[patches] [security 1/1] security: Add create,drop,alter privileges support
imarkov
imarkov at tarantool.org
Mon Jan 29 16:34:38 MSK 2018
From: IlyaMarkovMipt <markovilya197 at gmail.com>
* Add support for the Create, Drop and Alter privileges on universe.
* Fix super role behavior so that users with
this role can drop any object.
Relates #945
Closes #3089
Signed-off-by: imarkov <imarkov at tarantool.org>
---
src/box/alter.cc | 56 ++++++++------
test/box/access.result | 132 ++++++++++++++++++++++++++++++--
test/box/access.test.lua | 72 +++++++++++++++--
test/box/access_escalation.result | 3 +
test/box/access_escalation.test.lua | 1 +
test/box/access_misc.result | 7 +-
test/box/access_misc.test.lua | 5 +-
test/box/access_sysview.result | 4 +-
test/box/access_sysview.test.lua | 4 +-
test/box/role.result | 4 +-
test/box/role.test.lua | 4 +-
test/box/sequence.result | 5 +-
test/box/sequence.test.lua | 1 +
test/replication/autobootstrap.result | 2 +-
test/replication/autobootstrap.test.lua | 2 +-
test/wal_off/func_max.result | 2 +-
test/wal_off/func_max.test.lua | 2 +-
17 files changed, 254 insertions(+), 52 deletions(-)
diff --git a/src/box/alter.cc b/src/box/alter.cc
index 74043b8..7d883bd 100644
--- a/src/box/alter.cc
+++ b/src/box/alter.cc
@@ -67,30 +67,35 @@ access_check_ddl(const char *name, uint32_t owner_uid,
enum priv_type priv_type)
{
struct credentials *cr = effective_user();
+ user_access_t universal_access = (PRIV_U | (priv_type))
+ & ~cr->universal_access;
+ bool not_owner = owner_uid != cr->uid && cr->uid != ADMIN;
/*
- * Only the owner of the object can be the grantor
- * of the privilege on the object. This means that
- * for universe/space/func/other persistent object,
- * only the creator of the object can be the grantor,
- * since Tarantool lacks separate CREATE/DROP/GRANT OPTION
- * privileges.
+ * Only the owner of the object or someone who has specific privilege
+ * on universe can be the grantor of the privilege on the object.
+ *
+ * Handling "create" case differs from other ddl operations
+ * because being owner of objects and possessing usage right
+ * don't guarantee the right to create object
*/
- user_access_t access = PRIV_U & ~cr->universal_access;
- if (access || (owner_uid != cr->uid && cr->uid != ADMIN)) {
+ bool access_denied = (priv_type == PRIV_C) ?
+ (universal_access || not_owner) :
+ (universal_access & PRIV_U ||
+ (universal_access && not_owner));
+ if (access_denied) {
struct user *user = user_find_xc(cr->uid);
- if (access) {
- tnt_raise(AccessDeniedError,
- priv_name(PRIV_U),
- schema_object_name(SC_UNIVERSE),
- "",
- user->def->name);
- } else {
+ if (not_owner)
tnt_raise(AccessDeniedError,
priv_name(priv_type),
schema_object_name(type),
name,
user->def->name);
- }
+ else
+ tnt_raise(AccessDeniedError,
+ priv_name(universal_access),
+ schema_object_name(SC_UNIVERSE),
+ "",
+ user->def->name);
}
}
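Review bot: The two `tnt_raise` branches can report the wrong privilege. `universal_access` is the mask of everything missing from `PRIV_U | priv_type`, so in the `else` branch `priv_name(universal_access)` receives two bits when the user lacks both usage and the requested privilege. `priv_name` is not visible here, but if it expects a single privilege then `priv_name((universal_access & PRIV_U) ? PRIV_U : priv_type)` keeps the message well defined. In the `if (not_owner)` branch, a non-owner who is missing only `PRIV_U` is now told that `priv_type` on the object was denied, whereas the removed code reported the usage denial on universe first. These messages are what an operator or audit log sees for a refused DDL, so they should name the privilege that is actually missing; the function's signature starts above the hunk.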
@@ -2150,6 +2155,7 @@ on_replace_dd_func(struct trigger * /* trigger */, void *event)
struct func *old_func = func_by_id(fid);
if (new_tuple != NULL && old_func == NULL) { /* INSERT */
struct func_def *def = func_def_new_from_tuple(new_tuple);
+ access_check_ddl(def->name, def->uid, SC_FUNCTION, PRIV_C);
auto def_guard = make_scoped_guard([=] { free(def); });
func_cache_replace(def);
def_guard.is_active = false;
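Review bot: The added `access_check_ddl(def->name, def->uid, SC_FUNCTION, PRIV_C);` runs before `def_guard` is created, so `def` is leaked whenever the check raises. The check reports denial through `tnt_raise`, and the guard whose lambda calls `free(def)` does not exist yet at that point. A user without create rights can hit this path repeatedly, so the leak is reachable by exactly the callers the check is meant to stop. Move the call one line down, directly after `auto def_guard = make_scoped_guard([=] { free(def); });` and before `func_cache_replace(def);`. The rest of `on_replace_dd_func` is outside the hunk.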
@@ -2467,11 +2473,11 @@ priv_def_check(struct priv_def *priv, enum priv_type priv_type)
*/
if (role->def->owner != grantor->def->uid &&
grantor->def->uid != ADMIN &&
- (role->def->uid != PUBLIC || priv->access < PRIV_X)) {
+ (role->def->uid != PUBLIC || priv->access != PRIV_X)) {
tnt_raise(AccessDeniedError,
priv_name(priv_type),
schema_object_name(SC_ROLE), name,
- grantor->def->name);;
+ grantor->def->name);
}
/* Not necessary to do during revoke, but who cares. */
role_check(grantee, role);
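Review bot: The switch from `priv->access < PRIV_X` to `priv->access != PRIV_X` in the `PUBLIC` exemption is a security-relevant tightening that has no explanation next to it. With the old comparison, any mask numerically at or above execute passed the exemption; this presumably includes the new create/drop/alter bits. The comment that precedes the condition starts outside the hunk, so I cannot see whether it already covers this. If it does not, I would add `/* Exactly PRIV_X: a mask that merely contains or exceeds execute must not pass the 'public' exemption. */` above the condition.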
@@ -2564,6 +2570,15 @@ on_replace_dd_priv(struct trigger * /* trigger */, void *event)
priv.access |= PRIV_S;
priv.access |= PRIV_U;
+ /*
+ * F
+ * or admin we have to set his privileges
+ * explicitly because he needs them in upgrade and
+ * bootstrap script
+ */
+ if (priv.grantor_id == ADMIN) {
+ priv.access = admin_credentials.universal_access;
+ }
}
priv_def_check(&priv, PRIV_GRANT);
grant_or_revoke(&priv);
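Review bot: The new `if (priv.grantor_id == ADMIN)` tests who issued the grant, while its comment talks about setting admin's own privileges. As written, any grant issued by admin that reaches this block has `priv.access` overwritten with `admin_credentials.universal_access`, whoever the grantee is. The enclosing condition is outside the hunk, so I cannot tell whether the block is already limited to admin as grantee. If it is not, this widens ordinary universe grants to admin's full mask. If the comment states the intent, the check should be `if (priv.grantee_id == ADMIN)`, and `priv.access |= admin_credentials.universal_access;` would add bits instead of discarding the ones read from the tuple.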
@@ -2573,10 +2588,7 @@ on_replace_dd_priv(struct trigger * /* trigger */, void *event)
} else if (new_tuple == NULL) { /* revoke */
assert(old_tuple);
priv_def_create_from_tuple(&priv, old_tuple);
- const char *name = schema_find_name(priv.object_type,
- priv.object_id);
- access_check_ddl(name, priv.grantor_id, priv.object_type,
- PRIV_REVOKE);
+ priv_def_check(&priv, PRIV_REVOKE);
struct trigger *on_commit =
txn_alter_trigger_new(revoke_priv, NULL);
txn_on_commit(txn, on_commit);
diff --git a/test/box/access.result b/test/box/access.result
index ac53c1f..bae10c6 100644
--- a/test/box/access.result
+++ b/test/box/access.result
@@ -104,7 +104,7 @@ test_run:cmd("setopt delimiter ''");
box.schema.user.create('rich')
---
...
-box.schema.user.grant('rich', 'read,write', 'universe')
+box.schema.user.grant('rich', 'read,write,create', 'universe')
---
...
session.su('rich')
@@ -143,6 +143,9 @@ box.schema.user.disable("rich")
box.schema.user.disable("rich")
---
...
+box.schema.user.revoke('rich', 'create', 'universe')
+---
+...
box.space['_user']:delete{uid}
---
- [33, 1, 'rich', 'user', {}]
@@ -342,7 +345,7 @@ session = box.session
box.schema.user.create('uniuser')
---
...
-box.schema.user.grant('uniuser', 'read, write, execute', 'universe')
+box.schema.user.grant('uniuser', 'read, write, execute, create, drop', 'universe')
---
...
session.su('uniuser')
@@ -367,7 +370,7 @@ box.schema.user.drop('uniuser')
box.schema.user.create('grantor')
---
...
-box.schema.user.grant('grantor', 'read, write, execute', 'universe')
+box.schema.user.grant('grantor', 'read, write, execute, create, drop', 'universe')
---
...
session.su('grantor')
@@ -573,7 +576,7 @@ session = nil
box.schema.user.create('twostep')
---
...
-box.schema.user.grant('twostep', 'read,write,execute', 'universe')
+box.schema.user.grant('twostep', 'read,write,execute,create,drop', 'universe')
---
...
box.session.su('twostep')
@@ -607,7 +610,7 @@ box.schema.user.drop('twostep_client')
---
...
-- the space is dropped when the user is dropped
---
+--
-- box.schema.user.exists()
box.schema.user.exists('guest')
---
@@ -830,7 +833,7 @@ session = box.session
box.schema.user.create('test')
---
...
-box.schema.user.grant('test', 'read,write', 'universe')
+box.schema.user.grant('test', 'read,write,create,alter', 'universe')
---
...
session.su('test')
@@ -1083,6 +1086,9 @@ s:drop()
--
-- gh-3022 role 'super'
--
+s = box.schema.space.create("admin_space")
+---
+...
box.schema.user.grant('guest', 'super')
---
...
@@ -1107,6 +1113,10 @@ _ = box.schema.func.create('test')
box.schema.func.drop('test')
---
...
+-- gh-3088 bug: super role lacks drop privileges on other users' spaces
+s:drop()
+---
+...
box.session.su('admin')
---
...
@@ -1297,3 +1307,113 @@ seq:drop()
s:drop()
---
...
+--
+-- gh-945 create, drop, alter privileges
+--
+box.schema.user.create("tester")
+---
+...
+s = box.schema.space.create("test")
+---
+...
+u = box.schema.user.create("test")
+---
+...
+f = box.schema.func.create("test")
+---
+...
+box.schema.user.grant("tester", "read,write,execute", "universe")
+---
+...
+-- failed create
+box.session.su("tester", box.schema.space.create, "testy")
+---
+- error: Create access to universe '' is denied for user 'tester'
+...
+box.session.su("tester", box.schema.user.create, 'test1')
+---
+- error: Create access to universe '' is denied for user 'tester'
+...
+box.session.su("tester", box.schema.func.create, 'test1')
+---
+- error: Create access to universe '' is denied for user 'tester'
+...
+box.schema.user.grant("tester", "create", "universe")
+---
+...
+-- successful create
+s1 = box.session.su("tester", box.schema.space.create, "testy")
+---
+...
+_ = box.session.su("tester", box.schema.user.create, 'test1')
+---
+...
+_ = box.session.su("tester", box.schema.func.create, 'test1')
+---
+...
+-- successful drop of owned objects
+_ = box.session.su("tester", s1.drop, s1)
+---
+...
+_ = box.session.su("tester", box.schema.user.drop, 'test1')
+---
+...
+_ = box.session.su("tester", box.schema.func.drop, 'test1')
+---
+...
+-- failed alter
+box.session.su("tester", s.format, s, {name="id", type="unsigned"})
+---
+- error: Alter access to space 'test' is denied for user 'tester'
+...
+box.schema.user.grant("tester", "alter", "universe")
+---
+...
+-- successful alter
+box.session.su("tester", s.format, s, {name="id", type="unsigned"})
+---
+...
+-- failed drop
+box.session.su("tester", s.drop, s)
+---
+- error: Drop access to space 'test' is denied for user 'tester'
+...
+-- can't use here sudo
+-- because drop use sudo inside
+-- and currently sudo can't be performed nested
+box.session.su("tester")
+---
+...
+box.schema.user.drop("test")
+---
+- error: Revoke access to role 'public' is denied for user 'tester'
+...
+box.session.su("admin")
+---
+...
+box.session.su("tester", box.schema.func.drop, "test")
+---
+- error: Drop access to function 'test' is denied for user 'tester'
+...
+box.schema.user.grant("tester", "drop", "universe")
+---
+...
+-- successful drop
+box.session.su("tester", s.drop, s)
+---
+...
+box.session.su("tester", box.schema.user.drop, "test")
+---
+...
+box.session.su("tester", box.schema.func.drop, "test")
+---
+...
+box.session.su("admin")
+---
+...
+box.schema.user.revoke("tester", "read,write,execute,create,drop,alter", "universe")
+---
+...
+box.schema.user.drop("tester")
+---
+...
diff --git a/test/box/access.test.lua b/test/box/access.test.lua
index 59dc55f..8208fda 100644
--- a/test/box/access.test.lua
+++ b/test/box/access.test.lua
@@ -50,7 +50,7 @@ end;
usermax();
test_run:cmd("setopt delimiter ''");
box.schema.user.create('rich')
-box.schema.user.grant('rich', 'read,write', 'universe')
+box.schema.user.grant('rich', 'read,write,create', 'universe')
session.su('rich')
uid = session.uid()
box.schema.func.create('dummy')
@@ -63,6 +63,7 @@ box.schema.user.revoke('rich', 'public')
box.schema.user.disable("rich")
-- test double disable is a no op
box.schema.user.disable("rich")
+box.schema.user.revoke('rich', 'create', 'universe')
box.space['_user']:delete{uid}
box.schema.user.drop('test')
@@ -153,7 +154,7 @@ box.schema.user.drop('testus')
-- ------------------------------------------------------------
session = box.session
box.schema.user.create('uniuser')
-box.schema.user.grant('uniuser', 'read, write, execute', 'universe')
+box.schema.user.grant('uniuser', 'read, write, execute, create, drop', 'universe')
session.su('uniuser')
us = box.schema.space.create('uniuser_space')
session.su('admin')
@@ -166,7 +167,7 @@ box.schema.user.drop('uniuser')
-- only by its creator at the moment
-- ------------------------------------------------------------
box.schema.user.create('grantor')
-box.schema.user.grant('grantor', 'read, write, execute', 'universe')
+box.schema.user.grant('grantor', 'read, write, execute, create, drop', 'universe')
session.su('grantor')
box.schema.user.create('grantee')
box.schema.user.grant('grantee', 'read, write, execute', 'universe')
@@ -240,7 +241,7 @@ session = nil
-- admin can't manage grants on not owned objects
-- -----------------------------------------------------------
box.schema.user.create('twostep')
-box.schema.user.grant('twostep', 'read,write,execute', 'universe')
+box.schema.user.grant('twostep', 'read,write,execute,create,drop', 'universe')
box.session.su('twostep')
twostep = box.schema.space.create('twostep')
index2 = twostep:create_index('primary')
@@ -252,7 +253,7 @@ box.schema.user.grant('twostep_client', 'execute', 'function', 'test')
box.schema.user.drop('twostep')
box.schema.user.drop('twostep_client')
-- the space is dropped when the user is dropped
---
+--
-- box.schema.user.exists()
box.schema.user.exists('guest')
box.schema.user.exists(nil)
@@ -329,7 +330,7 @@ c:close()
session = box.session
box.schema.user.create('test')
-box.schema.user.grant('test', 'read,write', 'universe')
+box.schema.user.grant('test', 'read,write,create,alter', 'universe')
session.su('test')
box.internal.collation.create('test', 'ICU', 'ru_RU')
session.su('admin')
@@ -425,7 +426,7 @@ s:drop()
--
-- gh-3022 role 'super'
--
-
+s = box.schema.space.create("admin_space")
box.schema.user.grant('guest', 'super')
box.session.su('guest')
_ = box.schema.space.create('test')
@@ -434,6 +435,9 @@ _ = box.schema.user.create('test')
box.schema.user.drop('test')
_ = box.schema.func.create('test')
box.schema.func.drop('test')
+-- gh-3088 bug: super role lacks drop privileges on other users' spaces
+s:drop()
+
box.session.su('admin')
box.schema.user.revoke('guest', 'super')
box.session.su('guest')
@@ -489,3 +493,57 @@ box.session.on_access_denied(nil, uid)
box.schema.user.drop("test_user")
seq:drop()
s:drop()
+
+--
+-- gh-945 create, drop, alter privileges
+--
+box.schema.user.create("tester")
+s = box.schema.space.create("test")
+u = box.schema.user.create("test")
+f = box.schema.func.create("test")
+box.schema.user.grant("tester", "read,write,execute", "universe")
+
+-- failed create
+box.session.su("tester", box.schema.space.create, "testy")
+box.session.su("tester", box.schema.user.create, 'test1')
+box.session.su("tester", box.schema.func.create, 'test1')
+
+box.schema.user.grant("tester", "create", "universe")
+-- successful create
+s1 = box.session.su("tester", box.schema.space.create, "testy")
+_ = box.session.su("tester", box.schema.user.create, 'test1')
+_ = box.session.su("tester", box.schema.func.create, 'test1')
+
+-- successful drop of owned objects
+_ = box.session.su("tester", s1.drop, s1)
+_ = box.session.su("tester", box.schema.user.drop, 'test1')
+_ = box.session.su("tester", box.schema.func.drop, 'test1')
+
+-- failed alter
+box.session.su("tester", s.format, s, {name="id", type="unsigned"})
+
+box.schema.user.grant("tester", "alter", "universe")
+-- successful alter
+box.session.su("tester", s.format, s, {name="id", type="unsigned"})
+
+-- failed drop
+box.session.su("tester", s.drop, s)
+
+-- can't use here sudo
+-- because drop use sudo inside
+-- and currently sudo can't be performed nested
+box.session.su("tester")
+box.schema.user.drop("test")
+box.session.su("admin")
+
+box.session.su("tester", box.schema.func.drop, "test")
+
+box.schema.user.grant("tester", "drop", "universe")
+-- successful drop
+box.session.su("tester", s.drop, s)
+box.session.su("tester", box.schema.user.drop, "test")
+box.session.su("tester", box.schema.func.drop, "test")
+
+box.session.su("admin")
+box.schema.user.revoke("tester", "read,write,execute,create,drop,alter", "universe")
+box.schema.user.drop("tester")
\ No newline at end of file
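Review bot: The denied `box.schema.user.drop("test")` case, run after `box.session.su("tester")`, does not show that the new drop privilege is what gates user removal. The expected output in access.result for this call is `Revoke access to role 'public' is denied for user 'tester'`, while the space and function cases report a Drop denial on the object itself. This suggests, though I cannot confirm it from the patch, that the user drop is refused by an internal revoke and not by a drop check on the user object. I would either make the drop check on the user the first gate, or state the current behaviour in the test with `-- NOTE: rejected at the internal revoke from role 'public', not by a Drop check on user 'test'` above the call.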
diff --git a/test/box/access_escalation.result b/test/box/access_escalation.result
index 9d6cb99..a83f1ee 100644
--- a/test/box/access_escalation.result
+++ b/test/box/access_escalation.result
@@ -84,6 +84,9 @@ box.schema.user.create('underprivileged')
box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
---
...
+box.schema.user.grant('underprivileged', 'create', 'universe')
+---
+...
box.session.su('underprivileged')
---
...
diff --git a/test/box/access_escalation.test.lua b/test/box/access_escalation.test.lua
index 8b30870..29b14c8 100644
--- a/test/box/access_escalation.test.lua
+++ b/test/box/access_escalation.test.lua
@@ -61,6 +61,7 @@ connection:close()
box.schema.user.create('underprivileged')
box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
+box.schema.user.grant('underprivileged', 'create', 'universe')
box.session.su('underprivileged')
box.schema.func.create('setuid', {setuid=true})
box.session.su('admin')
diff --git a/test/box/access_misc.result b/test/box/access_misc.result
index 67234ab..36158ec 100644
--- a/test/box/access_misc.result
+++ b/test/box/access_misc.result
@@ -194,7 +194,7 @@ s:select()
box.schema.user.create('uniuser')
---
...
-box.schema.user.grant('uniuser', 'read, write, execute', 'universe')
+box.schema.user.grant('uniuser', 'read, write, execute,create', 'universe')
---
...
session.su('uniuser')
@@ -336,6 +336,9 @@ maxuid = box.space._user.index.primary:max()[1]
box.schema.user.grant('testuser', 'write', 'space', '_user')
---
...
+box.schema.user.grant('testuser', 'create', 'universe')
+---
+...
session.su('testuser')
---
...
@@ -415,7 +418,7 @@ box.space._index:insert{512, 1,'owner','tree', 1, 1, 0,'unsigned'}
session.su('admin')
---
...
-box.schema.user.revoke('testuser', 'usage,session', 'universe')
+box.schema.user.revoke('testuser', 'create,usage,session', 'universe')
---
...
box.schema.user.revoke('testuser', 'read, write, execute', 'universe')
diff --git a/test/box/access_misc.test.lua b/test/box/access_misc.test.lua
index c23a021..2ba1324 100644
--- a/test/box/access_misc.test.lua
+++ b/test/box/access_misc.test.lua
@@ -79,7 +79,7 @@ s:select()
-- and create this user session
--
box.schema.user.create('uniuser')
-box.schema.user.grant('uniuser', 'read, write, execute', 'universe')
+box.schema.user.grant('uniuser', 'read, write, execute,create', 'universe')
session.su('uniuser')
uid = session.uid()
--
@@ -140,6 +140,7 @@ box.schema.user.create('testuser')
maxuid = box.space._user.index.primary:max()[1]
box.schema.user.grant('testuser', 'write', 'space', '_user')
+box.schema.user.grant('testuser', 'create', 'universe')
session.su('testuser')
testuser_uid = session.uid()
box.space._user:delete(2)
@@ -172,7 +173,7 @@ box.space._index:insert{512, 1,'owner','tree', 1, 1, 0,'unsigned'}
session.su('admin')
-box.schema.user.revoke('testuser', 'usage,session', 'universe')
+box.schema.user.revoke('testuser', 'create,usage,session', 'universe')
box.schema.user.revoke('testuser', 'read, write, execute', 'universe')
box.schema.user.grant('testuser', 'usage,session', 'universe')
--
diff --git a/test/box/access_sysview.result b/test/box/access_sysview.result
index 16aa8cb..63e30af 100644
--- a/test/box/access_sysview.result
+++ b/test/box/access_sysview.result
@@ -372,7 +372,7 @@ box.session.su('guest')
box.session.su('admin')
---
...
-box.schema.user.grant('guest', 'read,write', 'universe')
+box.schema.user.grant('guest', 'read,write,create', 'universe')
---
...
box.session.su('guest')
@@ -384,7 +384,7 @@ box.schema.user.create('tester')
box.session.su('admin')
---
...
-box.schema.user.revoke('guest', 'read,write', 'universe')
+box.schema.user.revoke('guest', 'read,write,create', 'universe')
---
...
box.session.su('guest')
diff --git a/test/box/access_sysview.test.lua b/test/box/access_sysview.test.lua
index 8fa5509..ac7c179 100644
--- a/test/box/access_sysview.test.lua
+++ b/test/box/access_sysview.test.lua
@@ -146,13 +146,13 @@ box.session.su('guest')
#box.space._vuser:select{} < user_cnt
box.session.su('admin')
-box.schema.user.grant('guest', 'read,write', 'universe')
+box.schema.user.grant('guest', 'read,write,create', 'universe')
box.session.su('guest')
box.schema.user.create('tester')
box.session.su('admin')
-box.schema.user.revoke('guest', 'read,write', 'universe')
+box.schema.user.revoke('guest', 'read,write,create', 'universe')
box.session.su('guest')
#box.space._vuser.index[2]:select('tester') > 0
diff --git a/test/box/role.result b/test/box/role.result
index 1c1bb21..736ec85 100644
--- a/test/box/role.result
+++ b/test/box/role.result
@@ -214,7 +214,7 @@ box.schema.role.drop('test')
box.schema.user.grant('grantee', 'liaison')
---
...
-box.schema.user.grant('test', 'read,write', 'universe')
+box.schema.user.grant('test', 'read,write,create', 'universe')
---
...
box.session.su('test')
@@ -635,7 +635,7 @@ box.schema.user.create('user')
box.schema.user.create('grantee')
---
...
-box.schema.user.grant('user', 'read,write,execute', 'universe')
+box.schema.user.grant('user', 'read,write,execute,create', 'universe')
---
...
box.session.su('user')
diff --git a/test/box/role.test.lua b/test/box/role.test.lua
index c85a26d..e97339f 100644
--- a/test/box/role.test.lua
+++ b/test/box/role.test.lua
@@ -69,7 +69,7 @@ box.schema.role.revoke('test', 'liaison')
box.schema.role.drop('test')
box.schema.user.grant('grantee', 'liaison')
-box.schema.user.grant('test', 'read,write', 'universe')
+box.schema.user.grant('test', 'read,write,create', 'universe')
box.session.su('test')
s = box.schema.space.create('test')
_ = s:create_index('i1')
@@ -248,7 +248,7 @@ box.schema.role.drop("role10")
box.schema.user.create('user')
box.schema.user.create('grantee')
-box.schema.user.grant('user', 'read,write,execute', 'universe')
+box.schema.user.grant('user', 'read,write,execute,create', 'universe')
box.session.su('user')
box.schema.role.create('role')
box.session.su('admin')
diff --git a/test/box/sequence.result b/test/box/sequence.result
index 22d49bc..af6d7a3 100644
--- a/test/box/sequence.result
+++ b/test/box/sequence.result
@@ -1281,6 +1281,9 @@ box.schema.user.grant('user', 'read', 'space', '_space')
box.schema.user.grant('user', 'read', 'space', '_sequence')
---
...
+box.schema.user.grant('user', 'create', 'universe')
+---
+...
sq = box.schema.sequence.create('seq')
---
...
@@ -1355,7 +1358,7 @@ box.schema.user.info()
- - read
- space
- _priv
- - - session,usage
+ - - session,usage,create
- universe
-
...
diff --git a/test/box/sequence.test.lua b/test/box/sequence.test.lua
index 26147bb..011bea6 100644
--- a/test/box/sequence.test.lua
+++ b/test/box/sequence.test.lua
@@ -428,6 +428,7 @@ box.schema.user.grant('user', 'read', 'space', '_priv')
box.schema.user.grant('user', 'read', 'space', '_user')
box.schema.user.grant('user', 'read', 'space', '_space')
box.schema.user.grant('user', 'read', 'space', '_sequence')
+box.schema.user.grant('user', 'create', 'universe')
sq = box.schema.sequence.create('seq')
box.schema.user.grant('user', 'write', 'sequence', 'test') -- error: no such sequence
box.schema.user.grant('user', 'write', 'sequence', 'seq') -- ok
diff --git a/test/replication/autobootstrap.result b/test/replication/autobootstrap.result
index e45a386..e0ab6f5 100644
--- a/test/replication/autobootstrap.result
+++ b/test/replication/autobootstrap.result
@@ -112,7 +112,7 @@ _ = test_run:cmd("switch autobootstrap1")
u1 = box.schema.user.create('test_u')
---
...
-box.schema.user.grant('test_u', 'read,write', 'universe')
+box.schema.user.grant('test_u', 'read,write,create', 'universe')
---
...
box.session.su('test_u')
diff --git a/test/replication/autobootstrap.test.lua b/test/replication/autobootstrap.test.lua
index 8cb97d5..e7f624b 100644
--- a/test/replication/autobootstrap.test.lua
+++ b/test/replication/autobootstrap.test.lua
@@ -55,7 +55,7 @@ _ = test_run:cmd("switch default")
_ = test_run:cmd("switch autobootstrap1")
u1 = box.schema.user.create('test_u')
-box.schema.user.grant('test_u', 'read,write', 'universe')
+box.schema.user.grant('test_u', 'read,write,create', 'universe')
box.session.su('test_u')
_ = box.schema.space.create('test_u'):create_index('pk')
box.session.su('admin')
diff --git a/test/wal_off/func_max.result b/test/wal_off/func_max.result
index c1b45bb..9211c43 100644
--- a/test/wal_off/func_max.result
+++ b/test/wal_off/func_max.result
@@ -47,7 +47,7 @@ drop_limit_func();
box.schema.user.create('testuser');
---
...
-box.schema.user.grant('testuser', 'read, write, execute', 'universe');
+box.schema.user.grant('testuser', 'read, write, execute,create', 'universe');
---
...
session.su('testuser');
diff --git a/test/wal_off/func_max.test.lua b/test/wal_off/func_max.test.lua
index 7a0afcf..00a0959 100644
--- a/test/wal_off/func_max.test.lua
+++ b/test/wal_off/func_max.test.lua
@@ -24,7 +24,7 @@ end;
func_limit();
drop_limit_func();
box.schema.user.create('testuser');
-box.schema.user.grant('testuser', 'read, write, execute', 'universe');
+box.schema.user.grant('testuser', 'read, write, execute,create', 'universe');
session.su('testuser');
func_limit();
drop_limit_func();
--
2.7.4