[patches] [security 1/1] security: Add create,drop,alter privileges support

imarkov imarkov at tarantool.org
Mon Jan 29 16:34:38 MSK 2018


From: IlyaMarkovMipt <markovilya197 at gmail.com>

* Add support for the Create, Drop and Alter privileges on universe.
* Fix super role behavior, allowing users with
this role to drop any objects.

Relates #945
Closes #3089

Signed-off-by: imarkov <imarkov at tarantool.org>
---
 src/box/alter.cc                        |  56 ++++++++------
 test/box/access.result                  | 132 ++++++++++++++++++++++++++++++--
 test/box/access.test.lua                |  72 +++++++++++++++--
 test/box/access_escalation.result       |   3 +
 test/box/access_escalation.test.lua     |   1 +
 test/box/access_misc.result             |   7 +-
 test/box/access_misc.test.lua           |   5 +-
 test/box/access_sysview.result          |   4 +-
 test/box/access_sysview.test.lua        |   4 +-
 test/box/role.result                    |   4 +-
 test/box/role.test.lua                  |   4 +-
 test/box/sequence.result                |   5 +-
 test/box/sequence.test.lua              |   1 +
 test/replication/autobootstrap.result   |   2 +-
 test/replication/autobootstrap.test.lua |   2 +-
 test/wal_off/func_max.result            |   2 +-
 test/wal_off/func_max.test.lua          |   2 +-
 17 files changed, 254 insertions(+), 52 deletions(-)

diff --git a/src/box/alter.cc b/src/box/alter.cc
index 74043b8..7d883bd 100644
--- a/src/box/alter.cc
+++ b/src/box/alter.cc
@@ -67,30 +67,35 @@ access_check_ddl(const char *name, uint32_t owner_uid,
 		 enum priv_type priv_type)
 {
 	struct credentials *cr = effective_user();
+	user_access_t universal_access = (PRIV_U | (priv_type))
+					 & ~cr->universal_access;
+	bool not_owner = owner_uid != cr->uid && cr->uid != ADMIN;
 	/*
-	 * Only the owner of the object can be the grantor
-	 * of the privilege on the object. This means that
-	 * for universe/space/func/other persistent object,
-	 * only the creator of the object can be the grantor,
-	 * since Tarantool lacks separate CREATE/DROP/GRANT OPTION
-	 * privileges.
+	 * Only the owner of the object or someone who has specific privilege
+	 * on universe can be the grantor of the privilege on the object.
+	 *
+	 * Handling "create" case differs from other ddl operations
+	 * because being owner of objects and possessing usage right
+	 * don't guarantee the right to create object
 	 */
-	user_access_t access = PRIV_U & ~cr->universal_access;
-	if (access || (owner_uid != cr->uid && cr->uid != ADMIN)) {
+	bool access_denied = (priv_type == PRIV_C) ?
+			     (universal_access || not_owner) :
+			     (universal_access & PRIV_U ||
+				     (universal_access && not_owner));
+	if (access_denied) {
 		struct user *user = user_find_xc(cr->uid);
-		if (access) {
-			tnt_raise(AccessDeniedError,
-				  priv_name(PRIV_U),
-				  schema_object_name(SC_UNIVERSE),
-				  "",
-				  user->def->name);
-		} else {
+		if (not_owner)
 			tnt_raise(AccessDeniedError,
 				  priv_name(priv_type),
 				  schema_object_name(type),
 				  name,
 				  user->def->name);
-		}
+		else
+			tnt_raise(AccessDeniedError,
+				  priv_name(universal_access),
+				  schema_object_name(SC_UNIVERSE),
+				  "",
+				  user->def->name);
 	}
 }
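Review bot: The universe-denial branch in the new `else` raises `priv_name(universal_access)`, and `universal_access` can carry two bits at once (PRIV_U plus the requested `priv_type`) when the caller lacks both, so unless priv_name() is defined for multi-bit masks the reported privilege name is wrong in that case; reporting one deterministic bit keeps the message exact: `priv_name((universal_access & PRIV_U) ? PRIV_U : priv_type)`. The `access_denied` expression mixes `&`, `||` and `&&` and relies on precedence; writing `(universal_access & PRIV_U) || (universal_access && not_owner)` makes the intent readable and avoids parentheses warnings. In the non-create branch a non-owner who lacks usage but does hold the requested universe privilege is reported as lacking the object privilege rather than usage, because `not_owner` is tested first; that is a message-accuracy point only. access_check_ddl's signature starts above the hunk.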
 
@@ -2150,6 +2155,7 @@ on_replace_dd_func(struct trigger * /* trigger */, void *event)
 	struct func *old_func = func_by_id(fid);
 	if (new_tuple != NULL && old_func == NULL) { /* INSERT */
 		struct func_def *def = func_def_new_from_tuple(new_tuple);
+		access_check_ddl(def->name, def->uid, SC_FUNCTION, PRIV_C);
 		auto def_guard = make_scoped_guard([=] { free(def); });
 		func_cache_replace(def);
 		def_guard.is_active = false;
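Review bot: The new `access_check_ddl` call on the INSERT path runs before `def_guard` is installed on the following line, so when the check raises, the `func_def` just returned by `func_def_new_from_tuple` is leaked. Installing the guard first keeps the existing cleanup contract: `auto def_guard = make_scoped_guard([=] { free(def); });` followed by `access_check_ddl(def->name, def->uid, SC_FUNCTION, PRIV_C);`. The other DDL triggers the tests exercise (space, user, sequence create) are not in the diff, so whether they carry a matching create check cannot be confirmed from here. on_replace_dd_func continues outside the hunk.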
@@ -2467,11 +2473,11 @@ priv_def_check(struct priv_def *priv, enum priv_type priv_type)
 		 */
 		if (role->def->owner != grantor->def->uid &&
 		    grantor->def->uid != ADMIN &&
-		    (role->def->uid != PUBLIC || priv->access < PRIV_X)) {
+		    (role->def->uid != PUBLIC || priv->access != PRIV_X)) {
 			tnt_raise(AccessDeniedError,
 				  priv_name(priv_type),
 				  schema_object_name(SC_ROLE), name,
-				  grantor->def->name);;
+				  grantor->def->name);
 		}
 		/* Not necessary to do during revoke, but who cares. */
 		role_check(grantee, role);
@@ -2564,6 +2570,15 @@ on_replace_dd_priv(struct trigger * /* trigger */, void *event)
 
 			priv.access |= PRIV_S;
 			priv.access |= PRIV_U;
+			/*
+			 * F
+			 * or admin we have to set his privileges
+			 * explicitly because he needs them in upgrade and
+			 * bootstrap script
+			 */
+			if (priv.grantor_id == ADMIN) {
+				priv.access = admin_credentials.universal_access;
+			}
 		}
 		priv_def_check(&priv, PRIV_GRANT);
 		grant_or_revoke(&priv);
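Review bot: The new comment is split mid-word (`F` / `or admin`) and should read `For admin we have to set his privileges explicitly because he needs them in the upgrade and bootstrap scripts`. The code keys on `priv.grantor_id == ADMIN` while the comment talks about admin's own privileges, i.e. the grantee; if the enclosing branch (its condition starts above the hunk) is not already limited to the admin grantee, every grant issued by admin here would replace the requested access with the full `admin_credentials.universal_access`, which is a wholesale elevation. The new access.result expectations (tester is still denied create after an admin-issued read,write,execute grant) suggest the branch is narrower than that, but the hunk does not show it. The plain assignment also discards the `PRIV_S | PRIV_U` bits OR-ed in just above unless admin's universal set already contains them; stating the branch's condition in the comment, or testing `priv.grantee_id == ADMIN` if that is the intent, would settle both points.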
@@ -2573,10 +2588,7 @@ on_replace_dd_priv(struct trigger * /* trigger */, void *event)
 	} else if (new_tuple == NULL) {                /* revoke */
 		assert(old_tuple);
 		priv_def_create_from_tuple(&priv, old_tuple);
-		const char *name = schema_find_name(priv.object_type,
-						    priv.object_id);
-		access_check_ddl(name, priv.grantor_id, priv.object_type,
-				 PRIV_REVOKE);
+		priv_def_check(&priv, PRIV_REVOKE);
 		struct trigger *on_commit =
 			txn_alter_trigger_new(revoke_priv, NULL);
 		txn_on_commit(txn, on_commit);
diff --git a/test/box/access.result b/test/box/access.result
index ac53c1f..bae10c6 100644
--- a/test/box/access.result
+++ b/test/box/access.result
@@ -104,7 +104,7 @@ test_run:cmd("setopt delimiter ''");
 box.schema.user.create('rich')
 ---
 ...
-box.schema.user.grant('rich', 'read,write', 'universe')
+box.schema.user.grant('rich', 'read,write,create', 'universe')
 ---
 ...
 session.su('rich')
@@ -143,6 +143,9 @@ box.schema.user.disable("rich")
 box.schema.user.disable("rich")
 ---
 ...
+box.schema.user.revoke('rich', 'create', 'universe')
+---
+...
 box.space['_user']:delete{uid}
 ---
 - [33, 1, 'rich', 'user', {}]
@@ -342,7 +345,7 @@ session = box.session
 box.schema.user.create('uniuser')
 ---
 ...
-box.schema.user.grant('uniuser', 'read, write, execute', 'universe')
+box.schema.user.grant('uniuser', 'read, write, execute, create, drop', 'universe')
 ---
 ...
 session.su('uniuser')
@@ -367,7 +370,7 @@ box.schema.user.drop('uniuser')
 box.schema.user.create('grantor')
 ---
 ...
-box.schema.user.grant('grantor', 'read, write, execute', 'universe')  
+box.schema.user.grant('grantor', 'read, write, execute, create, drop', 'universe')
 ---
 ...
 session.su('grantor')
@@ -573,7 +576,7 @@ session = nil
 box.schema.user.create('twostep')
 ---
 ...
-box.schema.user.grant('twostep', 'read,write,execute', 'universe')
+box.schema.user.grant('twostep', 'read,write,execute,create,drop', 'universe')
 ---
 ...
 box.session.su('twostep')
@@ -607,7 +610,7 @@ box.schema.user.drop('twostep_client')
 ---
 ...
 -- the space is dropped when the user is dropped
--- 
+--
 -- box.schema.user.exists()
 box.schema.user.exists('guest')
 ---
@@ -830,7 +833,7 @@ session = box.session
 box.schema.user.create('test')
 ---
 ...
-box.schema.user.grant('test', 'read,write', 'universe')
+box.schema.user.grant('test', 'read,write,create,alter', 'universe')
 ---
 ...
 session.su('test')
@@ -1083,6 +1086,9 @@ s:drop()
 --
 -- gh-3022 role 'super'
 --
+s = box.schema.space.create("admin_space")
+---
+...
 box.schema.user.grant('guest', 'super')
 ---
 ...
@@ -1107,6 +1113,10 @@ _ = box.schema.func.create('test')
 box.schema.func.drop('test')
 ---
 ...
+-- gh-3088 bug: super role lacks drop privileges on other users' spaces
+s:drop()
+---
+...
 box.session.su('admin')
 ---
 ...
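Review bot: The new comment cites gh-3088 while the commit message says Closes #3089; one of the two references looks wrong and should be aligned before merge. The same comment text appears in the test/box/access.test.lua hunk at `-- gh-3088 bug: super role lacks drop privileges on other users' spaces`.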
@@ -1297,3 +1307,113 @@ seq:drop()
 s:drop()
 ---
 ...
+--
+-- gh-945 create, drop, alter privileges
+--
+box.schema.user.create("tester")
+---
+...
+s = box.schema.space.create("test")
+---
+...
+u = box.schema.user.create("test")
+---
+...
+f = box.schema.func.create("test")
+---
+...
+box.schema.user.grant("tester", "read,write,execute", "universe")
+---
+...
+-- failed create
+box.session.su("tester", box.schema.space.create, "testy")
+---
+- error: Create access to universe '' is denied for user 'tester'
+...
+box.session.su("tester", box.schema.user.create, 'test1')
+---
+- error: Create access to universe '' is denied for user 'tester'
+...
+box.session.su("tester", box.schema.func.create, 'test1')
+---
+- error: Create access to universe '' is denied for user 'tester'
+...
+box.schema.user.grant("tester", "create", "universe")
+---
+...
+-- successful create
+s1 = box.session.su("tester", box.schema.space.create, "testy")
+---
+...
+_ = box.session.su("tester", box.schema.user.create, 'test1')
+---
+...
+_ = box.session.su("tester", box.schema.func.create, 'test1')
+---
+...
+-- successful drop of owned objects
+_ = box.session.su("tester", s1.drop, s1)
+---
+...
+_ = box.session.su("tester", box.schema.user.drop, 'test1')
+---
+...
+_ = box.session.su("tester", box.schema.func.drop, 'test1')
+---
+...
+-- failed alter
+box.session.su("tester", s.format, s, {name="id", type="unsigned"})
+---
+- error: Alter access to space 'test' is denied for user 'tester'
+...
+box.schema.user.grant("tester", "alter", "universe")
+---
+...
+-- successful alter
+box.session.su("tester", s.format, s, {name="id", type="unsigned"})
+---
+...
+-- failed drop
+box.session.su("tester", s.drop, s)
+---
+- error: Drop access to space 'test' is denied for user 'tester'
+...
+-- can't use here sudo
+-- because drop use sudo inside
+-- and currently sudo can't be performed nested
+box.session.su("tester")
+---
+...
+box.schema.user.drop("test")
+---
+- error: Revoke access to role 'public' is denied for user 'tester'
+...
+box.session.su("admin")
+---
+...
+box.session.su("tester", box.schema.func.drop, "test")
+---
+- error: Drop access to function 'test' is denied for user 'tester'
+...
+box.schema.user.grant("tester", "drop", "universe")
+---
+...
+-- successful drop
+box.session.su("tester", s.drop, s)
+---
+...
+box.session.su("tester", box.schema.user.drop, "test")
+---
+...
+box.session.su("tester", box.schema.func.drop, "test")
+---
+...
+box.session.su("admin")
+---
+...
+box.schema.user.revoke("tester", "read,write,execute,create,drop,alter", "universe")
+---
+...
+box.schema.user.drop("tester")
+---
+...
diff --git a/test/box/access.test.lua b/test/box/access.test.lua
index 59dc55f..8208fda 100644
--- a/test/box/access.test.lua
+++ b/test/box/access.test.lua
@@ -50,7 +50,7 @@ end;
 usermax();
 test_run:cmd("setopt delimiter ''");
 box.schema.user.create('rich')
-box.schema.user.grant('rich', 'read,write', 'universe')
+box.schema.user.grant('rich', 'read,write,create', 'universe')
 session.su('rich')
 uid = session.uid()
 box.schema.func.create('dummy')
@@ -63,6 +63,7 @@ box.schema.user.revoke('rich', 'public')
 box.schema.user.disable("rich")
 -- test double disable is a no op
 box.schema.user.disable("rich")
+box.schema.user.revoke('rich', 'create', 'universe')
 box.space['_user']:delete{uid}
 box.schema.user.drop('test')
 
@@ -153,7 +154,7 @@ box.schema.user.drop('testus')
 -- ------------------------------------------------------------
 session = box.session
 box.schema.user.create('uniuser')
-box.schema.user.grant('uniuser', 'read, write, execute', 'universe')
+box.schema.user.grant('uniuser', 'read, write, execute, create, drop', 'universe')
 session.su('uniuser')
 us = box.schema.space.create('uniuser_space')
 session.su('admin')
@@ -166,7 +167,7 @@ box.schema.user.drop('uniuser')
 -- only by its creator at the moment
 -- ------------------------------------------------------------
 box.schema.user.create('grantor')
-box.schema.user.grant('grantor', 'read, write, execute', 'universe')  
+box.schema.user.grant('grantor', 'read, write, execute, create, drop', 'universe')
 session.su('grantor')
 box.schema.user.create('grantee')
 box.schema.user.grant('grantee', 'read, write, execute', 'universe')  
@@ -240,7 +241,7 @@ session = nil
 -- admin can't manage grants on not owned objects
 -- -----------------------------------------------------------
 box.schema.user.create('twostep')
-box.schema.user.grant('twostep', 'read,write,execute', 'universe')
+box.schema.user.grant('twostep', 'read,write,execute,create,drop', 'universe')
 box.session.su('twostep')
 twostep = box.schema.space.create('twostep')
 index2 = twostep:create_index('primary')
@@ -252,7 +253,7 @@ box.schema.user.grant('twostep_client', 'execute', 'function', 'test')
 box.schema.user.drop('twostep')
 box.schema.user.drop('twostep_client')
 -- the space is dropped when the user is dropped
--- 
+--
 -- box.schema.user.exists()
 box.schema.user.exists('guest')
 box.schema.user.exists(nil)
@@ -329,7 +330,7 @@ c:close()
 
 session = box.session
 box.schema.user.create('test')
-box.schema.user.grant('test', 'read,write', 'universe')
+box.schema.user.grant('test', 'read,write,create,alter', 'universe')
 session.su('test')
 box.internal.collation.create('test', 'ICU', 'ru_RU')
 session.su('admin')
@@ -425,7 +426,7 @@ s:drop()
 --
 -- gh-3022 role 'super'
 --
-
+s = box.schema.space.create("admin_space")
 box.schema.user.grant('guest', 'super')
 box.session.su('guest')
 _ = box.schema.space.create('test')
@@ -434,6 +435,9 @@ _ = box.schema.user.create('test')
 box.schema.user.drop('test')
 _ = box.schema.func.create('test')
 box.schema.func.drop('test')
+-- gh-3088 bug: super role lacks drop privileges on other users' spaces
+s:drop()
+
 box.session.su('admin')
 box.schema.user.revoke('guest', 'super')
 box.session.su('guest')
@@ -489,3 +493,57 @@ box.session.on_access_denied(nil, uid)
 box.schema.user.drop("test_user")
 seq:drop()
 s:drop()
+
+--
+-- gh-945 create, drop, alter privileges
+--
+box.schema.user.create("tester")
+s = box.schema.space.create("test")
+u = box.schema.user.create("test")
+f = box.schema.func.create("test")
+box.schema.user.grant("tester", "read,write,execute", "universe")
+
+-- failed create
+box.session.su("tester", box.schema.space.create, "testy")
+box.session.su("tester", box.schema.user.create, 'test1')
+box.session.su("tester", box.schema.func.create, 'test1')
+
+box.schema.user.grant("tester", "create", "universe")
+-- successful create
+s1 = box.session.su("tester", box.schema.space.create, "testy")
+_ = box.session.su("tester", box.schema.user.create, 'test1')
+_ = box.session.su("tester", box.schema.func.create, 'test1')
+
+-- successful drop of owned objects
+_ = box.session.su("tester", s1.drop, s1)
+_ = box.session.su("tester", box.schema.user.drop, 'test1')
+_ = box.session.su("tester", box.schema.func.drop, 'test1')
+
+-- failed alter
+box.session.su("tester", s.format, s, {name="id", type="unsigned"})
+
+box.schema.user.grant("tester", "alter", "universe")
+-- successful alter
+box.session.su("tester", s.format, s, {name="id", type="unsigned"})
+
+-- failed drop
+box.session.su("tester", s.drop, s)
+
+-- can't use here sudo
+-- because drop use sudo inside
+-- and currently sudo can't be performed nested
+box.session.su("tester")
+box.schema.user.drop("test")
+box.session.su("admin")
+
+box.session.su("tester", box.schema.func.drop, "test")
+
+box.schema.user.grant("tester", "drop", "universe")
+-- successful drop
+box.session.su("tester", s.drop, s)
+box.session.su("tester", box.schema.user.drop, "test")
+box.session.su("tester", box.schema.func.drop, "test")
+
+box.session.su("admin")
+box.schema.user.revoke("tester", "read,write,execute,create,drop,alter", "universe")
+box.schema.user.drop("tester")
\ No newline at end of file
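Review bot: test/box/access.test.lua now ends without a trailing newline (`\ No newline at end of file`); add the final newline after `box.schema.user.drop("tester")` so the next test appended to the file does not produce a noisy diff. The rest of the hunk mirrors the access.result expectations and needs nothing further.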
diff --git a/test/box/access_escalation.result b/test/box/access_escalation.result
index 9d6cb99..a83f1ee 100644
--- a/test/box/access_escalation.result
+++ b/test/box/access_escalation.result
@@ -84,6 +84,9 @@ box.schema.user.create('underprivileged')
 box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
 ---
 ...
+box.schema.user.grant('underprivileged', 'create', 'universe')
+---
+...
 box.session.su('underprivileged')
 ---
 ...
diff --git a/test/box/access_escalation.test.lua b/test/box/access_escalation.test.lua
index 8b30870..29b14c8 100644
--- a/test/box/access_escalation.test.lua
+++ b/test/box/access_escalation.test.lua
@@ -61,6 +61,7 @@ connection:close()
 
 box.schema.user.create('underprivileged')
 box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
+box.schema.user.grant('underprivileged', 'create', 'universe')
 box.session.su('underprivileged')
 box.schema.func.create('setuid', {setuid=true})
 box.session.su('admin')
diff --git a/test/box/access_misc.result b/test/box/access_misc.result
index 67234ab..36158ec 100644
--- a/test/box/access_misc.result
+++ b/test/box/access_misc.result
@@ -194,7 +194,7 @@ s:select()
 box.schema.user.create('uniuser')
 ---
 ...
-box.schema.user.grant('uniuser', 'read, write, execute', 'universe')
+box.schema.user.grant('uniuser', 'read, write, execute,create', 'universe')
 ---
 ...
 session.su('uniuser')
@@ -336,6 +336,9 @@ maxuid = box.space._user.index.primary:max()[1]
 box.schema.user.grant('testuser', 'write', 'space', '_user')
 ---
 ...
+box.schema.user.grant('testuser', 'create', 'universe')
+---
+...
 session.su('testuser')
 ---
 ...
@@ -415,7 +418,7 @@ box.space._index:insert{512, 1,'owner','tree', 1, 1, 0,'unsigned'}
 session.su('admin')
 ---
 ...
-box.schema.user.revoke('testuser', 'usage,session', 'universe')
+box.schema.user.revoke('testuser', 'create,usage,session', 'universe')
 ---
 ...
 box.schema.user.revoke('testuser', 'read, write, execute', 'universe')
diff --git a/test/box/access_misc.test.lua b/test/box/access_misc.test.lua
index c23a021..2ba1324 100644
--- a/test/box/access_misc.test.lua
+++ b/test/box/access_misc.test.lua
@@ -79,7 +79,7 @@ s:select()
 -- and create this user session
 --
 box.schema.user.create('uniuser')
-box.schema.user.grant('uniuser', 'read, write, execute', 'universe')
+box.schema.user.grant('uniuser', 'read, write, execute,create', 'universe')
 session.su('uniuser')
 uid = session.uid()
 --
@@ -140,6 +140,7 @@ box.schema.user.create('testuser')
 maxuid = box.space._user.index.primary:max()[1]
 
 box.schema.user.grant('testuser', 'write', 'space', '_user')
+box.schema.user.grant('testuser', 'create', 'universe')
 session.su('testuser')
 testuser_uid = session.uid()
 box.space._user:delete(2)
@@ -172,7 +173,7 @@ box.space._index:insert{512, 1,'owner','tree', 1, 1, 0,'unsigned'}
 
 
 session.su('admin')
-box.schema.user.revoke('testuser', 'usage,session', 'universe')
+box.schema.user.revoke('testuser', 'create,usage,session', 'universe')
 box.schema.user.revoke('testuser', 'read, write, execute', 'universe')
 box.schema.user.grant('testuser', 'usage,session', 'universe')
 --
diff --git a/test/box/access_sysview.result b/test/box/access_sysview.result
index 16aa8cb..63e30af 100644
--- a/test/box/access_sysview.result
+++ b/test/box/access_sysview.result
@@ -372,7 +372,7 @@ box.session.su('guest')
 box.session.su('admin')
 ---
 ...
-box.schema.user.grant('guest', 'read,write', 'universe')
+box.schema.user.grant('guest', 'read,write,create', 'universe')
 ---
 ...
 box.session.su('guest')
@@ -384,7 +384,7 @@ box.schema.user.create('tester')
 box.session.su('admin')
 ---
 ...
-box.schema.user.revoke('guest', 'read,write', 'universe')
+box.schema.user.revoke('guest', 'read,write,create', 'universe')
 ---
 ...
 box.session.su('guest')
diff --git a/test/box/access_sysview.test.lua b/test/box/access_sysview.test.lua
index 8fa5509..ac7c179 100644
--- a/test/box/access_sysview.test.lua
+++ b/test/box/access_sysview.test.lua
@@ -146,13 +146,13 @@ box.session.su('guest')
 #box.space._vuser:select{} < user_cnt
 
 box.session.su('admin')
-box.schema.user.grant('guest', 'read,write', 'universe')
+box.schema.user.grant('guest', 'read,write,create', 'universe')
 box.session.su('guest')
 
 box.schema.user.create('tester')
 
 box.session.su('admin')
-box.schema.user.revoke('guest', 'read,write', 'universe')
+box.schema.user.revoke('guest', 'read,write,create', 'universe')
 box.session.su('guest')
 
 #box.space._vuser.index[2]:select('tester') > 0
diff --git a/test/box/role.result b/test/box/role.result
index 1c1bb21..736ec85 100644
--- a/test/box/role.result
+++ b/test/box/role.result
@@ -214,7 +214,7 @@ box.schema.role.drop('test')
 box.schema.user.grant('grantee', 'liaison')
 ---
 ...
-box.schema.user.grant('test', 'read,write', 'universe')
+box.schema.user.grant('test', 'read,write,create', 'universe')
 ---
 ...
 box.session.su('test')
@@ -635,7 +635,7 @@ box.schema.user.create('user')
 box.schema.user.create('grantee')
 ---
 ...
-box.schema.user.grant('user', 'read,write,execute', 'universe')
+box.schema.user.grant('user', 'read,write,execute,create', 'universe')
 ---
 ...
 box.session.su('user')
diff --git a/test/box/role.test.lua b/test/box/role.test.lua
index c85a26d..e97339f 100644
--- a/test/box/role.test.lua
+++ b/test/box/role.test.lua
@@ -69,7 +69,7 @@ box.schema.role.revoke('test', 'liaison')
 box.schema.role.drop('test')
 
 box.schema.user.grant('grantee', 'liaison')
-box.schema.user.grant('test', 'read,write', 'universe')
+box.schema.user.grant('test', 'read,write,create', 'universe')
 box.session.su('test')
 s = box.schema.space.create('test')
 _ = s:create_index('i1')
@@ -248,7 +248,7 @@ box.schema.role.drop("role10")
 box.schema.user.create('user')
 box.schema.user.create('grantee')
 
-box.schema.user.grant('user', 'read,write,execute', 'universe')
+box.schema.user.grant('user', 'read,write,execute,create', 'universe')
 box.session.su('user')
 box.schema.role.create('role')
 box.session.su('admin')
diff --git a/test/box/sequence.result b/test/box/sequence.result
index 22d49bc..af6d7a3 100644
--- a/test/box/sequence.result
+++ b/test/box/sequence.result
@@ -1281,6 +1281,9 @@ box.schema.user.grant('user', 'read', 'space', '_space')
 box.schema.user.grant('user', 'read', 'space', '_sequence')
 ---
 ...
+box.schema.user.grant('user', 'create', 'universe')
+---
+...
 sq = box.schema.sequence.create('seq')
 ---
 ...
@@ -1355,7 +1358,7 @@ box.schema.user.info()
   - - read
     - space
     - _priv
-  - - session,usage
+  - - session,usage,create
     - universe
     - 
 ...
diff --git a/test/box/sequence.test.lua b/test/box/sequence.test.lua
index 26147bb..011bea6 100644
--- a/test/box/sequence.test.lua
+++ b/test/box/sequence.test.lua
@@ -428,6 +428,7 @@ box.schema.user.grant('user', 'read', 'space', '_priv')
 box.schema.user.grant('user', 'read', 'space', '_user')
 box.schema.user.grant('user', 'read', 'space', '_space')
 box.schema.user.grant('user', 'read', 'space', '_sequence')
+box.schema.user.grant('user', 'create', 'universe')
 sq = box.schema.sequence.create('seq')
 box.schema.user.grant('user', 'write', 'sequence', 'test') -- error: no such sequence
 box.schema.user.grant('user', 'write', 'sequence', 'seq') -- ok
diff --git a/test/replication/autobootstrap.result b/test/replication/autobootstrap.result
index e45a386..e0ab6f5 100644
--- a/test/replication/autobootstrap.result
+++ b/test/replication/autobootstrap.result
@@ -112,7 +112,7 @@ _ = test_run:cmd("switch autobootstrap1")
 u1 = box.schema.user.create('test_u')
 ---
 ...
-box.schema.user.grant('test_u', 'read,write', 'universe')
+box.schema.user.grant('test_u', 'read,write,create', 'universe')
 ---
 ...
 box.session.su('test_u')
diff --git a/test/replication/autobootstrap.test.lua b/test/replication/autobootstrap.test.lua
index 8cb97d5..e7f624b 100644
--- a/test/replication/autobootstrap.test.lua
+++ b/test/replication/autobootstrap.test.lua
@@ -55,7 +55,7 @@ _ = test_run:cmd("switch default")
 
 _ = test_run:cmd("switch autobootstrap1")
 u1 = box.schema.user.create('test_u')
-box.schema.user.grant('test_u', 'read,write', 'universe')
+box.schema.user.grant('test_u', 'read,write,create', 'universe')
 box.session.su('test_u')
 _ = box.schema.space.create('test_u'):create_index('pk')
 box.session.su('admin')
diff --git a/test/wal_off/func_max.result b/test/wal_off/func_max.result
index c1b45bb..9211c43 100644
--- a/test/wal_off/func_max.result
+++ b/test/wal_off/func_max.result
@@ -47,7 +47,7 @@ drop_limit_func();
 box.schema.user.create('testuser');
 ---
 ...
-box.schema.user.grant('testuser', 'read, write, execute', 'universe');
+box.schema.user.grant('testuser', 'read, write, execute,create', 'universe');
 ---
 ...
 session.su('testuser');
diff --git a/test/wal_off/func_max.test.lua b/test/wal_off/func_max.test.lua
index 7a0afcf..00a0959 100644
--- a/test/wal_off/func_max.test.lua
+++ b/test/wal_off/func_max.test.lua
@@ -24,7 +24,7 @@ end;
 func_limit();
 drop_limit_func();
 box.schema.user.create('testuser');
-box.schema.user.grant('testuser', 'read, write, execute', 'universe');
+box.schema.user.grant('testuser', 'read, write, execute,create', 'universe');
 session.su('testuser');
 func_limit();
 drop_limit_func();
-- 
2.7.4



