box: public role rw access on _session_settings

The _session_settings space is a virtual space which only contains information about the current session, hence, it should be accessible by everyone without granting any additional privileges. New users are granted public role by default: grant read,write access on _session_settings space to public role. Closes #6310 @TarantoolBot document Title: public role rw access on _session_settings space Public role (which is granted to new users by default) now has read, write access on _session_settings_space.

box: public role rw access on _session_settings
18eae244 · Georgiy Lebedev · Nikita Pettik · 2bbd13b4 · 18eae244 · 18eae244
Commit 18eae244 authored 3 years ago by Georgiy Lebedev Committed by Nikita Pettik 3 years ago
--- a/changelogs/unreleased/gh-6310-grant-rw-access-on-_session_settings-space-to-public-role.md
+++ b/changelogs/unreleased/gh-6310-grant-rw-access-on-_session_settings-space-to-public-role.md
+## feature/box
+
+* Public role now has read, write access on _session_settings space (gh-6310).
--- a/src/box/bootstrap.snap
+++ b/src/box/bootstrap.snap
--- a/src/box/lua/upgrade.lua
+++ b/src/box/lua/upgrade.lua
@@ -1212,6 +1212,19 @@ local function upgrade_to_2_9_1()
    remove_sql_builtin_functions_from_func()
 end

+--------------------------------------------------------------------------------
+-- Tarantool 2.10.1
+--------------------------------------------------------------------------------
+local function grant_rw_access_on__session_settings_to_role_public()
+    local _priv = box.space[box.schema.PRIV_ID]
+    log.info("grant read,write access on _session_settings space to public role")
+    _priv:insert({ADMIN, PUBLIC, 'space', box.schema.SESSION_SETTINGS_ID,
+                  box.priv.R + box.priv.W})
+end
+
+local function upgrade_to_2_10_1()
+    grant_rw_access_on__session_settings_to_role_public()
+end
 --------------------------------------------------------------------------------

 local handlers = {
@@ -1229,6 +1242,7 @@ local handlers = {
    {version = mkversion(2, 3, 1), func = upgrade_to_2_3_1, auto = true},
    {version = mkversion(2, 7, 1), func = upgrade_to_2_7_1, auto = true},
    {version = mkversion(2, 9, 1), func = upgrade_to_2_9_1, auto = true},
+    {version = mkversion(2, 10, 1), func = upgrade_to_2_10_1, auto = true},
 }

 -- Schema version of the snapshot.

--- a/test/box-luatest/gh_6310_grant_rw_access_on__session_settings_space_to_public_role_test.lua
+++ b/test/box-luatest/gh_6310_grant_rw_access_on__session_settings_space_to_public_role_test.lua
+local cluster = require('test.luatest_helpers.cluster')
+local t = require('luatest')
+
+local g = t.group('gh-6310-grant-rw-access-on-_session_settings-space-to-public-role')
+
+g.before_all(function()
+    local helpers = require('test.luatest_helpers')
+
+    g.cluster = cluster:new({})
+
+    local bootstrap_box_cfg = {
+        listen = helpers.instance_uri('bootstrap'),
+    }
+    g.bootstrap = g.cluster:build_and_add_server({alias   = 'bootstrap',
+                                                  box_cfg = bootstrap_box_cfg})
+
+    local data_dir = 'test/box-luatest/upgrade/2.9.1'
+    local upgrade_box_cfg = {
+        listen   = helpers.instance_uri('upgrade'),
+    }
+    g.upgrade = g.cluster:build_and_add_server({alias   = 'upgrade',
+                                                datadir = data_dir,
+                                                box_cfg = upgrade_box_cfg})
+
+    g.cluster:start()
+end)
+
+g.after_all(function()
+    g.cluster:drop()
+end)
+
+g.test_boostrap = function()
+    g.bootstrap:exec(function()
+        local t = require('luatest')
+
+        local _session_settings_privs
+        local public_privs = box.schema.role.info('public')
+        for _, priv in pairs(public_privs) do
+            if priv[3] == '_session_settings' then
+                _session_settings_privs = priv[1]
+            end
+        end
+        local msg = 'public role has read,write access on ' ..
+                    '_session_settings space on bootstrapped instance'
+        t.assert(_session_settings_privs and
+                 _session_settings_privs:find('read,write'), msg)
+
+        box.schema.user.create('test')
+        box.session.su('test')
+        local _session_settings = box.space._session_settings
+        msg = 'newly created user has read access on _session_settings space'
+        t.assert(pcall(_session_settings.select, _session_settings), msg)
+        msg = 'newly created user has write access on _session_settings space'
+        t.assert(pcall(_session_settings.update, _session_settings,
+                       'sql_default_engine', {{'=', 2, 'vinyl'}}), msg)
+    end)
+end
+
+g.test_upgrade = function()
+    g.upgrade:exec(function()
+        local t = require('luatest')
+
+        box.schema.upgrade()
+        local _session_settings_privs
+        local public_privs = box.schema.role.info('public')
+        for _, priv in pairs(public_privs) do
+            if priv[3] == '_session_settings' then
+                _session_settings_privs = priv[1]
+            end
+        end
+        local msg = 'public role has read,write access on ' ..
+                '_session_settings space on upgraded instance'
+        t.assert(_session_settings_privs and
+                 _session_settings_privs:find('read,write'), msg)
+
+        box.schema.user.create('test')
+        box.session.su('test')
+        local _session_settings = box.space._session_settings
+        msg = 'newly created user has read access on _session_settings space'
+        t.assert(pcall(_session_settings.select, _session_settings), msg)
+        msg = 'newly created user has write access on _session_settings space'
+        t.assert(pcall(_session_settings.update, _session_settings,
+                       'sql_default_engine', {{'=', 2, 'vinyl'}}), msg)
+    end)
+end
--- a/test/box-luatest/upgrade/2.9.1/00000000000000000000.snap
+++ b/test/box-luatest/upgrade/2.9.1/00000000000000000000.snap
--- a/test/box-luatest/upgrade/2.9.1/00000000000000000000.xlog
+++ b/test/box-luatest/upgrade/2.9.1/00000000000000000000.xlog
--- a/test/box-py/bootstrap.result
+++ b/test/box-py/bootstrap.result
@@ -4,7 +4,7 @@ box.internal.bootstrap()
 box.space._schema:select{}
 ---
 - - ['max_id', 511]
-  - ['version', 2, 9, 1]
+  - ['version', 2, 10, 1]
 ...
 box.space._cluster:select{}
 ---
@@ -186,6 +186,7 @@ box.space._priv:select{}
  - [1, 2, 'space', 305, 1]
  - [1, 2, 'space', 313, 1]
  - [1, 2, 'space', 330, 2]
+  - [1, 2, 'space', 380, 3]
  - [1, 3, 'space', 320, 2]
  - [1, 3, 'universe', 0, 1]
  - [1, 31, 'universe', 0, 4294967295]

--- a/test/box/access_sysview.result
+++ b/test/box/access_sysview.result
@@ -150,11 +150,11 @@ box.session.su('guest')
 ...
 #box.space._vspace:select{}
 ---
- 9
+- 10
 ...
 #box.space._vindex:select{}
 ---
- 22
+- 23
 ...
 #box.space._vcollation:select{}
 ---
@@ -258,7 +258,7 @@ box.session.su('guest')
 ...
 #box.space._vpriv:select{}
 ---
- 17
+- 18
 ...
 #box.space._vfunc:select{}
 ---
@@ -290,7 +290,7 @@ box.session.su('guest')
 ...
 #box.space._vpriv:select{}
 ---
- 17
+- 18
 ...
 #box.space._vfunc:select{}
 ---