MXS-1167: Skip permission checks for internal services

If a server points to a local MaxScale listener, the permission checks for that server are skipped. This allows permission checks to be used with a mix of external servers and internal services.
2017-03-17 07:48:59 +02:00 · 2017-03-17 07:48:59 +02:00 · 0b5d164855
commit 0b5d164855
parent 2e6e8574a4
5 changed files with 63 additions and 1 deletions
--- a/include/maxscale/server.h
+++ b/include/maxscale/server.h
@ -254,6 +254,14 @@ void server_add_parameter(SERVER *server, const char *name, const char *value);
 */
 bool server_remove_parameter(SERVER *server, const char *name);

+/**
+ * @brief Check if a server points to a local MaxScale service
+ *
+ * @param server Server to check
+ * @return True if the server points to a local MaxScale service
+ */
+bool server_is_mxs_service(const SERVER *server);
+
 extern int server_free(SERVER *server);
 extern SERVER *server_find_by_unique_name(const char *name);
 extern SERVER *server_find(const char *servname, unsigned short port);
--- a/include/maxscale/service.h
+++ b/include/maxscale/service.h
@ -241,6 +241,14 @@ bool serviceHasBackend(SERVICE *service, SERVER *server);
 bool serviceHasListener(SERVICE *service, const char *protocol,
                        const char* address, unsigned short port);

+/**
+ * @brief Check if a MaxScale service listens on a port
+ *
+ * @param port The port to check
+ * @return True if a MaxScale service uses the port
+ */
+bool service_port_is_used(unsigned short port);
+
 int   serviceGetUser(SERVICE *service, char **user, char **auth);
 int   serviceSetUser(SERVICE *service, char *user, char *auth);
 bool  serviceSetFilters(SERVICE *service, char *filters);
--- a/server/core/server.c
+++ b/server/core/server.c
@ -1341,3 +1341,22 @@ void server_clear_status(SERVER *server, int bit)
    }
    spinlock_release(&server->lock);
 }
+
+bool server_is_mxs_service(const SERVER *server)
+{
+    bool rval = false;
+
+    /** Do a coarse check for local server pointing to a MaxScale service */
+    if (strcmp(server->name, "127.0.0.1") == 0 ||
+        strcmp(server->name, "::1") == 0 ||
+        strcmp(server->name, "localhost") == 0 ||
+        strcmp(server->name, "localhost.localdomain") == 0)
+    {
+        if (service_port_is_used(server->port))
+        {
+            rval = true;
+        }
+    }
+
+    return rval;
+}
--- a/server/core/service.c
+++ b/server/core/service.c
@ -2296,3 +2296,29 @@ void service_print_users(DCB *dcb, const SERVICE *service)
        }
    }
 }
+
+bool service_port_is_used(unsigned short port)
+{
+    bool rval = false;
+    spinlock_acquire(&service_spin);
+
+    for (SERVICE *service = allServices; service && !rval; service = service->next)
+    {
+        spinlock_acquire(&service->spin);
+
+        for (SERV_LISTENER *proto = service->ports; proto; proto = proto->next)
+        {
+            if (proto->port == port)
+            {
+                rval = true;
+                break;
+            }
+        }
+
+        spinlock_release(&service->spin);
+    }
+
+    spinlock_release(&service_spin);
+
+    return rval;
+}
--- a/server/modules/authenticator/MySQLAuth/dbusers.c
+++ b/server/modules/authenticator/MySQLAuth/dbusers.c
@ -635,7 +635,8 @@ bool check_service_permissions(SERVICE* service)

    for (SERVER_REF *server = service->dbref; server; server = server->next)
    {
-        if (check_server_permissions(service, server->server, user, dpasswd))
+        if (server_is_mxs_service(server->server) ||
+            check_server_permissions(service, server->server, user, dpasswd))
        {
            rval = true;
        }