Skip to content
Snippets Groups Projects

When creating users populate their default permissions in `_pico_privilege`

    • Closed Issue created by Dmitry Rodionov @d.rodionov

    When user is created in tarantool it is granted some default permissions:

    • Execute role public
    • Session and Usage on universe
    • Alter on himself

    We need to add these to _pico_privilege so it matches tarantool _priv

    To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

    Child items 0

    • No child items are currently assigned. Use child items to break down this issue into smaller parts.

    Activity

    • Dmitry Rodionov changed milestone to %24.7 - Datamart

      changed milestone to %24.7 - Datamart

    • Dmitry Rodionov added 1 deleted label

      added 1 deleted label

      • Georgy Moshkin
        Georgy Moshkin @gmoshkin ·
        Maintainer

        Just for context: when _pico_user & _pico_privilege were originally implemented, this wasn't done intentionally, because in my understanding those grants are basic and are required by pretty much all users. And because our clusterwide ACL is more high-level than the tarantool one I decided to omit these implementation details

      • Dmitry Rodionov
        Dmitry Rodionov @d.rodionov ·
        Author Owner

        Yeah, let me explain a bit more. Problems begin when you try to do something with these default permissions. In pico.grant_privilege for example we run the check whether user already has specified permissions based on global permission space. If permission is missing then we decide to create it or and creation fails on tarantool level because permission is already there. For example you cant revoke alter permission from user because on creation it is not there:

        -- works
box.schema.user.revoke("Yoda", "alter", "user", "Yoda")
-- doesnt work, returns immediately because privilege is missing from global scale
pico.revoke_privilege("Yoda", "alter", "user", "Yoda")


-- when you try to grant it:
pico.grant_privilege("Yoda", "alter", "user", "Yoda")
thread 'main' panicked at 'granting a privilege shouldn't fail: LuaError(ExecutionError("User '32' already has alter access on user 'Yoda'"))

-- the whole thing crashes :(

        This case may be a not on a hot path, but it is still worth fixing. Another issue I've created is more important: #384 (closed) because here you cant grant super to anybody because it doesnt exist on picodata level

      • Please register or sign in to reply
    • Dmitry Rodionov
      Dmitry Rodionov @d.rodionov ·
      Author Owner

      That affects user blocking as well.

      Should be possible to revoke privileges with:

      pico.revoke_privilege("Yoda", "session", "universe")
pico.revoke_privilege("Yoda", "usage", "universe")
    • Yaroslav Dynnikov assigned to @kusancho

      assigned to @kusancho

    • Yaroslav Dynnikov changed milestone to %23.12.0

      changed milestone to %23.12.0

    • Emir Vildanov mentioned in merge request !707 (merged)

      mentioned in merge request !707 (merged)

    • Егор Ивков mentioned in issue #413 (closed)

      mentioned in issue #413 (closed)

    • Alexander Kurdakov mentioned in merge request !762 (merged)

      mentioned in merge request !762 (merged)

    • Dmitry Rodionov closed with merge request !762 (merged)

      closed with merge request !762 (merged)

    Please register or sign in to reply