security: add automatic upgrade provisioning a fix for gh-945

Currently we requrie read and write on system spaces to be able to create objects, and only object definer can drop an object. Release 1.7.7 adds 'create' and 'drop' acls, which can be used to explicitly pass around create/drop privileges. Automatically grant 'create' privilege to all users created pre-1.7.7 who have global read and write privileges on universe during 1.7.7 automatic upgrade.

security: add automatic upgrade provisioning a fix for gh-945
9a7c918f · Konstantin Osipov · d645f58d · 9a7c918f
Commit 9a7c918f authored 7 years ago by Konstantin Osipov
--- a/src/box/lua/upgrade.lua
+++ b/src/box/lua/upgrade.lua
@@ -928,6 +928,16 @@ local function upgrade_to_1_7_7()
        end
    end
    --
+    -- grant 'create' to all users with 'read' and 'write'
+    -- on the universe, since going forward we will require
+    -- 'create' rather than 'read,write' to be able to create
+    -- objects
+    --
+    for _, v in _priv.index.object:pairs{'universe'} do
+        if bit.band(v[5], 1) ~= 0 and bit.band(v[5], 2) ~= 0 then
+            _priv:update({v[2], v[3], v[4]}, {{ "|", 5, 32}})
+        end
+    end
    -- grant admin all new privileges (session, usage, grant option,
    -- create, alter, drop and anything that might come up in the future
    --