diff --git a/src/bootstrap_entries.rs b/src/bootstrap_entries.rs
index 2b5602a70f1bc6113b27f61f57e5ad51eca334b6..8710c48d76715c91b205464ec34d10e6d7137d1e 100644
--- a/src/bootstrap_entries.rs
+++ b/src/bootstrap_entries.rs
@@ -174,9 +174,8 @@ pub(super) fn prepare(args: &args::Run, instance: &Instance, tiers: &[Tier]) ->
// equivalent SQL expressions under 'admin' user:
// GRANT <'usage', 'session'> ON 'universe' TO 'guest'
- // GRANT <'public', 'super'> TO 'guest'
+ // GRANT 'public' TO 'guest'
// GRANT 'all privileges' ON 'universe' TO 'admin'
- // GRANT 'all privileges' ON 'universe' TO 'super'
for priv_def in PrivilegeDef::get_default_privileges() {
init_entries_push_op(op::Dml::insert(ClusterwideTable::Privilege, priv_def));
}
diff --git a/src/schema.rs b/src/schema.rs
index 390f7a5e2c60ea59d7075146a9ce17a45e55dad1..10d9cbfb983bba5a8d930d088826e806c9a79ef7 100644
--- a/src/schema.rs
+++ b/src/schema.rs
@@ -466,21 +466,16 @@ impl PrivilegeDef {
});
}
- // execute public
- // execute on super (temporary until we switch to service account)
- // SQL: GRANT 'execute' ON <'public', 'user'> TO 'guest'
- for role in [PUBLIC_ID, SUPER_ID] {
- v.push(PrivilegeDef {
- grantor_id: ADMIN_ID,
- grantee_id: GUEST_ID,
- object_type: SchemaObjectType::Role,
- object_id: role as _,
- privilege: PrivilegeType::Execute,
- schema_version: 0,
- });
- }
+ // SQL: GRANT 'public' TO 'guest'
+ v.push(PrivilegeDef {
+ grantor_id: ADMIN_ID,
+ grantee_id: GUEST_ID,
+ object_type: SchemaObjectType::Role,
+ object_id: PUBLIC_ID as _,
+ privilege: PrivilegeType::Execute,
+ schema_version: 0,
+ });
- // admin - all on universe
// SQL: GRANT 'all privileges' ON 'universe' TO 'admin'
for privilege in PrivilegeType::VARIANTS {
v.push(PrivilegeDef {
@@ -493,19 +488,6 @@ impl PrivilegeDef {
});
}
- // super - all on universe
- // GRANT 'all privileges' ON 'universe' TO 'super'
- for privilege in PrivilegeType::VARIANTS {
- v.push(PrivilegeDef {
- grantor_id: ADMIN_ID,
- grantee_id: SUPER_ID,
- object_type: SchemaObjectType::Universe,
- object_id: UNIVERSE_ID,
- privilege: *privilege,
- schema_version: 0,
- });
- }
-
v
})
}
diff --git a/test/int/test_acl.py b/test/int/test_acl.py
index 95fddd8c253b9e7cdd4a1bdb6f27c165aa0a0a0c..503b8f55dfab271bc37570a10b2912567c102614 100644
--- a/test/int/test_acl.py
+++ b/test/int/test_acl.py
@@ -838,10 +838,21 @@ def test_acl_from_snapshot(cluster: Cluster):
def test_acl_drop_table_with_privileges(cluster: Cluster):
i1, *_ = cluster.deploy(instance_count=1)
- number_of_privileges_since_bootstrap = 28
# Check that we can drop a table with privileges granted on it.
index = i1.call("pico.create_user", "Dave", VALID_PASSWORD)
+
+ dave_id = i1.sql(""" select "id" from "_pico_user" where "name" = 'Dave' """)[
+ "rows"
+ ][0][0]
+
+ def dave_privileges_count():
+ return i1.sql(
+ f""" select count(*) from "_pico_privilege" where "grantee_id" = {dave_id} """,
+ )["rows"][0][0]
+
+ dave_privileges_count_at_start = dave_privileges_count()
+
cluster.raft_wait_index(index)
ddl = i1.sql(
"""
@@ -849,14 +860,18 @@ def test_acl_drop_table_with_privileges(cluster: Cluster):
"""
)
assert ddl["row_count"] == 1
+ assert dave_privileges_count_at_start == dave_privileges_count()
+
index = i1.grant_privilege("Dave", "read", "table", "T")
cluster.raft_wait_index(index)
+
+ assert dave_privileges_count_at_start + 1 == dave_privileges_count()
+
ddl = i1.sql(""" drop table t """)
assert ddl["row_count"] == 1
- # Check that the picodata privileges are gone.
- privs = i1.call("box.execute", """ select count(*) from "_pico_privilege" """)
- assert privs["rows"][0][0] == number_of_privileges_since_bootstrap
+ # Check that the picodata privilege on table t are gone.
+ assert dave_privileges_count_at_start == dave_privileges_count()
def test_builtin_users_and_roles(cluster: Cluster):
diff --git a/test/int/test_basics.py b/test/int/test_basics.py
index a95c3d7f9625babe96b11bea9655f84728e7b43a..5516edd052b4575385775456a30211b5f89231ec 100644
--- a/test/int/test_basics.py
+++ b/test/int/test_basics.py
@@ -258,37 +258,26 @@ def test_raft_log(instance: Instance):
| 16 | 1 |1.0.16|Insert({_pico_privilege}, ["usage","universe",0,0,1,0])|
| 17 | 1 |1.0.17|Insert({_pico_privilege}, ["session","universe",0,0,1,0])|
| 18 | 1 |1.0.18|Insert({_pico_privilege}, ["execute","role",2,0,1,0])|
-| 19 | 1 |1.0.19|Insert({_pico_privilege}, ["execute","role",31,0,1,0])|
-| 20 | 1 |1.0.20|Insert({_pico_privilege}, ["read","universe",0,1,1,0])|
-| 21 | 1 |1.0.21|Insert({_pico_privilege}, ["write","universe",0,1,1,0])|
-| 22 | 1 |1.0.22|Insert({_pico_privilege}, ["execute","universe",0,1,1,0])|
-| 23 | 1 |1.0.23|Insert({_pico_privilege}, ["session","universe",0,1,1,0])|
-| 24 | 1 |1.0.24|Insert({_pico_privilege}, ["usage","universe",0,1,1,0])|
-| 25 | 1 |1.0.25|Insert({_pico_privilege}, ["create","universe",0,1,1,0])|
-| 26 | 1 |1.0.26|Insert({_pico_privilege}, ["drop","universe",0,1,1,0])|
-| 27 | 1 |1.0.27|Insert({_pico_privilege}, ["alter","universe",0,1,1,0])|
-| 28 | 1 |1.0.28|Insert({_pico_privilege}, ["grant","universe",0,1,1,0])|
-| 29 | 1 |1.0.29|Insert({_pico_privilege}, ["revoke","universe",0,1,1,0])|
-| 30 | 1 |1.0.30|Insert({_pico_privilege}, ["read","universe",0,31,1,0])|
-| 31 | 1 |1.0.31|Insert({_pico_privilege}, ["write","universe",0,31,1,0])|
-| 32 | 1 |1.0.32|Insert({_pico_privilege}, ["execute","universe",0,31,1,0])|
-| 33 | 1 |1.0.33|Insert({_pico_privilege}, ["session","universe",0,31,1,0])|
-| 34 | 1 |1.0.34|Insert({_pico_privilege}, ["usage","universe",0,31,1,0])|
-| 35 | 1 |1.0.35|Insert({_pico_privilege}, ["create","universe",0,31,1,0])|
-| 36 | 1 |1.0.36|Insert({_pico_privilege}, ["drop","universe",0,31,1,0])|
-| 37 | 1 |1.0.37|Insert({_pico_privilege}, ["alter","universe",0,31,1,0])|
-| 38 | 1 |1.0.38|Insert({_pico_privilege}, ["grant","universe",0,31,1,0])|
-| 39 | 1 |1.0.39|Insert({_pico_privilege}, ["revoke","universe",0,31,1,0])|
-| 40 | 1 | |AddNode(1)|
-| 41 | 2 | |-|
-| 42 | 2 |1.1.1|Replace({_pico_instance}, ["i1","68d4a766-4144-3248-aeb4-e212356716e4",1,"r1","e0df68c5-e7f9-395f-86b3-30ad9e1b7b07",["Offline",0],["Online",1],{b},"default"])|
-| 43 | 2 |1.1.2|Insert({_pico_replicaset}, ["r1","e0df68c5-e7f9-395f-86b3-30ad9e1b7b07","i1","default",0.0,"auto","not-ready"])|
-| 44 | 2 |1.1.3|Replace({_pico_instance}, ["i1","68d4a766-4144-3248-aeb4-e212356716e4",1,"r1","e0df68c5-e7f9-395f-86b3-30ad9e1b7b07",["Replicated",1],["Online",1],{b},"default"])|
-| 45 | 2 |1.1.4|Update({_pico_replicaset}, ["r1"], [["=","weight",1.0], ["=","state","ready"]])|
-| 46 | 2 |1.1.5|Replace({_pico_property}, ["target_vshard_config",[{{"e0df68c5-e7f9-395f-86b3-30ad9e1b7b07":[{{"68d4a766-4144-3248-aeb4-e212356716e4":["guest:@127.0.0.1:{p}","i1",true]}},1.0]}},"on"]])|
-| 47 | 2 |1.1.6|Replace({_pico_property}, ["current_vshard_config",[{{"e0df68c5-e7f9-395f-86b3-30ad9e1b7b07":[{{"68d4a766-4144-3248-aeb4-e212356716e4":["guest:@127.0.0.1:{p}","i1",true]}},1.0]}},"on"]])|
-| 48 | 2 |1.1.7|Replace({_pico_property}, ["vshard_bootstrapped",true])|
-| 49 | 2 |1.1.8|Replace({_pico_instance}, ["i1","68d4a766-4144-3248-aeb4-e212356716e4",1,"r1","e0df68c5-e7f9-395f-86b3-30ad9e1b7b07",["Online",1],["Online",1],{b},"default"])|
+| 19 | 1 |1.0.19|Insert({_pico_privilege}, ["read","universe",0,1,1,0])|
+| 20 | 1 |1.0.20|Insert({_pico_privilege}, ["write","universe",0,1,1,0])|
+| 21 | 1 |1.0.21|Insert({_pico_privilege}, ["execute","universe",0,1,1,0])|
+| 22 | 1 |1.0.22|Insert({_pico_privilege}, ["session","universe",0,1,1,0])|
+| 23 | 1 |1.0.23|Insert({_pico_privilege}, ["usage","universe",0,1,1,0])|
+| 24 | 1 |1.0.24|Insert({_pico_privilege}, ["create","universe",0,1,1,0])|
+| 25 | 1 |1.0.25|Insert({_pico_privilege}, ["drop","universe",0,1,1,0])|
+| 26 | 1 |1.0.26|Insert({_pico_privilege}, ["alter","universe",0,1,1,0])|
+| 27 | 1 |1.0.27|Insert({_pico_privilege}, ["grant","universe",0,1,1,0])|
+| 28 | 1 |1.0.28|Insert({_pico_privilege}, ["revoke","universe",0,1,1,0])|
+| 29 | 1 | |AddNode(1)|
+| 30 | 2 | |-|
+| 31 | 2 |1.1.1|Replace({_pico_instance}, ["i1","68d4a766-4144-3248-aeb4-e212356716e4",1,"r1","e0df68c5-e7f9-395f-86b3-30ad9e1b7b07",["Offline",0],["Online",1],{b},"default"])|
+| 32 | 2 |1.1.2|Insert({_pico_replicaset}, ["r1","e0df68c5-e7f9-395f-86b3-30ad9e1b7b07","i1","default",0.0,"auto","not-ready"])|
+| 33 | 2 |1.1.3|Replace({_pico_instance}, ["i1","68d4a766-4144-3248-aeb4-e212356716e4",1,"r1","e0df68c5-e7f9-395f-86b3-30ad9e1b7b07",["Replicated",1],["Online",1],{b},"default"])|
+| 34 | 2 |1.1.4|Update({_pico_replicaset}, ["r1"], [["=","weight",1.0], ["=","state","ready"]])|
+| 35 | 2 |1.1.5|Replace({_pico_property}, ["target_vshard_config",[{{"e0df68c5-e7f9-395f-86b3-30ad9e1b7b07":[{{"68d4a766-4144-3248-aeb4-e212356716e4":["guest:@127.0.0.1:{p}","i1",true]}},1.0]}},"on"]])|
+| 36 | 2 |1.1.6|Replace({_pico_property}, ["current_vshard_config",[{{"e0df68c5-e7f9-395f-86b3-30ad9e1b7b07":[{{"68d4a766-4144-3248-aeb4-e212356716e4":["guest:@127.0.0.1:{p}","i1",true]}},1.0]}},"on"]])|
+| 37 | 2 |1.1.7|Replace({_pico_property}, ["vshard_bootstrapped",true])|
+| 38 | 2 |1.1.8|Replace({_pico_instance}, ["i1","68d4a766-4144-3248-aeb4-e212356716e4",1,"r1","e0df68c5-e7f9-395f-86b3-30ad9e1b7b07",["Online",1],["Online",1],{b},"default"])|
+-----+----+-----+--------+
""".format( # noqa: E501
p=instance.port,