Rahul Sisondia authored
Description
===========
This worklog introduces the following
- A dynamic privilege 'SYSTEM_USER'. The users who will have this privilege can be modified only through the users who will have the same privilege.
- Security_context class is extended so that it can have privilege related checks.
- It will be possible to revoke the privileges from a user on specific databases if the user has global level grant. This feature will be controlled by the system variable 'partial_revoke'. The system variable cannot be turned off as long as there exists one partial revoke.
- Partial revokes are created in the user_attributes column of the mysql.user table.
- Database restrictions are represented by class DB_restrictions
- Aggregations of restrictions are done by the object from family of 'Restrictions_aggregator' interface.
- Overall restrictions in authorization system will be represented by the 'Restrictions' class.
- Please refer to the UML diagrams in low level design section of the worklog for more details
- Not directly related :
  - A few method definitions from the Security_context class are made inline explicitly and some of them are moved to source files. This was done to de-clutter the class declarations.
  - Role_id class is renamed as Auth_id so that it can represent both Roles and Non-roles Auth_ids.
  - A class that manages MEM_ROOT is added in the auth_util.h
  - Security_context class now has MEM_ROOT based constructor.

Review
======
RB#21117
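An added example, not part of the commit or of the project's own tests: how the partial-revoke and SYSTEM_USER behaviour described in the message looks from an administrator's session. It assumes a released MySQL 8.0 server, where the system variable is named `partial_revokes`; the account names, the `sales` schema and the passwords are constructed placeholders.

```sql
-- Run as an administrative account that holds SYSTEM_USER (e.g. root).

-- 1. Enable the feature. Without it, REVOKE on a schema fails when the
--    account only has a global (*.*) grant.
SET PERSIST partial_revokes = ON;

-- 2. Global read access, minus the grant tables: a least-privilege
--    pattern that schema-level revokes make possible.
CREATE USER 'report_ro'@'localhost' IDENTIFIED BY '<placeholder-password>';
GRANT SELECT ON *.* TO 'report_ro'@'localhost';
REVOKE SELECT ON mysql.* FROM 'report_ro'@'localhost';
REVOKE SELECT ON sales.* FROM 'report_ro'@'localhost';

-- 3. Audit: the restrictions appear as REVOKE lines in SHOW GRANTS and are
--    stored as a "Restrictions" entry in mysql.user.User_attributes.
SHOW GRANTS FOR 'report_ro'@'localhost';
SELECT User, Host, User_attributes
  FROM mysql.user
 WHERE User = 'report_ro';

-- 4. Inventory every account that currently carries a partial revoke.
--    Review this list before changing the variable.
SELECT User, Host
  FROM mysql.user
 WHERE JSON_CONTAINS_PATH(User_attributes, 'one', '$.Restrictions');

-- 5. This statement is rejected while any row from step 4 exists:
--    the variable cannot be turned off as long as a partial revoke remains.
SET PERSIST partial_revokes = OFF;

-- 6. SYSTEM_USER separation. 'helpdesk' can manage ordinary accounts,
--    but not accounts that hold SYSTEM_USER.
CREATE USER 'dba'@'localhost' IDENTIFIED BY '<placeholder-password>';
GRANT SYSTEM_USER ON *.* TO 'dba'@'localhost';

CREATE USER 'helpdesk'@'localhost' IDENTIFIED BY '<placeholder-password>';
GRANT CREATE USER ON *.* TO 'helpdesk'@'localhost';

-- In a session authenticated as 'helpdesk'@'localhost', the next statement
-- is denied because the target holds SYSTEM_USER and the caller does not:
--   ALTER USER 'dba'@'localhost' IDENTIFIED BY '<placeholder-password>';

-- 7. Audit which accounts hold SYSTEM_USER (dynamic privileges are stored
--    in mysql.global_grants).
SELECT USER, HOST FROM mysql.global_grants WHERE PRIV = 'SYSTEM_USER';
```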