-
Roman Tsisyk authored
* Set version to {1, 6, 8} in box.space._schema * Add 'LUA' language to built-in stored proceduresRoman Tsisyk authored* Set version to {1, 6, 8} in box.space._schema * Add 'LUA' language to built-in stored procedures
access_misc.result 12.33 KiB
session = box.session
---
...
--
-- Check a double create space
--
s = box.schema.space.create('test')
---
...
s = box.schema.space.create('test')
---
- error: Space 'test' already exists
...
--
-- Check a double drop space
--
s:drop()
---
...
s:drop()
---
- error: Space 'test' does not exist
...
--
-- Check double create user
--
box.schema.user.create('testus')
---
...
box.schema.user.create('testus')
---
- error: User 'testus' already exists
...
s = box.schema.space.create('admin_space')
---
...
index = s:create_index('primary', {type = 'hash', parts = {1, 'NUM'}})
---
...
s:insert({1})
---
- [1]
...
s:insert({2})
---
- [2]
...
--
-- Check double grant and read access
--
box.schema.user.grant('testus', 'read', 'space', 'admin_space')
---
...
box.schema.user.grant('testus', 'read', 'space', 'admin_space')
---
- error: User 'testus' already has read access on space 'admin_space'
...
session.su('testus')
---
...
s:select(1)
---
- - [1]
...
s:insert({3})
---
- error: Write access is denied for user 'testus' to space 'admin_space'
...
s:delete(1)
---- error: Write access is denied for user 'testus' to space 'admin_space'
...
s:drop()
---
- error: Read access is denied for user 'testus' to space '_index'
...
--
-- Check double revoke
--
session.su('admin')
---
...
box.schema.user.revoke('testus', 'read', 'space', 'admin_space')
---
...
box.schema.user.revoke('testus', 'read', 'space', 'admin_space')
---
- error: User 'testus' does not have read access on space 'admin_space'
...
session.su('testus')
---
...
s:select(1)
---
- error: Read access is denied for user 'testus' to space 'admin_space'
...
session.su('admin')
---
...
--
-- Check write access on space
--
box.schema.user.grant('testus', 'write', 'space', 'admin_space')
---
...
session.su('testus')
---
...
s:select(1)
---
- error: Read access is denied for user 'testus' to space 'admin_space'
...
s:delete(1)
---
- [1]
...
s:insert({3})
---
- [3]
...
s:drop()
---
- error: Read access is denied for user 'testus' to space '_index'
...
session.su('admin')
---
...
--
-- Check double drop user
--
box.schema.user.drop('testus')
---
...
box.schema.user.drop('testus')
---
- error: User 'testus' is not found
...
--
-- Check 'guest' user
--session.su('guest')
---
...
session.uid()
---
- 0
...
box.space._user:select(1)
---
- error: Read access is denied for user 'guest' to space '_user'
...
s:select(1)
---
- error: Read access is denied for user 'guest' to space 'admin_space'
...
s:insert({4})
---
- error: Write access is denied for user 'guest' to space 'admin_space'
...
s:delete({3})
---
- error: Write access is denied for user 'guest' to space 'admin_space'
...
s:drop()
---
- error: Read access is denied for user 'guest' to space '_index'
...
gs = box.schema.space.create('guest_space')
---
- error: Write access is denied for user 'guest' to space '_schema'
...
box.schema.func.create('guest_func')
---
- error: Read access is denied for user 'guest' to space '_func'
...
session.su('admin')
---
...
s:select()
---
- - [2]
- [3]
...
--
-- Create user with universe read&write grants
-- and create this user session
--
box.schema.user.create('uniuser')
---
...
box.schema.user.grant('uniuser', 'read, write, execute', 'universe')
---
...
session.su('uniuser')
---
...
uid = session.uid()
---
...
--
-- Check universal user
-- Check delete currently authenticated user
--
box.schema.user.drop('uniuser')
---
- error: Create, drop or alter access on role is denied for user 'uniuser'
...
--
--Check create, call and drop function
--box.schema.func.create('uniuser_func')
---
...
function uniuser_func() return 'hello' end
---
...
uniuser_func()
---
- hello
...
box.schema.func.drop('uniuser_func')
---
...
--
-- Check create and drop space
--
us = box.schema.space.create('uniuser_space')
---
...
us:drop()
---
...
--
-- Check create and drop user
--
box.schema.user.create('uniuser_testus')
---
...
box.schema.user.drop('uniuser_testus')
---
...
--
-- Check access system and any spaces
--
box.space.admin_space:select()
---
- - [2]
- [3]
...
box.space._user:select(1)
---
- - [1, 1, 'admin', 'user']
...
box.space._space:select(280)
---
- - [280, 1, '_space', 'memtx', 0, {}, [{'name': 'id', 'type': 'num'}, {'name': 'owner',
'type': 'num'}, {'name': 'name', 'type': 'str'}, {'name': 'engine', 'type': 'str'},
{'name': 'field_count', 'type': 'num'}, {'name': 'flags', 'type': 'str'}, {
'name': 'format', 'type': '*'}]]
...
us = box.schema.space.create('uniuser_space')
---
...
box.schema.func.create('uniuser_func')
---
...
session.su('admin')
---
...
box.schema.user.create('someuser')
---
...
box.schema.user.grant('someuser', 'read, write, execute', 'universe')
---
...
session.su('someuser')
---
...
--
-- Check drop objects of another user--
s:drop()
---
- error: Create, drop or alter access on space is denied for user 'someuser'
...
us:drop()
---
- error: Create, drop or alter access on space is denied for user 'someuser'
...
box.schema.func.drop('uniuser_func')
---
- error: Create, drop or alter access on function is denied for user 'someuser'
...
box.schema.user.drop('uniuser_testus')
---
- error: User 'uniuser_testus' is not found
...
session.su('admin')
---
...
box.schema.func.drop('uniuser_func')
---
...
box.schema.user.drop('someuser')
---
...
box.schema.user.drop('uniuser_testus')
---
- error: User 'uniuser_testus' is not found
...
box.schema.user.drop('uniuser')
---
...
box.space._user:delete(uid)
---
...
s:drop()
---
...
--
-- Check write grant on _user
--
box.schema.user.create('testuser')
---
...
maxuid = box.space._user.index.primary:max()[1]
---
...
box.schema.user.grant('testuser', 'write', 'space', '_user')
---
...
session.su('testuser')
---
...
testuser_uid = session.uid()
---
...
box.space._user:delete(2)
---
- error: Create, drop or alter access on user is denied for user 'testuser'
...
box.space._user:select(1)
---
- error: Read access is denied for user 'testuser' to space '_user'
...
uid = box.space._user:insert{maxuid+1, session.uid(), 'someone', 'user'}[1]
---
...
box.space._user:delete(uid)
---- [5, 4, 'someone', 'user']
...
session.su('admin')
---
...
box.space._user:select(1)
---
- - [1, 1, 'admin', 'user']
...
box.space._user:delete(testuser_uid)
---
- error: 'Failed to drop user or role ''testuser'': the user has objects'
...
box.schema.user.revoke('testuser', 'write', 'space', '_user')
---
...
--
-- Check read grant on _user
--
box.schema.user.grant('testuser', 'read', 'space', '_user')
---
...
session.su('testuser')
---
...
box.space._user:delete(2)
---
- error: Write access is denied for user 'testuser' to space '_user'
...
box.space._user:select(1)
---
- - [1, 1, 'admin', 'user']
...
box.space._user:insert{uid, session.uid(), 'someone2', 'user'}
---
- error: Write access is denied for user 'testuser' to space '_user'
...
session.su('admin')
---
...
--
-- Check read grant on _index
--
box.schema.user.grant('testuser', 'read', 'space', '_index')
---
...
session.su('testuser')
---
...
box.space._index:select(272)
---
- - [272, 0, 'primary', 'tree', {'unique': true}, [[0, 'str']]]
...
box.space._index:insert{512, 1,'owner','tree', 1, 1, 0,'num'}
---
- error: Write access is denied for user 'testuser' to space '_index'
...
session.su('admin')
---
...
box.schema.user.revoke('testuser', 'read, write, execute', 'universe')
---
- error: User 'testuser' does not have read, write, execute access on universe 'nil'
...
--
-- Check that itertors check privileges
--
s = box.schema.space.create('glade')
---
...box.schema.user.grant('testuser', 'read', 'space', 'glade')
---
...
index = s:create_index('primary', {unique = true, parts = {1, 'NUM', 2, 'STR'}})
---
...
s:insert({1, 'A'})
---
- [1, 'A']
...
s:insert({2, 'B'})
---
- [2, 'B']
...
s:insert({3, 'C'})
---
- [3, 'C']
...
s:insert({4, 'D'})
---
- [4, 'D']
...
t = {}
---
...
for key, v in s.index.primary:pairs(3, {iterator = 'GE'}) do table.insert (t, v) end
---
...
t
---
- - [3, 'C']
- [4, 'D']
...
t = {}
---
...
session.su('testuser')
---
...
s:select()
---
- - [1, 'A']
- [2, 'B']
- [3, 'C']
- [4, 'D']
...
for key, v in s.index.primary:pairs(3, {iterator = 'GE'}) do table.insert (t, v) end
---
...
t
---
- - [3, 'C']
- [4, 'D']
...
t = {}
---
...
session.su('admin')
---
...
box.schema.user.revoke('testuser', 'read', 'space', 'glade')
---
...
box.schema.user.grant('testuser', 'write', 'space', 'glade')
---
...
session.su('testuser')
---
...
s:select()---
- error: Read access is denied for user 'testuser' to space 'glade'
...
for key, v in s.index.primary:pairs(1, {iterator = 'GE'}) do table.insert (t, v) end
---
- error: Read access is denied for user 'testuser' to space 'glade'
...
t
---
- []
...
t = {}
---
...
session.su('admin')
---
...
box.schema.user.grant('testuser', 'read, write, execute', 'space', 'glade')
---
...
session.su('testuser')
---
...
s:select()
---
- - [1, 'A']
- [2, 'B']
- [3, 'C']
- [4, 'D']
...
for key, v in s.index.primary:pairs(3, {iterator = 'GE'}) do table.insert (t, v) end
---
...
t
---
- - [3, 'C']
- [4, 'D']
...
t = {}
---
...
session.su('guest')
---
...
s:select()
---
- error: Read access is denied for user 'guest' to space 'glade'
...
for key, v in s.index.primary:pairs(3, {iterator = 'GE'}) do table.insert (t, v) end
---
- error: Read access is denied for user 'guest' to space 'glade'
...
t
---
- []
...
t = {}
---
...
session.su('guest')
---
...
s:select()
---
- error: Read access is denied for user 'guest' to space 'glade'
...
for key, v in s.index.primary:pairs(3, {iterator = 'GE'}) do table.insert (t, v) end
---
- error: Read access is denied for user 'guest' to space 'glade'
...t
---
- []
...
session.su('admin')
---
...
box.schema.user.drop('testuser')
---
...
s:drop()
---
...
box.space._user:select()
---
- - [0, 1, 'guest', 'user']
- [1, 1, 'admin', 'user']
- [2, 1, 'public', 'role']
- [3, 1, 'replication', 'role']
...
box.space._space:select()
---
- - [272, 1, '_schema', 'memtx', 0, {}, [{'type': 'str', 'name': 'key'}]]
- [280, 1, '_space', 'memtx', 0, {}, [{'name': 'id', 'type': 'num'}, {'name': 'owner',
'type': 'num'}, {'name': 'name', 'type': 'str'}, {'name': 'engine', 'type': 'str'},
{'name': 'field_count', 'type': 'num'}, {'name': 'flags', 'type': 'str'}, {
'name': 'format', 'type': '*'}]]
- [281, 1, '_vspace', 'sysview', 0, {}, [{'name': 'id', 'type': 'num'}, {'name': 'owner',
'type': 'num'}, {'name': 'name', 'type': 'str'}, {'name': 'engine', 'type': 'str'},
{'name': 'field_count', 'type': 'num'}, {'name': 'flags', 'type': 'str'}, {
'name': 'format', 'type': '*'}]]
- [288, 1, '_index', 'memtx', 0, {}, [{'name': 'id', 'type': 'num'}, {'name': 'iid',
'type': 'num'}, {'name': 'name', 'type': 'str'}, {'name': 'type', 'type': 'str'},
{'name': 'opts', 'type': 'array'}, {'name': 'parts', 'type': 'array'}]]
- [289, 1, '_vindex', 'sysview', 0, {}, [{'name': 'id', 'type': 'num'}, {'name': 'iid',
'type': 'num'}, {'name': 'name', 'type': 'str'}, {'name': 'type', 'type': 'str'},
{'name': 'opts', 'type': 'array'}, {'name': 'parts', 'type': 'array'}]]
- [296, 1, '_func', 'memtx', 0, {}, [{'name': 'id', 'type': 'num'}, {'name': 'owner',
'type': 'num'}, {'name': 'name', 'type': 'str'}, {'name': 'setuid', 'type': 'num'}]]
- [297, 1, '_vfunc', 'sysview', 0, {}, [{'name': 'id', 'type': 'num'}, {'name': 'owner',
'type': 'num'}, {'name': 'name', 'type': 'str'}, {'name': 'setuid', 'type': 'num'}]]
- [304, 1, '_user', 'memtx', 0, {}, [{'name': 'id', 'type': 'num'}, {'name': 'owner',
'type': 'num'}, {'name': 'name', 'type': 'str'}, {'name': 'type', 'type': 'str'},
{'name': 'auth', 'type': '*'}]]
- [305, 1, '_vuser', 'sysview', 0, {}, [{'name': 'id', 'type': 'num'}, {'name': 'owner',
'type': 'num'}, {'name': 'name', 'type': 'str'}, {'name': 'type', 'type': 'str'},
{'name': 'auth', 'type': '*'}]]
- [312, 1, '_priv', 'memtx', 0, {}, [{'name': 'grantor', 'type': 'num'}, {'name': 'grantee',
'type': 'num'}, {'name': 'object_type', 'type': 'str'}, {'name': 'object_id',
'type': 'num'}, {'name': 'privilege', 'type': 'num'}]]
- [313, 1, '_vpriv', 'sysview', 0, {}, [{'name': 'grantor', 'type': 'num'}, {'name': 'grantee',
'type': 'num'}, {'name': 'object_type', 'type': 'str'}, {'name': 'object_id',
'type': 'num'}, {'name': 'privilege', 'type': 'num'}]]
- [320, 1, '_cluster', 'memtx', 0, {}, [{'name': 'id', 'type': 'num'}, {'name': 'uuid',
'type': 'str'}]]
...
box.space._func:select()
---
- - [1, 1, 'box.schema.user.info', 1, 'LUA']
...
session = nil
---
...