privileges

package
v1.1.0-beta.0...-bd07e09 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 16, 2024 License: Apache-2.0 Imports: 47 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	ErrNonexistingGrant = dbterror.ClassPrivilege.NewStd(mysql.ErrNonexistingGrant)

	ErrAccessDenied = dbterror.ClassPrivilege.NewStd(mysql.ErrAccessDenied)

	ErUserAccessDeniedForUserAccountBlockedByPasswordLock = dbterror.ClassPrivilege.NewStd(mysql.ErUserAccessDeniedForUserAccountBlockedByPasswordLock)
	ErrMustChangePasswordLogin                            = dbterror.ClassPrivilege.NewStd(mysql.ErrMustChangePasswordLogin)
)

error definitions.

View Source
var SkipWithGrant = false

SkipWithGrant causes the server to start without using the privilege system at all.

Functions

func BuildPasswordLockingJSON

func BuildPasswordLockingJSON(failedLoginAttempts int64,
	passwordLockTimeDays int64, autoAccountLocked string, failedLoginCount int64, autoLockedLastChanged string) string

BuildPasswordLockingJSON builds PasswordLocking JSON string.

func BuildSuccessPasswordLockingJSON

func BuildSuccessPasswordLockingJSON(failedLoginAttempts, passwordLockTimeDays int64) string

BuildSuccessPasswordLockingJSON builds success PasswordLocking JSON string.

func GenerateAccountAutoLockErr

func GenerateAccountAutoLockErr(failedLoginAttempts int64,
	user, host, lockTime, remainTime string) error

GenerateAccountAutoLockErr implements the Manager interface.

func GetDynamicPrivileges

func GetDynamicPrivileges() []string

GetDynamicPrivileges returns the list of registered DYNAMIC privileges for use in meta data commands (i.e. SHOW PRIVILEGES)

func PrivToString

func PrivToString(priv mysql.PrivilegeType, allPrivs []mysql.PrivilegeType, allPrivNames map[mysql.PrivilegeType]string) string

PrivToString converts the privileges to string.

func RegisterDynamicPrivilege

func RegisterDynamicPrivilege(privName string) error

RegisterDynamicPrivilege is used by plugins to add new privileges to TiDB

func RemoveDynamicPrivilege

func RemoveDynamicPrivilege(privName string) bool

RemoveDynamicPrivilege is used for test only

Types

type GlobalPrivValue

type GlobalPrivValue struct {
	SSLType     SSLType                   `json:"ssl_type,omitempty"`
	SSLCipher   string                    `json:"ssl_cipher,omitempty"`
	X509Issuer  string                    `json:"x509_issuer,omitempty"`
	X509Subject string                    `json:"x509_subject,omitempty"`
	SAN         string                    `json:"san,omitempty"`
	SANs        map[util.SANType][]string `json:"-"`
}

GlobalPrivValue is store json format for priv column in mysql.global_priv.

func (*GlobalPrivValue) RequireStr

func (g *GlobalPrivValue) RequireStr() string

RequireStr returns describe string after `REQUIRE` clause.

type Handle

type Handle struct {
	// contains filtered or unexported fields
}

Handle wraps MySQLPrivilege providing thread safe access.

func NewHandle

func NewHandle(sctx sqlexec.RestrictedSQLExecutor) *Handle

NewHandle returns a Handle.

func (*Handle) Get

func (h *Handle) Get() *MySQLPrivilege

Get the MySQLPrivilege for read.

func (*Handle) Update

func (h *Handle) Update(userList []string) error

Update loads the privilege info from kv storage for the list of users.

func (*Handle) UpdateAll

func (h *Handle) UpdateAll() error

UpdateAll loads all the active users' privilege info from kv storage.

type JWKSImpl

type JWKSImpl struct {
	// contains filtered or unexported fields
}

JWKSImpl contains a JSON Web Key Set (JWKS), and a filepath that stores the JWKS

var GlobalJWKS JWKSImpl

GlobalJWKS is the global JWKS for tidb-server

func (*JWKSImpl) LoadJWKS4AuthToken

func (jwks *JWKSImpl) LoadJWKS4AuthToken(ctx context.Context, wg *sync.WaitGroup, jwksPath string, interval time.Duration) error

LoadJWKS4AuthToken reload the jwks every auth-token-refresh-interval.

type MetadataInfo

type MetadataInfo struct {
	Email string
}

MetadataInfo is the User_attributes->>"$.metadata".

type MySQLPrivilege

type MySQLPrivilege struct {
	// contains filtered or unexported fields
}

MySQLPrivilege is the in-memory cache of mysql privilege tables.

func (*MySQLPrivilege) DBIsVisible

func (p *MySQLPrivilege) DBIsVisible(user, host, db string) bool

DBIsVisible checks whether the user can see the db.

func (*MySQLPrivilege) FindAllRole

func (p *MySQLPrivilege) FindAllRole(activeRoles []*auth.RoleIdentity) []*auth.RoleIdentity

FindAllRole is used to find all roles grant to this user.

func (*MySQLPrivilege) FindAllUserEffectiveRoles

func (p *MySQLPrivilege) FindAllUserEffectiveRoles(user, host string, activeRoles []*auth.RoleIdentity) []*auth.RoleIdentity

FindAllUserEffectiveRoles is used to find all effective roles grant to this user. This method will filter out the roles that are not granted to the user but are still in activeRoles

func (*MySQLPrivilege) FindRole

func (p *MySQLPrivilege) FindRole(user string, host string, role *auth.RoleIdentity) bool

FindRole is used to detect whether there is edges between users and roles.

func (*MySQLPrivilege) HasExplicitlyGrantedDynamicPrivilege

func (p *MySQLPrivilege) HasExplicitlyGrantedDynamicPrivilege(activeRoles []*auth.RoleIdentity, user, host, privName string, withGrant bool) bool

HasExplicitlyGrantedDynamicPrivilege checks if a user has a DYNAMIC privilege without accepting SUPER privilege as a fallback.

func (*MySQLPrivilege) LoadAll

LoadAll loads the tables from database to memory.

func (*MySQLPrivilege) LoadColumnsPrivTable

func (p *MySQLPrivilege) LoadColumnsPrivTable(ctx sqlexec.RestrictedSQLExecutor) error

LoadColumnsPrivTable loads the mysql.columns_priv table from database.

func (*MySQLPrivilege) LoadDBTable

func (p *MySQLPrivilege) LoadDBTable(ctx sqlexec.RestrictedSQLExecutor) error

LoadDBTable loads the mysql.db table from database.

func (*MySQLPrivilege) LoadDefaultRoles

func (p *MySQLPrivilege) LoadDefaultRoles(ctx sqlexec.RestrictedSQLExecutor) error

LoadDefaultRoles loads the mysql.columns_priv table from database.

func (*MySQLPrivilege) LoadGlobalGrantsTable

func (p *MySQLPrivilege) LoadGlobalGrantsTable(ctx sqlexec.RestrictedSQLExecutor) error

LoadGlobalGrantsTable loads the mysql.global_priv table from database.

func (*MySQLPrivilege) LoadGlobalPrivTable

func (p *MySQLPrivilege) LoadGlobalPrivTable(ctx sqlexec.RestrictedSQLExecutor) error

LoadGlobalPrivTable loads the mysql.global_priv table from database.

func (*MySQLPrivilege) LoadRoleGraph

func (p *MySQLPrivilege) LoadRoleGraph(ctx sqlexec.RestrictedSQLExecutor) error

LoadRoleGraph loads the mysql.role_edges table from database.

func (*MySQLPrivilege) LoadTablesPrivTable

func (p *MySQLPrivilege) LoadTablesPrivTable(ctx sqlexec.RestrictedSQLExecutor) error

LoadTablesPrivTable loads the mysql.tables_priv table from database.

func (*MySQLPrivilege) LoadUserTable

func (p *MySQLPrivilege) LoadUserTable(ctx sqlexec.RestrictedSQLExecutor) error

LoadUserTable loads the mysql.user table from database.

func (*MySQLPrivilege) RequestDynamicVerification

func (p *MySQLPrivilege) RequestDynamicVerification(activeRoles []*auth.RoleIdentity, user, host string, privName string, withGrant bool) bool

RequestDynamicVerification checks all roles for a specific DYNAMIC privilege.

func (*MySQLPrivilege) RequestVerification

func (p *MySQLPrivilege) RequestVerification(activeRoles []*auth.RoleIdentity, user, host, db, table, column string, priv mysql.PrivilegeType) bool

RequestVerification checks whether the user have sufficient privileges to do the operation.

func (MySQLPrivilege) SortUserTable

func (p MySQLPrivilege) SortUserTable()

SortUserTable sorts p.User in the MySQLPrivilege struct.

func (*MySQLPrivilege) UserPrivilegesTable

func (p *MySQLPrivilege) UserPrivilegesTable(activeRoles []*auth.RoleIdentity, user, host string) [][]types.Datum

UserPrivilegesTable provide data for INFORMATION_SCHEMA.USERS_PRIVILEGES table.

type PasswordLocking

type PasswordLocking struct {
	FailedLoginCount      int64
	PasswordLockTimeDays  int64
	AutoAccountLocked     bool
	AutoLockedLastChanged int64
	FailedLoginAttempts   int64
}

PasswordLocking is the User_attributes->>"$.Password_locking". It records information about failed-login tracking and temporary account locking.

func (*PasswordLocking) ParseJSON

func (passwordLocking *PasswordLocking) ParseJSON(passwordLockingJSON types.BinaryJSON) error

ParseJSON parses information about PasswordLocking.

type SSLType

type SSLType int

SSLType is enum value for GlobalPrivValue.SSLType. the value is compatible with MySQL storage json value.

const (
	// SslTypeNotSpecified indicates .
	SslTypeNotSpecified SSLType = iota - 1
	// SslTypeNone indicates not require use ssl.
	SslTypeNone
	// SslTypeAny indicates require use ssl but not validate cert.
	SslTypeAny
	// SslTypeX509 indicates require use ssl and validate cert.
	SslTypeX509
	// SslTypeSpecified indicates require use ssl and validate cert's subject or issuer.
	SslTypeSpecified
)

type UserAttributesInfo

type UserAttributesInfo struct {
	MetadataInfo
	PasswordLocking
}

UserAttributesInfo is the 'User_attributes' in privilege cache.

type UserPrivileges

type UserPrivileges struct {
	*Handle
	// contains filtered or unexported fields
}

UserPrivileges implements privilege.Manager interface. This is used to check privilege for the current user.

func NewUserPrivileges

func NewUserPrivileges(handle *Handle, extension *extension.Extensions) *UserPrivileges

NewUserPrivileges creates a new UserPrivileges

func (*UserPrivileges) ActiveRoles

func (p *UserPrivileges) ActiveRoles(ctx context.Context, sctx sessionctx.Context, roleList []*auth.RoleIdentity) (bool, string)

ActiveRoles implements privilege.Manager ActiveRoles interface.

func (*UserPrivileges) AuthSuccess

func (p *UserPrivileges) AuthSuccess(authUser, authHost string)

AuthSuccess is to make the permission take effect.

func (*UserPrivileges) CheckPasswordExpired

func (*UserPrivileges) CheckPasswordExpired(sessionVars *variable.SessionVars, record *UserRecord) (bool, error)

CheckPasswordExpired checks whether the password has been expired.

func (*UserPrivileges) ConnectionVerification

func (p *UserPrivileges) ConnectionVerification(user *auth.UserIdentity, authUser, authHost string, authentication, salt []byte, sessionVars *variable.SessionVars, authConn conn.AuthConn) (info privilege.VerificationInfo, err error)

ConnectionVerification implements the Manager interface.

func (*UserPrivileges) DBIsVisible

func (p *UserPrivileges) DBIsVisible(activeRoles []*auth.RoleIdentity, db string) bool

DBIsVisible implements the Manager interface.

func (*UserPrivileges) FindEdge

func (p *UserPrivileges) FindEdge(ctx context.Context, role *auth.RoleIdentity, user *auth.UserIdentity) bool

FindEdge implements privilege.Manager FindRelationship interface.

func (*UserPrivileges) GetAllRoles

func (p *UserPrivileges) GetAllRoles(user, host string) []*auth.RoleIdentity

GetAllRoles return all roles of user.

func (*UserPrivileges) GetAuthPlugin

func (p *UserPrivileges) GetAuthPlugin(ctx context.Context, user, host string) (string, error)

GetAuthPlugin gets the authentication plugin for the account identified by the user and host

func (*UserPrivileges) GetAuthPluginForConnection

func (p *UserPrivileges) GetAuthPluginForConnection(ctx context.Context, user, host string) (string, error)

GetAuthPluginForConnection gets the authentication plugin used in connection establishment.

func (*UserPrivileges) GetAuthWithoutVerification

func (p *UserPrivileges) GetAuthWithoutVerification(user, host string) (success bool)

GetAuthWithoutVerification implements the Manager interface.

func (*UserPrivileges) GetDefaultRoles

func (p *UserPrivileges) GetDefaultRoles(ctx context.Context, user, host string) []*auth.RoleIdentity

GetDefaultRoles returns all default roles for certain user.

func (*UserPrivileges) GetEncodedPassword

func (p *UserPrivileges) GetEncodedPassword(ctx context.Context, user, host string) string

GetEncodedPassword implements the Manager interface.

func (*UserPrivileges) HasExplicitlyGrantedDynamicPrivilege

func (p *UserPrivileges) HasExplicitlyGrantedDynamicPrivilege(activeRoles []*auth.RoleIdentity, privName string, grantable bool) bool

HasExplicitlyGrantedDynamicPrivilege checks if a user has a DYNAMIC privilege without accepting SUPER privilege as a fallback.

func (*UserPrivileges) IsAccountAutoLockEnabled

func (p *UserPrivileges) IsAccountAutoLockEnabled(user string, host string) bool

IsAccountAutoLockEnabled implements the Manager interface.

func (*UserPrivileges) IsDynamicPrivilege

func (p *UserPrivileges) IsDynamicPrivilege(privName string) bool

IsDynamicPrivilege returns true if the DYNAMIC privilege is built-in or has been registered by a plugin

func (*UserPrivileges) MatchIdentity

func (p *UserPrivileges) MatchIdentity(ctx context.Context, user, host string, skipNameResolve bool) (u string, h string, success bool)

MatchIdentity implements the Manager interface.

func (*UserPrivileges) MatchUserResourceGroupName

func (p *UserPrivileges) MatchUserResourceGroupName(exec sqlexec.RestrictedSQLExecutor, resourceGroupName string) (u string, success bool)

MatchUserResourceGroupName implements the Manager interface.

func (*UserPrivileges) RequestDynamicVerification

func (p *UserPrivileges) RequestDynamicVerification(activeRoles []*auth.RoleIdentity, privName string, grantable bool) bool

RequestDynamicVerification implements the Manager interface.

func (*UserPrivileges) RequestDynamicVerificationWithUser

func (p *UserPrivileges) RequestDynamicVerificationWithUser(ctx context.Context, privName string, grantable bool, user *auth.UserIdentity) bool

RequestDynamicVerificationWithUser implements the Manager interface.

func (*UserPrivileges) RequestVerification

func (p *UserPrivileges) RequestVerification(activeRoles []*auth.RoleIdentity, db, table, column string, priv mysql.PrivilegeType) bool

RequestVerification implements the Manager interface.

func (*UserPrivileges) RequestVerificationWithUser

func (p *UserPrivileges) RequestVerificationWithUser(ctx context.Context, db, table, column string, priv mysql.PrivilegeType, user *auth.UserIdentity) bool

RequestVerificationWithUser implements the Manager interface.

func (*UserPrivileges) ShowGrants

func (p *UserPrivileges) ShowGrants(ctx context.Context, sctx sessionctx.Context, user *auth.UserIdentity, roles []*auth.RoleIdentity) (grants []string, err error)

ShowGrants implements privilege.Manager ShowGrants interface.

func (*UserPrivileges) UserPrivilegesTable

func (p *UserPrivileges) UserPrivilegesTable(activeRoles []*auth.RoleIdentity, user, host string) [][]types.Datum

UserPrivilegesTable implements the Manager interface.

func (*UserPrivileges) VerifyAccountAutoLockInMemory

func (p *UserPrivileges) VerifyAccountAutoLockInMemory(user string, host string) (bool, error)

VerifyAccountAutoLockInMemory implements the Manager interface.

type UserRecord

type UserRecord struct {
	UserAttributesInfo

	AuthenticationString string
	Privileges           mysql.PrivilegeType
	AccountLocked        bool // A role record when this field is true
	AuthPlugin           string
	AuthTokenIssuer      string
	PasswordExpired      bool
	PasswordLastChanged  time.Time
	PasswordLifeTime     int64
	ResourceGroup        string
	// contains filtered or unexported fields
}

UserRecord is used to represent a user record in privilege cache.

func NewUserRecord

func NewUserRecord(host, user string) UserRecord

NewUserRecord return a UserRecord, only use for unit test.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL