import "github.com/pingcap/tidb/privilege/privileges"
cache.go errors.go privileges.go
var (
ErrNonexistingGrant = dbterror.ClassPrivilege.NewStd(mysql.ErrNonexistingGrant)
)error definitions.
SkipWithGrant causes the server to start without using the privilege system at all.
type GlobalPrivValue struct {
SSLType SSLType `json:"ssl_type,omitempty"`
SSLCipher string `json:"ssl_cipher,omitempty"`
X509Issuer string `json:"x509_issuer,omitempty"`
X509Subject string `json:"x509_subject,omitempty"`
SAN string `json:"san,omitempty"`
SANs map[util.SANType][]string `json:"-"`
}GlobalPrivValue is store json format for priv column in mysql.global_priv.
func (g *GlobalPrivValue) RequireStr() string
RequireStr returns describe string after `REQUIRE` clause.
type Handle struct {
// contains filtered or unexported fields
}Handle wraps MySQLPrivilege providing thread safe access.
NewHandle returns a Handle.
func (h *Handle) Get() *MySQLPrivilege
Get the MySQLPrivilege for read.
func (h *Handle) Update(ctx sessionctx.Context) error
Update loads all the privilege info from kv storage.
type MySQLPrivilege struct {
// This helps in the case that there are a number of users with
// non-full privileges (i.e. user.db entries).
User []UserRecord
UserMap map[string][]UserRecord // Accelerate User searching
Global map[string][]globalPrivRecord
DB []dbRecord
DBMap map[string][]dbRecord // Accelerate DB searching
TablesPriv []tablesPrivRecord
TablesPrivMap map[string][]tablesPrivRecord // Accelerate TablesPriv searching
ColumnsPriv []columnsPrivRecord
DefaultRoles []defaultRoleRecord
RoleGraph map[string]roleGraphEdgesTable
}MySQLPrivilege is the in-memory cache of mysql privilege tables.
func (p *MySQLPrivilege) DBIsVisible(user, host, db string) bool
DBIsVisible checks whether the user can see the db.
func (p *MySQLPrivilege) FindAllRole(activeRoles []*auth.RoleIdentity) []*auth.RoleIdentity
FindAllRole is used to find all roles grant to this user.
func (p *MySQLPrivilege) FindRole(user string, host string, role *auth.RoleIdentity) bool
FindRole is used to detect whether there is edges between users and roles.
func (p *MySQLPrivilege) LoadAll(ctx sessionctx.Context) error
LoadAll loads the tables from database to memory.
func (p *MySQLPrivilege) LoadColumnsPrivTable(ctx sessionctx.Context) error
LoadColumnsPrivTable loads the mysql.columns_priv table from database.
func (p *MySQLPrivilege) LoadDBTable(ctx sessionctx.Context) error
LoadDBTable loads the mysql.db table from database.
func (p *MySQLPrivilege) LoadDefaultRoles(ctx sessionctx.Context) error
LoadDefaultRoles loads the mysql.columns_priv table from database.
func (p *MySQLPrivilege) LoadGlobalPrivTable(ctx sessionctx.Context) error
LoadGlobalPrivTable loads the mysql.global_priv table from database.
func (p *MySQLPrivilege) LoadRoleGraph(ctx sessionctx.Context) error
LoadRoleGraph loads the mysql.role_edges table from database.
func (p *MySQLPrivilege) LoadTablesPrivTable(ctx sessionctx.Context) error
LoadTablesPrivTable loads the mysql.tables_priv table from database.
func (p *MySQLPrivilege) LoadUserTable(ctx sessionctx.Context) error
LoadUserTable loads the mysql.user table from database.
func (p *MySQLPrivilege) RequestVerification(activeRoles []*auth.RoleIdentity, user, host, db, table, column string, priv mysql.PrivilegeType) bool
RequestVerification checks whether the user have sufficient privileges to do the operation.
func (p MySQLPrivilege) SortUserTable()
SortUserTable sorts p.User in the MySQLPrivilege struct.
func (p *MySQLPrivilege) UserPrivilegesTable() [][]types.Datum
UserPrivilegesTable provide data for INFORMATION_SCHEMA.USERS_PRIVILEGE table.
SSLType is enum value for GlobalPrivValue.SSLType. the value is compatible with MySQL storage json value.
const (
// SslTypeNotSpecified indicates .
SslTypeNotSpecified SSLType = iota - 1
// SslTypeNone indicates not require use ssl.
SslTypeNone
// SslTypeAny indicates require use ssl but not validate cert.
SslTypeAny
// SslTypeX509 indicates require use ssl and validate cert.
SslTypeX509
// SslTypeSpecified indicates require use ssl and validate cert's subject or issuer.
SslTypeSpecified
)UserPrivileges implements privilege.Manager interface. This is used to check privilege for the current user.
func (p *UserPrivileges) ActiveRoles(ctx sessionctx.Context, roleList []*auth.RoleIdentity) (bool, string)
ActiveRoles implements privilege.Manager ActiveRoles interface.
func (p *UserPrivileges) ConnectionVerification(user, host string, authentication, salt []byte, tlsState *tls.ConnectionState) (u string, h string, success bool)
ConnectionVerification implements the Manager interface.
func (p *UserPrivileges) DBIsVisible(activeRoles []*auth.RoleIdentity, db string) bool
DBIsVisible implements the Manager interface.
func (p *UserPrivileges) FindEdge(ctx sessionctx.Context, role *auth.RoleIdentity, user *auth.UserIdentity) bool
FindEdge implements privilege.Manager FindRelationship interface.
func (p *UserPrivileges) GetAllRoles(user, host string) []*auth.RoleIdentity
GetAllRoles return all roles of user.
func (p *UserPrivileges) GetAuthWithoutVerification(user, host string) (u string, h string, success bool)
GetAuthWithoutVerification implements the Manager interface.
func (p *UserPrivileges) GetDefaultRoles(user, host string) []*auth.RoleIdentity
GetDefaultRoles returns all default roles for certain user.
func (p *UserPrivileges) GetEncodedPassword(user, host string) string
GetEncodedPassword implements the Manager interface.
func (p *UserPrivileges) RequestVerification(activeRoles []*auth.RoleIdentity, db, table, column string, priv mysql.PrivilegeType) bool
RequestVerification implements the Manager interface.
func (p *UserPrivileges) RequestVerificationWithUser(db, table, column string, priv mysql.PrivilegeType, user *auth.UserIdentity) bool
RequestVerificationWithUser implements the Manager interface.
func (p *UserPrivileges) ShowGrants(ctx sessionctx.Context, user *auth.UserIdentity, roles []*auth.RoleIdentity) (grants []string, err error)
ShowGrants implements privilege.Manager ShowGrants interface.
func (p *UserPrivileges) UserPrivilegesTable() [][]types.Datum
UserPrivilegesTable implements the Manager interface.
type UserRecord struct {
AuthenticationString string
Privileges mysql.PrivilegeType
AccountLocked bool // A role record when this field is true
// contains filtered or unexported fields
}UserRecord is used to represent a user record in privilege cache.
func NewUserRecord(host, user string) UserRecord
NewUserRecord return a UserRecord, only use for unit test.
Package privileges imports 30 packages (graph) and is imported by 121 packages. Updated 2021-01-27. Refresh now. Tools for package owners.