vitess.io/vitess@v0.16.2/go/vt/vtgate/vschemaacl/vschemaacl.go (about) 1 /* 2 Copyright 2019 The Vitess Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package vschemaacl 18 19 import ( 20 "strings" 21 "sync" 22 23 "github.com/spf13/pflag" 24 25 "vitess.io/vitess/go/vt/servenv" 26 27 querypb "vitess.io/vitess/go/vt/proto/query" 28 ) 29 30 var ( 31 // AuthorizedDDLUsers specifies the users that can perform ddl operations 32 AuthorizedDDLUsers string 33 34 // ddlAllowAll is true if the special value of "*" was specified 35 allowAll bool 36 37 // ddlACL contains a set of allowed usernames 38 acl map[string]struct{} 39 40 initMu sync.Mutex 41 ) 42 43 // RegisterSchemaACLFlags installs log flags on the given FlagSet. 44 // 45 // `go/cmd/*` entrypoints should either use servenv.ParseFlags(WithArgs)? which 46 // calls this function, or call this function directly before parsing 47 // command-line arguments. 48 func RegisterSchemaACLFlags(fs *pflag.FlagSet) { 49 fs.StringVar(&AuthorizedDDLUsers, "vschema_ddl_authorized_users", AuthorizedDDLUsers, "List of users authorized to execute vschema ddl operations, or '%' to allow all users.") 50 } 51 52 func init() { 53 for _, cmd := range []string{"vtcombo", "vtgate", "vtgateclienttest"} { 54 servenv.OnParseFor(cmd, RegisterSchemaACLFlags) 55 } 56 } 57 58 // Init parses the users option and sets allowAll / acl accordingly 59 func Init() { 60 initMu.Lock() 61 defer initMu.Unlock() 62 acl = make(map[string]struct{}) 63 allowAll = false 64 65 if AuthorizedDDLUsers == "%" { 66 allowAll = true 67 return 68 } else if AuthorizedDDLUsers == "" { 69 return 70 } 71 72 for _, user := range strings.Split(AuthorizedDDLUsers, ",") { 73 user = strings.TrimSpace(user) 74 acl[user] = struct{}{} 75 } 76 } 77 78 // Authorized returns true if the given caller is allowed to execute vschema operations 79 func Authorized(caller *querypb.VTGateCallerID) bool { 80 if allowAll { 81 return true 82 } 83 84 user := caller.GetUsername() 85 _, ok := acl[user] 86 return ok 87 }