diff --git a/changelogs/unreleased/gh-8967-creds-restore-defaults-for-default-user.md b/changelogs/unreleased/gh-8967-creds-restore-defaults-for-default-user.md
new file mode 100644
index 0000000000000000000000000000000000000000..8ac282d66bb6a57a7c66a83a26ee257b0d7a91dc
--- /dev/null
+++ b/changelogs/unreleased/gh-8967-creds-restore-defaults-for-default-user.md
@@ -0,0 +1,4 @@
+## feature/config
+
+* Non-default privileges are now revoked from default users and roles
+ when they are removed from the config (gh-8967).
diff --git a/src/box/lua/config/applier/credentials.lua b/src/box/lua/config/applier/credentials.lua
index e9ce2832aa2f790a24e05f84c4e6d780be6d64e4..03171f40f92dfa7f4922d357a894bff11eb82620 100644
--- a/src/box/lua/config/applier/credentials.lua
+++ b/src/box/lua/config/applier/credentials.lua
@@ -493,6 +493,35 @@ local function apply(config)
return
end
+ -- Tarantool has the following roles and users present by default on every
+ -- instance:
+ --
+ -- Default roles:
+ -- * super
+ -- * public
+ -- * replication
+ --
+ -- Default users:
+ -- * guest
+ -- * admin
+ --
+ -- These roles and users have according privileges pre-granted by design.
+ -- Credentials applier adds such privileges with `priviliges_add_default()`
+ -- when syncing. So, for the excessive (non-default) privs to be removed,
+ -- these roles and users must be present inside configuration at least in a
+ -- form of an empty table. Otherwise, the privileges will be left unchanged,
+ -- similar to all used-defined roles and users.
+
+ credentials.roles = credentials.roles or {}
+ credentials.roles['super'] = credentials.roles['super'] or {}
+ credentials.roles['public'] = credentials.roles['public'] or {}
+ credentials.roles['replication'] = credentials.roles['replication'] or {}
+
+ credentials.users = credentials.users or {}
+ credentials.users['guest'] = credentials.users['guest'] or {}
+ credentials.users['admin'] = credentials.users['admin'] or {}
+
+ -- Create roles and users and synchronise privileges for them.
create_roles(credentials.roles)
create_users(credentials.users)
end
diff --git a/test/config-luatest/credentials_applier_test.lua b/test/config-luatest/credentials_applier_test.lua
index be2de2be8df684f356a2dbcc0d5baa4120ffebac..4ba7f2855234d13ead4887de0436d438fc995d42 100644
--- a/test/config-luatest/credentials_applier_test.lua
+++ b/test/config-luatest/credentials_applier_test.lua
@@ -636,3 +636,94 @@ g.test_remove_user_role = function(g)
verify_2 = verify,
})
end
+
+g.test_restore_defaults_for_default_user = function(g)
+ -- Verify that if the default users and roles are not present in config
+ -- their excessive privileges are revoked (restored to built-in defaults).
+
+ helpers.reload_success_case(g, {
+ options = {
+ credentials = {
+ roles = {
+ dummy = { },
+ super = {
+ roles = { 'dummy' },
+ },
+ public = {
+ roles = { 'dummy' },
+ },
+ replication = {
+ roles = { 'dummy' },
+ },
+ },
+ users = {
+ guest = {
+ roles = { 'super', 'dummy' }
+ },
+ admin = {
+ roles = { 'dummy' }
+ },
+ }
+ }
+ },
+ verify = function()
+ local internal =
+ require('internal.config.applier.credentials')._internal
+
+ local default_identities = {{
+ 'user', 'admin',
+ }, {
+ 'user', 'guest',
+ }, {
+ 'role', 'super',
+ }, {
+ 'role', 'public',
+ }, {
+ 'role', 'replication',
+ },}
+
+ for _, id in ipairs(default_identities) do
+ local user_or_role, name = unpack(id)
+
+ local perm = box.schema[user_or_role].info(name)
+ perm = internal.privileges_from_box(perm)
+
+ t.assert_equals(perm['role']['dummy'], {execute = true})
+ end
+ end,
+ options_2 = {
+ credentials = {
+ users = {
+ guest = {
+ roles = { 'super' }
+ }
+ }
+ }
+ },
+ verify_2 = function()
+ local internal =
+ require('internal.config.applier.credentials')._internal
+
+ local default_identities = {{
+ 'user', 'admin',
+ }, {
+ 'user', 'guest',
+ }, {
+ 'role', 'super',
+ }, {
+ 'role', 'public',
+ }, {
+ 'role', 'replication',
+ },}
+
+ for _, id in ipairs(default_identities) do
+ local user_or_role, name = unpack(id)
+
+ local perm = box.schema[user_or_role].info(name)
+ perm = internal.privileges_from_box(perm)
+
+ t.assert_not_equals(perm['role']['dummy'], {execute = true})
+ end
+ end,
+ })
+end