wangwei
/
aiforge
Not watched
1
0
Fork 0
Code
Releases 128 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
Tree: ea46aa1422
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ea46aa1422'
${ noResults }
aiforge/vendor/github.com/pingcap/tidb/privilege/privileges/privileges.go

382 lines
9.6 kB
Raw Blame History 

  1. // Copyright 2015 PingCAP, Inc.

  2. //

  3. // Licensed under the Apache License, Version 2.0 (the "License");

  4. // you may not use this file except in compliance with the License.

  5. // You may obtain a copy of the License at

  6. //

  7. //     http://www.apache.org/licenses/LICENSE-2.0

  8. //

  9. // Unless required by applicable law or agreed to in writing, software

  10. // distributed under the License is distributed on an "AS IS" BASIS,

  11. // See the License for the specific language governing permissions and

  12. // limitations under the License.

  13. 

  14. package privileges

  15. 

  16. import (

  17. 	"fmt"

  18. 	"strings"

  19. 

  20. 	"github.com/juju/errors"

  21. 	"github.com/pingcap/tidb/ast"

  22. 	"github.com/pingcap/tidb/context"

  23. 	"github.com/pingcap/tidb/model"

  24. 	"github.com/pingcap/tidb/mysql"

  25. 	"github.com/pingcap/tidb/privilege"

  26. 	"github.com/pingcap/tidb/sessionctx/variable"

  27. 	"github.com/pingcap/tidb/util/sqlexec"

  28. 	"github.com/pingcap/tidb/util/types"

  29. )

  30. 

  31. var _ privilege.Checker = (*UserPrivileges)(nil)

  32. 

  33. type privileges struct {

  34. 	Level ast.GrantLevelType

  35. 	privs map[mysql.PrivilegeType]bool

  36. }

  37. 

  38. func (ps *privileges) contain(p mysql.PrivilegeType) bool {

  39. 	if ps.privs == nil {

  40. 		return false

  41. 	}

  42. 	_, ok := ps.privs[p]

  43. 	return ok

  44. }

  45. 

  46. func (ps *privileges) add(p mysql.PrivilegeType) {

  47. 	if ps.privs == nil {

  48. 		ps.privs = make(map[mysql.PrivilegeType]bool)

  49. 	}

  50. 	ps.privs[p] = true

  51. }

  52. 

  53. func (ps *privileges) String() string {

  54. 	switch ps.Level {

  55. 	case ast.GrantLevelGlobal:

  56. 		return ps.globalPrivToString()

  57. 	case ast.GrantLevelDB:

  58. 		return ps.dbPrivToString()

  59. 	case ast.GrantLevelTable:

  60. 		return ps.tablePrivToString()

  61. 	}

  62. 	return ""

  63. }

  64. 

  65. func (ps *privileges) globalPrivToString() string {

  66. 	if len(ps.privs) == len(mysql.AllGlobalPrivs) {

  67. 		return mysql.AllPrivilegeLiteral

  68. 	}

  69. 	pstrs := make([]string, 0, len(ps.privs))

  70. 	// Iterate AllGlobalPrivs to get stable order result.

  71. 	for _, p := range mysql.AllGlobalPrivs {

  72. 		_, ok := ps.privs[p]

  73. 		if !ok {

  74. 			continue

  75. 		}

  76. 		s, _ := mysql.Priv2Str[p]

  77. 		pstrs = append(pstrs, s)

  78. 	}

  79. 	return strings.Join(pstrs, ",")

  80. }

  81. 

  82. func (ps *privileges) dbPrivToString() string {

  83. 	if len(ps.privs) == len(mysql.AllDBPrivs) {

  84. 		return mysql.AllPrivilegeLiteral

  85. 	}

  86. 	pstrs := make([]string, 0, len(ps.privs))

  87. 	// Iterate AllDBPrivs to get stable order result.

  88. 	for _, p := range mysql.AllDBPrivs {

  89. 		_, ok := ps.privs[p]

  90. 		if !ok {

  91. 			continue

  92. 		}

  93. 		s, _ := mysql.Priv2SetStr[p]

  94. 		pstrs = append(pstrs, s)

  95. 	}

  96. 	return strings.Join(pstrs, ",")

  97. }

  98. 

  99. func (ps *privileges) tablePrivToString() string {

  100. 	if len(ps.privs) == len(mysql.AllTablePrivs) {

  101. 		return mysql.AllPrivilegeLiteral

  102. 	}

  103. 	pstrs := make([]string, 0, len(ps.privs))

  104. 	// Iterate AllTablePrivs to get stable order result.

  105. 	for _, p := range mysql.AllTablePrivs {

  106. 		_, ok := ps.privs[p]

  107. 		if !ok {

  108. 			continue

  109. 		}

  110. 		s, _ := mysql.Priv2Str[p]

  111. 		pstrs = append(pstrs, s)

  112. 	}

  113. 	return strings.Join(pstrs, ",")

  114. }

  115. 

  116. type userPrivileges struct {

  117. 	User string

  118. 	Host string

  119. 	// Global privileges

  120. 	GlobalPrivs *privileges

  121. 	// DBName-privileges

  122. 	DBPrivs map[string]*privileges

  123. 	// DBName-TableName-privileges

  124. 	TablePrivs map[string]map[string]*privileges

  125. }

  126. 

  127. func (ps *userPrivileges) ShowGrants() []string {

  128. 	gs := []string{}

  129. 	// Show global grants

  130. 	g := ps.GlobalPrivs.String()

  131. 	if len(g) > 0 {

  132. 		s := fmt.Sprintf(`GRANT %s ON *.* TO '%s'@'%s'`, g, ps.User, ps.Host)

  133. 		gs = append(gs, s)

  134. 	}

  135. 	// Show db scope grants

  136. 	for d, p := range ps.DBPrivs {

  137. 		g := p.String()

  138. 		if len(g) > 0 {

  139. 			s := fmt.Sprintf(`GRANT %s ON %s.* TO '%s'@'%s'`, g, d, ps.User, ps.Host)

  140. 			gs = append(gs, s)

  141. 		}

  142. 	}

  143. 	// Show table scope grants

  144. 	for d, dps := range ps.TablePrivs {

  145. 		for t, p := range dps {

  146. 			g := p.String()

  147. 			if len(g) > 0 {

  148. 				s := fmt.Sprintf(`GRANT %s ON %s.%s TO '%s'@'%s'`, g, d, t, ps.User, ps.Host)

  149. 				gs = append(gs, s)

  150. 			}

  151. 		}

  152. 	}

  153. 	return gs

  154. }

  155. 

  156. // UserPrivileges implements privilege.Checker interface.

  157. // This is used to check privilege for the current user.

  158. type UserPrivileges struct {

  159. 	User  string

  160. 	privs *userPrivileges

  161. }

  162. 

  163. // Check implements Checker.Check interface.

  164. func (p *UserPrivileges) Check(ctx context.Context, db *model.DBInfo, tbl *model.TableInfo, privilege mysql.PrivilegeType) (bool, error) {

  165. 	if p.privs == nil {

  166. 		// Lazy load

  167. 		if len(p.User) == 0 {

  168. 			// User current user

  169. 			p.User = variable.GetSessionVars(ctx).User

  170. 			if len(p.User) == 0 {

  171. 				// In embedded db mode, user does not need to login. So we do not have username.

  172. 				// TODO: remove this check latter.

  173. 				return true, nil

  174. 			}

  175. 		}

  176. 		err := p.loadPrivileges(ctx)

  177. 		if err != nil {

  178. 			return false, errors.Trace(err)

  179. 		}

  180. 	}

  181. 	// Check global scope privileges.

  182. 	ok := p.privs.GlobalPrivs.contain(privilege)

  183. 	if ok {

  184. 		return true, nil

  185. 	}

  186. 	// Check db scope privileges.

  187. 	dbp, ok := p.privs.DBPrivs[db.Name.O]

  188. 	if ok {

  189. 		ok = dbp.contain(privilege)

  190. 		if ok {

  191. 			return true, nil

  192. 		}

  193. 	}

  194. 	if tbl == nil {

  195. 		return false, nil

  196. 	}

  197. 	// Check table scope privileges.

  198. 	dbTbl, ok := p.privs.TablePrivs[db.Name.O]

  199. 	if !ok {

  200. 		return false, nil

  201. 	}

  202. 	tblp, ok := dbTbl[tbl.Name.O]

  203. 	if !ok {

  204. 		return false, nil

  205. 	}

  206. 	return tblp.contain(privilege), nil

  207. }

  208. 

  209. func (p *UserPrivileges) loadPrivileges(ctx context.Context) error {

  210. 	strs := strings.Split(p.User, "@")

  211. 	if len(strs) != 2 {

  212. 		return errors.Errorf("Wrong username format: %s", p.User)

  213. 	}

  214. 	username, host := strs[0], strs[1]

  215. 	p.privs = &userPrivileges{

  216. 		User: username,

  217. 		Host: host,

  218. 	}

  219. 	// Load privileges from mysql.User/DB/Table_privs/Column_privs table

  220. 	err := p.loadGlobalPrivileges(ctx)

  221. 	if err != nil {

  222. 		return errors.Trace(err)

  223. 	}

  224. 	err = p.loadDBScopePrivileges(ctx)

  225. 	if err != nil {

  226. 		return errors.Trace(err)

  227. 	}

  228. 	err = p.loadTableScopePrivileges(ctx)

  229. 	if err != nil {

  230. 		return errors.Trace(err)

  231. 	}

  232. 	// TODO: consider column scope privilege latter.

  233. 	return nil

  234. }

  235. 

  236. // mysql.User/mysql.DB table privilege columns start from index 3.

  237. // See: booststrap.go CreateUserTable/CreateDBPrivTable

  238. const userTablePrivColumnStartIndex = 3

  239. const dbTablePrivColumnStartIndex = 3

  240. 

  241. func (p *UserPrivileges) loadGlobalPrivileges(ctx context.Context) error {

  242. 	sql := fmt.Sprintf(`SELECT * FROM %s.%s WHERE User="%s" AND (Host="%s" OR Host="%%");`,

  243. 		mysql.SystemDB, mysql.UserTable, p.privs.User, p.privs.Host)

  244. 	rs, err := ctx.(sqlexec.RestrictedSQLExecutor).ExecRestrictedSQL(ctx, sql)

  245. 	if err != nil {

  246. 		return errors.Trace(err)

  247. 	}

  248. 	defer rs.Close()

  249. 	ps := &privileges{Level: ast.GrantLevelGlobal}

  250. 	fs, err := rs.Fields()

  251. 	if err != nil {

  252. 		return errors.Trace(err)

  253. 	}

  254. 	for {

  255. 		row, err := rs.Next()

  256. 		if err != nil {

  257. 			return errors.Trace(err)

  258. 		}

  259. 		if row == nil {

  260. 			break

  261. 		}

  262. 		for i := userTablePrivColumnStartIndex; i < len(fs); i++ {

  263. 			d := row.Data[i]

  264. 			if d.Kind() != types.KindMysqlEnum {

  265. 				return errors.Errorf("Privilege should be mysql.Enum: %v(%T)", d, d)

  266. 			}

  267. 			ed := d.GetMysqlEnum()

  268. 			if ed.String() != "Y" {

  269. 				continue

  270. 			}

  271. 			f := fs[i]

  272. 			p, ok := mysql.Col2PrivType[f.ColumnAsName.O]

  273. 			if !ok {

  274. 				return errors.New("Unknown Privilege Type!")

  275. 			}

  276. 			ps.add(p)

  277. 		}

  278. 	}

  279. 	p.privs.GlobalPrivs = ps

  280. 	return nil

  281. }

  282. 

  283. func (p *UserPrivileges) loadDBScopePrivileges(ctx context.Context) error {

  284. 	sql := fmt.Sprintf(`SELECT * FROM %s.%s WHERE User="%s" AND (Host="%s" OR Host="%%");`,

  285. 		mysql.SystemDB, mysql.DBTable, p.privs.User, p.privs.Host)

  286. 	rs, err := ctx.(sqlexec.RestrictedSQLExecutor).ExecRestrictedSQL(ctx, sql)

  287. 	if err != nil {

  288. 		return errors.Trace(err)

  289. 	}

  290. 	defer rs.Close()

  291. 	ps := make(map[string]*privileges)

  292. 	fs, err := rs.Fields()

  293. 	if err != nil {

  294. 		return errors.Trace(err)

  295. 	}

  296. 	for {

  297. 		row, err := rs.Next()

  298. 		if err != nil {

  299. 			return errors.Trace(err)

  300. 		}

  301. 		if row == nil {

  302. 			break

  303. 		}

  304. 		// DB

  305. 		dbStr := row.Data[1].GetString()

  306. 		ps[dbStr] = &privileges{Level: ast.GrantLevelDB}

  307. 		for i := dbTablePrivColumnStartIndex; i < len(fs); i++ {

  308. 			d := row.Data[i]

  309. 			if d.Kind() != types.KindMysqlEnum {

  310. 				return errors.Errorf("Privilege should be mysql.Enum: %v(%T)", d, d)

  311. 			}

  312. 			ed := d.GetMysqlEnum()

  313. 			if ed.String() != "Y" {

  314. 				continue

  315. 			}

  316. 			f := fs[i]

  317. 			p, ok := mysql.Col2PrivType[f.ColumnAsName.O]

  318. 			if !ok {

  319. 				return errors.New("Unknown Privilege Type!")

  320. 			}

  321. 			ps[dbStr].add(p)

  322. 		}

  323. 	}

  324. 	p.privs.DBPrivs = ps

  325. 	return nil

  326. }

  327. 

  328. func (p *UserPrivileges) loadTableScopePrivileges(ctx context.Context) error {

  329. 	sql := fmt.Sprintf(`SELECT * FROM %s.%s WHERE User="%s" AND (Host="%s" OR Host="%%");`,

  330. 		mysql.SystemDB, mysql.TablePrivTable, p.privs.User, p.privs.Host)

  331. 	rs, err := ctx.(sqlexec.RestrictedSQLExecutor).ExecRestrictedSQL(ctx, sql)

  332. 	if err != nil {

  333. 		return errors.Trace(err)

  334. 	}

  335. 	defer rs.Close()

  336. 	ps := make(map[string]map[string]*privileges)

  337. 	for {

  338. 		row, err := rs.Next()

  339. 		if err != nil {

  340. 			return errors.Trace(err)

  341. 		}

  342. 		if row == nil {

  343. 			break

  344. 		}

  345. 		// DB

  346. 		dbStr := row.Data[1].GetString()

  347. 		// Table_name

  348. 		tblStr := row.Data[3].GetString()

  349. 		_, ok := ps[dbStr]

  350. 		if !ok {

  351. 			ps[dbStr] = make(map[string]*privileges)

  352. 		}

  353. 		ps[dbStr][tblStr] = &privileges{Level: ast.GrantLevelTable}

  354. 		// Table_priv

  355. 		tblPrivs := row.Data[6].GetMysqlSet()

  356. 		pvs := strings.Split(tblPrivs.Name, ",")

  357. 		for _, d := range pvs {

  358. 			p, ok := mysql.SetStr2Priv[d]

  359. 			if !ok {

  360. 				return errors.New("Unknown Privilege Type!")

  361. 			}

  362. 			ps[dbStr][tblStr].add(p)

  363. 		}

  364. 	}

  365. 	p.privs.TablePrivs = ps

  366. 	return nil

  367. }

  368. 

  369. // ShowGrants implements privilege.Checker ShowGrants interface.

  370. func (p *UserPrivileges) ShowGrants(ctx context.Context, user string) ([]string, error) {

  371. 	// If user is current user

  372. 	if user == p.User {

  373. 		return p.privs.ShowGrants(), nil

  374. 	}

  375. 	userp := &UserPrivileges{User: user}

  376. 	err := userp.loadPrivileges(ctx)

  377. 	if err != nil {

  378. 		return nil, errors.Trace(err)

  379. 	}

  380. 	return userp.privs.ShowGrants(), nil

  381. }