Added acl_setrole function. The function enables/disables role privileges for
the current user via the current security_context.
This commit is contained in:
parent
6680bb14a4
commit
7ec24435b3
@ -1672,6 +1672,67 @@ bool acl_getroot(Security_context *sctx, char *user, char *host,
|
|||||||
DBUG_RETURN(res);
|
DBUG_RETURN(res);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool acl_setrole(THD *thd, char *rolename)
|
||||||
|
{
|
||||||
|
bool is_granted;
|
||||||
|
int result= 0;
|
||||||
|
|
||||||
|
/* clear role privileges */
|
||||||
|
mysql_mutex_lock(&acl_cache->lock);
|
||||||
|
|
||||||
|
ACL_USER *role= find_acl_role(rolename);
|
||||||
|
ACL_USER *acl_user;
|
||||||
|
|
||||||
|
if (!strcasecmp(rolename, "NONE")) {
|
||||||
|
/* have to clear the privileges */
|
||||||
|
/* get the current user */
|
||||||
|
acl_user= find_acl_user(thd->security_ctx->host, thd->security_ctx->user,
|
||||||
|
FALSE);
|
||||||
|
if (acl_user == NULL)
|
||||||
|
result= -1;
|
||||||
|
else
|
||||||
|
thd->security_ctx->master_access= acl_user->access;
|
||||||
|
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (role == NULL) {
|
||||||
|
result= -1;
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
for (uint i=0 ; i < role->role_grants.elements ; i++)
|
||||||
|
{
|
||||||
|
acl_user= *(dynamic_element(&role->role_grants, i, ACL_USER**));
|
||||||
|
if ((!acl_user->user.str && !thd->security_ctx->user[0]) ||
|
||||||
|
(acl_user->user.str && !strcmp(thd->security_ctx->user,
|
||||||
|
acl_user->user.str)))
|
||||||
|
{
|
||||||
|
if (compare_hostname(&acl_user->host, thd->security_ctx->host,
|
||||||
|
thd->security_ctx->host))
|
||||||
|
{
|
||||||
|
is_granted= TRUE;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!is_granted)
|
||||||
|
{
|
||||||
|
result= 1;
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* merge the privileges */
|
||||||
|
thd->security_ctx->master_access= acl_user->access | role->access;
|
||||||
|
/* mark the current role */
|
||||||
|
strcpy(thd->security_ctx->priv_role, rolename);
|
||||||
|
|
||||||
|
end:
|
||||||
|
mysql_mutex_unlock(&acl_cache->lock);
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
static uchar* check_get_key(ACL_USER *buff, size_t *length,
|
static uchar* check_get_key(ACL_USER *buff, size_t *length,
|
||||||
my_bool not_used __attribute__((unused)))
|
my_bool not_used __attribute__((unused)))
|
||||||
{
|
{
|
||||||
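Review bot: `is_granted` is declared without an initializer and is then tested at `if (!is_granted)` after the `role_grants` loop, so when no entry matches the current user/host the check reads an indeterminate value and can activate a role the user was never granted; it should be `bool is_granted= FALSE;`. The unbounded `strcpy(thd->security_ctx->priv_role, rolename)` copies a caller-supplied role name into the fixed-size `priv_role` buffer; a length-checked copy such as `strmake(thd->security_ctx->priv_role, rolename, sizeof(thd->security_ctx->priv_role) - 1);` keeps it inside the field and NUL-terminated. The `NONE` branch restores `master_access` but leaves `priv_role` holding the previous role name, so it should also do `thd->security_ctx->priv_role[0]= '\0';` before `goto end`. Finally `result` is an int taking 0, -1 and 1 while the function returns `bool`, so callers cannot distinguish "current user not found" from "role not granted"; either return the int or document that only success/failure is reported.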
|
@ -382,4 +382,5 @@ get_cached_table_access(GRANT_INTERNAL_INFO *grant_internal_info,
|
|||||||
|
|
||||||
bool acl_check_proxy_grant_access (THD *thd, const char *host, const char *user,
|
bool acl_check_proxy_grant_access (THD *thd, const char *host, const char *user,
|
||||||
bool with_grant);
|
bool with_grant);
|
||||||
|
bool acl_setrole(THD *thd, char *rolename);
|
||||||
#endif /* SQL_ACL_INCLUDED */
|
#endif /* SQL_ACL_INCLUDED */
|
||||||
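Review bot: The new prototype `bool acl_setrole(THD *thd, char *rolename);` takes the role name as a mutable `char *` although the definition only reads it (strcasecmp, find_acl_role, the copy into priv_role); declaring it `const char *rolename` in both the header and the definition lets callers pass constant names without a cast. The declaration also carries no comment, unlike the surrounding API; I would add `/* Activate rolename (or deactivate the current role when it is "NONE") for thd's security context; returns true on failure */`.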
|
@ -3647,7 +3647,7 @@ void Security_context::init()
|
|||||||
{
|
{
|
||||||
host= user= ip= external_user= 0;
|
host= user= ip= external_user= 0;
|
||||||
host_or_ip= "connecting host";
|
host_or_ip= "connecting host";
|
||||||
priv_user[0]= priv_host[0]= proxy_user[0]= '\0';
|
priv_user[0]= priv_host[0]= proxy_user[0]= priv_role[0]= '\0';
|
||||||
master_access= 0;
|
master_access= 0;
|
||||||
#ifndef NO_EMBEDDED_ACCESS_CHECKS
|
#ifndef NO_EMBEDDED_ACCESS_CHECKS
|
||||||
db_access= NO_ACCESS;
|
db_access= NO_ACCESS;
|
||||||
|
@ -1041,6 +1041,8 @@ public:
|
|||||||
char proxy_user[USERNAME_LENGTH + MAX_HOSTNAME + 5];
|
char proxy_user[USERNAME_LENGTH + MAX_HOSTNAME + 5];
|
||||||
/* The host privilege we are using */
|
/* The host privilege we are using */
|
||||||
char priv_host[MAX_HOSTNAME];
|
char priv_host[MAX_HOSTNAME];
|
||||||
|
/* The role privilege we are using */
|
||||||
|
char priv_role[USERNAME_LENGTH];
|
||||||
/* The external user (if available) */
|
/* The external user (if available) */
|
||||||
char *external_user;
|
char *external_user;
|
||||||
/* points to host if host is available, otherwise points to ip */
|
/* points to host if host is available, otherwise points to ip */
|
||||||
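Review bot: The comment on the new field, `/* The role privilege we are using */`, does not say what the buffer actually holds; it stores a role name, not a privilege mask, and `Security_context::init()` clears it to the empty string, so `/* Name of the currently active role; empty string when no role is set */` describes the contract readers need. It is also worth stating that writers must keep the name within USERNAME_LENGTH bytes and NUL-terminated, since the buffer is fixed-size.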
|