box: add sql grant object type
Closes #8803

@TarantoolBot document
Title: Document `lua_eval`, `lua_call`, and `sql` grant object types

In Tarantool 3.0 we introduced the new `lua_eval`, `lua_call`, and `sql` object types for `box.schema.user.grant` to control access to code execution over the network protocol (IPROTO).

1. Granting the 'execute' privilege on `lua_eval` permits the user to execute arbitrary Lua code with the `IPROTO_EVAL` request.

Example:

```Lua
box.cfg({listen = 3301})
box.schema.user.create('alice', {password = 'secret'})
conn = require('net.box').connect(
    box.cfg.listen, {user = 'alice', password = 'secret'})
conn:eval('return true') -- access denied
box.schema.user.grant('alice', 'execute', 'lua_eval')
conn:eval('return true') -- ok
```

2. Granting the 'execute' privilege on `lua_call` permits the user to call any global (accessible via the `_G` Lua table) user-defined Lua function with the `IPROTO_CALL` request. It does **not** permit the user to call built-in Lua functions, such as `loadstring` or `box.session.su`. It does **not** permit the user to call functions registered in the `_func` system space with `box.schema.func.create` (access to those functions is still controlled by privileges granted on `function`).

Example:

```Lua
function my_func() end
box.cfg({listen = 3301})
box.schema.user.create('alice', {password = 'secret'})
conn = require('net.box').connect(
    box.cfg.listen, {user = 'alice', password = 'secret'})
conn:call('my_func') -- access denied
box.schema.user.grant('alice', 'execute', 'lua_call')
conn:call('my_func') -- ok
conn:call('box.session.su', {'admin'}) -- access denied
```

3. Granting the 'execute' privilege on `sql` permits the user to execute an arbitrary SQL expression with the `IPROTO_PREPARE` and `IPROTO_EXECUTE` requests. Without this privilege or the 'execute' privilege granted on `universe`, the user is **not** permitted to execute SQL expressions over IPROTO anymore.

Note that before Tarantool 3.0 any user (even guest) could execute SQL expressions over IPROTO. It is possible to revert to the old behavior by toggling the `sql_priv` compat option. Please add a description to https://tarantool.io/compat/sql_priv

Example:

```Lua
box.cfg({listen = 3301})
box.schema.user.create('alice', {password = 'secret'})
conn = require('net.box').connect(
    box.cfg.listen, {user = 'alice', password = 'secret'})
conn:execute('SELECT 1') -- access denied
box.schema.user.grant('alice', 'execute', 'sql')
conn:execute('SELECT 1') -- ok
```
Showing
- changelogs/unreleased/gh-8803-exec-priv.md: 5 additions, 0 deletions
- src/box/execute.c: 28 additions, 0 deletions
- src/box/lua/schema.lua: 2 additions, 0 deletions
- src/box/schema_def.c: 1 addition, 0 deletions
- src/box/schema_def.h: 1 addition, 0 deletions
- src/box/user.cc: 2 additions, 0 deletions
- src/box/user.h: 2 additions, 0 deletions
- src/lua/compat.lua: 15 additions, 0 deletions
- test/box-luatest/gh_8803_exec_priv_test.lua: 47 additions, 1 deletion
- test/box/tx_man.result: 3 additions, 0 deletions
- test/box/tx_man.test.lua: 1 addition, 0 deletions
- test/sql-tap/array.test.lua: 2 additions, 0 deletions
- test/sql-tap/map.test.lua: 2 additions, 0 deletions
- test/sql/gh-2362-select-access-rights.result: 6 additions, 0 deletions
- test/sql/gh-2362-select-access-rights.test.lua: 2 additions, 0 deletions
- test/sql/gh-4104-view-access-check.result: 6 additions, 0 deletions
- test/sql/gh-4104-view-access-check.test.lua: 2 additions, 0 deletions