From af35de967b084d6731952eea61497a40590bdc13 Mon Sep 17 00:00:00 2001
From: Georgy Kirichenko <georgy@tarantool.org>
Date: Fri, 8 Jun 2018 11:35:46 +0300
Subject: [PATCH] Introduce privileges for object groups
Allow define access privileges for all spaces, functions and sequences.
Read and write privileges are supported for spaces, execute privilege
for sequences. Privilege granting and revoking might be done through old api
without object identification:
box.schema.user.grant("guest", "read", "space")
Prerequisite #945
---
src/box/alter.cc | 18 ++++++---
src/box/call.c | 2 +
src/box/lua/schema.lua | 9 +++++
src/box/schema.cc | 8 ++++
src/box/schema.h | 26 +++++++++++++
src/box/sequence.c | 1 +
src/box/space.c | 2 +
src/box/sysview_index.c | 11 ++++++
src/box/user.cc | 12 ++++++
test/box/access.result | 77 +++++++++++++++++++++++++++++++++++++
test/box/access.test.lua | 29 ++++++++++++++
test/box/lua/identifier.lua | 1 -
12 files changed, 189 insertions(+), 7 deletions(-)
diff --git a/src/box/alter.cc b/src/box/alter.cc
index 6f6fcb097d..48af128f1c 100644
--- a/src/box/alter.cc
+++ b/src/box/alter.cc
@@ -2523,8 +2523,10 @@ priv_def_check(struct priv_def *priv, enum priv_type priv_type)
break;
case SC_SPACE:
{
- struct space *space = space_cache_find_xc(priv->object_id);
- if (space->def->uid != grantor->def->uid &&
+ struct space *space = NULL;
+ if (priv->object_id != 0)
+ space = space_cache_find_xc(priv->object_id);
+ if ((space == NULL || space->def->uid != grantor->def->uid) &&
grantor->def->uid != ADMIN) {
tnt_raise(AccessDeniedError,
priv_name(priv_type),
@@ -2535,8 +2537,10 @@ priv_def_check(struct priv_def *priv, enum priv_type priv_type)
}
case SC_FUNCTION:
{
- struct func *func = func_cache_find(priv->object_id);
- if (func->def->uid != grantor->def->uid &&
+ struct func *func = NULL;
+ if (priv->object_id != 0)
+ func = func_cache_find(priv->object_id);
+ if ((func == NULL || func->def->uid != grantor->def->uid) &&
grantor->def->uid != ADMIN) {
tnt_raise(AccessDeniedError,
priv_name(priv_type),
@@ -2547,8 +2551,10 @@ priv_def_check(struct priv_def *priv, enum priv_type priv_type)
}
case SC_SEQUENCE:
{
- struct sequence *seq = sequence_cache_find(priv->object_id);
- if (seq->def->uid != grantor->def->uid &&
+ struct sequence *seq = NULL;
+ if (priv->object_id != 0)
+ seq = sequence_cache_find(priv->object_id);
+ if ((seq == NULL || seq->def->uid != grantor->def->uid) &&
grantor->def->uid != ADMIN) {
tnt_raise(AccessDeniedError,
priv_name(priv_type),
diff --git a/src/box/call.c b/src/box/call.c
index 6388e1e68f..438be190ed 100644
--- a/src/box/call.c
+++ b/src/box/call.c
@@ -71,6 +71,8 @@ access_check_func(const char *name, uint32_t name_len, struct func **funcp)
return 0;
}
user_access_t access = PRIV_X | PRIV_U;
+ /* Check access for all functions. */
+ access &= ~entity_access_get(SC_FUNCTION)[credentials->auth_token].effective;
user_access_t func_access = access & ~credentials->universal_access;
if (func == NULL ||
/* Check for missing Usage access, ignore owner rights. */
diff --git a/src/box/lua/schema.lua b/src/box/lua/schema.lua
index 55018d6b60..2b0597708d 100644
--- a/src/box/lua/schema.lua
+++ b/src/box/lua/schema.lua
@@ -1804,6 +1804,9 @@ local function object_resolve(object_type, object_name)
return 0
end
if object_type == 'space' then
+ if object_name == nil or object_name == 0 then
+ return 0
+ end
local space = box.space[object_name]
if space == nil then
box.error(box.error.NO_SUCH_SPACE, object_name)
@@ -1811,6 +1814,9 @@ local function object_resolve(object_type, object_name)
return space.id
end
if object_type == 'function' then
+ if object_name == nil or object_name == 0 then
+ return 0
+ end
local _vfunc = box.space[box.schema.VFUNC_ID]
local func
if type(object_name) == 'string' then
@@ -1825,6 +1831,9 @@ local function object_resolve(object_type, object_name)
end
end
if object_type == 'sequence' then
+ if object_name == nil or object_name == 0 then
+ return 0
+ end
local seq = sequence_resolve(object_name)
if seq == nil then
box.error(box.error.NO_SUCH_SEQUENCE, object_name)
diff --git a/src/box/schema.cc b/src/box/schema.cc
index 8df4aa73bb..32d7791a66 100644
--- a/src/box/schema.cc
+++ b/src/box/schema.cc
@@ -69,6 +69,8 @@ struct rlist on_alter_sequence = RLIST_HEAD_INITIALIZER(on_alter_sequence);
*/
struct latch schema_lock = LATCH_INITIALIZER(schema_lock);
+struct entity_access entity_access;
+
bool
space_is_system(struct space *space)
{
@@ -528,6 +530,8 @@ schema_find_name(enum schema_object_type type, uint32_t object_id)
return "";
case SC_SPACE:
{
+ if (object_id == 0)
+ return "SPACE";
struct space *space = space_by_id(object_id);
if (space == NULL)
break;
@@ -535,6 +539,8 @@ schema_find_name(enum schema_object_type type, uint32_t object_id)
}
case SC_FUNCTION:
{
+ if (object_id == 0)
+ return "FUNCTION";
struct func *func = func_by_id(object_id);
if (func == NULL)
break;
@@ -542,6 +548,8 @@ schema_find_name(enum schema_object_type type, uint32_t object_id)
}
case SC_SEQUENCE:
{
+ if (object_id == 0)
+ return "SEQUENCE";
struct sequence *seq = sequence_by_id(object_id);
if (seq == NULL)
break;
diff --git a/src/box/schema.h b/src/box/schema.h
index 2b87f5f500..dd31d2d9da 100644
--- a/src/box/schema.h
+++ b/src/box/schema.h
@@ -235,4 +235,30 @@ struct on_access_denied_ctx {
const char *object_name;
};
+/** Global grants to classes of objects. */
+struct entity_access {
+ struct access space[BOX_USER_MAX];
+ struct access function[BOX_USER_MAX];
+ struct access sequence[BOX_USER_MAX];
+};
+
+/** A single instance of the global entities. */
+extern struct entity_access entity_access;
+
+static inline
+struct access *
+entity_access_get(enum schema_object_type type)
+{
+ switch (type) {
+ case SC_SPACE:
+ return entity_access.space;
+ case SC_FUNCTION:
+ return entity_access.function;
+ case SC_SEQUENCE:
+ return entity_access.sequence;
+ default:
+ return NULL;
+ }
+}
+
#endif /* INCLUDES_TARANTOOL_BOX_SCHEMA_H */
diff --git a/src/box/sequence.c b/src/box/sequence.c
index 162147cded..35b7605d22 100644
--- a/src/box/sequence.c
+++ b/src/box/sequence.c
@@ -250,6 +250,7 @@ access_check_sequence(struct sequence *seq)
user_access_t access = PRIV_U | PRIV_W;
user_access_t sequence_access = access & ~cr->universal_access;
+ sequence_access &= ~entity_access_get(SC_SEQUENCE)[cr->auth_token].effective;
if (sequence_access &&
/* Check for missing Usage access, ignore owner rights. */
(sequence_access & PRIV_U ||
diff --git a/src/box/space.c b/src/box/space.c
index 0510f232d2..631877699e 100644
--- a/src/box/space.c
+++ b/src/box/space.c
@@ -42,6 +42,7 @@
#include "request.h"
#include "xrow.h"
#include "iproto_constants.h"
+#include "schema.h"
int
access_check_space(struct space *space, user_access_t access)
@@ -57,6 +58,7 @@ access_check_space(struct space *space, user_access_t access)
* since ADMIN has universal access.
*/
user_access_t space_access = access & ~cr->universal_access;
+ space_access &= ~entity_access_get(SC_SPACE)[cr->auth_token].effective;
if (space_access &&
/* Check for missing Usage access, ignore owner rights. */
diff --git a/src/box/sysview_index.c b/src/box/sysview_index.c
index f1dfbefe5a..3e56d1fa90 100644
--- a/src/box/sysview_index.c
+++ b/src/box/sysview_index.c
@@ -222,6 +222,9 @@ vspace_filter(struct space *source, struct tuple *tuple)
*/
if (PRIV_WRDA & cr->universal_access)
return true;
+ /* Allow access for a user with space privileges. */
+ if (PRIV_WRDA & entity_access_get(SC_SPACE)[cr->auth_token].effective)
+ return true;
if (PRIV_R & source->access[cr->auth_token].effective)
return true; /* read access to _space space */
uint32_t space_id;
@@ -295,6 +298,10 @@ vfunc_filter(struct space *source, struct tuple *tuple)
*/
if ((PRIV_WRDA | PRIV_X) & cr->universal_access)
return true;
+ /* Allow access for a user with function privileges. */
+ if ((PRIV_WRDA | PRIV_X) &
+ entity_access_get(SC_FUNCTION)[cr->auth_token].effective)
+ return true;
if (PRIV_R & source->access[cr->auth_token].effective)
return true; /* read access to _func space */
@@ -320,6 +327,10 @@ vsequence_filter(struct space *source, struct tuple *tuple)
*/
if ((PRIV_WRDA | PRIV_X) & cr->universal_access)
return true;
+ /* Allow access for a user with sequence privileges. */
+ if ((PRIV_WRDA | PRIV_X) &
+ entity_access_get(SC_SEQUENCE)[cr->auth_token].effective)
+ return true;
if (PRIV_R & source->access[cr->auth_token].effective)
return true; /* read access to _sequence space */
diff --git a/src/box/user.cc b/src/box/user.cc
index 7fa66da8f1..fbf06566a7 100644
--- a/src/box/user.cc
+++ b/src/box/user.cc
@@ -209,6 +209,10 @@ access_find(struct priv_def *priv)
}
case SC_SPACE:
{
+ if (priv->object_id == 0) {
+ access = entity_access.space;
+ break;
+ }
struct space *space = space_by_id(priv->object_id);
if (space)
access = space->access;
@@ -216,6 +220,10 @@ access_find(struct priv_def *priv)
}
case SC_FUNCTION:
{
+ if (priv->object_id == 0) {
+ access = entity_access.function;
+ break;
+ }
struct func *func = func_by_id(priv->object_id);
if (func)
access = func->access;
@@ -223,6 +231,10 @@ access_find(struct priv_def *priv)
}
case SC_SEQUENCE:
{
+ if (priv->object_id == 0) {
+ access = entity_access.sequence;
+ break;
+ }
struct sequence *seq = sequence_by_id(priv->object_id);
if (seq)
access = seq->access;
diff --git a/test/box/access.result b/test/box/access.result
index 72f91173b1..ccd0b737ff 100644
--- a/test/box/access.result
+++ b/test/box/access.result
@@ -1662,3 +1662,80 @@ box.schema.user.grant("guest", "read,write,execute", "role")
---
- error: Unsupported role privilege 'read,write,execute'
...
+-- Check entities DML
+box.schema.user.create("tester", { password = '123' })
+---
+...
+s = box.schema.space.create("test")
+---
+...
+_ = s:create_index("primary", {parts={1, "unsigned"}})
+---
+...
+seq = box.schema.sequence.create("test")
+---
+...
+box.schema.func.create("func")
+---
+...
+c = (require 'net.box').connect(LISTEN.host, LISTEN.service, {user='tester', password = '123'})
+---
+...
+box.session.su("tester", s.select, s)
+---
+- error: Read access to space 'test' is denied for user 'tester'
+...
+box.session.su("tester", seq.set, seq, 1)
+---
+- error: Write access to sequence 'test' is denied for user 'tester'
+...
+c:call("func")
+---
+- error: Execute access to function 'func' is denied for user 'tester'
+...
+box.schema.user.grant("tester", "read", "space")
+---
+...
+box.schema.user.grant("tester", "write", "sequence")
+---
+...
+box.schema.user.grant("tester", "execute", "function")
+---
+...
+box.session.su("tester", s.select, s)
+---
+- []
+...
+box.session.su("tester", seq.next, seq)
+---
+- 1
+...
+c:call("func")
+---
+...
+box.session.su("tester", s.insert, s, {1})
+---
+- error: Write access to space 'test' is denied for user 'tester'
+...
+box.schema.user.grant("tester", "write", "space")
+---
+...
+box.session.su("tester", s.insert, s, {1})
+---
+- [1]
+...
+box.schema.user.drop("tester")
+---
+...
+s:drop()
+---
+...
+seq:drop()
+---
+...
+box.schema.func.drop("func")
+---
+...
+c:close()
+---
+...
diff --git a/test/box/access.test.lua b/test/box/access.test.lua
index 62691c4718..8d90b38133 100644
--- a/test/box/access.test.lua
+++ b/test/box/access.test.lua
@@ -640,3 +640,32 @@ box.schema.user.grant("guest", "alter", "function")
box.schema.user.grant("guest", "execute", "sequence")
box.schema.user.grant("guest", "read,execute", "sequence")
box.schema.user.grant("guest", "read,write,execute", "role")
+
+-- Check entities DML
+box.schema.user.create("tester", { password = '123' })
+s = box.schema.space.create("test")
+_ = s:create_index("primary", {parts={1, "unsigned"}})
+seq = box.schema.sequence.create("test")
+box.schema.func.create("func")
+c = (require 'net.box').connect(LISTEN.host, LISTEN.service, {user='tester', password = '123'})
+
+box.session.su("tester", s.select, s)
+box.session.su("tester", seq.set, seq, 1)
+c:call("func")
+box.schema.user.grant("tester", "read", "space")
+box.schema.user.grant("tester", "write", "sequence")
+box.schema.user.grant("tester", "execute", "function")
+box.session.su("tester", s.select, s)
+box.session.su("tester", seq.next, seq)
+c:call("func")
+
+box.session.su("tester", s.insert, s, {1})
+box.schema.user.grant("tester", "write", "space")
+box.session.su("tester", s.insert, s, {1})
+
+box.schema.user.drop("tester")
+s:drop()
+seq:drop()
+box.schema.func.drop("func")
+c:close()
+
diff --git a/test/box/lua/identifier.lua b/test/box/lua/identifier.lua
index c3149bce79..0cfb9e722a 100644
--- a/test/box/lua/identifier.lua
+++ b/test/box/lua/identifier.lua
@@ -36,7 +36,6 @@ invalid_testcases = {
function run_test(create_func, cleanup_func)
local json = require("json")
- print("loosadlalsd")
local bad_tests = {}
for i, identifier in ipairs(valid_testcases) do
local ok, res = pcall(create_func,identifier)
--
GitLab