
+	      else
+	      {
+		user_access=NO_ACCESS;
+		break;
+	      }
 	    }
 	    /* Prepare certificate (if exists) */
 	    DBUG_PRINT("info",("checkpoint 1"));
@ -661,12 +672,16 @@ static void acl_update_user(const char *user, const char *host,
 	  acl_user->user_resource.updates=mqh->updates;
 	if (mqh->bits & 4)
 	  acl_user->user_resource.connections=mqh->connections;
-#ifdef HAVE_OPENSSL  
-	acl_user->ssl_type=ssl_type;
-        acl_user->ssl_cipher=ssl_cipher;
-	acl_user->x509_issuer=x509_issuer;
-	acl_user->x509_subject=x509_subject;
-#endif /* HAVE_OPENSSL */
+	if (ssl_type != SSL_TYPE_NOT_SPECIFIED)
+	{
+	  acl_user->ssl_type= ssl_type;
+	  acl_user->ssl_cipher= (ssl_cipher ? strdup_root(&mem,ssl_cipher) :
+				 0);
+	  acl_user->x509_issuer= (x509_issuer ? strdup_root(&mem,x509_issuer) :
+				  0);
+	  acl_user->x509_subject= (x509_subject ?
+				   strdup_root(&mem,x509_subject) : 0);
+	}
 	if (password)
 	{
 	  if (!password[0])
@ -701,12 +716,11 @@ static void acl_insert_user(const char *user, const char *host,
  acl_user.user_resource = *mqh;
  acl_user.sort=get_sort(2,acl_user.host.hostname,acl_user.user);
  acl_user.hostname_length=(uint) strlen(acl_user.host.hostname);
-#ifdef HAVE_OPENSSL
-  acl_user.ssl_type=ssl_type;
-  acl_user.ssl_cipher=ssl_cipher;
-  acl_user.x509_issuer=x509_issuer;
-  acl_user.x509_subject=x509_subject;
-#endif /* HAVE_OPENSSL */
+  acl_user.ssl_type= (ssl_type != SSL_TYPE_NOT_SPECIFIED ?
+		      ssl_type : SSL_TYPE_NONE);
+  acl_user.ssl_cipher=	ssl_cipher   ? strdup_root(&mem,ssl_cipher) : 0;
+  acl_user.x509_issuer= x509_issuer  ? strdup_root(&mem,x509_issuer) : 0;
+  acl_user.x509_subject=x509_subject ? strdup_root(&mem,x509_subject) : 0;
  if (password)
  {
    acl_user.password=(char*) "";		// Just point at something
@ -1295,7 +1309,6 @@ static int replace_user_table(THD *thd, TABLE *table, const LEX_USER &combo,
  DBUG_PRINT("info",("table->fields: %d",table->fields));
  if (table->fields >= 31)		/* From 4.0.0 we have more fields */
  {
-#ifdef HAVE_OPENSSL
    /* We write down SSL related ACL stuff */
    table->field[25]->store("",0);
    table->field[26]->store("",0);
@ -1322,7 +1335,6 @@ static int replace_user_table(THD *thd, TABLE *table, const LEX_USER &combo,
    default:
      table->field[24]->store("",0);
    }
-#endif /* HAVE_OPENSSL */

    USER_RESOURCES mqh = thd->lex.mqh;
    if (mqh.bits & 1)
@ -2234,11 +2246,12 @@ void  grant_free(void)

 /* Init grant array if possible */

-int  grant_init (void)
+my_bool grant_init(void)
 {
-  THD  *thd;
+  THD  *thd, *org_thd;
  TABLE_LIST tables[2];
-  int error = 0;
+  MYSQL_LOCK *lock;
+  my_bool return_val= 1;
  TABLE *t_table, *c_table;
  DBUG_ENTER("grant_init");

@ -2247,15 +2260,14 @@ int  grant_init (void)
 		   (hash_free_key) free_grant_table,0);
  init_sql_alloc(&memex,1024,0);

+  /* Don't do anything if running with --skip-grant */
  if (!initialized)
    DBUG_RETURN(0);				/* purecov: tested */
+
+  org_thd=current_thd;
  if (!(thd=new THD))
    DBUG_RETURN(1);				/* purecov: deadcode */
-
-  thd->version=refresh_version;
-  thd->mysys_var=my_thread_var;
-  thd->current_tablenr=0;
-  thd->open_tables=0;
+  thd->store_globals();
  thd->db= my_strdup("mysql",MYF(0));
  thd->db_length=5;				// Safety
  bzero((char*) &tables,sizeof(tables));
@ -2266,60 +2278,51 @@ int  grant_init (void)
  tables[0].db=tables[1].db=thd->db;

  if (open_tables(thd,tables))
-  {						// No grant tables
-    close_thread_tables(thd);			/* purecov: deadcode */
-    delete thd;					/* purecov: deadcode */
-    DBUG_RETURN(1);				/* purecov: deadcode */
-  }
+    goto end;
+
  TABLE *ptr[2];				// Lock tables for quick update
  ptr[0]= tables[0].table;
  ptr[1]= tables[1].table;
-  MYSQL_LOCK *lock=mysql_lock_tables(thd,ptr,2);
-  if (!lock)
-  {
-    close_thread_tables(thd);			/* purecov: deadcode */
-    delete thd;					/* purecov: deadcode */
-    DBUG_RETURN(1);				/* purecov: deadcode */
-  }
+  if (!(lock=mysql_lock_tables(thd,ptr,2)))
+    goto end;

  t_table = tables[0].table; c_table = tables[1].table;
  t_table->file->index_init(0);
  if (t_table->file->index_first(t_table->record[0]))
  {
    t_table->file->index_end();
-    mysql_unlock_tables(thd, lock);
-    thd->version--;				// Force close to free memory
-    close_thread_tables(thd);
-    delete thd;
-    DBUG_RETURN(0);				// Empty table is ok!
+    goto end_unlock;
  }
  grant_option= TRUE;
  t_table->file->index_end();

-  MEM_ROOT *old_root=my_pthread_getspecific_ptr(MEM_ROOT*,THR_MALLOC);
+  /* Will be restored by org_thd->store_globals() */
  my_pthread_setspecific_ptr(THR_MALLOC,&memex);
-  while (!error)
+  do
  {
    GRANT_TABLE *mem_check;
    if (!(mem_check=new GRANT_TABLE(t_table,c_table)) ||
 	mem_check->ok() && hash_insert(&hash_tables,(byte*) mem_check))
    {
      /* This could only happen if we are out memory */
-      my_pthread_setspecific_ptr(THR_MALLOC,old_root); /* purecov: deadcode */
      grant_option = FALSE;			/* purecov: deadcode */
-      mysql_unlock_tables(thd, lock);		/* purecov: deadcode */
-      close_thread_tables(thd);			/* purecov: deadcode */
-      delete thd;				/* purecov: deadcode */
-      DBUG_RETURN(1);				/* purecov: deadcode */
+      goto end_unlock;
    }
-    error = t_table->file->index_next(t_table->record[0]);
  }
-  my_pthread_setspecific_ptr(THR_MALLOC,old_root);
+  while (!t_table->file->index_next(t_table->record[0]));
+
+  return_val=0;					// Return ok
+
+end_unlock:
  mysql_unlock_tables(thd, lock);
  thd->version--;				// Force close to free memory
+
+end:
  close_thread_tables(thd);
  delete thd;
-  DBUG_RETURN(0);
+  if (org_thd)
+    org_thd->store_globals();
+  DBUG_RETURN(return_val);
 }


@ -2720,7 +2723,8 @@ int mysql_show_grants(THD *thd,LEX_USER *lex_user)
  VOID(pthread_mutex_lock(&acl_cache->lock));

  /* Add first global access grants */
-  if (acl_user->access || acl_user->password)
+  if (acl_user->access || acl_user->password ||
+      acl_user->ssl_type != SSL_TYPE_NONE)
  {
    want_access=acl_user->access;
    String global(buff,sizeof(buff));
@ -2759,7 +2763,6 @@ int mysql_show_grants(THD *thd,LEX_USER *lex_user)
      global.append(passd_buff);
      global.append('\'');
    }
-#ifdef HAVE_OPENSSL    
    /* "show grants" SSL related stuff */
    if (acl_user->ssl_type == SSL_TYPE_ANY)
      global.append(" REQUIRE SSL",12);
@ -2772,28 +2775,27 @@ int mysql_show_grants(THD *thd,LEX_USER *lex_user)
      if (acl_user->x509_issuer)
      {
        ssl_options++;
-        global.append("ISSUER \"",8);
+        global.append("ISSUER \'",8);
        global.append(acl_user->x509_issuer,strlen(acl_user->x509_issuer));
 	global.append('\'');
      }
      if (acl_user->x509_subject)
      {
        if (ssl_options++)
-          global.append(" AND ",5);
-        global.append("SUBJECT \"",9);
+          global.append(' ');
+        global.append("SUBJECT \'",9);
        global.append(acl_user->x509_subject,strlen(acl_user->x509_subject));
 	global.append('\'');
      }
      if (acl_user->ssl_cipher)
      {
        if (ssl_options++)
-          global.append(" AND ",5);
+          global.append(' ');
        global.append("CIPHER '",8);
        global.append(acl_user->ssl_cipher,strlen(acl_user->ssl_cipher));
 	global.append('\'');
      }
    }
-#endif /* HAVE_OPENSSL */
    if ((want_access & GRANT_ACL) ||
 	(acl_user->user_resource.questions | acl_user->user_resource.updates |
 	 acl_user->user_resource.connections))