From 2de398ff01918342eebe0e779327e99c71dd950f Mon Sep 17 00:00:00 2001
From: Vladislav Shpilevoy <v.shpilevoy@tarantool.org>
Date: Fri, 1 Nov 2019 22:35:10 +0100
Subject: [PATCH] access: forbid to drop admin's universe access

Bootstrap and recovery work on behalf of admin. Without the universe access they are not able to even fill system spaces with data. It is better to forbid this ability until someone made their cluster unrecoverable.
---
 src/box/user.cc | 6 ++++++
 test/box/access.result | 8 ++++++++
 test/box/access.test.lua | 6 ++++++
 3 files changed, 20 insertions(+)

diff --git a/src/box/user.cc b/src/box/user.cc
index cdddf237bb..6b4a5565e7 100644
--- a/src/box/user.cc
+++ b/src/box/user.cc
@@ -764,6 +764,12 @@ priv_grant(struct user *grantee, struct priv_def *priv)
 struct access *object = access_find(priv->object_type, priv->object_id);
 if (object == NULL)
 return 0;
+ if (grantee->auth_token == ADMIN && priv->object_type == SC_UNIVERSE && priv->access != USER_ACCESS_FULL) {
+ diag_set(ClientError, ER_GRANT, "can't revoke universe from the admin user");
+ return -1;
+ }
 struct access *access = &object[grantee->auth_token];
 access->granted = priv->access;
 if (rebuild_effective_grants(grantee) != 0)
diff --git a/test/box/access.result b/test/box/access.result
index dc339038db..01126a94b6 100644
--- a/test/box/access.result
+++ b/test/box/access.result
@@ -2099,3 +2099,11 @@ box.schema.user.drop("user2")
 box.schema.user.drop("user3")
 ---
 ...
+--
+-- Check that admin user privileges can't be removed. Otherwise an
+-- instance could not bootstrap nor recovery.
+--
+box.space._priv:delete{1, 'universe', 0}
+---
+- error: 'Incorrect grant arguments: can''t revoke universe from the admin user'
+...
diff --git a/test/box/access.test.lua b/test/box/access.test.lua
index a9843d1552..759827721a 100644
--- a/test/box/access.test.lua
+++ b/test/box/access.test.lua
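Review bot: An instance whose snapshot or WAL already holds a reduced admin universe row (written by a build that still allowed it, which is exactly what this commit closes) will now fail to replay that row if the guard added to priv_grant also runs during recovery, which seems likely since priv_grant is the _priv on_replace path; that turns a degraded-but-running instance into one that cannot start, so it is worth confirming recovery is exempt or documenting the upgrade path. The rationale for the guard lives only in the commit message and should sit above the if: `/* Bootstrap and recovery run as admin and need full universe access; refuse anything less so the instance stays recoverable. */`. The condition also rejects a partial re-grant (a _priv replace with, say, read-only access), not just a revoke, so `"admin's universe access can't be reduced"` describes it more precisely than the current message, and the test should exercise that replace path as well. priv_grant's body continues outside the hunk.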
@@ -800,3 +800,9 @@ box.space._user:select{}
 box.schema.user.drop("user1")
 box.schema.user.drop("user2")
 box.schema.user.drop("user3")
+
+--
+-- Check that admin user privileges can't be removed. Otherwise an
+-- instance could not bootstrap nor recovery.
+--
+box.space._priv:delete{1, 'universe', 0}
--
GitLab
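Review bot: The new test only deletes admin's universe row, while the guard it verifies rejects any _priv write that leaves admin below full universe access, and the path an operator is far more likely to hit is a partial revoke; add `box.schema.user.revoke('admin', 'read', 'universe')` and a direct `box.space._priv:replace{1, 1, 'universe', 0, box.priv.R}` expecting the same ER_GRANT error (the .result file needs the matching expected output). The added comment should also read `-- instance could neither bootstrap nor recover.` instead of "could not bootstrap nor recovery".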