MDEV-21702 Add a data type for privileges

MariaDB · Feb 11, 2020 · 83e75b3 · 83e75b3
1 parent f79f537
commit 83e75b3
Show file tree

Hide file tree

Showing 41 changed files with 781 additions and 546 deletions.
diff --git a/libmysqld/lib_sql.cc b/libmysqld/lib_sql.cc
@@ -704,7 +704,7 @@ void *create_embedded_thd(int client_flag)
   thd->db= null_clex_str;
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
   thd->security_ctx->db_access= DB_ACLS;
-  thd->security_ctx->master_access= ~NO_ACCESS;
+  thd->security_ctx->master_access= ALL_KNOWN_ACL;
 #endif
   thd->cur_data= 0;
   thd->first_data= 0;

diff --git a/plugin/feedback/sender_thread.cc b/plugin/feedback/sender_thread.cc
@@ -106,7 +106,7 @@ static int prepare_for_fill(TABLE_LIST *tables)
   thd->db= null_clex_str;
   thd->security_ctx->host_or_ip= "";
   thd->security_ctx->db_access= DB_ACLS;
-  thd->security_ctx->master_access= ~NO_ACCESS;
+  thd->security_ctx->master_access= ALL_KNOWN_ACL;
   bzero((char*) &thd->net, sizeof(thd->net));
   lex_start(thd);
   mysql_init_select(thd->lex);

diff --git a/plugin/userstat/index_stats.cc b/plugin/userstat/index_stats.cc
@@ -29,7 +29,7 @@ static int index_stats_fill(THD *thd, TABLE_LIST *tables, COND *cond)
     tmp_table.db.length= strlen(index_stats->index);
     tmp_table.table_name.str= index_stats->index + tmp_table.db.length + 1;
     tmp_table.table_name.length= strlen(tmp_table.table_name.str);
-    tmp_table.grant.privilege= 0;
+    tmp_table.grant.privilege= NO_ACL;
     if (check_access(thd, SELECT_ACL, tmp_table.db.str,
                       &tmp_table.grant.privilege, NULL, 0, 1) ||
         check_grant(thd, SELECT_ACL, &tmp_table, 1, UINT_MAX, 1))

diff --git a/plugin/userstat/table_stats.cc b/plugin/userstat/table_stats.cc
@@ -34,7 +34,7 @@ static int table_stats_fill(THD *thd, TABLE_LIST *tables, COND *cond)
     tmp_table.db.length= schema_length;
     tmp_table.table_name.str= end_of_schema+1;
     tmp_table.table_name.length= table_name_length;
-    tmp_table.grant.privilege= 0;
+    tmp_table.grant.privilege= NO_ACL;
     if (check_access(thd, SELECT_ACL, tmp_table.db.str,
                      &tmp_table.grant.privilege, NULL, 0, 1) ||
         check_grant(thd, SELECT_ACL, &tmp_table, 1, UINT_MAX,

diff --git a/sql/event_data_objects.cc b/sql/event_data_objects.cc
@@ -1480,8 +1480,6 @@ Event_job_data::execute(THD *thd, bool drop)
       ret= 1;
     else
     {
-      ulong saved_master_access;
-
       thd->set_query(sp_sql.c_ptr_safe(), sp_sql.length());
 
       /*
@@ -1493,7 +1491,7 @@ Event_job_data::execute(THD *thd, bool drop)
         Temporarily reset it to read-write.
       */
 
-      saved_master_access= thd->security_ctx->master_access;
+      privilege_t saved_master_access(thd->security_ctx->master_access);
       thd->security_ctx->master_access |= SUPER_ACL;
       bool save_tx_read_only= thd->tx_read_only;
       thd->tx_read_only= false;

diff --git a/sql/event_scheduler.cc b/sql/event_scheduler.cc
@@ -177,8 +177,8 @@ pre_init_event_thread(THD* thd)
 
   set_current_thd(thd);
   thd->client_capabilities= 0;
-  thd->security_ctx->master_access= 0;
-  thd->security_ctx->db_access= 0;
+  thd->security_ctx->master_access= NO_ACL;
+  thd->security_ctx->db_access= NO_ACL;
   thd->security_ctx->host_or_ip= (char*)my_localhost;
   my_net_init(&thd->net, NULL, thd, MYF(MY_THREAD_SPECIFIC));
   thd->security_ctx->set_user((char*)"event_scheduler");

diff --git a/sql/events.cc b/sql/events.cc
@@ -1145,7 +1145,6 @@ Events::load_events_from_db(THD *thd)
   READ_RECORD read_record_info;
   bool ret= TRUE;
   uint count= 0;
-  ulong saved_master_access;
   DBUG_ENTER("Events::load_events_from_db");
   DBUG_PRINT("enter", ("thd: %p", thd));
 
@@ -1158,7 +1157,7 @@ Events::load_events_from_db(THD *thd)
     Temporarily reset it to read-write.
   */
 
-  saved_master_access= thd->security_ctx->master_access;
+  privilege_t saved_master_access(thd->security_ctx->master_access);
   thd->security_ctx->master_access |= SUPER_ACL;
   bool save_tx_read_only= thd->tx_read_only;
   thd->tx_read_only= false;

diff --git a/sql/grant.cc b/sql/grant.cc
@@ -20,7 +20,7 @@
 
 bool Grant_privilege::add_column_privilege(THD *thd,
                                            const Lex_ident_sys &name,
-                                           uint which_grant)
+                                           privilege_t which_grant)
 {
   String *new_str= new (thd->mem_root) String((const char*) name.str,
                                               name.length,
@@ -51,7 +51,7 @@ bool Grant_privilege::add_column_privilege(THD *thd,
 
 bool Grant_privilege::add_column_list_privilege(THD *thd,
                                                 List<Lex_ident_sys> &list,
-                                                uint privilege)
+                                                privilege_t privilege)
 {
   Lex_ident_sys *col;
   List_iterator<Lex_ident_sys> it(list);
@@ -64,22 +64,22 @@ bool Grant_privilege::add_column_list_privilege(THD *thd,
 }
 
 
-uint Grant_object_name::all_privileges_by_type() const
+privilege_t Grant_object_name::all_privileges_by_type() const
 {
   switch (m_type) {
   case STAR:        return DB_ACLS & ~GRANT_ACL;
   case IDENT_STAR:  return DB_ACLS & ~GRANT_ACL;
   case STAR_STAR:   return GLOBAL_ACLS & ~GRANT_ACL;
   case TABLE_IDENT: return TABLE_ACLS & ~GRANT_ACL;
   }
-  return 0;
+  return NO_ACL;
 }
 
 
 bool Grant_privilege::set_object_name(THD *thd,
                                       const Grant_object_name &ident,
                                       SELECT_LEX *sel,
-                                      uint with_grant_option)
+                                      privilege_t with_grant_option)
 {
   DBUG_ASSERT(!m_all_privileges || !m_columns.elements);
 

diff --git a/sql/grant.h b/sql/grant.h
@@ -18,6 +18,7 @@
 #define SQL_GRANT_INCLUDED
 
 #include "lex_string.h"
+#include "privilege.h"
 
 class LEX_COLUMN;
 class Lex_ident_sys;
@@ -50,7 +51,7 @@ class Grant_object_name
     m_table_ident(NULL),
     m_type(type)
   { }
-  uint all_privileges_by_type() const;
+  privilege_t all_privileges_by_type() const;
 };
 
 
@@ -65,30 +66,32 @@ class Grant_privilege
 protected:
   List<LEX_COLUMN> m_columns;
   Lex_cstring m_db;
-  uint m_object_privilege;
-  uint m_column_privilege_total;
+  privilege_t m_object_privilege;
+  privilege_t m_column_privilege_total;
   bool m_all_privileges;
 public:
   Grant_privilege()
-   :m_object_privilege(0), m_column_privilege_total(0), m_all_privileges(false)
+   :m_object_privilege(NO_ACL),
+    m_column_privilege_total(NO_ACL),
+    m_all_privileges(false)
   { }
-  Grant_privilege(uint privilege, bool all_privileges)
+  Grant_privilege(privilege_t privilege, bool all_privileges)
    :m_object_privilege(privilege),
-    m_column_privilege_total(0),
+    m_column_privilege_total(NO_ACL),
     m_all_privileges(all_privileges)
   { }
-  void add_object_privilege(uint privilege)
+  void add_object_privilege(privilege_t privilege)
   {
     m_object_privilege|= privilege;
   }
   bool add_column_privilege(THD *thd, const Lex_ident_sys &col,
-                            uint privilege);
+                            privilege_t privilege);
   bool add_column_list_privilege(THD *thd, List<Lex_ident_sys> &list,
-                                 uint privilege);
+                                 privilege_t privilege);
   bool set_object_name(THD *thd,
                        const Grant_object_name &ident,
                        SELECT_LEX *sel,
-                       uint with_grant_option);
+                       privilege_t with_grant_option);
   const List<LEX_COLUMN> & columns() const { return m_columns; }
 };
 

diff --git a/sql/item.cc b/sql/item.cc
@@ -2892,7 +2892,7 @@ Item_field::Item_field(THD *thd, Field *f)
   :Item_ident(thd, 0, null_clex_str,
               Lex_cstring_strlen(*f->table_name), f->field_name),
    item_equal(0),
-   have_privileges(0), any_privileges(0)
+   have_privileges(NO_ACL), any_privileges(0)
 {
   set_field(f);
   /*
@@ -2917,7 +2917,7 @@ Item_field::Item_field(THD *thd, Name_resolution_context *context_arg,
   :Item_ident(thd, context_arg, f->table->s->db,
               Lex_cstring_strlen(*f->table_name), f->field_name),
    item_equal(0),
-   have_privileges(0), any_privileges(0)
+   have_privileges(NO_ACL), any_privileges(0)
 {
   /*
     We always need to provide Item_field with a fully qualified field
@@ -2961,7 +2961,7 @@ Item_field::Item_field(THD *thd, Name_resolution_context *context_arg,
                        const LEX_CSTRING &field_name_arg)
   :Item_ident(thd, context_arg, db_arg, table_name_arg, field_name_arg),
    field(0), item_equal(0),
-   have_privileges(0), any_privileges(0)
+   have_privileges(NO_ACL), any_privileges(0)
 {
   SELECT_LEX *select= thd->lex->current_select;
   collation.set(DERIVATION_IMPLICIT);

diff --git a/sql/item.h b/sql/item.h
@@ -3290,7 +3290,7 @@ class Item_field :public Item_ident,
     if any_privileges set to TRUE then here real effective privileges will
     be stored
   */
-  uint have_privileges;
+  privilege_t have_privileges;
   /* field need any privileges (for VIEW creation) */
   bool any_privileges;
   Item_field(THD *thd, Name_resolution_context *context_arg,
@@ -6381,7 +6381,7 @@ class Item_trigger_field : public Item_field,
   Item_trigger_field(THD *thd, Name_resolution_context *context_arg,
                      row_version_type row_ver_arg,
                      const LEX_CSTRING &field_name_arg,
-                     ulong priv, const bool ro)
+                     privilege_t priv, const bool ro)
     :Item_field(thd, context_arg, field_name_arg),
      row_version(row_ver_arg), field_idx((uint)-1), original_privilege(priv),
      want_privilege(priv), table_grants(NULL), read_only (ro)
@@ -6423,8 +6423,8 @@ class Item_trigger_field : public Item_field,
     want_privilege and cleanup() is responsible for restoring of
     original want_privilege once parameter's value is updated).
   */
-  ulong original_privilege;
-  ulong want_privilege;
+  privilege_t original_privilege;
+  privilege_t want_privilege;
   GRANT_INFO *table_grants;
   /*
     Trigger field is read-only unless it belongs to the NEW row in a

diff --git a/sql/lock.cc b/sql/lock.cc
@@ -114,7 +114,7 @@ lock_tables_check(THD *thd, TABLE **tables, uint count, uint flags)
   DBUG_ENTER("lock_tables_check");
 
   system_count= 0;
-  is_superuser= thd->security_ctx->master_access & SUPER_ACL;
+  is_superuser= (thd->security_ctx->master_access & SUPER_ACL) != NO_ACL;
   log_table_write_query= (is_log_table_write_query(thd->lex->sql_command)
                          || ((flags & MYSQL_LOCK_LOG_TABLE) != 0));
 

diff --git a/sql/opt_trace.cc b/sql/opt_trace.cc
@@ -263,7 +263,7 @@ void opt_trace_disable_if_no_tables_access(THD *thd, TABLE_LIST *tbl)
 
       bool rc =
           check_table_access(thd, SELECT_ACL, t, false, 1, true) ||  // (1)
-          ((t->grant.privilege & SELECT_ACL) == 0);                  // (2)
+          ((t->grant.privilege & SELECT_ACL) == NO_ACL);             // (2)
       if (t->is_view())
       {
         /*