From 754af7a978b2ab12e4e24718b05b7d2e6e6eda72 Mon Sep 17 00:00:00 2001
From: Gleb Kashkin <g.kashkin@tarantool.org>
Date: Sun, 3 Sep 2023 19:26:44 +0000
Subject: [PATCH] test/config: verify that user/role is not deleted

When the configuration changes and the instance is reloaded with it, some roles or users may have been removed from the config. In such case, it would be destructive to delete/disable them on the instance, so this test checks that all users and roles removed in config stay on the instance and keep all the privileges.

Part of #8967

NO_DOC=test
NO_CHANGELOG=test
---
 .../credentials_applier_test.lua | 78 ++++++++++++++++++-
 1 file changed, 77 insertions(+), 1 deletion(-)

diff --git a/test/config-luatest/credentials_applier_test.lua b/test/config-luatest/credentials_applier_test.lua
index 659e1c2f1b..be2de2be8d 100644
--- a/test/config-luatest/credentials_applier_test.lua
+++ b/test/config-luatest/credentials_applier_test.lua
@@ -2,8 +2,9 @@ local json = require('json')
 local it = require('test.interactive_tarantool')
 local t = require('luatest')
 local treegen = require('test.treegen')
+local helpers = require('test.config-luatest.helpers')

-local g = t.group()
+local g = helpers.group()

 local internal = require('internal.config.applier.credentials')._internal

@@ -560,3 +561,78 @@ g.test_set_password = function(g)
 child:close()
 end
 end
+
+g.test_remove_user_role = function(g)
+ -- Verify that when user or role is removed from the config,
+ -- it is not being deleted.
+
+ -- Whole removed user/role configuration is expected to be left
+ -- as is after the reload, so verification functions for before/after
+ -- reload are the same.
+ local verify = function()
+ local ok, err = pcall(box.schema.user.info, 'myuser')
+ t.assert(ok, err)
+ ok, err = pcall(box.schema.role.info, 'myrole')
+ t.assert(ok, err)
+ local internal =
+ require('internal.config.applier.credentials')._internal
+
+ local guest_perm = box.schema.user.info('guest')
+ guest_perm = internal.privileges_from_box(guest_perm)
+
+ t.assert(guest_perm['role']['super'].execute)
+
+ local user_perm = box.schema.user.info('myuser')
+ user_perm = internal.privileges_from_box(user_perm)
+
+ t.assert(user_perm['universe'][''].execute)
+
+ local role_perm = box.schema.role.info('myrole')
+ role_perm = internal.privileges_from_box(role_perm)
+
+ t.assert(role_perm['universe'][''].read)
+ t.assert(role_perm['universe'][''].write)
+ end
+
+ helpers.reload_success_case(g, {
+ options = {
+ credentials = {
+ roles = {
+ myrole = {
+ privileges = {{
+ permissions = {
+ 'read',
+ 'write',
+ },
+ universe = true,
+ }}
+ },
+ },
+ users = {
+ guest = {
+ roles = { 'super' }
+ },
+ myuser = {
+ privileges = {{
+ permissions = {
+ 'execute',
+ },
+ universe = true,
+ }},
+ },
+ }
+ }
+ },
+ verify = verify,
+ options_2 = {
+ credentials = {
+ users = {
+ guest = {
+ roles = { 'super' }
+ },
+ }
+ }
+ },
+ verify_2 = verify,
+ })
+end
-- GitLab
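Review bot: The `verify` closure in `g.test_remove_user_role` proves that `myuser` and `myrole` still exist and keep the configured `execute`/`read`/`write` grants, but nothing in it would fail if the reload left the user in place and disabled it, which the commit message names as the other outcome to rule out. If `internal.privileges_from_box` reports the universe-level `session` and `usage` grants the same way it reports `execute` (its output shape is not visible in this hunk, so confirm first), adding `t.assert(user_perm['universe'][''].session)` and `t.assert(user_perm['universe'][''].usage)` after the `execute` assertion would cover that case. Since this test pins retention as the intended behaviour, the leading comment could also state the operational consequence, for example `-- NB: removal from the config is not revocation; stale users/roles must be dropped explicitly.`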