authorThomas Markwalder <tmark@isc.org>2019-08-25 21:23:35 +0200
committerThomas Markwalder <tmark@isc.org>2019-08-26 15:39:05 +0200
commit2777d40ed286cac4e690d4684f2d22bcdb0247ad (patch)
tree52c8096a1ddd052887adb289b3943f32dd551d5f
parent[#853, !26-p] Added ChangeLog entry (diff)
downloadkea-2777d40ed286cac4e690d4684f2d22bcdb0247ad.tar.xz
kea-2777d40ed286cac4e690d4684f2d22bcdb0247ad.zip
[#853, !26-p] Added user permissions check to kea-admin
src/bin/admin/kea-admin.in
    mysql_can_create() - new function to verify user's ability to create functions
    mysql_init(), mysql_upgrade() - modified to call mysql_can_create
-rw-r--r--src/bin/admin/kea-admin.in88
1 files changed, 88 insertions, 0 deletions
diff --git a/src/bin/admin/kea-admin.in b/src/bin/admin/kea-admin.in
index d0d7f498f7..cfe3f10aed 100644
--- a/src/bin/admin/kea-admin.in
+++ b/src/bin/admin/kea-admin.in
@@ -130,6 +130,82 @@ memfile_init() {
exit 1
}
+# Validates that the MySQL db_users's permissions are sufficient to
+# create the schema.
+mysql_can_create() {
+
+ RESULT=$(mysql_execute "select @@global.version;")
+ ERRCODE=$?
+ if [ $ERRCODE -ne 0 ]
+ then
+ log_error "mysql_can_create: get MySQL version failed, mysql status = $ERRCODE"
+ exit 1
+ fi
+
+ printf "MySQL Version is:[ $RESULT ]\n"
+ mainversion=`echo $RESULT | cut -f1 -d'.'`
+ if [ $mainversion -lt 8 ]
+ then
+ # We should be good to go.
+ return;
+ fi
+
+ # SQL to drop our test table and trigger
+ cleanup_sql="DROP TABLE IF EXISTS kea_dummy_table; DROP PROCEDURE IF EXISTS kea_dummy_trigger;"
+
+ # SQL to create our test table
+ table_sql="CREATE TABLE kea_dummy_table(dummy INT UNSIGNED PRIMARY KEY NOT NULL);"
+
+ # SQL to create our test trigger
+ trigger_sql="\
+CREATE TRIGGER kea_dummy_trigger BEFORE insert ON kea_dummy_table FOR EACH ROW\n \
+BEGIN\n \
+END;"
+
+ # Let's clean up just in case.
+ RESULT=$(mysql_execute "$cleanup_sql")
+ ERRCODE=$?
+ if [ $ERRCODE -ne 0 ]
+ then
+ log_error "mysql_can_create cannot run pre cleanup, mysql status = $ERRCODE"
+ exit 1;
+ fi
+
+ # Now make the dummy table.
+ perms_ok=1
+ RESULT=$(mysql_execute "$table_sql")
+ ERRCODE=$?
+ if [ $ERRCODE -ne 0 ]
+ then
+ log_error "mysql_can_create cannot create table, check user permissions, mysql status = $ERRCODE"
+ perms_ok=0;
+ else
+ # Now attempt to maek trigger
+ RESULT=$(mysql_execute "$trigger_sql")
+ ERRCODE=$?
+ if [ $ERRCODE -ne 0 ]
+ then
+ log_error "mysql_can_create cannot trigger, check user permissions, mysql status = $ERRCODE"
+ perms_ok=0;
+ fi
+ fi
+
+ # Try to cleanup no matter what happened above
+ RESULT=$(mysql_execute "$cleanup_sql")
+ ERRCODE=$?
+ if [ $ERRCODE -ne 0 ]
+ then
+ log_error "mysql_can_create cannot run post cleanup, mysql status = $ERRCODE"
+ exit 1;
+ fi
+
+ if [ $perms_ok -ne 1 ]
+ then
+ log_error "Create failed, the user, $db_user, has insufficient privileges."
+ exit 1;
+ fi
+}
+
# Initializes a new, empty MySQL database.
# It essentially calls scripts/mysql/dhcpdb_create.mysql script, with
# some extra sanity checks. It will refuse to use it if there are any
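Review bot: `cleanup_sql` drops a PROCEDURE named `kea_dummy_trigger`, but the probe creates a TRIGGER of that name, so cleanup only works because dropping `kea_dummy_table` also removes its trigger; `cleanup_sql="DROP TRIGGER IF EXISTS kea_dummy_trigger; DROP TABLE IF EXISTS kea_dummy_table;"` would match what is actually created. The pre-cleanup also drops any table that already exists under that fixed name in the operator's database, which deserves a line in the function's header comment. Separately, `printf "MySQL Version is:[ $RESULT ]\n"` uses server output as the format string, and the two `printf "Verifying ... $db_user\n"` calls added in mysql_init() and mysql_upgrade() do the same with an option value; `printf "MySQL Version is:[ %s ]\n" "$RESULT"` keeps a stray `%` from being interpreted. `$RESULT` and `$mainversion` are also unquoted in the `cut` pipeline and the `-lt` test, so an empty or non-numeric version string makes `[` fail and the function silently falls through to the probe instead of reporting the bad value.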
@@ -159,6 +235,12 @@ mysql_init() {
exit 1
fi
+ # Beginning with MySQL 8.0, the db user needs additional settings or SUPER
+ # privileges to create triggers and or functions. Call mysql_can_create to find
+ # out if we're good to go. If not, it will exit.
+ printf "Verifying create permissions for $db_user\n"
+ mysql_can_create
+
printf "Initializing database using script %s\n" $scripts_dir/mysql/dhcpdb_create.mysql
mysql -B --host=$db_host --user=$db_user --password=$db_password $db_name < $scripts_dir/mysql/dhcpdb_create.mysql
ERRCODE=$?
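Review bot: The added comment says the check covers "triggers and or functions", but mysql_can_create() as added in this commit only attempts a CREATE TABLE and a CREATE TRIGGER, so function creation is covered only to the extent MySQL applies the same restriction to both; that appears to be the case when binary logging is enabled, but it should be confirmed and the comment should say the trigger is a proxy. Suggested extra line: `# mysql_can_create probes this by creating and dropping a dummy table and trigger; it exits on failure.` The same comment is repeated in the mysql_upgrade() hunk, where the probe's DDL runs against an existing, populated database rather than a fresh one. mysql_init()'s body starts and ends outside this hunk.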
@@ -267,6 +349,12 @@ mysql_upgrade() {
exit 1
fi
+ # Beginning with MySQL 8.0, the db user needs additional settings or SUPER
+ # privileges to create triggers and or functions. Call mysql_can_create to find
+ # out if we're good to go. If not, it will exit.
+ printf "Verifying upgrade permissions for $db_user\n"
+ mysql_can_create
+
for script in "${scripts_dir}"/mysql/upgrade*.sh
do
echo "Processing $script file..."