config: delayed privilege alert doesn't get stuck now
The declarative configuration has the `credentials` section that describes users and their privileges. It is OK to have privileges for a space/function/sequence that does not exist. Such a privilege will lead to an alert that states that the privilege will be granted when the object is created.

The problem that is fixed by this commit is that such an alert was not dropped when the object is created and the relevant privileges are granted.

There are several ways to solve the problem. Let's look at them.

1. When a privilege is granted, drop an alert if any.
2. After the config-database privilege synchronization, revisit alerts to drop all obsolete ones.
3. Drop all the alerts regarding missed privileges before the config-database privilege synchronization and issue actual alerts afterwards.

The first way is the simplest, but it doesn't cover one specific scenario: an object rename. Let's assume that the object T has privileges declared in the configuration and the object doesn't exist. There is an alert regarding it. Now, object S is renamed to T. Let's assume that S had some or all the privileges needed for T according to the configuration.

In the given scenario, we don't need to grant some or all of the privileges and, so, the first solution doesn't work. We don't reach the code that grants the privileges and, so, dropping alerts at this point has no effect.

The second and the third solutions are similar and mainly differ in how complicated the code is. The third one is implemented here with the idea of simplifying the code.

The internal `aboard` module has the following changes.

1. The `aboard` module now ignores underscored fields of an alert on its serialization to allow a caller to store machine-readable information in them.
2. The new method `:drop_if()` is added to perform a conditional alert drop.

Several unit test cases are updated, because now we always need initialized `config._aboard` for testing of the credentials applier.

Fixes #9574

NO_DOC=bugfix
Showing
- changelogs/unreleased/config-stuck-privilege-granting-alert.md (4 additions, 0 deletions)
- src/box/lua/config/applier/credentials.lua (59 additions, 6 deletions)
- src/box/lua/config/utils/aboard.lua (38 additions, 2 deletions)
- test/config-luatest/appliers_test.lua (5 additions, 1 deletion)
- test/config-luatest/credentials_applier_test.lua (317 additions, 9 deletions)
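
The third approach and the two `aboard` changes described in the commit message, as an added Lua sketch that is not the commit's code. The board object, `set`, `serialize`, `sync`, the `drop_if(pred)` signature and the `_missed_privilege` field are assumptions, and the sample state is constructed.

```lua
-- Toy alert board, not Tarantool's aboard module; only the drop_if name
-- comes from the commit message, its signature here is an assumption.
local board = {alerts = {}}
function board:set(key, alert) self.alerts[key] = alert end
function board:drop_if(pred)
    for key, alert in pairs(self.alerts) do
        if pred(key, alert) then self.alerts[key] = nil end
    end
end
-- User-visible view: fields starting with "_" are skipped.
function board:serialize()
    local res = {}
    for _, alert in pairs(self.alerts) do
        local out = {}
        for k, v in pairs(alert) do
            if k:sub(1, 1) ~= '_' then out[k] = v end
        end
        table.insert(res, out)
    end
    return res
end

-- Constructed state: the config declares 'read' on T for user 'alice'.
local declared = {{user = 'alice', obj = 'T', priv = 'read'}}
local existing = {} -- object name -> set of granted "user:priv"
local function sync()
    -- Third approach: drop every missed-privilege alert up front...
    board:drop_if(function(_, a) return a._missed_privilege end)
    for _, d in ipairs(declared) do
        local id, grants = d.user .. ':' .. d.priv, existing[d.obj]
        if grants == nil then
            -- ...and re-issue only the ones that still hold.
            board:set(d.obj .. '/' .. id, {
                type = 'warn',
                message = d.priv .. ' on ' .. d.obj .. ' is delayed',
                _missed_privilege = true, -- hypothetical marker field
            })
        elseif not grants[id] then
            grants[id] = true -- grant path, skipped if already granted
        end
    end
end

sync()
local view = board:serialize()
assert(#view == 1 and view[1]._missed_privilege == nil)
existing.T = {['alice:read'] = true} -- S renamed to T, already granted
sync() -- nothing is granted, yet the stale alert is gone
assert(#board:serialize() == 0)
```

The second `sync()` never reaches the grant branch, which is the rename case where dropping the alert at grant time would leave it behind.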