DDL/ACL operations fail in Lua API because user doesn't have access to raft spaces
Long story short, for CAS execution we need to consult the system raft spaces, and users are not expected to have access to them. In SQL we bypass this problem by temporarily switching to admin using box.session.su. But we don't do this in the Lua API, so this results in a crash. Steps to reproduce:
- create new user U1
- grant create table privilege to U1
- switch to U1
- call pico.create_table
Crash:
```
picodata> pico.create_table({
> name = 'friends_of_peppa',
> format = {
> {name = 'id', type = 'unsigned', is_nullable = false},
> {name = 'name', type = 'string', is_nullable = false},
> },
> primary_key = {'id'},
> distribution = 'global',
> timeout = 3,
> })
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Store(Other(Tarantool(TarantoolError { code: 42, message: "Read access to space '_raft_state' is denied for user 'U1'"
```
This is not a high-priority bug because we don't have serious plans for supporting the Lua API for this use case. The primary way of doing cluster-wide operations is via the SQL API.
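The scoped switch to admin described above, as an added example that is not part of the original report and is not picodata's code. It runs in a stock Tarantool instance; the space `raft_state_demo` (a stand-in for `_raft_state`), its sample row and the helper `read_raft_state` are assumptions made for the illustration.

```lua
-- Added example for a stock Tarantool instance (not picodata code).
-- 'raft_state_demo' is a constructed stand-in for the system space '_raft_state'.
box.cfg{}
box.once('su_demo_setup', function()
    local s = box.schema.space.create('raft_state_demo')
    s:create_index('pk', {parts = {{1, 'string'}}})
    s:insert{'term', 5}           -- constructed sample row
    box.schema.user.create('U1')  -- U1 gets no grants on raft_state_demo
end)

-- Hypothetical helper: only the system-space read runs as admin.
-- box.session.su(user, fn) restores the previous effective user when fn
-- returns or raises, so the elevation cannot leak into the caller's code.
local function read_raft_state(key)
    return box.session.su('admin', function()
        return box.space.raft_state_demo:get(key)
    end)
end

local function demo()
    local out = {}
    box.session.su('U1', function()
        -- Direct read as U1: the access error is caught and reported
        -- instead of being unwrapped into a crash.
        local ok, err = pcall(function()
            return box.space.raft_state_demo:get('term')
        end)
        out.direct_ok, out.direct_err = ok, tostring(err)
        -- Same read through the scoped helper succeeds.
        out.term = read_raft_state('term')[2]
        -- Everything after the helper runs as U1 again, so the user's own
        -- privilege checks (e.g. the create table grant) still apply.
        out.user_after = box.session.effective_user()
    end)
    return out
end

print(require('json').encode(demo()))
os.exit(0)
```

Keeping the elevated section down to the single read means the DDL/ACL authorization itself is still evaluated against the calling user.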