// Revoke removes privileges from this descriptor for a given list of users.
func (p *PrivilegeDescriptor) Revoke(user string, privList privilege.List) {
userPriv, ok := p.findUser(user)
if !ok || userPriv.Privileges == 0 {
// Removing privileges from a user without privileges is a no-op.
return
}
bits := privList.ToBitField()
if isPrivilegeSet(bits, privilege.ALL) {
// Revoking 'ALL' privilege: remove user.
// TODO(marc): the grammar does not allow it, but we should
// check if other privileges are being specified and error out.
p.removeUser(user)
return
}
if isPrivilegeSet(userPriv.Privileges, privilege.ALL) {
// User has 'ALL' privilege. Remove it and set
// all other privileges one.
userPriv.Privileges = 0
for _, v := range privilege.ByValue {
if v != privilege.ALL {
userPriv.Privileges |= v.Mask()
}
}
}
// One doesn't see "AND NOT" very often.
userPriv.Privileges &^= bits
if userPriv.Privileges == 0 {
p.removeUser(user)
}
}
// NewPrivilegeDescriptor returns a privilege descriptor for the given
// user with the specified list of privileges.
func NewPrivilegeDescriptor(user string, priv privilege.List) *PrivilegeDescriptor {
return &PrivilegeDescriptor{
Users: []UserPrivileges{
{
User: user,
Privileges: priv.ToBitField(),
},
},
}
}
// Grant adds new privileges to this descriptor for a given list of users.
// TODO(marc): if all privileges other than ALL are set, should we collapse
// them into ALL?
func (p *PrivilegeDescriptor) Grant(user string, privList privilege.List) {
userPriv := p.findOrCreateUser(user)
if isPrivilegeSet(userPriv.Privileges, privilege.ALL) {
// User already has 'ALL' privilege: no-op.
return
}
bits := privList.ToBitField()
if isPrivilegeSet(bits, privilege.ALL) {
// Granting 'ALL' privilege: overwrite.
// TODO(marc): the grammar does not allow it, but we should
// check if other privileges are being specified and error out.
userPriv.Privileges = privilege.ALL.Mask()
return
}
userPriv.Privileges |= bits
}