Service are not started if user permissions are inadequate.
Also cleaned up code and error messages.
This commit is contained in:
Markus Makela
@ -92,7 +92,7 @@ static void global_defaults();
|
|||||||
static void feedback_defaults();
|
static void feedback_defaults();
|
||||||
static void check_config_objects(CONFIG_CONTEXT *context);
|
static void check_config_objects(CONFIG_CONTEXT *context);
|
||||||
int config_truth_value(char *str);
|
int config_truth_value(char *str);
|
||||||
int internalService(char *router);
|
int isInternalService(char *router);
|
||||||
int config_get_ifaddr(unsigned char *output);
|
int config_get_ifaddr(unsigned char *output);
|
||||||
int config_get_release_string(char* release);
|
int config_get_release_string(char* release);
|
||||||
FEEDBACK_CONF * config_get_feedback_data();
|
FEEDBACK_CONF * config_get_feedback_data();
|
||||||
@ -898,7 +898,7 @@ process_config_context(CONFIG_CONTEXT *context)
|
|||||||
s = strtok_r(NULL, ",", &lasts);
|
s = strtok_r(NULL, ",", &lasts);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else if (servers == NULL && internalService(router) == 0)
|
else if (servers == NULL && isInternalService(router) == 0)
|
||||||
{
|
{
|
||||||
LOGIF(LE, (skygw_log_write_flush(
|
LOGIF(LE, (skygw_log_write_flush(
|
||||||
LOGFILE_ERROR,
|
LOGFILE_ERROR,
|
||||||
@ -1107,7 +1107,7 @@ process_config_context(CONFIG_CONTEXT *context)
|
|||||||
monitorAddUser(obj->element,
|
monitorAddUser(obj->element,
|
||||||
user,
|
user,
|
||||||
passwd);
|
passwd);
|
||||||
valid_monitor_permissions(obj->element);
|
check_monitor_permissions(obj->element);
|
||||||
}
|
}
|
||||||
else if (obj->element && user)
|
else if (obj->element && user)
|
||||||
{
|
{
|
||||||
@ -2231,7 +2231,7 @@ static char *InternalRouters[] = {
|
|||||||
* @return Non-zero if the router is in the InternalRouters table
|
* @return Non-zero if the router is in the InternalRouters table
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
internalService(char *router)
|
isInternalService(char *router)
|
||||||
{
|
{
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
|
|||||||
@ -2323,30 +2323,32 @@ int add_wildcard_users(USERS *users, char* name, char* host, char* password, cha
|
|||||||
* is logged.
|
* is logged.
|
||||||
* @param service Service to inspect
|
* @param service Service to inspect
|
||||||
*/
|
*/
|
||||||
void valid_service_permissions(SERVICE* service)
|
bool check_service_permissions(SERVICE* service)
|
||||||
{
|
{
|
||||||
MYSQL* mysql;
|
MYSQL* mysql;
|
||||||
MYSQL_RES* res;
|
MYSQL_RES* res;
|
||||||
char *user,*password,*dpasswd;
|
char *user,*password,*dpasswd;
|
||||||
SERVER_REF* server;
|
SERVER_REF* server;
|
||||||
int conn_timeout = 1;
|
int conn_timeout = 1;
|
||||||
|
bool rval = true;
|
||||||
|
|
||||||
if(internalService(service->routerModule))
|
if(isInternalService(service->routerModule))
|
||||||
return;
|
return true;
|
||||||
|
|
||||||
if(service->dbref == NULL)
|
if(service->dbref == NULL)
|
||||||
{
|
{
|
||||||
skygw_log_write(LE,"[%s] Error: Service is missing the servers parameter.",service->name);
|
skygw_log_write(LE,"%s: Error: Service is missing the servers parameter.",service->name);
|
||||||
return;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
server = service->dbref;
|
server = service->dbref;
|
||||||
|
|
||||||
if (serviceGetUser(service, &user, &password) == 0)
|
if (serviceGetUser(service, &user, &password) == 0)
|
||||||
{
|
{
|
||||||
skygw_log_write(LE,"[%s] Error: Service %s is missing the user credentials for authentication.",
|
skygw_log_write(LE,
|
||||||
__FUNCTION__,service->name);
|
"%s: Error: Service is missing the user credentials for authentication.",
|
||||||
return;
|
service->name);
|
||||||
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
dpasswd = decryptPassword(password);
|
dpasswd = decryptPassword(password);
|
||||||
@ -2355,7 +2357,7 @@ void valid_service_permissions(SERVICE* service)
|
|||||||
{
|
{
|
||||||
skygw_log_write(LE,"[%s] Error: MySQL connection initialization failed.",__FUNCTION__);
|
skygw_log_write(LE,"[%s] Error: MySQL connection initialization failed.",__FUNCTION__);
|
||||||
free(dpasswd);
|
free(dpasswd);
|
||||||
return;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
mysql_options(mysql,MYSQL_OPT_USE_REMOTE_CONNECTION,NULL);
|
mysql_options(mysql,MYSQL_OPT_USE_REMOTE_CONNECTION,NULL);
|
||||||
@ -2365,7 +2367,7 @@ void valid_service_permissions(SERVICE* service)
|
|||||||
|
|
||||||
if(mysql_real_connect(mysql,server->server->name,user,dpasswd,NULL,server->server->port,NULL,0) == NULL)
|
if(mysql_real_connect(mysql,server->server->name,user,dpasswd,NULL,server->server->port,NULL,0) == NULL)
|
||||||
{
|
{
|
||||||
skygw_log_write(LE,"[%s] Error: Failed to connect to server %s(%s:%d) when"
|
skygw_log_write(LE,"%s: Error: Failed to connect to server %s(%s:%d) when"
|
||||||
" checking authentication user credentials and permissions.",
|
" checking authentication user credentials and permissions.",
|
||||||
service->name,
|
service->name,
|
||||||
server->server->unique_name,
|
server->server->unique_name,
|
||||||
@ -2373,46 +2375,64 @@ void valid_service_permissions(SERVICE* service)
|
|||||||
server->server->port);
|
server->server->port);
|
||||||
mysql_close(mysql);
|
mysql_close(mysql);
|
||||||
free(dpasswd);
|
free(dpasswd);
|
||||||
return;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(mysql_query(mysql,"SELECT user, host, password,Select_priv FROM mysql.user limit 1") != 0)
|
if(mysql_query(mysql,"SELECT user, host, password,Select_priv FROM mysql.user limit 1") != 0)
|
||||||
{
|
{
|
||||||
if(mysql_errno(mysql) == ER_TABLEACCESS_DENIED_ERROR)
|
if(mysql_errno(mysql) == ER_TABLEACCESS_DENIED_ERROR)
|
||||||
{
|
{
|
||||||
skygw_log_write(LE,"[%s] Error: User '%s' is missing SELECT privileges on mysql.user table. MySQL error message: %s",
|
skygw_log_write(LE,"%s: Error: User '%s' is missing SELECT privileges"
|
||||||
|
" on mysql.user table. MySQL error message: %s",
|
||||||
service->name,user,mysql_error(mysql));
|
service->name,user,mysql_error(mysql));
|
||||||
|
rval = false;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
skygw_log_write(LE,"[%s] Error: Failed to query from mysql.user table. MySQL error message: %s",
|
skygw_log_write(LE,"%s: Error: Failed to query from mysql.user table."
|
||||||
|
" MySQL error message: %s",
|
||||||
service->name,mysql_error(mysql));
|
service->name,mysql_error(mysql));
|
||||||
}
|
}
|
||||||
mysql_close(mysql);
|
|
||||||
free(dpasswd);
|
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
mysql_free_result(mysql_use_result(mysql));
|
if((res = mysql_use_result(mysql)) == NULL)
|
||||||
|
{
|
||||||
|
skygw_log_write(LE,"%s: Error: Result retrieval failed when checking for"
|
||||||
|
" permissions to the mysql.user table: %s",
|
||||||
|
service->name,mysql_error(mysql));
|
||||||
|
mysql_close(mysql);
|
||||||
|
free(dpasswd);
|
||||||
|
return rval;
|
||||||
|
}
|
||||||
|
|
||||||
|
mysql_free_result(res);
|
||||||
|
|
||||||
if(mysql_query(mysql,"SELECT user, host, db FROM mysql.db limit 1") != 0)
|
if(mysql_query(mysql,"SELECT user, host, db FROM mysql.db limit 1") != 0)
|
||||||
{
|
{
|
||||||
if(mysql_errno(mysql) == ER_TABLEACCESS_DENIED_ERROR)
|
if(mysql_errno(mysql) == ER_TABLEACCESS_DENIED_ERROR)
|
||||||
{
|
{
|
||||||
skygw_log_write(LE,"[%s] Error: User '%s' is missing SELECT privileges on mysql.db table. MySQL error message: %s",
|
skygw_log_write(LE,"%s: Error: User '%s' is missing SELECT privileges on mysql.db table. MySQL error message: %s",
|
||||||
service->name,user,mysql_error(mysql));
|
service->name,user,mysql_error(mysql));
|
||||||
|
rval = false;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
skygw_log_write(LE,"[%s] Error: Failed to query from mysql.user table. MySQL error message: %s",
|
skygw_log_write(LE,"%s: Error: Failed to query from mysql.db table. MySQL error message: %s",
|
||||||
service->name,mysql_error(mysql));
|
service->name,mysql_error(mysql));
|
||||||
}
|
}
|
||||||
mysql_close(mysql);
|
|
||||||
free(dpasswd);
|
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
mysql_free_result(mysql_use_result(mysql));
|
if((res = mysql_use_result(mysql)) == NULL)
|
||||||
|
{
|
||||||
|
skygw_log_write(LE,"%s: Error: Result retrieval failed when checking for permissions to the mysql.db table: %s",
|
||||||
|
service->name,mysql_error(mysql));
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
mysql_free_result(res);
|
||||||
|
}
|
||||||
|
|
||||||
mysql_close(mysql);
|
mysql_close(mysql);
|
||||||
free(dpasswd);
|
free(dpasswd);
|
||||||
|
return rval;
|
||||||
}
|
}
|
||||||
@ -51,8 +51,6 @@ extern __thread log_info_t tls_log_info;
|
|||||||
static MONITOR *allMonitors = NULL;
|
static MONITOR *allMonitors = NULL;
|
||||||
static SPINLOCK monLock = SPINLOCK_INIT;
|
static SPINLOCK monLock = SPINLOCK_INIT;
|
||||||
|
|
||||||
void valid_monitor_permissions(MONITOR* monitor);
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Allocate a new monitor, load the associated module for the monitor
|
* Allocate a new monitor, load the associated module for the monitor
|
||||||
* and start execution on the monitor.
|
* and start execution on the monitor.
|
||||||
@ -458,13 +456,14 @@ int *data;
|
|||||||
* this checks for REPLICATION CLIENT permissions
|
* this checks for REPLICATION CLIENT permissions
|
||||||
* @param service Monitor to inspect
|
* @param service Monitor to inspect
|
||||||
*/
|
*/
|
||||||
void valid_monitor_permissions(MONITOR* monitor)
|
bool check_monitor_permissions(MONITOR* monitor)
|
||||||
{
|
{
|
||||||
MYSQL* mysql;
|
MYSQL* mysql;
|
||||||
MYSQL_RES* res;
|
MYSQL_RES* res;
|
||||||
char *user,*dpasswd;
|
char *user,*dpasswd;
|
||||||
SERVER* server;
|
SERVER* server;
|
||||||
int conn_timeout = 1;
|
int conn_timeout = 1;
|
||||||
|
bool rval = true;
|
||||||
|
|
||||||
user = monitor->user;
|
user = monitor->user;
|
||||||
dpasswd = decryptPassword(monitor->password);
|
dpasswd = decryptPassword(monitor->password);
|
||||||
@ -473,7 +472,7 @@ void valid_monitor_permissions(MONITOR* monitor)
|
|||||||
{
|
{
|
||||||
skygw_log_write(LE,"[%s] Error: MySQL connection initialization failed.",__FUNCTION__);
|
skygw_log_write(LE,"[%s] Error: MySQL connection initialization failed.",__FUNCTION__);
|
||||||
free(dpasswd);
|
free(dpasswd);
|
||||||
return;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
server = monitor->databases->server;
|
server = monitor->databases->server;
|
||||||
@ -484,7 +483,7 @@ void valid_monitor_permissions(MONITOR* monitor)
|
|||||||
* user permissions. */
|
* user permissions. */
|
||||||
if(mysql_real_connect(mysql,server->name,user,dpasswd,NULL,server->port,NULL,0) == NULL)
|
if(mysql_real_connect(mysql,server->name,user,dpasswd,NULL,server->port,NULL,0) == NULL)
|
||||||
{
|
{
|
||||||
skygw_log_write(LE,"[%s] Error: Failed to connect to server %s(%s:%d) when"
|
skygw_log_write(LE,"%s: Error: Failed to connect to server %s(%s:%d) when"
|
||||||
" checking monitor user credentials and permissions.",
|
" checking monitor user credentials and permissions.",
|
||||||
monitor->name,
|
monitor->name,
|
||||||
server->unique_name,
|
server->unique_name,
|
||||||
@ -492,27 +491,36 @@ void valid_monitor_permissions(MONITOR* monitor)
|
|||||||
server->port);
|
server->port);
|
||||||
mysql_close(mysql);
|
mysql_close(mysql);
|
||||||
free(dpasswd);
|
free(dpasswd);
|
||||||
return;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(mysql_query(mysql,"show slave status") != 0)
|
if(mysql_query(mysql,"show slave status") != 0)
|
||||||
{
|
{
|
||||||
if(mysql_errno(mysql) == ER_SPECIFIC_ACCESS_DENIED_ERROR)
|
if(mysql_errno(mysql) == ER_SPECIFIC_ACCESS_DENIED_ERROR)
|
||||||
{
|
{
|
||||||
skygw_log_write(LE,"[%s] Error: User '%s' is missing REPLICATION CLIENT privileges. MySQL error message: %s",
|
skygw_log_write(LE,"%s: Error: User '%s' is missing REPLICATION CLIENT privileges. MySQL error message: %s",
|
||||||
monitor->name,mysql_error(mysql));
|
monitor->name,mysql_error(mysql));
|
||||||
|
rval = false;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
skygw_log_write(LE,"[%s] Error: Monitor failed to query for slave status. MySQL error message: %s",
|
skygw_log_write(LE,"%s: Error: Monitor failed to query for slave status. MySQL error message: %s",
|
||||||
monitor->name,mysql_error(mysql));
|
monitor->name,mysql_error(mysql));
|
||||||
}
|
}
|
||||||
mysql_close(mysql);
|
|
||||||
free(dpasswd);
|
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
else
|
||||||
mysql_free_result(mysql_use_result(mysql));
|
{
|
||||||
|
if((res = mysql_use_result(mysql)) == NULL)
|
||||||
|
{
|
||||||
|
skygw_log_write(LE,"%s: Error: Result retrieval failed when checking for REPLICATION CLIENT permissions: %s",
|
||||||
|
monitor->name,mysql_error(mysql));
|
||||||
|
free(dpasswd);
|
||||||
|
mysql_close(mysql);
|
||||||
|
return rval;
|
||||||
|
}
|
||||||
|
mysql_free_result(res);
|
||||||
|
}
|
||||||
mysql_close(mysql);
|
mysql_close(mysql);
|
||||||
free(dpasswd);
|
free(dpasswd);
|
||||||
|
return rval;
|
||||||
}
|
}
|
||||||
@ -417,6 +417,16 @@ serviceStart(SERVICE *service)
|
|||||||
SERV_PROTOCOL *port;
|
SERV_PROTOCOL *port;
|
||||||
int listeners = 0;
|
int listeners = 0;
|
||||||
|
|
||||||
|
|
||||||
|
if(!check_service_permissions(service))
|
||||||
|
{
|
||||||
|
skygw_log_write_flush(LE,
|
||||||
|
"%s: Inadequate user permissions for service. Service not started.",
|
||||||
|
service->name);
|
||||||
|
service->state = SERVICE_STATE_FAILED;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
if(service->ssl_mode != SSL_DISABLED)
|
if(service->ssl_mode != SSL_DISABLED)
|
||||||
{
|
{
|
||||||
if(serviceInitSSL(service) != 0)
|
if(serviceInitSSL(service) != 0)
|
||||||
@ -438,8 +448,6 @@ if(service->ssl_mode != SSL_DISABLED)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
valid_service_permissions(service);
|
|
||||||
|
|
||||||
port = service->ports;
|
port = service->ports;
|
||||||
while (!service->svc_do_shutdown && port)
|
while (!service->svc_do_shutdown && port)
|
||||||
{
|
{
|
||||||
|
|||||||
@ -68,5 +68,5 @@ extern char *mysql_users_fetch(USERS *users, MYSQL_USER_HOST *key);
|
|||||||
extern int replace_mysql_users(SERVICE *service);
|
extern int replace_mysql_users(SERVICE *service);
|
||||||
extern int dbusers_save(USERS *, char *);
|
extern int dbusers_save(USERS *, char *);
|
||||||
extern int dbusers_load(USERS *, char *);
|
extern int dbusers_load(USERS *, char *);
|
||||||
void valid_service_permissions(SERVICE* service);
|
bool check_service_permissions(SERVICE* service);
|
||||||
#endif
|
#endif
|
||||||
|
|||||||
@ -146,5 +146,5 @@ void config_enable_feedback_task(void);
|
|||||||
void config_disable_feedback_task(void);
|
void config_disable_feedback_task(void);
|
||||||
unsigned long config_get_gateway_id(void);
|
unsigned long config_get_gateway_id(void);
|
||||||
GATEWAY_CONF* config_get_global_options();
|
GATEWAY_CONF* config_get_global_options();
|
||||||
int internalService(char *router);
|
int isInternalService(char *router);
|
||||||
#endif
|
#endif
|
||||||
|
|||||||
@ -169,5 +169,5 @@ extern void monitorList(DCB *);
|
|||||||
extern void monitorSetInterval (MONITOR *, unsigned long);
|
extern void monitorSetInterval (MONITOR *, unsigned long);
|
||||||
extern void monitorSetNetworkTimeout(MONITOR *, int, int);
|
extern void monitorSetNetworkTimeout(MONITOR *, int, int);
|
||||||
extern RESULTSET *monitorGetList();
|
extern RESULTSET *monitorGetList();
|
||||||
void valid_monitor_permissions(MONITOR* monitor);
|
bool check_monitor_permissions(MONITOR* monitor);
|
||||||
#endif
|
#endif
|
||||||
|
|||||||
Reference in New Issue
Block a user