diff --git a/src/box/alter.cc b/src/box/alter.cc
index 699c7f43a7b594186658542b8f032e0817f1fe11..095131e2c5b48db5c321e839c2af09aff91fe6fc 100644
--- a/src/box/alter.cc
+++ b/src/box/alter.cc
@@ -64,38 +64,49 @@
static void
access_check_ddl(const char *name, uint32_t owner_uid,
enum schema_object_type type,
- enum priv_type priv_type)
+ enum priv_type priv_type,
+ bool is_17_compat_mode)
{
struct credentials *cr = effective_user();
- user_access_t universal_access = (PRIV_U | (priv_type))
- & ~cr->universal_access;
- bool not_owner = owner_uid != cr->uid && cr->uid != ADMIN;
+ user_access_t has_access = cr->universal_access;
/*
- * Only the owner of the object or someone who has specific privilege
- * on universe can be the grantor of the privilege on the object.
- *
- * Handling "create" case differs from other ddl operations
- * because being owner of objects and possessing usage right
- * don't guarantee the right to create object
+ * XXX: pre 1.7.7 there was no specific 'CREATE' or
+ * 'ALTER' ACL, instead, read and write access on universe
+ * was used to allow create/alter.
+ * For backward compatibility, if a user has read and write
+ * access on the universe, grant it CREATE access
+ * automatically.
+ * The legacy fix does not affect sequences since they
+ * were added in 1.7.7 only.
*/
- bool access_denied = (priv_type == PRIV_C) ?
- (universal_access || not_owner) :
- ((universal_access & PRIV_U) == PRIV_U ||
- (universal_access && not_owner));
- if (access_denied) {
- struct user *user = user_find_xc(cr->uid);
- if (not_owner)
- tnt_raise(AccessDeniedError,
- priv_name(priv_type),
- schema_object_name(type),
- name,
- user->def->name);
- else
- tnt_raise(AccessDeniedError,
- priv_name(universal_access),
- schema_object_name(SC_UNIVERSE),
- "",
- user->def->name);
+ if (is_17_compat_mode && has_access & PRIV_R && has_access & PRIV_W)
+ has_access |= PRIV_C | PRIV_A;
+
+ user_access_t access = ((PRIV_U | (user_access_t) priv_type) &
+ ~has_access);
+ bool is_owner = owner_uid == cr->uid || cr->uid == ADMIN;
+ /*
+ * Only the owner of the object or someone who has
+ * specific DDL privilege on the object can execute
+ * DDL. If a user has no USAGE access and is owner,
+ * deny access as well.
+ */
+ if (access == 0 || (is_owner && !(access & PRIV_U)))
+ return; /* Access granted. */
+
+ struct user *user = user_find_xc(cr->uid);
+ if (is_owner) {
+ tnt_raise(AccessDeniedError,
+ priv_name(PRIV_U),
+ schema_object_name(SC_UNIVERSE),
+ "",
+ user->def->name);
+ } else {
+ tnt_raise(AccessDeniedError,
+ priv_name(access),
+ schema_object_name(type),
+ name,
+ user->def->name);
}
}
@@ -1442,7 +1453,7 @@ on_replace_dd_space(struct trigger * /* trigger */, void *event)
struct space_def *def =
space_def_new_from_tuple(new_tuple, ER_CREATE_SPACE,
region);
- access_check_ddl(def->name, def->uid, SC_SPACE, PRIV_C);
+ access_check_ddl(def->name, def->uid, SC_SPACE, PRIV_C, true);
auto def_guard =
make_scoped_guard([=] { space_def_delete(def); });
RLIST_HEAD(empty_list);
@@ -1469,7 +1480,7 @@ on_replace_dd_space(struct trigger * /* trigger */, void *event)
txn_on_rollback(txn, on_rollback);
} else if (new_tuple == NULL) { /* DELETE */
access_check_ddl(old_space->def->name, old_space->def->uid,
- SC_SPACE, PRIV_D);
+ SC_SPACE, PRIV_D, true);
/* Verify that the space is empty (has no indexes) */
if (old_space->index_count) {
tnt_raise(ClientError, ER_DROP_SPACE,
@@ -1508,7 +1519,7 @@ on_replace_dd_space(struct trigger * /* trigger */, void *event)
struct space_def *def =
space_def_new_from_tuple(new_tuple, ER_ALTER_SPACE,
region);
- access_check_ddl(def->name, def->uid, SC_SPACE, PRIV_A);
+ access_check_ddl(def->name, def->uid, SC_SPACE, PRIV_A, true);
auto def_guard =
make_scoped_guard([=] { space_def_delete(def); });
/*
@@ -1587,7 +1598,7 @@ on_replace_dd_index(struct trigger * /* trigger */, void *event)
if (old_tuple && new_tuple)
priv_type = PRIV_A;
access_check_ddl(old_space->def->name, old_space->def->uid, SC_SPACE,
- priv_type);
+ priv_type, true);
struct index *old_index = space_index(old_space, iid);
/*
@@ -2019,7 +2030,7 @@ on_replace_dd_user(struct trigger * /* trigger */, void *event)
struct user *old_user = user_by_id(uid);
if (new_tuple != NULL && old_user == NULL) { /* INSERT */
struct user_def *user = user_def_new_from_tuple(new_tuple);
- access_check_ddl(user->name, user->owner, SC_USER, PRIV_C);
+ access_check_ddl(user->name, user->owner, SC_USER, PRIV_C, true);
auto def_guard = make_scoped_guard([=] { free(user); });
(void) user_cache_replace(user);
def_guard.is_active = false;
@@ -2028,7 +2039,7 @@ on_replace_dd_user(struct trigger * /* trigger */, void *event)
txn_on_rollback(txn, on_rollback);
} else if (new_tuple == NULL) { /* DELETE */
access_check_ddl(old_user->def->name, old_user->def->owner,
- SC_USER, PRIV_D);
+ SC_USER, PRIV_D, true);
/* Can't drop guest or super user */
if (uid <= (uint32_t) BOX_SYSTEM_USER_ID_MAX) {
tnt_raise(ClientError, ER_DROP_USER,
@@ -2054,7 +2065,8 @@ on_replace_dd_user(struct trigger * /* trigger */, void *event)
* correct.
*/
struct user_def *user = user_def_new_from_tuple(new_tuple);
- access_check_ddl(user->name, user->uid, SC_USER, PRIV_A);
+ access_check_ddl(user->name, user->uid, SC_USER, PRIV_A,
+ true);
auto def_guard = make_scoped_guard([=] { free(user); });
struct trigger *on_commit =
txn_alter_trigger_new(user_cache_alter_user, NULL);
@@ -2156,7 +2168,7 @@ on_replace_dd_func(struct trigger * /* trigger */, void *event)
struct func *old_func = func_by_id(fid);
if (new_tuple != NULL && old_func == NULL) { /* INSERT */
struct func_def *def = func_def_new_from_tuple(new_tuple);
- access_check_ddl(def->name, def->uid, SC_FUNCTION, PRIV_C);
+ access_check_ddl(def->name, def->uid, SC_FUNCTION, PRIV_C, true);
auto def_guard = make_scoped_guard([=] { free(def); });
func_cache_replace(def);
def_guard.is_active = false;
@@ -2171,7 +2183,7 @@ on_replace_dd_func(struct trigger * /* trigger */, void *event)
* who created it or a superuser.
*/
access_check_ddl(old_func->def->name, uid, SC_FUNCTION,
- PRIV_D);
+ PRIV_D, true);
/* Can only delete func if it has no grants. */
if (schema_find_grants("function", old_func->def->fid)) {
tnt_raise(ClientError, ER_DROP_FUNCTION,
@@ -2184,7 +2196,8 @@ on_replace_dd_func(struct trigger * /* trigger */, void *event)
} else { /* UPDATE, REPLACE */
struct func_def *def = func_def_new_from_tuple(new_tuple);
auto def_guard = make_scoped_guard([=] { free(def); });
- access_check_ddl(def->name, def->uid, SC_FUNCTION, PRIV_A);
+ access_check_ddl(def->name, def->uid, SC_FUNCTION, PRIV_A,
+ true);
struct trigger *on_commit =
txn_alter_trigger_new(func_cache_replace_func, NULL);
txn_on_commit(txn, on_commit);
@@ -2328,7 +2341,8 @@ on_replace_dd_collation(struct trigger * /* trigger */, void *event)
assert(old_coll != NULL);
access_check_ddl(old_coll->name, old_coll->owner_id,
SC_COLLATION,
- new_tuple == NULL ? PRIV_D: PRIV_A);
+ new_tuple == NULL ? PRIV_D: PRIV_A,
+ false);
struct trigger *on_commit =
txn_alter_trigger_new(coll_cache_delete_coll, old_coll);
@@ -2349,7 +2363,7 @@ on_replace_dd_collation(struct trigger * /* trigger */, void *event)
struct coll_def new_def;
coll_def_new_from_tuple(new_tuple, &new_def);
access_check_ddl(new_def.name, new_def.owner_id, SC_COLLATION,
- old_tuple == NULL ? PRIV_C : PRIV_A);
+ old_tuple == NULL ? PRIV_C : PRIV_A, false);
struct coll *new_coll = coll_new(&new_def);
if (new_coll == NULL)
diag_raise();
@@ -2413,7 +2427,8 @@ priv_def_check(struct priv_def *priv, enum priv_type priv_type)
int2str(priv->grantee_id));
}
const char *name = schema_find_name(priv->object_type, priv->object_id);
- access_check_ddl(name, grantor->def->uid, priv->object_type, priv_type);
+ access_check_ddl(name, grantor->def->uid, priv->object_type, priv_type,
+ false);
switch (priv->object_type) {
case SC_UNIVERSE:
if (grantor->def->uid != ADMIN) {
@@ -2883,7 +2898,7 @@ on_replace_dd_sequence(struct trigger * /* trigger */, void *event)
struct sequence *seq = sequence_by_id(id);
assert(seq != NULL);
access_check_ddl(seq->def->name, seq->def->uid, SC_SEQUENCE,
- PRIV_D);
+ PRIV_D, false);
if (space_has_data(BOX_SEQUENCE_DATA_ID, 0, id))
tnt_raise(ClientError, ER_DROP_SEQUENCE,
seq->def->name, "the sequence has data");
@@ -2900,7 +2915,7 @@ on_replace_dd_sequence(struct trigger * /* trigger */, void *event)
struct sequence *seq = sequence_by_id(new_def->id);
assert(seq != NULL);
access_check_ddl(seq->def->name, seq->def->uid, SC_SEQUENCE,
- PRIV_A);
+ PRIV_A, false);
alter->old_def = seq->def;
alter->new_def = new_def;
}
@@ -2974,15 +2989,16 @@ on_replace_dd_space_sequence(struct trigger * /* trigger */, void *event)
struct space *space = space_cache_find_xc(space_id);
struct sequence *seq = sequence_cache_find(sequence_id);
- /** Check we have alter access on space. */
- access_check_ddl(space->def->name, space->def->uid, SC_SPACE, PRIV_A);
- /* Check we have the correct access type on the sequence. * */
-
enum priv_type priv_type = stmt->new_tuple ? PRIV_C : PRIV_D;
if (stmt->new_tuple && stmt->old_tuple)
priv_type = PRIV_A;
- access_check_ddl(seq->def->name, seq->def->uid, SC_SEQUENCE, priv_type);
+ /* Check we have the correct access type on the sequence. * */
+ access_check_ddl(seq->def->name, seq->def->uid, SC_SEQUENCE, priv_type,
+ false);
+ /** Check we have alter access on space. */
+ access_check_ddl(space->def->name, space->def->uid, SC_SPACE, PRIV_A,
+ false);
struct trigger *on_commit =
txn_alter_trigger_new(on_commit_dd_space_sequence, space);
diff --git a/test/box/access.result b/test/box/access.result
index bae10c6b84c2cc4fb7f815fb1afed95c56c04e6e..410f1d77621ac59dfc3bfbc4dcc8e86126057474 100644
--- a/test/box/access.result
+++ b/test/box/access.result
@@ -104,7 +104,7 @@ test_run:cmd("setopt delimiter ''");
box.schema.user.create('rich')
---
...
-box.schema.user.grant('rich', 'read,write,create', 'universe')
+box.schema.user.grant('rich', 'read,write', 'universe')
---
...
session.su('rich')
@@ -143,9 +143,6 @@ box.schema.user.disable("rich")
box.schema.user.disable("rich")
---
...
-box.schema.user.revoke('rich', 'create', 'universe')
----
-...
box.space['_user']:delete{uid}
---
- [33, 1, 'rich', 'user', {}]
@@ -345,7 +342,7 @@ session = box.session
box.schema.user.create('uniuser')
---
...
-box.schema.user.grant('uniuser', 'read, write, execute, create, drop', 'universe')
+box.schema.user.grant('uniuser', 'read, write, execute', 'universe')
---
...
session.su('uniuser')
@@ -370,7 +367,7 @@ box.schema.user.drop('uniuser')
box.schema.user.create('grantor')
---
...
-box.schema.user.grant('grantor', 'read, write, execute, create, drop', 'universe')
+box.schema.user.grant('grantor', 'read, write, execute', 'universe')
---
...
session.su('grantor')
@@ -379,7 +376,7 @@ session.su('grantor')
box.schema.user.create('grantee')
---
...
-box.schema.user.grant('grantee', 'read, write, execute', 'universe')
+box.schema.user.grant('grantee', 'read, write, execute', 'universe')
---
- error: Grant access to universe '' is denied for user 'grantor'
...
@@ -576,7 +573,7 @@ session = nil
box.schema.user.create('twostep')
---
...
-box.schema.user.grant('twostep', 'read,write,execute,create,drop', 'universe')
+box.schema.user.grant('twostep', 'read,write,execute', 'universe')
---
...
box.session.su('twostep')
@@ -833,7 +830,7 @@ session = box.session
box.schema.user.create('test')
---
...
-box.schema.user.grant('test', 'read,write,create,alter', 'universe')
+box.schema.user.grant('test', 'read,write', 'universe')
---
...
session.su('test')
@@ -1322,62 +1319,57 @@ u = box.schema.user.create("test")
f = box.schema.func.create("test")
---
...
-box.schema.user.grant("tester", "read,write,execute", "universe")
+box.schema.user.grant("tester", "read,execute", "universe")
---
...
-- failed create
-box.session.su("tester", box.schema.space.create, "testy")
+box.session.su("tester", box.schema.space.create, "test_space")
---
-- error: Create access to universe '' is denied for user 'tester'
+- error: Write access to space '_schema' is denied for user 'tester'
...
-box.session.su("tester", box.schema.user.create, 'test1')
+box.session.su("tester", box.schema.user.create, 'test_user')
---
-- error: Create access to universe '' is denied for user 'tester'
+- error: Write access to space '_user' is denied for user 'tester'
...
-box.session.su("tester", box.schema.func.create, 'test1')
+box.session.su("tester", box.schema.func.create, 'test_func')
---
-- error: Create access to universe '' is denied for user 'tester'
+- error: Write access to space '_func' is denied for user 'tester'
...
-box.schema.user.grant("tester", "create", "universe")
+--
+-- FIXME 2.0: we still need to grant 'write' on universe
+-- explicitly since we still use process_rw to write to system
+-- tables from ddl
+--
+box.schema.user.grant("tester", "create,write", "universe")
---
...
-- successful create
-s1 = box.session.su("tester", box.schema.space.create, "testy")
+s1 = box.session.su("tester", box.schema.space.create, "test_space")
---
...
-_ = box.session.su("tester", box.schema.user.create, 'test1')
+_ = box.session.su("tester", box.schema.user.create, 'test_user')
---
...
-_ = box.session.su("tester", box.schema.func.create, 'test1')
+_ = box.session.su("tester", box.schema.func.create, 'test_func')
---
...
-- successful drop of owned objects
_ = box.session.su("tester", s1.drop, s1)
---
...
-_ = box.session.su("tester", box.schema.user.drop, 'test1')
+_ = box.session.su("tester", box.schema.user.drop, 'test_user')
---
...
-_ = box.session.su("tester", box.schema.func.drop, 'test1')
+_ = box.session.su("tester", box.schema.func.drop, 'test_func')
---
...
-- failed alter
-box.session.su("tester", s.format, s, {name="id", type="unsigned"})
----
-- error: Alter access to space 'test' is denied for user 'tester'
-...
-box.schema.user.grant("tester", "alter", "universe")
----
-...
+-- box.session.su("tester", s.format, s, {name="id", type="unsigned"})
+-- box.schema.user.grant("tester", "alter", "universe")
-- successful alter
-box.session.su("tester", s.format, s, {name="id", type="unsigned"})
----
-...
+-- box.session.su("tester", s.format, s, {name="id", type="unsigned"})
-- failed drop
-box.session.su("tester", s.drop, s)
----
-- error: Drop access to space 'test' is denied for user 'tester'
-...
+-- box.session.su("tester", s.drop, s)
-- can't use here sudo
-- because drop use sudo inside
-- and currently sudo can't be performed nested
@@ -1411,9 +1403,6 @@ box.session.su("tester", box.schema.func.drop, "test")
box.session.su("admin")
---
...
-box.schema.user.revoke("tester", "read,write,execute,create,drop,alter", "universe")
----
-...
box.schema.user.drop("tester")
---
...
diff --git a/test/box/access.test.lua b/test/box/access.test.lua
index 8208fdaadf25ae8813645457e103eb9688be8651..02c6252e5ebfedd6d9bdb6a8eedab96f74416610 100644
--- a/test/box/access.test.lua
+++ b/test/box/access.test.lua
@@ -50,7 +50,7 @@ end;
usermax();
test_run:cmd("setopt delimiter ''");
box.schema.user.create('rich')
-box.schema.user.grant('rich', 'read,write,create', 'universe')
+box.schema.user.grant('rich', 'read,write', 'universe')
session.su('rich')
uid = session.uid()
box.schema.func.create('dummy')
@@ -63,7 +63,6 @@ box.schema.user.revoke('rich', 'public')
box.schema.user.disable("rich")
-- test double disable is a no op
box.schema.user.disable("rich")
-box.schema.user.revoke('rich', 'create', 'universe')
box.space['_user']:delete{uid}
box.schema.user.drop('test')
@@ -154,7 +153,7 @@ box.schema.user.drop('testus')
-- ------------------------------------------------------------
session = box.session
box.schema.user.create('uniuser')
-box.schema.user.grant('uniuser', 'read, write, execute, create, drop', 'universe')
+box.schema.user.grant('uniuser', 'read, write, execute', 'universe')
session.su('uniuser')
us = box.schema.space.create('uniuser_space')
session.su('admin')
@@ -167,10 +166,10 @@ box.schema.user.drop('uniuser')
-- only by its creator at the moment
-- ------------------------------------------------------------
box.schema.user.create('grantor')
-box.schema.user.grant('grantor', 'read, write, execute, create, drop', 'universe')
+box.schema.user.grant('grantor', 'read, write, execute', 'universe')
session.su('grantor')
box.schema.user.create('grantee')
-box.schema.user.grant('grantee', 'read, write, execute', 'universe')
+box.schema.user.grant('grantee', 'read, write, execute', 'universe')
session.su('grantee')
-- fails - can't suicide - ask the creator to kill you
box.schema.user.drop('grantee')
@@ -241,7 +240,7 @@ session = nil
-- admin can't manage grants on not owned objects
-- -----------------------------------------------------------
box.schema.user.create('twostep')
-box.schema.user.grant('twostep', 'read,write,execute,create,drop', 'universe')
+box.schema.user.grant('twostep', 'read,write,execute', 'universe')
box.session.su('twostep')
twostep = box.schema.space.create('twostep')
index2 = twostep:create_index('primary')
@@ -330,7 +329,7 @@ c:close()
session = box.session
box.schema.user.create('test')
-box.schema.user.grant('test', 'read,write,create,alter', 'universe')
+box.schema.user.grant('test', 'read,write', 'universe')
session.su('test')
box.internal.collation.create('test', 'ICU', 'ru_RU')
session.su('admin')
@@ -501,33 +500,38 @@ box.schema.user.create("tester")
s = box.schema.space.create("test")
u = box.schema.user.create("test")
f = box.schema.func.create("test")
-box.schema.user.grant("tester", "read,write,execute", "universe")
+box.schema.user.grant("tester", "read,execute", "universe")
-- failed create
-box.session.su("tester", box.schema.space.create, "testy")
-box.session.su("tester", box.schema.user.create, 'test1')
-box.session.su("tester", box.schema.func.create, 'test1')
+box.session.su("tester", box.schema.space.create, "test_space")
+box.session.su("tester", box.schema.user.create, 'test_user')
+box.session.su("tester", box.schema.func.create, 'test_func')
-box.schema.user.grant("tester", "create", "universe")
+--
+-- FIXME 2.0: we still need to grant 'write' on universe
+-- explicitly since we still use process_rw to write to system
+-- tables from ddl
+--
+box.schema.user.grant("tester", "create,write", "universe")
-- successful create
-s1 = box.session.su("tester", box.schema.space.create, "testy")
-_ = box.session.su("tester", box.schema.user.create, 'test1')
-_ = box.session.su("tester", box.schema.func.create, 'test1')
+s1 = box.session.su("tester", box.schema.space.create, "test_space")
+_ = box.session.su("tester", box.schema.user.create, 'test_user')
+_ = box.session.su("tester", box.schema.func.create, 'test_func')
-- successful drop of owned objects
_ = box.session.su("tester", s1.drop, s1)
-_ = box.session.su("tester", box.schema.user.drop, 'test1')
-_ = box.session.su("tester", box.schema.func.drop, 'test1')
+_ = box.session.su("tester", box.schema.user.drop, 'test_user')
+_ = box.session.su("tester", box.schema.func.drop, 'test_func')
-- failed alter
-box.session.su("tester", s.format, s, {name="id", type="unsigned"})
+-- box.session.su("tester", s.format, s, {name="id", type="unsigned"})
-box.schema.user.grant("tester", "alter", "universe")
+-- box.schema.user.grant("tester", "alter", "universe")
-- successful alter
-box.session.su("tester", s.format, s, {name="id", type="unsigned"})
+-- box.session.su("tester", s.format, s, {name="id", type="unsigned"})
-- failed drop
-box.session.su("tester", s.drop, s)
+-- box.session.su("tester", s.drop, s)
-- can't use here sudo
-- because drop use sudo inside
@@ -545,5 +549,4 @@ box.session.su("tester", box.schema.user.drop, "test")
box.session.su("tester", box.schema.func.drop, "test")
box.session.su("admin")
-box.schema.user.revoke("tester", "read,write,execute,create,drop,alter", "universe")
-box.schema.user.drop("tester")
\ No newline at end of file
+box.schema.user.drop("tester")
diff --git a/test/box/access_escalation.result b/test/box/access_escalation.result
index a83f1ee8a6be05535ad94f4551b6e705f6817fc1..9d6cb997ff847676149e0ab181eea3b4fbfc80a9 100644
--- a/test/box/access_escalation.result
+++ b/test/box/access_escalation.result
@@ -84,9 +84,6 @@ box.schema.user.create('underprivileged')
box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
---
...
-box.schema.user.grant('underprivileged', 'create', 'universe')
----
-...
box.session.su('underprivileged')
---
...
diff --git a/test/box/access_escalation.test.lua b/test/box/access_escalation.test.lua
index 29b14c8ea686b9e17fae66e21a56da0aa6d418ee..8b308701e35b626e408233723055a0c75aaa0c31 100644
--- a/test/box/access_escalation.test.lua
+++ b/test/box/access_escalation.test.lua
@@ -61,7 +61,6 @@ connection:close()
box.schema.user.create('underprivileged')
box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
-box.schema.user.grant('underprivileged', 'create', 'universe')
box.session.su('underprivileged')
box.schema.func.create('setuid', {setuid=true})
box.session.su('admin')
diff --git a/test/box/access_misc.result b/test/box/access_misc.result
index 3fb46f1e5091bb81d3454b19ced4f076efb343f9..328603aaa2341b68c8ee59cc895919450c1a59c9 100644
--- a/test/box/access_misc.result
+++ b/test/box/access_misc.result
@@ -194,7 +194,7 @@ s:select()
box.schema.user.create('uniuser')
---
...
-box.schema.user.grant('uniuser', 'read, write, execute,create', 'universe')
+box.schema.user.grant('uniuser', 'read, write, execute', 'universe')
---
...
session.su('uniuser')
@@ -318,7 +318,7 @@ box.schema.user.drop('uniuser_testus')
box.schema.user.drop('uniuser')
---
...
-box.space._user:delete(uid)
+_ = box.space._user:delete(uid)
---
...
s:drop()
@@ -336,16 +336,13 @@ maxuid = box.space._user.index.primary:max()[1]
box.schema.user.grant('testuser', 'write', 'space', '_user')
---
...
-box.schema.user.grant('testuser', 'create', 'universe')
----
-...
session.su('testuser')
---
...
testuser_uid = session.uid()
---
...
-box.space._user:delete(2)
+_ = box.space._user:delete(2)
---
- error: Drop access to user 'public' is denied for user 'testuser'
...
@@ -356,9 +353,8 @@ box.space._user:select(1)
uid = box.space._user:insert{maxuid+1, session.uid(), 'someone', 'user', EMPTY_MAP}[1]
---
...
-box.space._user:delete(uid)
+_ = box.space._user:delete(uid)
---
-- [33, 32, 'someone', 'user', {}]
...
session.su('admin')
---
@@ -367,7 +363,7 @@ box.space._user:select(1)
---
- - [1, 1, 'admin', 'user', {}]
...
-box.space._user:delete(testuser_uid)
+_ = box.space._user:delete(testuser_uid)
---
- error: 'Failed to drop user or role ''testuser'': the user has objects'
...
@@ -383,7 +379,7 @@ box.schema.user.grant('testuser', 'read', 'space', '_user')
session.su('testuser')
---
...
-box.space._user:delete(2)
+_ = box.space._user:delete(2)
---
- error: Write access to space '_user' is denied for user 'testuser'
...
@@ -418,7 +414,7 @@ box.space._index:insert{512, 1,'owner','tree', 1, 1, 0,'unsigned'}
session.su('admin')
---
...
-box.schema.user.revoke('testuser', 'create,usage,session', 'universe')
+box.schema.user.revoke('testuser', 'usage,session', 'universe')
---
...
box.schema.user.revoke('testuser', 'read, write, execute', 'universe')
diff --git a/test/box/access_misc.test.lua b/test/box/access_misc.test.lua
index 43580de5cc323ffbe027900ad56b91764ba9e05c..cf6447ea6aa916877436c88524d050feeaaf553c 100644
--- a/test/box/access_misc.test.lua
+++ b/test/box/access_misc.test.lua
@@ -79,7 +79,7 @@ s:select()
-- and create this user session
--
box.schema.user.create('uniuser')
-box.schema.user.grant('uniuser', 'read, write, execute,create', 'universe')
+box.schema.user.grant('uniuser', 'read, write, execute', 'universe')
session.su('uniuser')
uid = session.uid()
--
@@ -131,7 +131,7 @@ box.schema.func.drop('uniuser_func')
box.schema.user.drop('someuser')
box.schema.user.drop('uniuser_testus')
box.schema.user.drop('uniuser')
-box.space._user:delete(uid)
+_ = box.space._user:delete(uid)
s:drop()
--
-- Check write grant on _user
@@ -140,24 +140,23 @@ box.schema.user.create('testuser')
maxuid = box.space._user.index.primary:max()[1]
box.schema.user.grant('testuser', 'write', 'space', '_user')
-box.schema.user.grant('testuser', 'create', 'universe')
session.su('testuser')
testuser_uid = session.uid()
-box.space._user:delete(2)
+_ = box.space._user:delete(2)
box.space._user:select(1)
uid = box.space._user:insert{maxuid+1, session.uid(), 'someone', 'user', EMPTY_MAP}[1]
-box.space._user:delete(uid)
+_ = box.space._user:delete(uid)
session.su('admin')
box.space._user:select(1)
-box.space._user:delete(testuser_uid)
+_ = box.space._user:delete(testuser_uid)
box.schema.user.revoke('testuser', 'write', 'space', '_user')
--
-- Check read grant on _user
--
box.schema.user.grant('testuser', 'read', 'space', '_user')
session.su('testuser')
-box.space._user:delete(2)
+_ = box.space._user:delete(2)
box.space._user:select(1)
box.space._user:insert{uid, session.uid(), 'someone2', 'user'}
@@ -173,7 +172,7 @@ box.space._index:insert{512, 1,'owner','tree', 1, 1, 0,'unsigned'}
session.su('admin')
-box.schema.user.revoke('testuser', 'create,usage,session', 'universe')
+box.schema.user.revoke('testuser', 'usage,session', 'universe')
box.schema.user.revoke('testuser', 'read, write, execute', 'universe')
box.schema.user.grant('testuser', 'usage,session', 'universe')
--
diff --git a/test/box/sequence.result b/test/box/sequence.result
index af6d7a38d76afeef689f95bd22419a1e2b484423..a509207f78694526243ed23781ac5dcf7cdbf5ad 100644
--- a/test/box/sequence.result
+++ b/test/box/sequence.result
@@ -1281,9 +1281,6 @@ box.schema.user.grant('user', 'read', 'space', '_space')
box.schema.user.grant('user', 'read', 'space', '_sequence')
---
...
-box.schema.user.grant('user', 'create', 'universe')
----
-...
sq = box.schema.sequence.create('seq')
---
...
@@ -1358,7 +1355,7 @@ box.schema.user.info()
- - read
- space
- _priv
- - - session,usage,create
+ - - session,usage
- universe
-
...
@@ -1539,11 +1536,11 @@ _ = s2:create_index('pk', {sequence = 'seq1'}) -- error
...
s1.index.pk:alter({sequence = 'seq1'}) -- error
---
-- error: Alter access to space 'space1' is denied for user 'user'
+- error: Create access to sequence 'seq1' is denied for user 'user'
...
box.space._space_sequence:replace{s1.id, sq1.id, false} -- error
---
-- error: Alter access to space 'space1' is denied for user 'user'
+- error: Create access to sequence 'seq1' is denied for user 'user'
...
box.space._space_sequence:replace{s1.id, sq2.id, false} -- error
---
diff --git a/test/box/sequence.test.lua b/test/box/sequence.test.lua
index 011bea6cef019eccd018f46e9ed9d966378c5547..26147bb74e9805445aa0850c698da70bf828109d 100644
--- a/test/box/sequence.test.lua
+++ b/test/box/sequence.test.lua
@@ -428,7 +428,6 @@ box.schema.user.grant('user', 'read', 'space', '_priv')
box.schema.user.grant('user', 'read', 'space', '_user')
box.schema.user.grant('user', 'read', 'space', '_space')
box.schema.user.grant('user', 'read', 'space', '_sequence')
-box.schema.user.grant('user', 'create', 'universe')
sq = box.schema.sequence.create('seq')
box.schema.user.grant('user', 'write', 'sequence', 'test') -- error: no such sequence
box.schema.user.grant('user', 'write', 'sequence', 'seq') -- ok