vitess.io/vitess@v0.16.2/go/vt/vtgate/vschemaacl/vschemaacl.go (about)

     1  /*
     2  Copyright 2019 The Vitess Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package vschemaacl
    18  
    19  import (
    20  	"strings"
    21  	"sync"
    22  
    23  	"github.com/spf13/pflag"
    24  
    25  	"vitess.io/vitess/go/vt/servenv"
    26  
    27  	querypb "vitess.io/vitess/go/vt/proto/query"
    28  )
    29  
    30  var (
    31  	// AuthorizedDDLUsers specifies the users that can perform ddl operations
    32  	AuthorizedDDLUsers string
    33  
    34  	// ddlAllowAll is true if the special value of "*" was specified
    35  	allowAll bool
    36  
    37  	// ddlACL contains a set of allowed usernames
    38  	acl map[string]struct{}
    39  
    40  	initMu sync.Mutex
    41  )
    42  
    43  // RegisterSchemaACLFlags installs log flags on the given FlagSet.
    44  //
    45  // `go/cmd/*` entrypoints should either use servenv.ParseFlags(WithArgs)? which
    46  // calls this function, or call this function directly before parsing
    47  // command-line arguments.
    48  func RegisterSchemaACLFlags(fs *pflag.FlagSet) {
    49  	fs.StringVar(&AuthorizedDDLUsers, "vschema_ddl_authorized_users", AuthorizedDDLUsers, "List of users authorized to execute vschema ddl operations, or '%' to allow all users.")
    50  }
    51  
    52  func init() {
    53  	for _, cmd := range []string{"vtcombo", "vtgate", "vtgateclienttest"} {
    54  		servenv.OnParseFor(cmd, RegisterSchemaACLFlags)
    55  	}
    56  }
    57  
    58  // Init parses the users option and sets allowAll / acl accordingly
    59  func Init() {
    60  	initMu.Lock()
    61  	defer initMu.Unlock()
    62  	acl = make(map[string]struct{})
    63  	allowAll = false
    64  
    65  	if AuthorizedDDLUsers == "%" {
    66  		allowAll = true
    67  		return
    68  	} else if AuthorizedDDLUsers == "" {
    69  		return
    70  	}
    71  
    72  	for _, user := range strings.Split(AuthorizedDDLUsers, ",") {
    73  		user = strings.TrimSpace(user)
    74  		acl[user] = struct{}{}
    75  	}
    76  }
    77  
    78  // Authorized returns true if the given caller is allowed to execute vschema operations
    79  func Authorized(caller *querypb.VTGateCallerID) bool {
    80  	if allowAll {
    81  		return true
    82  	}
    83  
    84  	user := caller.GetUsername()
    85  	_, ok := acl[user]
    86  	return ok
    87  }