From a683192b91380ddfcdb018903032125f93ea5318 Mon Sep 17 00:00:00 2001
From: Egor Ivkov <e.o.ivkov@gmail.com>
Date: Mon, 5 Feb 2024 15:17:07 +0300
Subject: [PATCH] fix: skip on_auth checks for pico service user

---
 src/lib.rs | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/src/lib.rs b/src/lib.rs
index f857beeb6f..104c297669 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -301,6 +301,21 @@ fn set_login_check(storage: Clusterwide) {
 let compute_auth_verdict = move |user_name: String, successful_authentication: bool| {
 use std::collections::hash_map::Entry;
 
+ // If the user is pico service (used for internal communication) we don't perform any additional checks.
+ // Map result to print audit message, tarantool handles auth automatically.
+ //
+ // The reason for not performaing checks is twofold:
+ // 1. We might not have the user or required privileges in _pico_* spaces yet.
+ // 2. We should never block pico service user or instances would loose ability to communicate
+ // with each other.
+ if user_name == PICO_SERVICE_USER_NAME {
+ if successful_authentication {
+ return Verdict::AuthOk;
+ } else {
+ return Verdict::AuthFail;
+ }
+ }
+
 // Switch to admin to access system spaces.
 let admin_guard = session::su(ADMIN_ID).expect("switching to admin should not fail");
 let max_login_attempts = storage
@@ -406,7 +421,9 @@ fn set_login_check(storage: Clusterwide) {
 );
 
 // Raises an error instead of returning it as a function result.
- // This is the behavior required by `on_auth` trigger to drop the connection.
+ // This is the behavior required by `on_auth` trigger to drop the connection
+ // even if auth was successful. If auth failed the connection will be dropped automatically.
+ //
 // All the drop implementations are called, no need to clean anything up.
 tlua::error!(lua, "{}", err);
 }
-- 
GitLab
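Review bot: The early return for `PICO_SERVICE_USER_NAME` at the top of `compute_auth_verdict` exempts that account from the `max_login_attempts` lockout the rest of the closure appears to enforce, and the exemption keys solely on the client-supplied user name, so any client can obtain unbounded password guesses against the service account simply by naming it; this looks intentional (reason 2 in the comment) but the trade-off should be stated and failed attempts should presumably still be counted or audited rather than silently dropped. Consider adding next to the check: `// NOTE: failures for the service user are NOT counted towards max_login_attempts, so this account has no lockout — its credential must never be guessable.` The nested branches can be one expression, `return if successful_authentication { Verdict::AuthOk } else { Verdict::AuthFail };`. The new comment also has typos: `performaing` → `performing` and `loose` → `lose`. `set_login_check` and the closure continue outside the hunk, so what happens to the attempt counter after this point is not visible here.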