hcq/oceanbase
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
88a8862b77508c40a37410ca8abccec90657e2ac
oceanbase/src/sql/resolver/dcl/ob_create_user_resolver.cpp

291 lines
14 KiB
C++
Raw Blame History

/**
* Copyright (c) 2021 OceanBase
* OceanBase CE is licensed under Mulan PubL v2.
* You can use this software according to the terms and conditions of the Mulan PubL v2.
* You may obtain a copy of Mulan PubL v2 at:
* http://license.coscl.org.cn/MulanPubL-2.0
* THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
* EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
* MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
* See the Mulan PubL v2 for more details.
*/
#define USING_LOG_PREFIX SQL_RESV
#include "sql/resolver/dcl/ob_create_user_resolver.h"
#include "sql/resolver/ddl/ob_database_resolver.h"
#include "sql/resolver/dcl/ob_set_password_resolver.h"
#include "sql/session/ob_sql_session_info.h"
#include "sql/parser/ob_item_type.h"
using namespace oceanbase::sql;
using namespace oceanbase::common;
using namespace oceanbase::share;
using namespace oceanbase::share::schema;
ObCreateUserResolver::ObCreateUserResolver(ObResolverParams& params) : ObDCLResolver(params)
{}
ObCreateUserResolver::~ObCreateUserResolver()
{}
int ObCreateUserResolver::resolve(const ParseNode& parse_tree)
{
int ret = OB_SUCCESS;
ObCreateUserStmt* create_user_stmt = NULL;
if (OB_UNLIKELY(share::is_oracle_mode() && 5 != parse_tree.num_child_) ||
OB_UNLIKELY(share::is_mysql_mode() && 4 != parse_tree.num_child_) ||
OB_UNLIKELY(T_CREATE_USER != parse_tree.type_)) {
ret = OB_INVALID_ARGUMENT;
LOG_WARN("expect 4 child in mysql mode and 5 child in oracle mode, create user type",
"actual_num",
parse_tree.num_child_,
"type",
parse_tree.type_,
K(ret));
} else if (OB_ISNULL(params_.session_info_) || OB_ISNULL(schema_checker_)) {
ret = OB_NOT_INIT;
LOG_WARN("Session info or schema checker should not be NULL", K(ret));
} else if (OB_ISNULL(create_user_stmt = create_stmt<ObCreateUserStmt>())) {
ret = OB_ALLOCATE_MEMORY_FAILED;
LOG_ERROR("Failed to create ObCreateUserStmt", K(ret));
} else {
stmt_ = create_user_stmt;
ParseNode* if_not_exist = const_cast<ParseNode*>(parse_tree.children_[0]);
ParseNode* users = const_cast<ParseNode*>(parse_tree.children_[1]);
ParseNode* require_info = const_cast<ParseNode*>(parse_tree.children_[2]);
ParseNode* resource_options = !share::is_oracle_mode() ? const_cast<ParseNode*>(parse_tree.children_[3]) : NULL;
ParseNode* profile = share::is_oracle_mode() ? const_cast<ParseNode*>(parse_tree.children_[3]) : NULL;
ParseNode* primary_zone = share::is_oracle_mode() ? const_cast<ParseNode*>(parse_tree.children_[4]) : NULL;
ParseNode* ssl_infos = NULL;
create_user_stmt->set_tenant_id(params_.session_info_->get_effective_tenant_id());
// resolve if_not_exists
if (OB_SUCC(ret)) {
if (NULL != if_not_exist) {
if (T_IF_NOT_EXISTS != if_not_exist->type_) {
ret = OB_INVALID_ARGUMENT;
LOG_WARN("invalid argument", K(if_not_exist->type_), K(ret));
} else {
create_user_stmt->set_if_not_exists(true);
}
}
}
// resolve users' specs
if (OB_FAIL(ret)) {
// bypass
} else if (OB_ISNULL(users) || OB_UNLIKELY(T_USERS != users->type_) || OB_UNLIKELY(users->num_child_ <= 0)) {
ret = OB_INVALID_ARGUMENT;
LOG_WARN("Create user ParseNode error", K(ret));
} else {
for (int i = 0; i < users->num_child_ && OB_SUCCESS == ret; ++i) {
ParseNode* user_pass = users->children_[i];
if (OB_ISNULL(user_pass)) {
ret = OB_ERR_PARSE_SQL;
LOG_WARN("The child of parseNode should not be NULL", K(ret), K(i));
} else if (4 != user_pass->num_child_) {
ret = OB_ERR_PARSE_SQL;
LOG_WARN("sql_parser parse user_identification error", K(ret));
} else if (OB_ISNULL(user_pass->children_[0])) {
ret = OB_INVALID_ARGUMENT;
LOG_WARN("Child 0 of user_pass should not be NULL", K(ret));
} else {
ObString user_name(user_pass->children_[0]->str_len_, user_pass->children_[0]->str_value_);
ObString host_name;
ObCollationType client_cs_type = session_info_->get_local_collation_connection();
if (user_pass->children_[0]->type_ != T_IDENT &&
OB_FAIL(ObSQLUtils::copy_and_convert_string_charset(
*allocator_, user_name, user_name, client_cs_type, CS_TYPE_UTF8MB4_BIN))) {
LOG_WARN(
"fail to convert user name to utf8", K(ret), K(user_name), KPHEX(user_name.ptr(), user_name.length()));
} else if (!session_info_->is_inner() && (0 == user_name.case_compare(OB_RESTORE_USER_NAME))) {
ret = OB_ERR_NO_PRIVILEGE;
LOG_WARN("__oceanbase_inner_restore_user is reserved", K(ret));
} else if (NULL == user_pass->children_[3]) {
host_name.assign_ptr(OB_DEFAULT_HOST_NAME, static_cast<int32_t>(STRLEN(OB_DEFAULT_HOST_NAME)));
} else {
host_name.assign_ptr(
user_pass->children_[3]->str_value_, static_cast<int32_t>(user_pass->children_[3]->str_len_));
}
ObString password;
ObString need_enc_str = ObString::make_string("NO");
if (user_name.empty()) {
ret = OB_CANNOT_USER;
LOG_WARN("user name is empty", K(ret));
ObString create_user = ObString::make_string("CREATE USER");
LOG_USER_ERROR(
OB_CANNOT_USER, create_user.length(), create_user.ptr(), host_name.length(), host_name.ptr());
} else if (OB_ISNULL(user_pass->children_[1])) {
password = ObString::make_string("");
// no enc
} else if (OB_ISNULL(user_pass->children_[2])) {
ret = OB_ERR_PARSE_SQL;
LOG_WARN("Child 2 of user_pass should not be NULL here", K(ret));
} else {
password.assign_ptr(
user_pass->children_[1]->str_value_, static_cast<int32_t>(user_pass->children_[1]->str_len_));
bool need_enc = (1 == user_pass->children_[2]->value_);
if (need_enc) {
need_enc_str = ObString::make_string("YES");
} else {
// no enc
if (!ObSetPasswordResolver::is_valid_mysql41_passwd(password)) {
ret = OB_ERR_PASSWORD_FORMAT;
LOG_WARN("Wrong password format", K(user_name), K(password), K(ret));
}
}
}
uint64_t profile_id = OB_INVALID_ID;
if (OB_SUCC(ret) && NULL != profile) {
ParseNode* profile_name = nullptr;
if (OB_UNLIKELY(profile->type_ != T_USER_PROFILE) || OB_UNLIKELY(profile->num_child_ != 1)) {
ret = OB_ERR_UNEXPECTED;
LOG_WARN("invalid type", K(ret), K(profile->type_), K(profile->num_child_));
} else if (OB_ISNULL(profile_name = profile->children_[0])) {
ret = OB_ERR_UNEXPECTED;
LOG_WARN("invalid profile name", K(ret));
} else if (profile_name->type_ == T_DEFAULT) {
profile_id = OB_INVALID_ID;
} else if (OB_FAIL(schema_checker_->get_profile_id(params_.session_info_->get_effective_tenant_id(),
ObString(profile_name->str_len_, profile_name->str_value_),
profile_id))) {
LOG_WARN("fail to get profile id", K(ret));
}
}
create_user_stmt->set_profile_id(profile_id); // profile id is valid only in oracle mode
if (OB_SUCC(ret)) {
if (!share::is_oracle_mode() && OB_FAIL(check_password_strength(password, user_name))) {
LOG_WARN("password don't satisfied current policy", K(ret));
} else if (share::is_oracle_mode() &&
OB_FAIL(check_oracle_password_strength(
params_.session_info_->get_effective_tenant_id(), profile_id, password, user_name))) {
LOG_WARN("fail to check password strength", K(ret));
}
}
if (OB_SUCC(ret)) {
if (user_name.length() > OB_MAX_USER_NAME_LENGTH) {
ret = OB_WRONG_USER_NAME_LENGTH;
LOG_USER_ERROR(OB_WRONG_USER_NAME_LENGTH, user_name.length(), user_name.ptr());
} else if (OB_FAIL(create_user_stmt->add_user(user_name, host_name, password, need_enc_str))) {
LOG_WARN("Failed to add user to ObCreateUserStmt", K(user_name), K(host_name), K(password), K(ret));
} else {
// do nothing
}
}
}
} // end of for
}
ObSSLType ssl_type = ObSSLType::SSL_TYPE_NOT_SPECIFIED;
ObString infos[static_cast<int32_t>(ObSSLSpecifiedType::SSL_SPEC_TYPE_MAX)] = {};
// resolve users' specs
if (OB_FAIL(ret)) {
// bypass
} else if (NULL == require_info) {
// bypass
} else if (OB_UNLIKELY(T_TLS_OPTIONS != require_info->type_) || OB_UNLIKELY(require_info->num_child_ != 1) ||
OB_ISNULL(ssl_infos = require_info->children_[0])) {
ret = OB_INVALID_ARGUMENT;
LOG_WARN(
"Create user ParseNode error", K(ret), K(require_info->type_), K(require_info->num_child_), KP(ssl_infos));
} else if (OB_UNLIKELY(ssl_infos->type_ < T_TLS_NONE && ssl_infos->type_ > T_TLS_SPECIFIED)) {
ret = OB_INVALID_ARGUMENT;
LOG_WARN("Create user ParseNode error", K(ret), K(ssl_infos->type_));
} else {
ssl_type =
static_cast<ObSSLType>(static_cast<int32_t>(ObSSLType::SSL_TYPE_NONE) + (ssl_infos->type_ - T_TLS_NONE));
if (ObSSLType::SSL_TYPE_SPECIFIED == ssl_type) {
ParseNode* specified_ssl_infos = NULL;
if (OB_UNLIKELY(ssl_infos->num_child_ != 1) || OB_ISNULL(specified_ssl_infos = ssl_infos->children_[0])) {
ret = OB_INVALID_ARGUMENT;
LOG_WARN("Create user ParseNode error", K(ret), K(ssl_infos->num_child_), KP(specified_ssl_infos));
} else {
bool check_repeat[static_cast<int32_t>(ObSSLSpecifiedType::SSL_SPEC_TYPE_MAX)] = {};
for (int i = 0; i < specified_ssl_infos->num_child_ && OB_SUCC(ret); ++i) {
ParseNode* ssl_info = specified_ssl_infos->children_[i];
if (OB_ISNULL(ssl_info)) {
ret = OB_ERR_PARSE_SQL;
LOG_WARN("The child of parseNode should not be NULL", K(ret), K(i));
} else if (OB_UNLIKELY(ssl_info->num_child_ != 1)) {
ret = OB_ERR_PARSE_SQL;
LOG_WARN("The num_child_is error", K(ret), K(i), K(ssl_info->num_child_));
} else if (OB_UNLIKELY(check_repeat[ssl_info->type_ - T_TLS_CIPHER])) {
ret = OB_ERR_DUP_ARGUMENT;
LOG_WARN("Option used twice in statement", K(ret), K(ssl_info->type_));
LOG_USER_ERROR(OB_ERR_DUP_ARGUMENT,
get_ssl_spec_type_str(static_cast<ObSSLSpecifiedType>(ssl_info->type_ - T_TLS_CIPHER)));
} else {
check_repeat[ssl_info->type_ - T_TLS_CIPHER] = true;
infos[ssl_info->type_ - T_TLS_CIPHER].assign_ptr(
ssl_info->children_[0]->str_value_, ssl_info->children_[0]->str_len_);
}
}
}
}
}
if (OB_SUCC(ret) && OB_NOT_NULL(primary_zone)) {
if (T_PRIMARY_ZONE != primary_zone->type_ || NULL == primary_zone->children_ || primary_zone->num_child_ != 1) {
ret = common::OB_INVALID_ARGUMENT;
LOG_WARN("invalid primary_zone argument", K(ret), "num_child", primary_zone->num_child_);
} else if (OB_FAIL(ObDatabaseResolver<ObCreateUserStmt>::resolve_primary_zone(
create_user_stmt, primary_zone->children_[0]))) {
LOG_WARN("fail to resolve primary zone", K(ret));
}
}
if (OB_SUCC(ret)) {
if (OB_FAIL(create_user_stmt->add_ssl_info(get_ssl_type_string(ssl_type),
infos[static_cast<int32_t>(ObSSLSpecifiedType::SSL_SPEC_TYPE_CIPHER)],
infos[static_cast<int32_t>(ObSSLSpecifiedType::SSL_SPEC_TYPE_ISSUER)],
infos[static_cast<int32_t>(ObSSLSpecifiedType::SSL_SPEC_TYPE_SUBJECT)]))) {
LOG_WARN("Failed to add_ssl_info",
K(ssl_type),
"CIPHER",
infos[static_cast<int32_t>(ObSSLSpecifiedType::SSL_SPEC_TYPE_CIPHER)],
"ISSUER",
infos[static_cast<int32_t>(ObSSLSpecifiedType::SSL_SPEC_TYPE_ISSUER)],
"SUBJECT",
infos[static_cast<int32_t>(ObSSLSpecifiedType::SSL_SPEC_TYPE_SUBJECT)],
K(ret));
}
}
if (OB_SUCC(ret) && NULL != resource_options) {
if (T_USER_RESOURCE_OPTIONS != resource_options->type_
|| OB_ISNULL(resource_options->children_)) {
ret = common::OB_INVALID_ARGUMENT;
LOG_WARN(
"invalid resource options argument", K(ret), K(resource_options->type_), K(resource_options->children_));
} else {
for (int64_t i = 0; i < resource_options->num_child_; i++) {
ParseNode* res_option = resource_options->children_[i];
if (OB_ISNULL(res_option)) {
ret = common::OB_INVALID_ARGUMENT;
LOG_WARN("null res option", K(ret), K(i));
} else if (T_MAX_CONNECTIONS_PER_HOUR == res_option->type_) {
uint64_t max_connections_per_hour = static_cast<uint64_t>(res_option->value_);
max_connections_per_hour = max_connections_per_hour > MAX_CONNECTIONS ? MAX_CONNECTIONS
: max_connections_per_hour;
create_user_stmt->set_max_connections_per_hour(max_connections_per_hour);
} else if (T_MAX_USER_CONNECTIONS == res_option->type_) {
uint64_t max_user_connections = static_cast<uint64_t>(res_option->value_);
max_user_connections = max_user_connections > MAX_CONNECTIONS ? MAX_CONNECTIONS
: max_user_connections;
create_user_stmt->set_max_user_connections(max_user_connections);
}
}
}
}
if (OB_SUCC(ret) && ObSchemaChecker::is_ora_priv_check()) {
OZ(schema_checker_->check_ora_ddl_priv(session_info_->get_effective_tenant_id(),
session_info_->get_priv_user_id(),
ObString(""),
stmt::T_CREATE_USER,
session_info_->get_enable_role_array()),
session_info_->get_effective_tenant_id(),
session_info_->get_user_id());
}
}
return ret;
}
Reference in New Issue View Git Blame Copy Permalink