- Variables
- func BuildPasswordLockingJSON(failedLoginAttempts int64, passwordLockTimeDays int64, ...) string
- func BuildSuccessPasswordLockingJSON(failedLoginAttempts, passwordLockTimeDays int64) string
- func GenerateAccountAutoLockErr(failedLoginAttempts int64, user, host, lockTime, remainTime string) error
- func GetDynamicPrivileges() []string
- func PrivToString(priv mysql.PrivilegeType, allPrivs []mysql.PrivilegeType, ...) string
- func RegisterDynamicPrivilege(privName string) error
- func RemoveDynamicPrivilege(privName string) bool
- type GlobalPrivValue
- type Handle
- type JWKSImpl
- type MetadataInfo
- type MySQLPrivilege
- func (p *MySQLPrivilege) DBIsVisible(user, host, db string) bool
- func (p *MySQLPrivilege) FindAllRole(activeRoles []*auth.RoleIdentity) []*auth.RoleIdentity
- func (p *MySQLPrivilege) FindAllUserEffectiveRoles(user, host string, activeRoles []*auth.RoleIdentity) []*auth.RoleIdentity
- func (p *MySQLPrivilege) FindRole(user string, host string, role *auth.RoleIdentity) bool
- func (p *MySQLPrivilege) HasExplicitlyGrantedDynamicPrivilege(activeRoles []*auth.RoleIdentity, user, host, privName string, withGrant bool) bool
- func (p *MySQLPrivilege) LoadAll(ctx sqlexec.RestrictedSQLExecutor) error
- func (p *MySQLPrivilege) LoadColumnsPrivTable(ctx sqlexec.RestrictedSQLExecutor) error
- func (p *MySQLPrivilege) LoadDBTable(ctx sqlexec.RestrictedSQLExecutor) error
- func (p *MySQLPrivilege) LoadDefaultRoles(ctx sqlexec.RestrictedSQLExecutor) error
- func (p *MySQLPrivilege) LoadGlobalGrantsTable(ctx sqlexec.RestrictedSQLExecutor) error
- func (p *MySQLPrivilege) LoadGlobalPrivTable(ctx sqlexec.RestrictedSQLExecutor) error
- func (p *MySQLPrivilege) LoadRoleGraph(ctx sqlexec.RestrictedSQLExecutor) error
- func (p *MySQLPrivilege) LoadTablesPrivTable(ctx sqlexec.RestrictedSQLExecutor) error
- func (p *MySQLPrivilege) LoadUserTable(ctx sqlexec.RestrictedSQLExecutor) error
- func (p *MySQLPrivilege) RequestDynamicVerification(activeRoles []*auth.RoleIdentity, user, host string, privName string, ...) bool
- func (p *MySQLPrivilege) RequestVerification(activeRoles []*auth.RoleIdentity, user, host, db, table, column string, ...) bool
- func (p *MySQLPrivilege) SetGlobalVarsAccessor(globalVars variable.GlobalVarAccessor)
- func (p MySQLPrivilege) SortUserTable()
- func (p *MySQLPrivilege) UserPrivilegesTable(activeRoles []*auth.RoleIdentity, user, host string) [][]types.Datum
- type PasswordLocking
- type SSLType
- type UserAttributesInfo
- type UserPrivileges
- func (p *UserPrivileges) ActiveRoles(ctx context.Context, sctx sessionctx.Context, roleList []*auth.RoleIdentity) (bool, string)
- func (p *UserPrivileges) AuthSuccess(authUser, authHost string)
- func (*UserPrivileges) CheckPasswordExpired(sessionVars *variable.SessionVars, record *UserRecord) (bool, error)
- func (p *UserPrivileges) ConnectionVerification(user *auth.UserIdentity, authUser, authHost string, ...) (info privilege.VerificationInfo, err error)
- func (p *UserPrivileges) DBIsVisible(activeRoles []*auth.RoleIdentity, db string) bool
- func (p *UserPrivileges) FindEdge(ctx context.Context, role *auth.RoleIdentity, user *auth.UserIdentity) bool
- func (p *UserPrivileges) GetAllRoles(user, host string) []*auth.RoleIdentity
- func (p *UserPrivileges) GetAuthPluginForConnection(ctx context.Context, user, host string) (string, error)
- func (p *UserPrivileges) GetAuthWithoutVerification(user, host string) (success bool)
- func (p *UserPrivileges) GetDefaultRoles(ctx context.Context, user, host string) []*auth.RoleIdentity
- func (p *UserPrivileges) HasExplicitlyGrantedDynamicPrivilege(activeRoles []*auth.RoleIdentity, privName string, grantable bool) bool
- func (p *UserPrivileges) IsAccountAutoLockEnabled(user string, host string) bool
- func (p *UserPrivileges) IsDynamicPrivilege(privName string) bool
- func (p *UserPrivileges) MatchIdentity(ctx context.Context, user, host string, skipNameResolve bool) (u string, h string, success bool)
- func (p *UserPrivileges) MatchUserResourceGroupName(exec sqlexec.RestrictedSQLExecutor, resourceGroupName string) (u string, success bool)
- func (p *UserPrivileges) RequestDynamicVerification(activeRoles []*auth.RoleIdentity, privName string, grantable bool) bool
- func (p *UserPrivileges) RequestDynamicVerificationWithUser(ctx context.Context, privName string, grantable bool, user *auth.UserIdentity) bool
- func (p *UserPrivileges) RequestVerification(activeRoles []*auth.RoleIdentity, db, table, column string, ...) bool
- func (p *UserPrivileges) RequestVerificationWithUser(ctx context.Context, db, table, column string, priv mysql.PrivilegeType, ...) bool
- func (p *UserPrivileges) ShowGrants(ctx context.Context, sctx sessionctx.Context, user *auth.UserIdentity, ...) (grants []string, err error)
- func (p *UserPrivileges) UserPrivilegesTable(activeRoles []*auth.RoleIdentity, user, host string) [][]types.Datum
- func (p *UserPrivileges) VerifyAccountAutoLockInMemory(user string, host string) (bool, error)
- type UserRecord
Variables ¶
var ( ErrNonexistingGrant = dbterror.ClassPrivilege.NewStd(mysql.ErrNonexistingGrant) ErrAccessDenied = dbterror.ClassPrivilege.NewStd(mysql.ErrAccessDenied) ErUserAccessDeniedForUserAccountBlockedByPasswordLock = dbterror.ClassPrivilege.NewStd(mysql.ErUserAccessDeniedForUserAccountBlockedByPasswordLock) ErrMustChangePasswordLogin = dbterror.ClassPrivilege.NewStd(mysql.ErrMustChangePasswordLogin) )
Error definitions.
var SkipWithGrant = false
SkipWithGrant causes the server to start without using the privilege system at all, so no privilege checks are enforced while it is set.
Functions ¶
func BuildPasswordLockingJSON ¶
func BuildPasswordLockingJSON(failedLoginAttempts int64, passwordLockTimeDays int64, autoAccountLocked string, failedLoginCount int64, autoLockedLastChanged string) string
BuildPasswordLockingJSON builds PasswordLocking JSON string.
func BuildSuccessPasswordLockingJSON ¶
BuildSuccessPasswordLockingJSON builds success PasswordLocking JSON string.
func GenerateAccountAutoLockErr ¶
func GenerateAccountAutoLockErr(failedLoginAttempts int64, user, host, lockTime, remainTime string) error
GenerateAccountAutoLockErr implements the Manager interface.
func GetDynamicPrivileges ¶
func GetDynamicPrivileges() []string
GetDynamicPrivileges returns the list of registered DYNAMIC privileges for use in metadata commands (i.e. SHOW PRIVILEGES).
func PrivToString ¶
func PrivToString(priv mysql.PrivilegeType, allPrivs []mysql.PrivilegeType, allPrivNames map[mysql.PrivilegeType]string) string
PrivToString converts the privileges to string.
func RegisterDynamicPrivilege ¶
RegisterDynamicPrivilege is used by plugins to add new privileges to TiDB.
func RemoveDynamicPrivilege ¶
RemoveDynamicPrivilege is used for tests only.
Types ¶
type GlobalPrivValue ¶
type GlobalPrivValue struct { SSLType SSLType `json:"ssl_type,omitempty"` SSLCipher string `json:"ssl_cipher,omitempty"` X509Issuer string `json:"x509_issuer,omitempty"` X509Subject string `json:"x509_subject,omitempty"` SAN string `json:"san,omitempty"` SANs map[util.SANType][]string `json:"-"` }
GlobalPrivValue is the JSON format stored in the priv column of mysql.global_priv.
func (*GlobalPrivValue) RequireStr ¶
func (g *GlobalPrivValue) RequireStr() string
RequireStr returns the description string that follows the `REQUIRE` clause.
type Handle ¶
type Handle struct {
// contains filtered or unexported fields
}
Handle wraps MySQLPrivilege providing thread safe access.
func NewHandle ¶
func NewHandle(sctx sqlexec.RestrictedSQLExecutor, globalVars variable.GlobalVarAccessor) *Handle
NewHandle returns a Handle.
type JWKSImpl ¶
type JWKSImpl struct {
// contains filtered or unexported fields
}
JWKSImpl contains a JSON Web Key Set (JWKS) and the file path that stores the JWKS.
var GlobalJWKS JWKSImpl
GlobalJWKS is the global JWKS for tidb-server.
type MetadataInfo ¶
type MetadataInfo struct {
Email string
}
MetadataInfo is the User_attributes->>"$.metadata".
type MySQLPrivilege ¶
type MySQLPrivilege struct {
// contains filtered or unexported fields
}
MySQLPrivilege is the in-memory cache of mysql privilege tables.
func (*MySQLPrivilege) DBIsVisible ¶
func (p *MySQLPrivilege) DBIsVisible(user, host, db string) bool
DBIsVisible checks whether the user can see the db.
func (*MySQLPrivilege) FindAllRole ¶
func (p *MySQLPrivilege) FindAllRole(activeRoles []*auth.RoleIdentity) []*auth.RoleIdentity
FindAllRole is used to find all roles granted to this user.
func (*MySQLPrivilege) FindAllUserEffectiveRoles ¶
func (p *MySQLPrivilege) FindAllUserEffectiveRoles(user, host string, activeRoles []*auth.RoleIdentity) []*auth.RoleIdentity
FindAllUserEffectiveRoles is used to find all effective roles granted to this user. This method filters out the roles that appear in activeRoles but are not granted to the user.
func (*MySQLPrivilege) FindRole ¶
func (p *MySQLPrivilege) FindRole(user string, host string, role *auth.RoleIdentity) bool
FindRole is used to detect whether there is an edge between the user and the role.
func (*MySQLPrivilege) HasExplicitlyGrantedDynamicPrivilege ¶
func (p *MySQLPrivilege) HasExplicitlyGrantedDynamicPrivilege(activeRoles []*auth.RoleIdentity, user, host, privName string, withGrant bool) bool
HasExplicitlyGrantedDynamicPrivilege checks if a user has a DYNAMIC privilege without accepting SUPER privilege as a fallback.
func (*MySQLPrivilege) LoadAll ¶
func (p *MySQLPrivilege) LoadAll(ctx sqlexec.RestrictedSQLExecutor) error
LoadAll loads the tables from database to memory.
func (*MySQLPrivilege) LoadColumnsPrivTable ¶
func (p *MySQLPrivilege) LoadColumnsPrivTable(ctx sqlexec.RestrictedSQLExecutor) error
LoadColumnsPrivTable loads the mysql.columns_priv table from database.
func (*MySQLPrivilege) LoadDBTable ¶
func (p *MySQLPrivilege) LoadDBTable(ctx sqlexec.RestrictedSQLExecutor) error
LoadDBTable loads the mysql.db table from database.
func (*MySQLPrivilege) LoadDefaultRoles ¶
func (p *MySQLPrivilege) LoadDefaultRoles(ctx sqlexec.RestrictedSQLExecutor) error
LoadDefaultRoles loads the mysql.default_roles table from database.
func (*MySQLPrivilege) LoadGlobalGrantsTable ¶
func (p *MySQLPrivilege) LoadGlobalGrantsTable(ctx sqlexec.RestrictedSQLExecutor) error
LoadGlobalGrantsTable loads the mysql.global_grants table from database.
func (*MySQLPrivilege) LoadGlobalPrivTable ¶
func (p *MySQLPrivilege) LoadGlobalPrivTable(ctx sqlexec.RestrictedSQLExecutor) error
LoadGlobalPrivTable loads the mysql.global_priv table from database.
func (*MySQLPrivilege) LoadRoleGraph ¶
func (p *MySQLPrivilege) LoadRoleGraph(ctx sqlexec.RestrictedSQLExecutor) error
LoadRoleGraph loads the mysql.role_edges table from database.
func (*MySQLPrivilege) LoadTablesPrivTable ¶
func (p *MySQLPrivilege) LoadTablesPrivTable(ctx sqlexec.RestrictedSQLExecutor) error
LoadTablesPrivTable loads the mysql.tables_priv table from database.
func (*MySQLPrivilege) LoadUserTable ¶
func (p *MySQLPrivilege) LoadUserTable(ctx sqlexec.RestrictedSQLExecutor) error
LoadUserTable loads the mysql.user table from database.
func (*MySQLPrivilege) RequestDynamicVerification ¶
func (p *MySQLPrivilege) RequestDynamicVerification(activeRoles []*auth.RoleIdentity, user, host string, privName string, withGrant bool) bool
RequestDynamicVerification checks all roles for a specific DYNAMIC privilege.
func (*MySQLPrivilege) RequestVerification ¶
func (p *MySQLPrivilege) RequestVerification(activeRoles []*auth.RoleIdentity, user, host, db, table, column string, priv mysql.PrivilegeType) bool
RequestVerification checks whether the user has sufficient privileges to do the operation.
func (*MySQLPrivilege) SetGlobalVarsAccessor ¶
func (p *MySQLPrivilege) SetGlobalVarsAccessor(globalVars variable.GlobalVarAccessor)
SetGlobalVarsAccessor is only used for tests.
func (MySQLPrivilege) SortUserTable ¶
func (p MySQLPrivilege) SortUserTable()
SortUserTable sorts p.User in the MySQLPrivilege struct.
func (*MySQLPrivilege) UserPrivilegesTable ¶
func (p *MySQLPrivilege) UserPrivilegesTable(activeRoles []*auth.RoleIdentity, user, host string) [][]types.Datum
UserPrivilegesTable provides data for the INFORMATION_SCHEMA.USERS_PRIVILEGES table.
type PasswordLocking ¶
type PasswordLocking struct { FailedLoginCount int64 PasswordLockTimeDays int64 AutoAccountLocked bool AutoLockedLastChanged int64 FailedLoginAttempts int64 }
PasswordLocking is the User_attributes->>"$.Password_locking". It records information about failed-login tracking and temporary account locking.
func (*PasswordLocking) ParseJSON ¶
func (passwordLocking *PasswordLocking) ParseJSON(passwordLockingJSON types.BinaryJSON) error
ParseJSON parses information about PasswordLocking.
type SSLType ¶
type SSLType int
SSLType is the enum value for GlobalPrivValue.SSLType. The value is compatible with the JSON value stored by MySQL.
const ( // SslTypeNotSpecified indicates the SSL type was not specified. SslTypeNotSpecified SSLType = iota - 1 // SslTypeNone indicates SSL is not required. SslTypeNone // SslTypeAny indicates SSL is required but the certificate is not validated. SslTypeAny // SslTypeX509 indicates SSL is required and the certificate is validated. SslTypeX509 // SslTypeSpecified indicates SSL is required and the certificate's subject or issuer is validated. SslTypeSpecified )
type UserAttributesInfo ¶
type UserAttributesInfo struct { MetadataInfo PasswordLocking }
UserAttributesInfo is the 'User_attributes' in privilege cache.
type UserPrivileges ¶
type UserPrivileges struct { *Handle // contains filtered or unexported fields }
UserPrivileges implements privilege.Manager interface. This is used to check privilege for the current user.
func NewUserPrivileges ¶
func NewUserPrivileges(handle *Handle, extension *extension.Extensions) *UserPrivileges
NewUserPrivileges creates a new UserPrivileges.
func (*UserPrivileges) ActiveRoles ¶
func (p *UserPrivileges) ActiveRoles(ctx context.Context, sctx sessionctx.Context, roleList []*auth.RoleIdentity) (bool, string)
ActiveRoles implements privilege.Manager ActiveRoles interface.
func (*UserPrivileges) AuthSuccess ¶
func (p *UserPrivileges) AuthSuccess(authUser, authHost string)
AuthSuccess makes the permissions take effect.
func (*UserPrivileges) CheckPasswordExpired ¶
func (*UserPrivileges) CheckPasswordExpired(sessionVars *variable.SessionVars, record *UserRecord) (bool, error)
CheckPasswordExpired checks whether the password has been expired.
func (*UserPrivileges) ConnectionVerification ¶
func (p *UserPrivileges) ConnectionVerification(user *auth.UserIdentity, authUser, authHost string, authentication, salt []byte, sessionVars *variable.SessionVars, authConn conn.AuthConn) (info privilege.VerificationInfo, err error)
ConnectionVerification implements the Manager interface.
func (*UserPrivileges) DBIsVisible ¶
func (p *UserPrivileges) DBIsVisible(activeRoles []*auth.RoleIdentity, db string) bool
DBIsVisible implements the Manager interface.
func (*UserPrivileges) FindEdge ¶
func (p *UserPrivileges) FindEdge(ctx context.Context, role *auth.RoleIdentity, user *auth.UserIdentity) bool
FindEdge implements privilege.Manager FindRelationship interface.
func (*UserPrivileges) GetAllRoles ¶
func (p *UserPrivileges) GetAllRoles(user, host string) []*auth.RoleIdentity
GetAllRoles returns all roles of the user.
func (*UserPrivileges) GetAuthPluginForConnection ¶
func (p *UserPrivileges) GetAuthPluginForConnection(ctx context.Context, user, host string) (string, error)
GetAuthPluginForConnection gets the authentication plugin used in connection establishment.
func (*UserPrivileges) GetAuthWithoutVerification ¶
func (p *UserPrivileges) GetAuthWithoutVerification(user, host string) (success bool)
GetAuthWithoutVerification implements the Manager interface.
func (*UserPrivileges) GetDefaultRoles ¶
func (p *UserPrivileges) GetDefaultRoles(ctx context.Context, user, host string) []*auth.RoleIdentity
GetDefaultRoles returns all default roles for a given user.
func (*UserPrivileges) HasExplicitlyGrantedDynamicPrivilege ¶
func (p *UserPrivileges) HasExplicitlyGrantedDynamicPrivilege(activeRoles []*auth.RoleIdentity, privName string, grantable bool) bool
HasExplicitlyGrantedDynamicPrivilege checks if a user has a DYNAMIC privilege without accepting SUPER privilege as a fallback.
func (*UserPrivileges) IsAccountAutoLockEnabled ¶
func (p *UserPrivileges) IsAccountAutoLockEnabled(user string, host string) bool
IsAccountAutoLockEnabled implements the Manager interface.
func (*UserPrivileges) IsDynamicPrivilege ¶
func (p *UserPrivileges) IsDynamicPrivilege(privName string) bool
IsDynamicPrivilege returns true if the DYNAMIC privilege is built-in or has been registered by a plugin.
func (*UserPrivileges) MatchIdentity ¶
func (p *UserPrivileges) MatchIdentity(ctx context.Context, user, host string, skipNameResolve bool) (u string, h string, success bool)
MatchIdentity implements the Manager interface.
func (*UserPrivileges) MatchUserResourceGroupName ¶
func (p *UserPrivileges) MatchUserResourceGroupName(exec sqlexec.RestrictedSQLExecutor, resourceGroupName string) (u string, success bool)
MatchUserResourceGroupName implements the Manager interface.
func (*UserPrivileges) RequestDynamicVerification ¶
func (p *UserPrivileges) RequestDynamicVerification(activeRoles []*auth.RoleIdentity, privName string, grantable bool) bool
RequestDynamicVerification implements the Manager interface.
func (*UserPrivileges) RequestDynamicVerificationWithUser ¶
func (p *UserPrivileges) RequestDynamicVerificationWithUser(ctx context.Context, privName string, grantable bool, user *auth.UserIdentity) bool
RequestDynamicVerificationWithUser implements the Manager interface.
func (*UserPrivileges) RequestVerification ¶
func (p *UserPrivileges) RequestVerification(activeRoles []*auth.RoleIdentity, db, table, column string, priv mysql.PrivilegeType) bool
RequestVerification implements the Manager interface.
func (*UserPrivileges) RequestVerificationWithUser ¶
func (p *UserPrivileges) RequestVerificationWithUser(ctx context.Context, db, table, column string, priv mysql.PrivilegeType, user *auth.UserIdentity) bool
RequestVerificationWithUser implements the Manager interface.
func (*UserPrivileges) ShowGrants ¶
func (p *UserPrivileges) ShowGrants(ctx context.Context, sctx sessionctx.Context, user *auth.UserIdentity, roles []*auth.RoleIdentity) (grants []string, err error)
ShowGrants implements privilege.Manager ShowGrants interface.
func (*UserPrivileges) UserPrivilegesTable ¶
func (p *UserPrivileges) UserPrivilegesTable(activeRoles []*auth.RoleIdentity, user, host string) [][]types.Datum
UserPrivilegesTable implements the Manager interface.
func (*UserPrivileges) VerifyAccountAutoLockInMemory ¶
func (p *UserPrivileges) VerifyAccountAutoLockInMemory(user string, host string) (bool, error)
VerifyAccountAutoLockInMemory implements the Manager interface.
type UserRecord ¶
type UserRecord struct { UserAttributesInfo AuthenticationString string Privileges mysql.PrivilegeType AccountLocked bool // A role record when this field is true AuthPlugin string AuthTokenIssuer string PasswordExpired bool PasswordLastChanged time.Time PasswordLifeTime int64 ResourceGroup string // contains filtered or unexported fields }
UserRecord is used to represent a user record in privilege cache.
func NewUserRecord ¶
func NewUserRecord(host, user string) UserRecord
NewUserRecord returns a UserRecord; it is only used in unit tests.