refactor: remove all privileges from role super

src/bootstrap_entries.rs

@@ -174,9 +174,8 @@ pub(super) fn prepare(args: &args::Run, instance: &Instance, tiers: &[Tier]) ->
 
     // equivalent SQL expressions under 'admin' user:
     // GRANT <'usage', 'session'> ON 'universe' TO 'guest'
-    // GRANT <'public', 'super'> TO 'guest'
+    // GRANT 'public' TO 'guest'
     // GRANT 'all privileges' ON 'universe' TO 'admin'
-    // GRANT 'all privileges' ON 'universe' TO 'super'
     for priv_def in PrivilegeDef::get_default_privileges() {
         init_entries_push_op(op::Dml::insert(ClusterwideTable::Privilege, priv_def));
     }

src/schema.rs

@@ -466,21 +466,16 @@ impl PrivilegeDef {
                 });
             }
 
-            // execute public
-            // execute on super (temporary until we switch to service account)
-            // SQL: GRANT 'execute' ON <'public', 'user'> TO 'guest'
-            for role in [PUBLIC_ID, SUPER_ID] {
-                v.push(PrivilegeDef {
-                    grantor_id: ADMIN_ID,
-                    grantee_id: GUEST_ID,
-                    object_type: SchemaObjectType::Role,
-                    object_id: role as _,
-                    privilege: PrivilegeType::Execute,
-                    schema_version: 0,
-                });
-            }
+            // SQL: GRANT 'public' TO 'guest'
+            v.push(PrivilegeDef {
+                grantor_id: ADMIN_ID,
+                grantee_id: GUEST_ID,
+                object_type: SchemaObjectType::Role,
+                object_id: PUBLIC_ID as _,
+                privilege: PrivilegeType::Execute,
+                schema_version: 0,
+            });
 
-            // admin - all on universe
             // SQL: GRANT 'all privileges' ON 'universe' TO 'admin'
             for privilege in PrivilegeType::VARIANTS {
                 v.push(PrivilegeDef {
@@ -493,19 +488,6 @@ impl PrivilegeDef {
                 });
             }
 
-            // super - all on universe
-            // GRANT 'all privileges' ON 'universe' TO 'super'
-            for privilege in PrivilegeType::VARIANTS {
-                v.push(PrivilegeDef {
-                    grantor_id: ADMIN_ID,
-                    grantee_id: SUPER_ID,
-                    object_type: SchemaObjectType::Universe,
-                    object_id: UNIVERSE_ID,
-                    privilege: *privilege,
-                    schema_version: 0,
-                });
-            }
-
             v
         })
     }

test/int/test_acl.py

@@ -838,10 +838,21 @@ def test_acl_from_snapshot(cluster: Cluster):
 
 def test_acl_drop_table_with_privileges(cluster: Cluster):
     i1, *_ = cluster.deploy(instance_count=1)
-    number_of_privileges_since_bootstrap = 28
 
     # Check that we can drop a table with privileges granted on it.
     index = i1.call("pico.create_user", "Dave", VALID_PASSWORD)
+
+    dave_id = i1.sql(""" select "id" from "_pico_user" where "name" = 'Dave' """)[
+        "rows"
+    ][0][0]
+
+    def dave_privileges_count():
+        return i1.sql(
+            f""" select count(*) from "_pico_privilege" where "grantee_id" = {dave_id} """,
+        )["rows"][0][0]
+
+    dave_privileges_count_at_start = dave_privileges_count()
+
     cluster.raft_wait_index(index)
     ddl = i1.sql(
         """
@@ -849,14 +860,18 @@ def test_acl_drop_table_with_privileges(cluster: Cluster):
         """
     )
     assert ddl["row_count"] == 1
+    assert dave_privileges_count_at_start == dave_privileges_count()
+
     index = i1.grant_privilege("Dave", "read", "table", "T")
     cluster.raft_wait_index(index)
+
+    assert dave_privileges_count_at_start + 1 == dave_privileges_count()
+
     ddl = i1.sql(""" drop table t """)
     assert ddl["row_count"] == 1
 
-    # Check that the picodata privileges are gone.
-    privs = i1.call("box.execute", """ select count(*) from "_pico_privilege" """)
-    assert privs["rows"][0][0] == number_of_privileges_since_bootstrap
+    # Check that the picodata privilege on table t are gone.
+    assert dave_privileges_count_at_start == dave_privileges_count()
 
 
 def test_builtin_users_and_roles(cluster: Cluster):

test/int/test_basics.py

@@ -258,37 +258,26 @@ def test_raft_log(instance: Instance):
 | 16  | 1  |1.0.16|Insert({_pico_privilege}, ["usage","universe",0,0,1,0])|
 | 17  | 1  |1.0.17|Insert({_pico_privilege}, ["session","universe",0,0,1,0])|
 | 18  | 1  |1.0.18|Insert({_pico_privilege}, ["execute","role",2,0,1,0])|
-| 19  | 1  |1.0.19|Insert({_pico_privilege}, ["execute","role",31,0,1,0])|
-| 20  | 1  |1.0.20|Insert({_pico_privilege}, ["read","universe",0,1,1,0])|
-| 21  | 1  |1.0.21|Insert({_pico_privilege}, ["write","universe",0,1,1,0])|
-| 22  | 1  |1.0.22|Insert({_pico_privilege}, ["execute","universe",0,1,1,0])|
-| 23  | 1  |1.0.23|Insert({_pico_privilege}, ["session","universe",0,1,1,0])|
-| 24  | 1  |1.0.24|Insert({_pico_privilege}, ["usage","universe",0,1,1,0])|
-| 25  | 1  |1.0.25|Insert({_pico_privilege}, ["create","universe",0,1,1,0])|
-| 26  | 1  |1.0.26|Insert({_pico_privilege}, ["drop","universe",0,1,1,0])|
-| 27  | 1  |1.0.27|Insert({_pico_privilege}, ["alter","universe",0,1,1,0])|
-| 28  | 1  |1.0.28|Insert({_pico_privilege}, ["grant","universe",0,1,1,0])|
-| 29  | 1  |1.0.29|Insert({_pico_privilege}, ["revoke","universe",0,1,1,0])|
-| 30  | 1  |1.0.30|Insert({_pico_privilege}, ["read","universe",0,31,1,0])|
-| 31  | 1  |1.0.31|Insert({_pico_privilege}, ["write","universe",0,31,1,0])|
-| 32  | 1  |1.0.32|Insert({_pico_privilege}, ["execute","universe",0,31,1,0])|
-| 33  | 1  |1.0.33|Insert({_pico_privilege}, ["session","universe",0,31,1,0])|
-| 34  | 1  |1.0.34|Insert({_pico_privilege}, ["usage","universe",0,31,1,0])|
-| 35  | 1  |1.0.35|Insert({_pico_privilege}, ["create","universe",0,31,1,0])|
-| 36  | 1  |1.0.36|Insert({_pico_privilege}, ["drop","universe",0,31,1,0])|
-| 37  | 1  |1.0.37|Insert({_pico_privilege}, ["alter","universe",0,31,1,0])|
-| 38  | 1  |1.0.38|Insert({_pico_privilege}, ["grant","universe",0,31,1,0])|
-| 39  | 1  |1.0.39|Insert({_pico_privilege}, ["revoke","universe",0,31,1,0])|
-| 40  | 1  |     |AddNode(1)|
-| 41  | 2  |     |-|
-| 42  | 2  |1.1.1|Replace({_pico_instance}, ["i1","68d4a766-4144-3248-aeb4-e212356716e4",1,"r1","e0df68c5-e7f9-395f-86b3-30ad9e1b7b07",["Offline",0],["Online",1],{b},"default"])|
-| 43  | 2  |1.1.2|Insert({_pico_replicaset}, ["r1","e0df68c5-e7f9-395f-86b3-30ad9e1b7b07","i1","default",0.0,"auto","not-ready"])|
-| 44  | 2  |1.1.3|Replace({_pico_instance}, ["i1","68d4a766-4144-3248-aeb4-e212356716e4",1,"r1","e0df68c5-e7f9-395f-86b3-30ad9e1b7b07",["Replicated",1],["Online",1],{b},"default"])|
-| 45  | 2  |1.1.4|Update({_pico_replicaset}, ["r1"], [["=","weight",1.0], ["=","state","ready"]])|
-| 46  | 2  |1.1.5|Replace({_pico_property}, ["target_vshard_config",[{{"e0df68c5-e7f9-395f-86b3-30ad9e1b7b07":[{{"68d4a766-4144-3248-aeb4-e212356716e4":["guest:@127.0.0.1:{p}","i1",true]}},1.0]}},"on"]])|
-| 47  | 2  |1.1.6|Replace({_pico_property}, ["current_vshard_config",[{{"e0df68c5-e7f9-395f-86b3-30ad9e1b7b07":[{{"68d4a766-4144-3248-aeb4-e212356716e4":["guest:@127.0.0.1:{p}","i1",true]}},1.0]}},"on"]])|
-| 48  | 2  |1.1.7|Replace({_pico_property}, ["vshard_bootstrapped",true])|
-| 49  | 2  |1.1.8|Replace({_pico_instance}, ["i1","68d4a766-4144-3248-aeb4-e212356716e4",1,"r1","e0df68c5-e7f9-395f-86b3-30ad9e1b7b07",["Online",1],["Online",1],{b},"default"])|
+| 19  | 1  |1.0.19|Insert({_pico_privilege}, ["read","universe",0,1,1,0])|
+| 20  | 1  |1.0.20|Insert({_pico_privilege}, ["write","universe",0,1,1,0])|
+| 21  | 1  |1.0.21|Insert({_pico_privilege}, ["execute","universe",0,1,1,0])|
+| 22  | 1  |1.0.22|Insert({_pico_privilege}, ["session","universe",0,1,1,0])|
+| 23  | 1  |1.0.23|Insert({_pico_privilege}, ["usage","universe",0,1,1,0])|
+| 24  | 1  |1.0.24|Insert({_pico_privilege}, ["create","universe",0,1,1,0])|
+| 25  | 1  |1.0.25|Insert({_pico_privilege}, ["drop","universe",0,1,1,0])|
+| 26  | 1  |1.0.26|Insert({_pico_privilege}, ["alter","universe",0,1,1,0])|
+| 27  | 1  |1.0.27|Insert({_pico_privilege}, ["grant","universe",0,1,1,0])|
+| 28  | 1  |1.0.28|Insert({_pico_privilege}, ["revoke","universe",0,1,1,0])|
+| 29  | 1  |     |AddNode(1)|
+| 30  | 2  |     |-|
+| 31  | 2  |1.1.1|Replace({_pico_instance}, ["i1","68d4a766-4144-3248-aeb4-e212356716e4",1,"r1","e0df68c5-e7f9-395f-86b3-30ad9e1b7b07",["Offline",0],["Online",1],{b},"default"])|
+| 32  | 2  |1.1.2|Insert({_pico_replicaset}, ["r1","e0df68c5-e7f9-395f-86b3-30ad9e1b7b07","i1","default",0.0,"auto","not-ready"])|
+| 33  | 2  |1.1.3|Replace({_pico_instance}, ["i1","68d4a766-4144-3248-aeb4-e212356716e4",1,"r1","e0df68c5-e7f9-395f-86b3-30ad9e1b7b07",["Replicated",1],["Online",1],{b},"default"])|
+| 34  | 2  |1.1.4|Update({_pico_replicaset}, ["r1"], [["=","weight",1.0], ["=","state","ready"]])|
+| 35  | 2  |1.1.5|Replace({_pico_property}, ["target_vshard_config",[{{"e0df68c5-e7f9-395f-86b3-30ad9e1b7b07":[{{"68d4a766-4144-3248-aeb4-e212356716e4":["guest:@127.0.0.1:{p}","i1",true]}},1.0]}},"on"]])|
+| 36  | 2  |1.1.6|Replace({_pico_property}, ["current_vshard_config",[{{"e0df68c5-e7f9-395f-86b3-30ad9e1b7b07":[{{"68d4a766-4144-3248-aeb4-e212356716e4":["guest:@127.0.0.1:{p}","i1",true]}},1.0]}},"on"]])|
+| 37  | 2  |1.1.7|Replace({_pico_property}, ["vshard_bootstrapped",true])|
+| 38  | 2  |1.1.8|Replace({_pico_instance}, ["i1","68d4a766-4144-3248-aeb4-e212356716e4",1,"r1","e0df68c5-e7f9-395f-86b3-30ad9e1b7b07",["Online",1],["Online",1],{b},"default"])|
 +-----+----+-----+--------+
 """.format(  # noqa: E501
         p=instance.port,