privileges

package
v7.0.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 30, 2023 License: Apache-2.0 Imports: 44 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrNonexistingGrant = dbterror.ClassPrivilege.NewStd(mysql.ErrNonexistingGrant)

	ErrAccessDenied = dbterror.ClassPrivilege.NewStd(mysql.ErrAccessDenied)

	ErUserAccessDeniedForUserAccountBlockedByPasswordLock = dbterror.ClassPrivilege.NewStd(mysql.ErUserAccessDeniedForUserAccountBlockedByPasswordLock)
	ErrMustChangePasswordLogin                            = dbterror.ClassPrivilege.NewStd(mysql.ErrMustChangePasswordLogin)
)

error definitions.

View Source 
var SkipWithGrant = false

SkipWithGrant causes the server to start without using the privilege system at all.

Functions

func BuildPasswordLockingJSON 

func BuildPasswordLockingJSON(failedLoginAttempts int64,
	passwordLockTimeDays int64, autoAccountLocked string, failedLoginCount int64, autoLockedLastChanged string) string

BuildPasswordLockingJSON builds PasswordLocking JSON string.

func BuildSuccessPasswordLockingJSON 

func BuildSuccessPasswordLockingJSON(failedLoginAttempts, passwordLockTimeDays int64) string

BuildSuccessPasswordLockingJSON builds success PasswordLocking JSON string.

func GenerateAccountAutoLockErr 

func GenerateAccountAutoLockErr(failedLoginAttempts int64,
	user, host, lockTime, remainTime string) error

GenerateAccountAutoLockErr implements the Manager interface.

func GetDynamicPrivileges 

func GetDynamicPrivileges() []string

GetDynamicPrivileges returns the list of registered DYNAMIC privileges for use in meta data commands (i.e. SHOW PRIVILEGES)

func PrivToString 

func PrivToString(priv mysql.PrivilegeType, allPrivs []mysql.PrivilegeType, allPrivNames map[mysql.PrivilegeType]string) string

PrivToString converts the privileges to string.

func RegisterDynamicPrivilege 

func RegisterDynamicPrivilege(privName string) error

RegisterDynamicPrivilege is used by plugins to add new privileges to TiDB

func RemoveDynamicPrivilege 

func RemoveDynamicPrivilege(privName string) bool

RemoveDynamicPrivilege is used for test only

Types

type GlobalPrivValue 

type GlobalPrivValue struct {
	SSLType     SSLType                   `json:"ssl_type,omitempty"`
	SSLCipher   string                    `json:"ssl_cipher,omitempty"`
	X509Issuer  string                    `json:"x509_issuer,omitempty"`
	X509Subject string                    `json:"x509_subject,omitempty"`
	SAN         string                    `json:"san,omitempty"`
	SANs        map[util.SANType][]string `json:"-"`
}

GlobalPrivValue is store json format for priv column in mysql.global_priv.

func (*GlobalPrivValue) RequireStr 

func (g *GlobalPrivValue) RequireStr() string

RequireStr returns describe string after `REQUIRE` clause.

type Handle 

type Handle struct {
	// contains filtered or unexported fields
}

Handle wraps MySQLPrivilege providing thread safe access.

func NewHandle 

func NewHandle() *Handle

NewHandle returns a Handle.

func (*Handle) Get 

func (h *Handle) Get() *MySQLPrivilege

Get the MySQLPrivilege for read.

func (*Handle) Update 

func (h *Handle) Update(ctx sessionctx.Context) error

Update loads all the privilege info from kv storage.

type JWKSImpl 

type JWKSImpl struct {
	// contains filtered or unexported fields
}

JWKSImpl contains a JSON Web Key Set (JWKS), and a filepath that stores the JWKS 

var GlobalJWKS JWKSImpl

GlobalJWKS is the global JWKS for tidb-server

func (*JWKSImpl) LoadJWKS4AuthToken 

func (jwks *JWKSImpl) LoadJWKS4AuthToken(ctx context.Context, wg *sync.WaitGroup, jwksPath string, interval time.Duration) error

LoadJWKS4AuthToken reload the jwks every auth-token-refresh-interval.

type MetadataInfo 

type MetadataInfo struct {
	Email string
}

MetadataInfo is the User_attributes->>"$.metadata".

type MySQLPrivilege 

type MySQLPrivilege struct {

	// This helps in the case that there are a number of users with
	// non-full privileges (i.e. user.db entries).
	User          []UserRecord
	UserMap       map[string][]UserRecord // Accelerate User searching
	Global        map[string][]globalPrivRecord
	Dynamic       map[string][]dynamicPrivRecord
	DB            []dbRecord
	DBMap         map[string][]dbRecord // Accelerate DB searching
	TablesPriv    []tablesPrivRecord
	TablesPrivMap map[string][]tablesPrivRecord // Accelerate TablesPriv searching
	ColumnsPriv   []columnsPrivRecord
	DefaultRoles  []defaultRoleRecord
	RoleGraph     map[string]roleGraphEdgesTable
}

MySQLPrivilege is the in-memory cache of mysql privilege tables.

func (*MySQLPrivilege) DBIsVisible 

func (p *MySQLPrivilege) DBIsVisible(user, host, db string) bool

DBIsVisible checks whether the user can see the db.

func (*MySQLPrivilege) FindAllRole 

func (p *MySQLPrivilege) FindAllRole(activeRoles []*auth.RoleIdentity) []*auth.RoleIdentity

FindAllRole is used to find all roles grant to this user.

func (*MySQLPrivilege) FindAllUserEffectiveRoles 

func (p *MySQLPrivilege) FindAllUserEffectiveRoles(user, host string, activeRoles []*auth.RoleIdentity) []*auth.RoleIdentity

FindAllUserEffectiveRoles is used to find all effective roles grant to this user. This method will filter out the roles that are not granted to the user but are still in activeRoles

func (*MySQLPrivilege) FindRole 

func (p *MySQLPrivilege) FindRole(user string, host string, role *auth.RoleIdentity) bool

FindRole is used to detect whether there is edges between users and roles.

func (*MySQLPrivilege) HasExplicitlyGrantedDynamicPrivilege 

func (p *MySQLPrivilege) HasExplicitlyGrantedDynamicPrivilege(activeRoles []*auth.RoleIdentity, user, host, privName string, withGrant bool) bool

HasExplicitlyGrantedDynamicPrivilege checks if a user has a DYNAMIC privilege without accepting SUPER privilege as a fallback.

func (*MySQLPrivilege) LoadAll 

func (p *MySQLPrivilege) LoadAll(ctx sessionctx.Context) error

LoadAll loads the tables from database to memory.

func (*MySQLPrivilege) LoadColumnsPrivTable 

func (p *MySQLPrivilege) LoadColumnsPrivTable(ctx sessionctx.Context) error

LoadColumnsPrivTable loads the mysql.columns_priv table from database.

func (*MySQLPrivilege) LoadDBTable 

func (p *MySQLPrivilege) LoadDBTable(ctx sessionctx.Context) error

LoadDBTable loads the mysql.db table from database.

func (*MySQLPrivilege) LoadDefaultRoles 

func (p *MySQLPrivilege) LoadDefaultRoles(ctx sessionctx.Context) error

LoadDefaultRoles loads the mysql.columns_priv table from database.

func (*MySQLPrivilege) LoadGlobalGrantsTable 

func (p *MySQLPrivilege) LoadGlobalGrantsTable(ctx sessionctx.Context) error

LoadGlobalGrantsTable loads the mysql.global_priv table from database.

func (*MySQLPrivilege) LoadGlobalPrivTable 

func (p *MySQLPrivilege) LoadGlobalPrivTable(ctx sessionctx.Context) error

LoadGlobalPrivTable loads the mysql.global_priv table from database.

func (*MySQLPrivilege) LoadRoleGraph 

func (p *MySQLPrivilege) LoadRoleGraph(ctx sessionctx.Context) error

LoadRoleGraph loads the mysql.role_edges table from database.

func (*MySQLPrivilege) LoadTablesPrivTable 

func (p *MySQLPrivilege) LoadTablesPrivTable(ctx sessionctx.Context) error

LoadTablesPrivTable loads the mysql.tables_priv table from database.

func (*MySQLPrivilege) LoadUserTable 

func (p *MySQLPrivilege) LoadUserTable(ctx sessionctx.Context) error

LoadUserTable loads the mysql.user table from database.

func (*MySQLPrivilege) RequestDynamicVerification 

func (p *MySQLPrivilege) RequestDynamicVerification(activeRoles []*auth.RoleIdentity, user, host, privName string, withGrant bool) bool

RequestDynamicVerification checks all roles for a specific DYNAMIC privilege.

func (*MySQLPrivilege) RequestVerification 

func (p *MySQLPrivilege) RequestVerification(activeRoles []*auth.RoleIdentity, user, host, db, table, column string, priv mysql.PrivilegeType) bool

RequestVerification checks whether the user have sufficient privileges to do the operation.

func (MySQLPrivilege) SortUserTable 

func (p MySQLPrivilege) SortUserTable()

SortUserTable sorts p.User in the MySQLPrivilege struct.

func (*MySQLPrivilege) UserPrivilegesTable 

func (p *MySQLPrivilege) UserPrivilegesTable(activeRoles []*auth.RoleIdentity, user, host string) [][]types.Datum

UserPrivilegesTable provide data for INFORMATION_SCHEMA.USERS_PRIVILEGES table.

type PasswordLocking 

type PasswordLocking struct {
	FailedLoginCount      int64
	PasswordLockTimeDays  int64
	AutoAccountLocked     bool
	AutoLockedLastChanged int64
	FailedLoginAttempts   int64
}

PasswordLocking is the User_attributes->>"$.Password_locking". It records information about failed-login tracking and temporary account locking.

func (*PasswordLocking) ParseJSON 

func (passwordLocking *PasswordLocking) ParseJSON(passwordLockingJSON types.BinaryJSON) error

ParseJSON parses information about PasswordLocking.

type SSLType 

type SSLType int

SSLType is enum value for GlobalPrivValue.SSLType. the value is compatible with MySQL storage json value. 

const (
	// SslTypeNotSpecified indicates .
	SslTypeNotSpecified SSLType = iota - 1
	// SslTypeNone indicates not require use ssl.
	SslTypeNone
	// SslTypeAny indicates require use ssl but not validate cert.
	SslTypeAny
	// SslTypeX509 indicates require use ssl and validate cert.
	SslTypeX509
	// SslTypeSpecified indicates require use ssl and validate cert's subject or issuer.
	SslTypeSpecified
)

type UserAttributesInfo 

type UserAttributesInfo struct {
	MetadataInfo
	PasswordLocking
}

UserAttributesInfo is the 'User_attributes' in privilege cache.

type UserPrivileges 

type UserPrivileges struct {
	*Handle
	// contains filtered or unexported fields
}

UserPrivileges implements privilege.Manager interface. This is used to check privilege for the current user.

func NewUserPrivileges 

func NewUserPrivileges(handle *Handle, extension *extension.Extensions) *UserPrivileges

NewUserPrivileges creates a new UserPrivileges

func (*UserPrivileges) ActiveRoles 

func (p *UserPrivileges) ActiveRoles(ctx sessionctx.Context, roleList []*auth.RoleIdentity) (bool, string)

ActiveRoles implements privilege.Manager ActiveRoles interface.

func (*UserPrivileges) AuthSuccess 

func (p *UserPrivileges) AuthSuccess(authUser, authHost string)

AuthSuccess is to make the permission take effect.

func (*UserPrivileges) CheckPasswordExpired 

func (*UserPrivileges) CheckPasswordExpired(sessionVars *variable.SessionVars, record *UserRecord) (bool, error)

CheckPasswordExpired checks whether the password has been expired.

func (*UserPrivileges) ConnectionVerification 

func (p *UserPrivileges) ConnectionVerification(user *auth.UserIdentity, authUser, authHost string, authentication, salt []byte, sessionVars *variable.SessionVars) (info privilege.VerificationInfo, err error)

ConnectionVerification implements the Manager interface.

func (*UserPrivileges) DBIsVisible 

func (p *UserPrivileges) DBIsVisible(activeRoles []*auth.RoleIdentity, db string) bool

DBIsVisible implements the Manager interface.

func (*UserPrivileges) FindEdge 

func (p *UserPrivileges) FindEdge(ctx sessionctx.Context, role *auth.RoleIdentity, user *auth.UserIdentity) bool

FindEdge implements privilege.Manager FindRelationship interface.

func (*UserPrivileges) GetAllRoles 

func (p *UserPrivileges) GetAllRoles(user, host string) []*auth.RoleIdentity

GetAllRoles return all roles of user.

func (*UserPrivileges) GetAuthPlugin 

func (p *UserPrivileges) GetAuthPlugin(user, host string) (string, error)

GetAuthPlugin gets the authentication plugin for the account identified by the user and host

func (*UserPrivileges) GetAuthPluginForConnection 

func (p *UserPrivileges) GetAuthPluginForConnection(user, host string) (string, error)

GetAuthPluginForConnection gets the authentication plugin used in connection establishment.

func (*UserPrivileges) GetAuthWithoutVerification 

func (p *UserPrivileges) GetAuthWithoutVerification(user, host string) (success bool)

GetAuthWithoutVerification implements the Manager interface.

func (*UserPrivileges) GetDefaultRoles 

func (p *UserPrivileges) GetDefaultRoles(user, host string) []*auth.RoleIdentity

GetDefaultRoles returns all default roles for certain user.

func (*UserPrivileges) GetEncodedPassword 

func (p *UserPrivileges) GetEncodedPassword(user, host string) string

GetEncodedPassword implements the Manager interface.

func (*UserPrivileges) HasExplicitlyGrantedDynamicPrivilege 

func (p *UserPrivileges) HasExplicitlyGrantedDynamicPrivilege(activeRoles []*auth.RoleIdentity, privName string, grantable bool) bool

HasExplicitlyGrantedDynamicPrivilege checks if a user has a DYNAMIC privilege without accepting SUPER privilege as a fallback.

func (*UserPrivileges) IsAccountAutoLockEnabled 

func (p *UserPrivileges) IsAccountAutoLockEnabled(user string, host string) bool

IsAccountAutoLockEnabled implements the Manager interface.

func (*UserPrivileges) IsDynamicPrivilege 

func (p *UserPrivileges) IsDynamicPrivilege(privName string) bool

IsDynamicPrivilege returns true if the DYNAMIC privilege is built-in or has been registered by a plugin

func (*UserPrivileges) MatchIdentity 

func (p *UserPrivileges) MatchIdentity(user, host string, skipNameResolve bool) (u string, h string, success bool)

MatchIdentity implements the Manager interface.

func (*UserPrivileges) MatchUserResourceGroupName 

func (p *UserPrivileges) MatchUserResourceGroupName(resourceGroupName string) (u string, success bool)

MatchUserResourceGroupName implements the Manager interface.

func (*UserPrivileges) RequestDynamicVerification 

func (p *UserPrivileges) RequestDynamicVerification(activeRoles []*auth.RoleIdentity, privName string, grantable bool) bool

RequestDynamicVerification implements the Manager interface.

func (*UserPrivileges) RequestDynamicVerificationWithUser 

func (p *UserPrivileges) RequestDynamicVerificationWithUser(privName string, grantable bool, user *auth.UserIdentity) bool

RequestDynamicVerificationWithUser implements the Manager interface.

func (*UserPrivileges) RequestVerification 

func (p *UserPrivileges) RequestVerification(activeRoles []*auth.RoleIdentity, db, table, column string, priv mysql.PrivilegeType) bool

RequestVerification implements the Manager interface.

func (*UserPrivileges) RequestVerificationWithUser 

func (p *UserPrivileges) RequestVerificationWithUser(db, table, column string, priv mysql.PrivilegeType, user *auth.UserIdentity) bool

RequestVerificationWithUser implements the Manager interface.

func (*UserPrivileges) ShowGrants 

func (p *UserPrivileges) ShowGrants(ctx sessionctx.Context, user *auth.UserIdentity, roles []*auth.RoleIdentity) (grants []string, err error)

ShowGrants implements privilege.Manager ShowGrants interface.

func (*UserPrivileges) UserPrivilegesTable 

func (p *UserPrivileges) UserPrivilegesTable(activeRoles []*auth.RoleIdentity, user, host string) [][]types.Datum

UserPrivilegesTable implements the Manager interface.

func (*UserPrivileges) VerifyAccountAutoLockInMemory 

func (p *UserPrivileges) VerifyAccountAutoLockInMemory(user string, host string) (bool, error)

VerifyAccountAutoLockInMemory implements the Manager interface.

type UserRecord 

type UserRecord struct {
	UserAttributesInfo

	AuthenticationString string
	Privileges           mysql.PrivilegeType
	AccountLocked        bool // A role record when this field is true
	AuthPlugin           string
	AuthTokenIssuer      string
	PasswordExpired      bool
	PasswordLastChanged  time.Time
	PasswordLifeTime     int64
	ResourceGroup        string
	// contains filtered or unexported fields
}

UserRecord is used to represent a user record in privilege cache.

func NewUserRecord 

func NewUserRecord(host, user string) UserRecord

NewUserRecord return a UserRecord, only use for unit test.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.