diff --git a/src/box/bootstrap.snap b/src/box/bootstrap.snap
index b1ec58e4174747b1135ff6841e2fc8b1a7c99e19..85579a7c1fa829b6739a333bbd8003d8ab6b4858 100644
Binary files a/src/box/bootstrap.snap and b/src/box/bootstrap.snap differ
diff --git a/src/box/lua/upgrade.lua b/src/box/lua/upgrade.lua
index eb5efbc5f0dec31cc3be136291430c9f391f5626..dc328ba42564db933c55bb7539169210c5eb12d1 100644
--- a/src/box/lua/upgrade.lua
+++ b/src/box/lua/upgrade.lua
@@ -10,6 +10,10 @@ local ADMIN = 1
local PUBLIC = 2
-- role 'REPLICATION'
local REPLICATION = 3
+-- role 'SUPER'
+-- choose a fancy id to not clash with any existing role or
+-- user during upgrade
+local SUPER = 31
--------------------------------------------------------------------------------
-- Utils
@@ -929,6 +933,11 @@ local function upgrade_to_1_7_7()
--
_priv:upsert({ADMIN, ADMIN, 'universe', 0, 4294967295},
{{ "|", 5, 4294967295}})
+ --
+ -- create role 'super' and grant it all privileges on universe
+ --
+ _user:replace{SUPER, ADMIN, 'super', 'role', setmap({})}
+ _priv:replace({ADMIN, SUPER, 'universe', 0, 4294967295})
end
local function get_version()
diff --git a/src/box/user.cc b/src/box/user.cc
index a0cbf4e981f716f10671ee4a652eea062d35d0be..7fa66da8f1c11d8a3a9d3d40b2b5cac265d6e201 100644
--- a/src/box/user.cc
+++ b/src/box/user.cc
@@ -408,20 +408,22 @@ user_cache_replace(struct user_def *def)
void
user_cache_delete(uint32_t uid)
{
- struct user *user = user_by_id(uid);
- if (user) {
+ mh_int_t k = mh_i32ptr_find(user_registry, uid, NULL);
+ if (k != mh_end(user_registry)) {
+ struct user *user = (struct user *)
+ mh_i32ptr_node(user_registry, k)->val;
assert(user->auth_token > ADMIN);
auth_token_put(user->auth_token);
assert(user_map_is_empty(&user->roles));
assert(user_map_is_empty(&user->users));
+ user_destroy(user);
/*
* Sic: we don't have to remove a deleted
* user from users hash of roles, since
* to drop a user, one has to revoke
* all privileges from them first.
*/
- user_destroy(user);
- mh_i32ptr_del(user_registry, uid, NULL);
+ mh_i32ptr_del(user_registry, k, NULL);
}
}
diff --git a/test/box-py/bootstrap.result b/test/box-py/bootstrap.result
index ae8fb487cb40f75ea78cdd663e83efd53a95e57e..5e51aa2ed481a8dd5664babeaca33f26b08df1b2 100644
--- a/test/box-py/bootstrap.result
+++ b/test/box-py/bootstrap.result
@@ -115,6 +115,7 @@ box.space._user:select{}
- [1, 1, 'admin', 'user', {}]
- [2, 1, 'public', 'role', {}]
- [3, 1, 'replication', 'role', {}]
+ - [31, 1, 'super', 'role', {}]
...
box.space._func:select{}
---
@@ -135,4 +136,5 @@ box.space._priv:select{}
- [1, 2, 'space', 330, 2]
- [1, 3, 'space', 320, 2]
- [1, 3, 'universe', 0, 1]
+ - [1, 31, 'universe', 0, 4294967295]
...
diff --git a/test/box/access.result b/test/box/access.result
index 45d384519f7678da6c4ea57c9c888914c720358d..afbed171d415019b10cb98c831cb5a9533b3c2eb 100644
--- a/test/box/access.result
+++ b/test/box/access.result
@@ -95,7 +95,7 @@ end;
...
usermax();
---
-- error: User 'user28' is not found
+- error: User 'user27' is not found
...
test_run:cmd("setopt delimiter ''");
---
@@ -145,7 +145,7 @@ box.schema.user.disable("rich")
...
box.space['_user']:delete{uid}
---
-- [5, 1, 'rich', 'user', {}]
+- [33, 1, 'rich', 'user', {}]
...
box.schema.user.drop('test')
---
@@ -421,7 +421,7 @@ box.schema.user.create('user1')
...
box.space._user.index.name:select{'user1'}
---
-- - [4, 1, 'user1', 'user', {}]
+- - [32, 1, 'user1', 'user', {}]
...
session.su('user1')
---
@@ -434,14 +434,14 @@ session.su('admin')
...
box.space._user.index.name:select{'user1'}
---
-- - [4, 1, 'user1', 'user', {'chap-sha1': 'CRO/LiziDOIb+xlhrxJNSSBFjl8='}]
+- - [32, 1, 'user1', 'user', {'chap-sha1': 'CRO/LiziDOIb+xlhrxJNSSBFjl8='}]
...
box.schema.user.passwd('user1', 'extra_new_password')
---
...
box.space._user.index.name:select{'user1'}
---
-- - [4, 1, 'user1', 'user', {'chap-sha1': 'nMc3F1oaUtz37IYbgGYYPZawmfE='}]
+- - [32, 1, 'user1', 'user', {'chap-sha1': 'nMc3F1oaUtz37IYbgGYYPZawmfE='}]
...
box.schema.user.passwd('invalid_user', 'some_password')
---
@@ -484,8 +484,8 @@ box.schema.user.grant('user', 'read,write', 'universe')
...
box.space._priv:select{id}
---
-- - [1, 4, 'role', 2, 4]
- - [1, 4, 'universe', 0, 27]
+- - [1, 32, 'role', 2, 4]
+ - [1, 32, 'universe', 0, 27]
...
box.schema.user.grant('user', 'read', 'universe')
---
@@ -493,40 +493,40 @@ box.schema.user.grant('user', 'read', 'universe')
...
box.space._priv:select{id}
---
-- - [1, 4, 'role', 2, 4]
- - [1, 4, 'universe', 0, 27]
+- - [1, 32, 'role', 2, 4]
+ - [1, 32, 'universe', 0, 27]
...
box.schema.user.revoke('user', 'write', 'universe')
---
...
box.space._priv:select{id}
---
-- - [1, 4, 'role', 2, 4]
- - [1, 4, 'universe', 0, 25]
+- - [1, 32, 'role', 2, 4]
+ - [1, 32, 'universe', 0, 25]
...
box.schema.user.revoke('user', 'read', 'universe')
---
...
box.space._priv:select{id}
---
-- - [1, 4, 'role', 2, 4]
- - [1, 4, 'universe', 0, 24]
+- - [1, 32, 'role', 2, 4]
+ - [1, 32, 'universe', 0, 24]
...
box.schema.user.grant('user', 'write', 'universe')
---
...
box.space._priv:select{id}
---
-- - [1, 4, 'role', 2, 4]
- - [1, 4, 'universe', 0, 26]
+- - [1, 32, 'role', 2, 4]
+ - [1, 32, 'universe', 0, 26]
...
box.schema.user.grant('user', 'read', 'universe')
---
...
box.space._priv:select{id}
---
-- - [1, 4, 'role', 2, 4]
- - [1, 4, 'universe', 0, 27]
+- - [1, 32, 'role', 2, 4]
+ - [1, 32, 'universe', 0, 27]
...
box.schema.user.drop('user')
---
@@ -1066,3 +1066,54 @@ box.schema.user.drop('test1')
s:drop()
---
...
+--
+-- gh-3022 role 'super'
+--
+box.schema.user.grant('guest', 'super')
+---
+...
+box.session.su('guest')
+---
+...
+_ = box.schema.space.create('test')
+---
+...
+box.space.test:drop()
+---
+...
+_ = box.schema.user.create('test')
+---
+...
+box.schema.user.drop('test')
+---
+...
+_ = box.schema.func.create('test')
+---
+...
+box.schema.func.drop('test')
+---
+...
+box.session.su('admin')
+---
+...
+box.schema.user.revoke('guest', 'super')
+---
+...
+box.session.su('guest')
+---
+...
+box.schema.space.create('test')
+---
+- error: Write access is denied for user 'guest' to space '_schema'
+...
+box.schema.user.create('test')
+---
+- error: Read access is denied for user 'guest' to space '_user'
+...
+box.schema.func.create('test')
+---
+- error: Read access is denied for user 'guest' to space '_func'
+...
+box.session.su('admin')
+---
+...
diff --git a/test/box/access.test.lua b/test/box/access.test.lua
index a5c4cd57169deba434ce250633c8276090e32e64..8f366ddde729a88dd1b44fdf1ff5d42fdd00fb3a 100644
--- a/test/box/access.test.lua
+++ b/test/box/access.test.lua
@@ -406,3 +406,23 @@ session.su("admin")
box.schema.user.drop('test')
box.schema.user.drop('test1')
s:drop()
+
+--
+-- gh-3022 role 'super'
+--
+
+box.schema.user.grant('guest', 'super')
+box.session.su('guest')
+_ = box.schema.space.create('test')
+box.space.test:drop()
+_ = box.schema.user.create('test')
+box.schema.user.drop('test')
+_ = box.schema.func.create('test')
+box.schema.func.drop('test')
+box.session.su('admin')
+box.schema.user.revoke('guest', 'super')
+box.session.su('guest')
+box.schema.space.create('test')
+box.schema.user.create('test')
+box.schema.func.create('test')
+box.session.su('admin')
diff --git a/test/box/access_bin.result b/test/box/access_bin.result
index 31f25c61ce4b6c0a350b66ca4a7e655794fda222..e3b5e3fdba297d2f6398975724b338d67221cf5a 100644
--- a/test/box/access_bin.result
+++ b/test/box/access_bin.result
@@ -174,7 +174,7 @@ box.schema.user.drop('test')
...
c.space.test:insert{1}
---
-- error: User '4' is not found
+- error: User '32' is not found
...
c:close()
---
diff --git a/test/box/access_misc.result b/test/box/access_misc.result
index 56460689865888d98bc3a9a2b32b9a16b3250dad..53e86a3359f2a9e16de46d886ba1e006d5db132b 100644
--- a/test/box/access_misc.result
+++ b/test/box/access_misc.result
@@ -355,7 +355,7 @@ uid = box.space._user:insert{maxuid+1, session.uid(), 'someone', 'user', EMPTY_M
...
box.space._user:delete(uid)
---
-- [5, 4, 'someone', 'user', {}]
+- [33, 32, 'someone', 'user', {}]
...
session.su('admin')
---
@@ -626,6 +626,7 @@ box.space._user:select()
- [1, 1, 'admin', 'user', {}]
- [2, 1, 'public', 'role', {}]
- [3, 1, 'replication', 'role', {}]
+ - [31, 1, 'super', 'role', {}]
...
box.space._space:select()
---
diff --git a/test/box/access_sysview.result b/test/box/access_sysview.result
index e82cc462e17935d7c71db6c3045169ba495b4955..5f16ed10bd3266e36ede23ae5e65c19de7b61172 100644
--- a/test/box/access_sysview.result
+++ b/test/box/access_sysview.result
@@ -234,11 +234,11 @@ box.session.su('guest')
...
#box.space._vuser:select{}
---
-- 4
+- 5
...
#box.space._vpriv:select{}
---
-- 13
+- 14
...
#box.space._vfunc:select{}
---
diff --git a/test/box/sequence.result b/test/box/sequence.result
index 3564a52235f3e3493560a13a189cfbb933931c57..48669650e9e8bca869d78ab81cd158713799ab1c 100644
--- a/test/box/sequence.result
+++ b/test/box/sequence.result
@@ -1293,7 +1293,7 @@ box.schema.user.grant('user', 'write', 'sequence', 'seq') -- ok
...
box.space._priv.index.object:select{'sequence'}
---
-- - [1, 4, 'sequence', 1, 2]
+- - [1, 32, 'sequence', 1, 2]
...
box.space._sequence:delete(sq.id) -- error: sequence has grants
---
diff --git a/test/xlog/upgrade.result b/test/xlog/upgrade.result
index 3802f0e3e451df963ad72035794ba27e32842bdf..113c06671832ea9c9663e4b80f2488cf75e2c1c3 100644
--- a/test/xlog/upgrade.result
+++ b/test/xlog/upgrade.result
@@ -151,6 +151,7 @@ box.space._user:select()
- [3, 1, 'replication', 'role', {}]
- [4, 1, 'someuser', 'user', {'chap-sha1': '2qvbQIHM4zMWhAmm2xGeGNjqoHM='}]
- [5, 1, 'somerole', 'role', {}]
+ - [31, 1, 'super', 'role', {}]
...
box.space._func:select()
---
@@ -185,6 +186,7 @@ box.space._priv:select()
- [1, 4, 'space', 513, 3]
- [1, 4, 'universe', 0, 24]
- [1, 5, 'space', 512, 3]
+ - [1, 31, 'universe', 0, 4294967295]
...
box.space._vspace ~= nil
---