# wb_admin_security_be  (MySQL Workbench administration back end, Python 2)
#
# What follows is the readable content recovered from a compiled byte-code
# (.pyc) dump of this module: string constants, names, and the few helpers
# whose bodies are short enough to read back.  Function bodies marked
# "not recoverable" are not reproduced.

# Imports (the source module names did not survive):
#   QueryError, escape_sql_string      -- from one helper module
#   PermissionDeniedError              -- from another helper module


class WBSecurityValidationError(Exception):
    pass


# ---------------------------------------------------------------------------
# Statement templates, in the order they appear in the dump.  Values are
# substituted with %-formatting after being passed through escape_sql_string().
# Names are given where they could be read; otherwise the template is listed
# with a comment describing its use.
# ---------------------------------------------------------------------------

LIST_ACCOUNTS_QUERY = "SELECT User, Host FROM mysql.user ORDER BY User"
LIST_SCHEMAS_QUERY = "SHOW DATABASES"

# per-account row from the grant table (constant name not readable)
"SELECT * FROM mysql.user WHERE User='%(user)s' AND Host='%(host)s'"

GET_ACCOUNT_SCHEMA_PRIVS_QUERY = "SELECT * FROM mysql.db WHERE User='%(user)s'"

# table-level privileges on the mysql schema itself (constant name not readable)
"SELECT * FROM mysql.tables_priv WHERE Host='%(host)s' AND User='%(user)s' AND Db='mysql'"

CREATE_USER_QUERY = "CREATE USER '%(user)s'@'%(host)s' IDENTIFIED BY '%(password)s'"
CREATE_USER_QUERY_PLUGIN_AUTH_STRING = "CREATE USER '%(user)s' IDENTIFIED WITH '%(auth_plugin)s' AS '%(auth_string)s'"
CREATE_USER_QUERY_PLUGIN = "CREATE USER '%(user)s' IDENTIFIED WITH '%(auth_plugin)s'"

GRANT_GLOBAL_PRIVILEGES_QUERY = "GRANT %(granted_privs)s ON *.* TO '%(user)s'@'%(host)s'"
REVOKE_GLOBAL_PRIVILEGES_QUERY = "REVOKE %(revoked_privs)s ON *.* FROM '%(user)s'@'%(host)s'"
GRANT_LIMITS_QUERY = "GRANT USAGE ON *.* TO '%(user)s'@'%(host)s' WITH %(limit)s"
RENAME_USER_QUERY = "RENAME USER '%(old_user)s'@'%(old_host)s' TO '%(user)s'@'%(host)s'"
CHANGE_PASSWORD_QUERY = "SET PASSWORD FOR '%(user)s'@'%(host)s' = PASSWORD('%(password)s')"
BLANK_PASSWORD_QUERY = "SET PASSWORD FOR '%(user)s'@'%(host)s' = ''"

# schema-level revoke / grant (constant names not readable)
"REVOKE %(revoked_privs)s ON %(db)s.* FROM '%(user)s'@'%(host)s'"
"GRANT %(granted_privs)s ON %(db)s.* TO '%(user)s'@'%(host)s'"

# password expiry (constant name not readable)
"ALTER USER '%(user)s'@'%(host)s' PASSWORD EXPIRE"

FLUSH_PRIVILEGES = "FLUSH PRIVILEGES"

# strip everything before dropping an account (constant name not readable)
"REVOKE ALL PRIVILEGES, GRANT OPTION FROM '%(user)s'@'%(host)s'"

REMOVE_USER = "DROP USER '%(user)s'@'%(host)s'"


# ---------------------------------------------------------------------------
# Global privileges: privilege name -> (description, mysql.user column).
# The descriptions are the MySQL reference-manual text of the time, verbatim.
# ---------------------------------------------------------------------------

PrivilegeInfo = {
    "SELECT": ("The SELECT privilege enables you to select rows from tables in a database. SELECT statements require the SELECT privilege only if they actually retrieve rows from a table. Some SELECT statements do not access tables and can be executed without permission for any database", "Select_priv"),
    "INSERT": ("The INSERT privilege enables rows to be inserted into tables in a database. INSERT is also required for the ANALYZE TABLE, OPTIMIZE TABLE, and REPAIR TABLE table-maintenance statements.", "Insert_priv"),
    "UPDATE": ("The UPDATE privilege enables rows to be updated in tables in a database.", "Update_priv"),
    "DELETE": ("The DELETE privilege enables rows to be deleted from tables in a database.", "Delete_priv"),
    "CREATE": ("The CREATE privilege enables creation of new databases and tables.", "Create_priv"),
    "DROP": ("The DROP privilege enables you to drop (remove) existing databases, tables, and views. Beginning with MySQL 5.1.10, the DROP privilege is also required in order to use the statement ALTER TABLE ... DROP PARTITION on a partitioned table. Beginning with MySQL 5.1.16, the DROP privilege is required for TRUNCATE TABLE (before that, TRUNCATE TABLE requires the DELETE privilege). If you grant the DROP privilege for the mysql database to a user, that user can drop the database in which the MySQL access privileges are stored.", "Drop_priv"),
    "RELOAD": ("The RELOAD privilege enables use of the FLUSH statement. It also enables mysqladmin commands that are equivalent to FLUSH operations: flush-hosts, flush-logs, flush-privileges, flush-status, flush-tables, flush-threads, refresh, and reload.", "Reload_priv"),
    "SHUTDOWN": ("The SHUTDOWN privilege enables use of the mysqladmin shutdown command. There is no corresponding SQL statement.", "Shutdown_priv"),
    "PROCESS": ("The PROCESS privilege pertains to display of information about the threads executing within the server (that is, information about the statements being executed by sessions). The privilege enables use of SHOW PROCESSLIST or mysqladmin processlist to see threads belonging to other accounts; you can always see your own threads.", "Process_priv"),
    "FILE": ("The FILE privilege gives you permission to read and write files on the server host using the LOAD DATA INFILE and SELECT ... INTO OUTFILE statements and the LOAD_FILE() function. A user who has the FILE privilege can read any file on the server host that is either world-readable or readable by the MySQL server. (This implies the user can read any file in any database directory, because the server can access any of those files.) The FILE privilege also enables the user to create new files in any directory where the MySQL server has write access. As a security measure, the server will not overwrite existing files.", "File_priv"),
    "GRANT OPTION": ("The GRANT OPTION privilege enables you to give to other users or remove from other users those privileges that you yourself possess.", "Grant_priv"),
    "REFERENCES": ("The REFERENCES privilege currently is unused.", "References_priv"),
    "INDEX": ("The INDEX privilege enables you to create or drop (remove) indexes. INDEX applies to existing tables. If you have the CREATE privilege for a table, you can include index definitions in the CREATE TABLE statement.", "Index_priv"),
    "ALTER": ("The ALTER privilege enables use of ALTER TABLE to change the structure of or rename tables. (ALTER TABLE also requires the INSERT and CREATE privileges.)", "Alter_priv"),
    "SHOW DATABASES": ("The SHOW DATABASES privilege enables the account to see database names by issuing the SHOW DATABASE statement. Accounts that do not have this privilege see only databases for which they have some privileges, and cannot use the statement at all if the server was started with the --skip-show-database option. Note that any global privilege is a privilege for the database.", "Show_db_priv"),
    "SUPER": ("The SUPER privilege enables an account to use CHANGE MASTER TO, KILL or mysqladmin kill to kill threads belonging to other accounts (you can always kill your own threads), PURGE BINARY LOGS, configuration changes via SET GLOBAL to modify global system variables, the mysqladmin debug command, enabling or disabling logging, performing updates even if the read_only system variable is enabled, starting and stopping replication on slave servers, and allows you to connect (once) even if the connection limit controlled by the max_connections system variable is reached.", "Super_priv"),
    "CREATE TEMPORARY TABLES": ("The CREATE TEMPORARY TABLES privilege enables the use of the keyword TEMPORARY in CREATE TABLE statements.", "Create_tmp_table_priv"),
    "LOCK TABLES": ("The LOCK TABLES privilege enables the use of explicit LOCK TABLES statements to lock tables for which you have the SELECT privilege. This includes the use of write locks, which prevents other sessions from reading the locked table.", "Lock_tables_priv"),
    "EXECUTE": ("The EXECUTE privilege is required to execute stored routines (procedures and functions).", "Execute_priv"),
    "REPLICATION SLAVE": ("The REPLICATION SLAVE privilege should be granted to accounts that are used by slave servers to connect to the current server as their master. Without this privilege, the slave cannot request updates that have been made to databases on the master server.", "Repl_slave_priv"),
    "REPLICATION CLIENT": ("The REPLICATION CLIENT privilege enables the use of SHOW MASTER STATUS and SHOW SLAVE STATUS", "Repl_client_priv"),
    "CREATE VIEW": ("The CREATE VIEW privilege enables use of CREATE VIEW.", "Create_view_priv"),
    "SHOW VIEW": ("The SHOW VIEW privilege enables use of SHOW CREATE VIEW.", "Show_view_priv"),
    "CREATE ROUTINE": ("The CREATE ROUTINE privilege is needed to create stored routines (procedures and functions).", "Create_routine_priv"),
    "ALTER ROUTINE": ("The ALTER ROUTINE privilege is needed to alter or drop stored routines (procedures and functions).", "Alter_routine_priv"),
    "CREATE USER": ("The CREATE USER privilege enables use of CREATE USER, DROP USER, RENAME USER, and REVOKE ALL PRIVILEGES.", "Create_user_priv"),
    "EVENT": ("The EVENT privilege is required to create, alter, or drop events for the Event Scheduler. This privilege was added in MySQL 5.1.6.", "Event_priv"),
    "TRIGGER": ("The TRIGGER privilege enables you to create and drop triggers. You must have this privilege for a table to create or drop triggers for that table. This privilege was added in MySQL 5.1.6. (Prior to MySQL 5.1.6, trigger operations required the SUPER privilege.)", "Trigger_priv"),
    "CREATE TABLESPACE": ("The CREATE TABLESPACE privilege is needed to create, alter, or drop tablespaces and log file groups.", "Create_tablespace_priv"),
    # Two pseudo-privileges that map to DML rights on mysql.* tables
    # (see AdminAttributes); their description strings are empty in the dump.
    "* Modify Routines": ("", "Routine_manage_attr"),
    "* Modify Access Control": ("", "User_manage_attr"),
}

# column name -> privilege name
PrivilegeReverseDict = dict((val[1], key) for key, val in PrivilegeInfo.iteritems())

# Pseudo-privileges implemented as table-level grants on the mysql schema:
#   attr -> (schema, tables, privileges, GRANT template, REVOKE template)
AdminAttributes = {
    "Routine_manage_attr": (
        "mysql",
        ["proc", "func", "event"],
        ["Insert", "Select", "Update", "Delete"],
        "GRANT INSERT, SELECT, UPDATE, DELETE ON TABLE mysql.%(table)s TO '%(user)s'@'%(host)s'",
        "REVOKE INSERT, SELECT, UPDATE, DELETE ON TABLE mysql.%(table)s FROM '%(user)s'@'%(host)s'",
    ),
    "User_manage_attr": (
        "mysql",
        ["columns_priv", "db", "host", "procs_priv", "tables_priv", "user"],
        ["Insert", "Select", "Update", "Delete"],
        "GRANT INSERT, SELECT, UPDATE, DELETE ON TABLE mysql.%(table)s TO '%(user)s'@'%(host)s'",
        "REVOKE INSERT, SELECT, UPDATE, DELETE ON TABLE mysql.%(table)s FROM '%(user)s'@'%(host)s'",
    ),
}

# Administrative roles offered by the UI: (role, description, [privileges]).
# The privilege lists are stored as constant-table indexes in the dump and
# could not be read back; "..." stands in for them.  DBA appears to take the
# whole of PrivilegeInfo.
SecurityAdminRoles = [
    ("DBA", "grants the rights to perform all tasks", ...),
    ("MaintenanceAdmin", "grants rights needed to maintain server", ...),
    ("ProcessAdmin", "rights needed to assess, monitor, and kill any user process running in server", ...),
    ("UserAdmin", "grants rights to create users logins and reset passwords", ...),
    ("SecurityAdmin", "rights to manage logins and grant and revoke server and database level permission", ...),
    ("MonitorAdmin", "minimum set of rights needed to monitor server", ...),
    ("DBManager", "grants full rights on all databases", ...),
    ("DBDesigner", "rights to create and reverse engineer any database schema", ...),
    ("ReplicationAdmin", "rights needed to setup and manage replication", ...),
    ("BackupAdmin", "minimal rights needed to backup any database", ...),
]


# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------

# def get_acl_sort(tup): body not recoverable.  Computes an ordering key over
#     the string fields of a (host, db) tuple; the only literals it uses are
#     '\\', '%' and '_', i.e. it ranks entries by where their first unescaped
#     wildcard appears, so more specific entries sort first (as MySQL orders
#     its grant tables).

# def acl_compare(t1, t2): compares get_acl_sort(t1) with get_acl_sort(t2).

def escape_schema_name(s):
    # Escape the wildcard characters that MySQL honours in database names of
    # GRANT statements and in the mysql.db Db column.
    return s.replace("\\", "\\\\").replace("_", "\\_").replace("%", "\\%")


# ---------------------------------------------------------------------------
# Classes (method bodies not recoverable; names and visible literals only)
# ---------------------------------------------------------------------------

# class AdminSecurity(object):
#     __init__(self, ctrl_be): sets ctrl_be, _accounts, _schema_names,
#         _account_info_cache, _schema_privileges_cache, has_plugin,
#         has_authentication_string, has_max_user_connections,
#         has_password_expired, schema_privilege_names,
#         global_privilege_names, user_table_fields
#     get_valid_privileges(self)
#     async_refresh(self, callback): runs "DESCRIBE mysql.db" and
#         "DESCRIBE mysql.user" to learn which *_priv columns and which of
#         max_user_connections / plugin / authentication_string /
#         password_expired exist on this server, then LIST_SCHEMAS_QUERY and
#         LIST_ACCOUNTS_QUERY.  A QueryError with code 1142 becomes
#         PermissionDeniedError("Please make sure the used account has rights
#         to the MySQL grant tables. %s"); other failures raise
#         "Error querying privilege information: %s".
#     schema_names, escaped_schema_names, account_names  (properties)
#     delete_account(self, account): "use mysql" then REMOVE_USER; error 1142
#         reports "You must have the global CREATE USER privilege or the
#         DELETE privilege for the mysql database".
#     revert_account(self, account)
#     copy_account(self, account): new username is "<name>_copy"
#     create_account(self): new username is "newuser", "newuser1", ...
#     async_get_account(self, callback, name, host)
#     revert_user_schema_privs(self, privs)
#     async_get_user_schema_privs(self, callback, user)
#
# class AdminUserDbPrivEntry(object):
#     host, db, privileges (a set); __init__(self, host, db, privileges); copy()
#
# class AdminUserDbPrivs(object):
#     entries, _orig_entries, _owner
#     __init__(self, owner); copy(); snapshot_for_revert(); add_entry(host, db, privileges)
#     load(self, user): GET_ACCOUNT_SCHEMA_PRIVS_QUERY, collects columns whose
#         value is "Y", sorted with acl_compare on (host, db); failures raise
#         "Error querying security information: %s".
#     save(self): issues the schema-level REVOKE/GRANT templates, using
#         "ALL PRIVILEGES", "USAGE" and "GRANT OPTION" / "WITH GRANT OPTION"
#         as appropriate.
#
# class AdminAccount(object):
#     username, host, password, auth_plugin, auth_string, is_commited,
#     _orig_* copies of the above for revert
#     save(self): CREATE_USER_QUERY / CREATE_USER_QUERY_PLUGIN /
#         CREATE_USER_QUERY_PLUGIN_AUTH_STRING, RENAME_USER_QUERY,
#         GRANT_GLOBAL_PRIVILEGES_QUERY, REVOKE_GLOBAL_PRIVILEGES_QUERY,
#         GRANT_LIMITS_QUERY, CHANGE_PASSWORD_QUERY, BLANK_PASSWORD_QUERY,
#         then FLUSH_PRIVILEGES.  For the sha256_password plugin it brackets
#         the password statement with "SET old_passwords = 2" and
#         "SET old_passwords = 0".  Error 1142 reports
#         "Error %s account %s@%s: Insufficient rights to perform operation",
#         other errors "Error %s account %s@%s: %s" (action is "creating" or
#         "changing").  grant_special/revoke_special apply AdminAttributes.
#     load(self, name, host): reads the mysql.user row and the mysql.tables_priv
#         rows for Db='mysql'.
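The templates above take account names, hosts and schema names through plain %-formatting, so everything that lands in them must be escaped first, and a schema name must also have its wildcard characters escaped (MySQL treats `_` and `%` in the database part of `GRANT ... ON db.*` and in the `mysql.db` Db column as wildcards). The following is an added example, not MySQL Workbench code: a Python 3 sketch of filling these templates safely. `escape_sql_string` here is my own re-implementation of MySQL's backslash string escaping (the module imports the real one from a helper module not shown on this page), `ALLOWED_PRIVILEGES` is a subset of the PrivilegeInfo keys, and `wild_match` is my approximation of how MySQL matches a grant-table Db pattern against a schema name; the inputs at the bottom are constructed.

```python
# Added example (not MySQL Workbench code): filling the module's
# '%(user)s' / '%(host)s' / '%(db)s' statement templates safely, Python 3.
# escape_sql_string() is my own re-implementation of MySQL backslash string
# escaping; wild_match() is my approximation of MySQL's grant-table wildcard
# matching.  Both are assumptions, not the project's code.

# Templates copied from the module.
CREATE_USER_QUERY = "CREATE USER '%(user)s'@'%(host)s' IDENTIFIED BY '%(password)s'"
GRANT_SCHEMA_PRIVILEGES_QUERY = "GRANT %(granted_privs)s ON %(db)s.* TO '%(user)s'@'%(host)s'"

# Subset of the module's PrivilegeInfo keys: the only strings allowed into the
# GRANT list, so a caller can never smuggle SQL in through a privilege name.
ALLOWED_PRIVILEGES = {"SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP",
                      "INDEX", "ALTER", "EXECUTE", "CREATE VIEW", "SHOW VIEW"}

_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def escape_sql_string(s):
    """Backslash-escape s for use inside a single-quoted MySQL literal.
    Assumes NO_BACKSLASH_ESCAPES is not in sql_mode."""
    return "".join(_ESCAPES.get(ch, ch) for ch in s)


def escape_schema_name(s):
    """Same transformation as the module's helper: '_' and '%' are wildcards
    in GRANT ... ON db.* and in mysql.db unless escaped."""
    return s.replace("\\", "\\\\").replace("_", "\\_").replace("%", "\\%")


def quote_identifier(name):
    """Backtick-quote an identifier, doubling any embedded backtick."""
    return "`" + name.replace("`", "``") + "`"


def fill(template, **params):
    """Substitute into a template, string-escaping every str parameter."""
    safe = {k: escape_sql_string(v) if isinstance(v, str) else v
            for k, v in params.items()}
    return template % safe


def build_create_user(user, host, password):
    return fill(CREATE_USER_QUERY, user=user, host=host, password=password)


def build_grant_schema(user, host, schema, privs):
    """GRANT on exactly `schema`, not on every schema matching it as a pattern."""
    bad = [p for p in privs if p not in ALLOWED_PRIVILEGES]
    if bad:
        raise ValueError("unknown privilege(s): %r" % bad)
    db = quote_identifier(escape_schema_name(schema))
    # db is an identifier that is already quoted and wildcard-escaped, so it is
    # substituted directly; fill() would double its backslashes.
    return GRANT_SCHEMA_PRIVILEGES_QUERY % {
        "granted_privs": ", ".join(privs),
        "db": db,
        "user": escape_sql_string(user),
        "host": escape_sql_string(host),
    }


def wild_match(pattern, name):
    """Grant-table wildcard match: '%' any run, '_' one character,
    backslash makes the next character literal."""
    def rec(p, n):
        if not p:
            return not n
        c = p[0]
        if c == "\\" and len(p) > 1:
            return bool(n) and n[0] == p[1] and rec(p[2:], n[1:])
        if c == "%":
            return any(rec(p[1:], n[i:]) for i in range(len(n) + 1))
        if c == "_":
            return bool(n) and rec(p[1:], n[1:])
        return bool(n) and n[0] == c and rec(p[1:], n[1:])
    return rec(pattern, name)


if __name__ == "__main__":
    # Constructed inputs: a user name that tries to close the quote, and a
    # schema name containing the '_' wildcard.
    print(build_create_user("bob'@'%", "localhost", "s3cret"))
    print(build_grant_schema("svc", "10.0.0.%", "app_prod", ["SELECT", "INSERT"]))
    for pat in ("app_prod", escape_schema_name("app_prod")):
        print(repr(pat), "matches appXprod:", wild_match(pat, "appXprod"))
```

The last loop is the point of `escape_schema_name`: an unescaped `app_prod` in a schema-level GRANT also covers `appXprod`, `app1prod` and any other schema one character away, while the escaped form matches only the literal name.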