#pragma once /* * Copyright (c) 2016 MariaDB Corporation Ab * * Use of this software is governed by the Business Source License included * in the LICENSE.TXT file and at www.mariadb.com/bsl11. * * Change Date: 2023-01-01 * * On the date above, in accordance with the Business Source License, use * of this software will be governed by version 2 or later of the General * Public License. */ /** * @file adminusers.h - Administration users support routines */ #include #include #include MXS_BEGIN_DECLS /* Max length of fields in for admin users */ #define ADMIN_USER_MAXLEN 128 #define ADMIN_PASSWORD_MAXLEN 128 /** Default user for the administrative interface */ #define DEFAULT_ADMIN_USER "@DEFAULT_ADMIN_USER@" static const char INET_DEFAULT_USERNAME[] = "admin"; static const char INET_DEFAULT_PASSWORD[] = "mariadb"; /** Return values for the functions */ static const char *ADMIN_ERR_NOMEM = "Out of memory"; static const char *ADMIN_ERR_FILEOPEN = "Unable to create password file"; static const char *ADMIN_ERR_DUPLICATE = "Duplicate username specified"; static const char *ADMIN_ERR_USERNOTFOUND = "User not found"; static const char *ADMIN_ERR_AUTHENTICATION = "Authentication failed"; static const char *ADMIN_ERR_FILEAPPEND = "Unable to append to password file"; static const char *ADMIN_ERR_PWDFILEOPEN = "Failed to open password file"; static const char *ADMIN_ERR_TMPFILEOPEN = "Failed to open temporary password file"; static const char *ADMIN_ERR_PWDFILEACCESS = "Failed to access password file"; static const char *ADMIN_ERR_DELLASTUSER = "Deleting the last user is forbidden"; static const char *ADMIN_ERR_DELROOT = "Deleting the default admin user is forbidden"; static const char *ADMIN_SUCCESS = NULL; /** User types */ enum user_type { USER_TYPE_ALL, // Type that matches all users USER_TYPE_INET, // Network users USER_TYPE_UNIX // Linux accounts }; /* * MySQL session specific data * */ typedef struct admin_session { char user[ADMIN_USER_MAXLEN + 1]; /*< username */ bool validated; /* Was user validated? */ } ADMIN_session; void admin_users_init(); const char* admin_enable_linux_account(const char *uname, enum user_account_type type); const char* admin_disable_linux_account(const char *uname); bool admin_linux_account_enabled(const char *uname); const char* admin_add_inet_user(const char *uname, const char *password, enum user_account_type type); const char* admin_remove_inet_user(const char* uname); bool admin_inet_user_exists(const char *uname); bool admin_verify_inet_user(const char *uname, const char *password); bool admin_user_is_inet_admin(const char* username, const char *password); bool admin_user_is_unix_admin(const char* username); bool admin_have_admin(); bool admin_is_last_admin(const char* user); /** * @brief Convert all admin users to JSON * * @param host Hostname of this server * @param type USER_TYPE_INET for networks users, USER_TYPE_UNIX for unix accounts * or USER_TYPE_ALL for all users * * @return Collection of users resources */ json_t* admin_all_users_to_json(const char* host, enum user_type type); /** * @brief Convert an admin user into JSON * * @param host Hostname of this server * @param user Username to convert * @param type The type of user, either USER_TYPE_INET or USER_TYPE_UNIX * * @return The user converted to JSON */ json_t* admin_user_to_json(const char* host, const char* user, enum user_type type); /** * Check if user credentials are accepted by any of the configured REST API PAM services. By default, both * the read-only and read-write services are attempted. * * @param username Username * @param password Password * @param min_acc_type Minimum account type required. If BASIC, authentication succeeds if * either read-only or readwrite service succeeds. If ADMIN, only the readwrite service is attempted. * @return True if user & password logged in successfully */ bool admin_user_is_pam_account(const std::string& username, const std::string& password, user_account_type min_acc_type = USER_ACCOUNT_BASIC); void dcb_PrintAdminUsers(DCB *dcb); MXS_END_DECLS