hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MXS-2163 Add function for checking Clustrix table permissions

Browse Source
This commit is contained in:
Johan Wikman
2018-11-27 14:36:45 +02:00
parent 79db52c30e
commit 194e751fb2
1 changed files with 114 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

115
server/modules/authenticator/MySQLAuth/dbusers.cc
View File

@ -636,6 +636,76 @@ retblock:
return rc; return rc;
} }
/**
* @brief Check permissions for a particular table.
*
* @param mysql A valid MySQL connection.
* @param service The service in question.
* @param user The user in question.
* @param table The table whose permissions are checked.
* @param query The query using which the table permissions are checked.
* @param log_priority The priority using which a possible ER_TABLE_ACCESS_DENIED_ERROR
* should be logged.
*
* @return True if the table could accessed or if the priority is less than LOG_ERR,
* false otherwise.
*/
static bool check_table_permissions(MYSQL* mysql,
SERVICE* service,
const char* user,
const char* table,
const char* query,
int log_priority)
{
bool rval = true;
if (mxs_mysql_query(mysql, query) != 0)
{
if (mysql_errno(mysql) == ER_TABLEACCESS_DENIED_ERROR)
{
if (log_priority >= LOG_ERR)
{
rval = false;
}
MXS_LOG_MESSAGE(log_priority,
"[%s] User '%s' is missing SELECT privileges "
"on %s table. MySQL error message: %s",
service->name,
user,
table,
mysql_error(mysql));
}
else
{
MXS_ERROR("[%s] Failed to query from %s table."
" MySQL error message: %s",
service->name,
table,
mysql_error(mysql));
}
}
else
{
MYSQL_RES* res = mysql_use_result(mysql);
if (res == NULL)
{
MXS_ERROR("[%s] Result retrieval failed when checking for permissions to "
"the %s table: %s",
service->name,
table,
mysql_error(mysql));
}
else
{
mysql_free_result(res);
}
}
return rval;
}
/** /**
* @brief Check table permissions on MySQL/MariaDB server * @brief Check table permissions on MySQL/MariaDB server
* *
@ -784,6 +854,39 @@ static bool check_default_table_permissions(MYSQL* mysql,
return rval; return rval;
} }
/**
* @brief Check table permissions on a Clustrix server
*
* @return True if the table permissions are OK, false otherwise.
*/
static bool check_clustrix_table_permissions(MYSQL* mysql,
SERVICE* service,
SERVER* server,
const char* user)
{
bool rval = true;
if (!check_table_permissions(mysql, service, user,
"system.users",
"SELECT username, host, password FROM system.users LIMIT 1",
LOG_ERR))
{
rval = false;
}
if (!check_table_permissions(mysql, service, user,
"system.user_acl",
"SELECT privileges, role FROM system.user_acl LIMIT 1",
LOG_ERR))
{
rval = false;
}
// TODO: SHOW DATABASES privilege is not checked.
return rval;
}
/** /**
* @brief Check service permissions on one server * @brief Check service permissions on one server
* *
@ -838,7 +941,17 @@ static bool check_server_permissions(SERVICE* service,
mxs_mysql_update_server_version(mysql, server); mxs_mysql_update_server_version(mysql, server);
} }
bool rval = check_default_table_permissions(mysql, service, server, user); bool is_clustrix = (strcasestr(server->version_string, "clustrix") != nullptr);
bool rval = true;
if (is_clustrix)
{
rval = check_clustrix_table_permissions(mysql, service, server, user);
}
else
{
rval = check_default_table_permissions(mysql, service, server, user);
}
mysql_close(mysql); mysql_close(mysql);