[tarantool-patches] [PATCH 2/3] security: add limits on object_type-privilege pair
Georgy Kirichenko
georgy at tarantool.org
Fri Jun 8 12:06:33 MSK 2018
From: imarkov <imarkov at tarantool.org>
Introduce constraints on object_type-privilege pairs.
These constraints forbid senseless grants/revokes, i.e.:
sequence - execute, all space-related privileges (insert, delete,
update),
function - alter, all space-related privileges,
role - all privileges except create, drop, alter, execute
Prerequisite #945
---
src/box/errcode.h | 2 +-
src/box/lua/schema.lua | 13 ++++++++++--
test/box/access.result | 17 +++++++++++++++
test/box/access.test.lua | 9 +++++++-
test/box/misc.result | 46 ++++++++++++++++++++--------------------
5 files changed, 60 insertions(+), 27 deletions(-)
diff --git a/src/box/errcode.h b/src/box/errcode.h
index a0759f8f4..d76673be9 100644
--- a/src/box/errcode.h
+++ b/src/box/errcode.h
@@ -150,7 +150,7 @@ struct errcode_record {
/* 95 */_(ER_UPDATE_INTEGER_OVERFLOW, "Integer overflow when performing '%c' operation on field %u") \
/* 96 */_(ER_GUEST_USER_PASSWORD, "Setting password for guest user has no effect") \
/* 97 */_(ER_TRANSACTION_CONFLICT, "Transaction has been aborted by conflict") \
- /* 98 */_(ER_UNSUPPORTED_ROLE_PRIV, "Unsupported role privilege '%s'") \
+ /* 98 */_(ER_UNSUPPORTED_PRIV, "Unsupported %s privilege '%s'") \
/* 99 */_(ER_LOAD_FUNCTION, "Failed to dynamically load function '%s': %s") \
/*100 */_(ER_FUNCTION_LANGUAGE, "Unsupported language '%s' specified for function '%s'") \
/*101 */_(ER_RTREE_RECT, "RTree: %s must be an array with %u (point) or %u (rectangle/box) numeric coordinates") \
diff --git a/src/box/lua/schema.lua b/src/box/lua/schema.lua
index 43c7d4e6b..4455b5e42 100644
--- a/src/box/lua/schema.lua
+++ b/src/box/lua/schema.lua
@@ -1724,10 +1724,19 @@ local function privilege_resolve(privilege)
return numeric
end
+-- validate privileges
+local forbidden_privileges = {
+ ["universe"] = 0,
+ ["space"] = 0,
+ ["sequence"] = bit.bor(box.priv.X, box.priv.A, box.priv.INSERT, box.priv.UPDATE, box.priv.DELETE),
+ ["function"] = bit.bor(box.priv.A, box.priv.INSERT, box.priv.UPDATE, box.priv.DELETE),
+ ["role"] = bit.bxor(box.priv.ALL, bit.bor(box.priv.C, box.priv.D, box.priv.X)),
+}
+
local function checked_privilege(privilege, object_type)
local priv_hex = privilege_resolve(privilege)
- if object_type == 'role' and priv_hex ~= box.priv.X then
- box.error(box.error.UNSUPPORTED_ROLE_PRIV, privilege)
+ if bit.band(priv_hex, forbidden_privileges[object_type] or 0) ~= 0 then
+ box.error(box.error.UNSUPPORTED_PRIV, object_type, privilege)
end
return priv_hex
end
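Review bot: The `role` entry excludes only `box.priv.C`, `box.priv.D` and `box.priv.X` from the forbidden mask, so (assuming `box.priv.ALL` includes the alter bit) `alter` on a role is rejected, while the commit message lists alter among the privileges a role keeps. Either the message or the mask should change; if the message is right, the mask becomes `bit.bxor(box.priv.ALL, bit.bor(box.priv.C, box.priv.D, box.priv.A, box.priv.X))`. The lookup `forbidden_privileges[object_type] or 0` also fails open: an object type missing from the table (a typo, or a type added later) gets an empty mask and passes this check, so either raise an error on a `nil` entry or add a comment saying where `object_type` is validated before this point. The `-- validate privileges` comment would be clearer as `-- bitmask of privileges that may not be granted or revoked, per object type`. `privilege_resolve` is outside the hunk, so how `privilege` maps onto these bits is not visible here.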
diff --git a/test/box/access.result b/test/box/access.result
index 131a21510..72f91173b 100644
--- a/test/box/access.result
+++ b/test/box/access.result
@@ -1645,3 +1645,20 @@ box.space._vsequence.index.name:get{"test"} ~= nil
box.session.su('admin')
---
...
+-- prerequisite gh-945
+box.schema.user.grant("guest", "alter", "function")
+---
+- error: Unsupported function privilege 'alter'
+...
+box.schema.user.grant("guest", "execute", "sequence")
+---
+- error: Unsupported sequence privilege 'execute'
+...
+box.schema.user.grant("guest", "read,execute", "sequence")
+---
+- error: Unsupported sequence privilege 'read,execute'
+...
+box.schema.user.grant("guest", "read,write,execute", "role")
+---
+- error: Unsupported role privilege 'read,write,execute'
+...
diff --git a/test/box/access.test.lua b/test/box/access.test.lua
index 4bd34e45d..62691c471 100644
--- a/test/box/access.test.lua
+++ b/test/box/access.test.lua
@@ -586,6 +586,7 @@ box.schema.user.revoke("guest", "read", "universe", "useless name", {if_exists =
box.schema.user.revoke("guest", "read", "universe", 0, {if_exists = true})
box.schema.user.revoke("guest", "read", "universe", nil, {if_exists = true})
box.schema.user.revoke("guest", "read", "universe", {}, {if_exists = true})
+
--
-- Check that box.schema.* api is available to non-super user
-- In scope of gh-3250 "make sure grant/revoke does not require
@@ -632,4 +633,10 @@ box.space._vsequence.index.name:get{"test"} ~= nil
--
-- restore
--
-box.session.su('admin')
\ No newline at end of file
+box.session.su('admin')
+
+-- prerequisite gh-945
+box.schema.user.grant("guest", "alter", "function")
+box.schema.user.grant("guest", "execute", "sequence")
+box.schema.user.grant("guest", "read,execute", "sequence")
+box.schema.user.grant("guest", "read,write,execute", "role")
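Review bot: The added cases cover only rejected grants, so nothing here pins the pairs that must keep working or the revoke path that the commit message also names. A regression that widened a mask, for example one forbidding `execute` on a role, would go unnoticed by these tests. Consider adding at least one revoke of a forbidden pair, such as `box.schema.user.revoke("guest", "alter", "function")`, plus one grant that is expected to succeed on a role and on a sequence, with cleanup afterwards. Whether revoke goes through `checked_privilege` is not visible in this patch, which is a further reason to test it.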
diff --git a/test/box/misc.result b/test/box/misc.result
index c6e4917bf..7ab3d2fc4 100644
--- a/test/box/misc.result
+++ b/test/box/misc.result
@@ -345,12 +345,11 @@ t;
- 'box.error.DROP_USER : 44'
- 'box.error.MODIFY_INDEX : 14'
- 'box.error.PASSWORD_MISMATCH : 47'
- - 'box.error.UNSUPPORTED_ROLE_PRIV : 98'
- 'box.error.ACCESS_DENIED : 42'
- 'box.error.CANT_CREATE_COLLATION : 150'
- 'box.error.USER_EXISTS : 46'
- 'box.error.WAL_IO : 40'
- - 'box.error.PROC_RET : 21'
+ - 'box.error.RTREE_RECT : 101'
- 'box.error.PRIV_GRANTED : 89'
- 'box.error.CREATE_SPACE : 9'
- 'box.error.GRANT : 88'
@@ -401,77 +400,78 @@ t;
- 'box.error.CROSS_ENGINE_TRANSACTION : 81'
- 'box.error.FORMAT_MISMATCH_INDEX_PART : 27'
- 'box.error.FUNCTION_TX_ACTIVE : 30'
+ - 'box.error.injection : table: <address>
- 'box.error.NO_SUCH_ENGINE : 57'
- 'box.error.COMMIT_IN_SUB_STMT : 122'
- - 'box.error.injection : table: <address>
- 'box.error.NULLABLE_MISMATCH : 153'
+ - 'box.error.TUPLE_FORMAT_LIMIT : 16'
- 'box.error.LAST_DROP : 15'
- - 'box.error.NO_SUCH_ROLE : 82'
+ - 'box.error.SPACE_FIELD_IS_DUPLICATE : 149'
- 'box.error.DECOMPRESSION : 124'
- 'box.error.CREATE_SEQUENCE : 142'
- 'box.error.CREATE_USER : 43'
- - 'box.error.SPACE_FIELD_IS_DUPLICATE : 149'
- - 'box.error.INSTANCE_UUID_MISMATCH : 66'
- 'box.error.SEQUENCE_OVERFLOW : 147'
+ - 'box.error.INSTANCE_UUID_MISMATCH : 66'
+ - 'box.error.INJECTION : 8'
- 'box.error.SYSTEM : 115'
- 'box.error.KEY_PART_IS_TOO_LONG : 118'
- - 'box.error.TUPLE_FORMAT_LIMIT : 16'
- - 'box.error.BEFORE_REPLACE_RET : 53'
- - 'box.error.NO_SUCH_SAVEPOINT : 61'
+ - 'box.error.INVALID_MSGPACK : 20'
- 'box.error.TRUNCATE_SYSTEM_SPACE : 137'
+ - 'box.error.NO_SUCH_SAVEPOINT : 61'
- 'box.error.VY_QUOTA_TIMEOUT : 135'
+ - 'box.error.READ_VIEW_ABORTED : 130'
- 'box.error.WRONG_INDEX_OPTIONS : 108'
- 'box.error.INVALID_VYLOG_FILE : 133'
- 'box.error.INDEX_FIELD_COUNT_LIMIT : 127'
- - 'box.error.READ_VIEW_ABORTED : 130'
- - 'box.error.USER_MAX : 56'
- 'box.error.PROTOCOL : 104'
+ - 'box.error.USER_MAX : 56'
+ - 'box.error.BEFORE_REPLACE_RET : 53'
- 'box.error.TUPLE_NOT_ARRAY : 22'
- 'box.error.KEY_PART_COUNT : 31'
- 'box.error.ALTER_SPACE : 12'
- 'box.error.ACTIVE_TRANSACTION : 79'
- 'box.error.EXACT_FIELD_COUNT : 38'
- 'box.error.DROP_SEQUENCE : 144'
- - 'box.error.INVALID_MSGPACK : 20'
- 'box.error.MORE_THAN_ONE_TUPLE : 41'
- - 'box.error.RTREE_RECT : 101'
- - 'box.error.SUB_STMT_MAX : 121'
+ - 'box.error.INVALID_XLOG_ORDER : 76'
- 'box.error.UNKNOWN_REQUEST_TYPE : 48'
- - 'box.error.SPACE_EXISTS : 10'
+ - 'box.error.SUB_STMT_MAX : 121'
- 'box.error.PROC_LUA : 32'
+ - 'box.error.SPACE_EXISTS : 10'
- 'box.error.ROLE_NOT_GRANTED : 92'
+ - 'box.error.UNSUPPORTED : 5'
- 'box.error.NO_SUCH_SPACE : 36'
- 'box.error.WRONG_INDEX_PARTS : 107'
- - 'box.error.DROP_SPACE : 11'
- 'box.error.MIN_FIELD_COUNT : 39'
- 'box.error.REPLICASET_UUID_MISMATCH : 63'
- 'box.error.UPDATE_FIELD : 29'
+ - 'box.error.INDEX_EXISTS : 85'
- 'box.error.COMPRESSION : 119'
- 'box.error.INVALID_ORDER : 68'
- - 'box.error.INDEX_EXISTS : 85'
- 'box.error.SPLICE : 25'
- 'box.error.UNKNOWN : 0'
+ - 'box.error.IDENTIFIER : 70'
- 'box.error.DROP_PRIMARY_KEY : 17'
- 'box.error.NULLABLE_PRIMARY : 152'
- 'box.error.NO_SUCH_SEQUENCE : 145'
- 'box.error.RELOAD_CFG : 58'
- 'box.error.INVALID_UUID : 64'
- - 'box.error.INJECTION : 8'
+ - 'box.error.DROP_SPACE : 11'
- 'box.error.TIMEOUT : 78'
- - 'box.error.IDENTIFIER : 70'
- 'box.error.ITERATOR_TYPE : 72'
- 'box.error.REPLICA_MAX : 73'
+ - 'box.error.NO_SUCH_ROLE : 82'
- 'box.error.MISSING_REQUEST_FIELD : 69'
- 'box.error.MISSING_SNAPSHOT : 93'
- 'box.error.WRONG_SPACE_OPTIONS : 111'
- 'box.error.READONLY : 7'
- - 'box.error.UNSUPPORTED : 5'
- 'box.error.UPDATE_INTEGER_OVERFLOW : 95'
- - 'box.error.NO_CONNECTION : 77'
- - 'box.error.INVALID_XLOG_ORDER : 76'
- 'box.error.UPSERT_UNIQUE_SECONDARY_KEY : 105'
- - 'box.error.ROLLBACK_IN_SUB_STMT : 123'
+ - 'box.error.NO_CONNECTION : 77'
+ - 'box.error.UNSUPPORTED_PRIV : 98'
- 'box.error.WRONG_SCHEMA_VERSION : 109'
+ - 'box.error.ROLLBACK_IN_SUB_STMT : 123'
+ - 'box.error.PROC_RET : 21'
- 'box.error.UNSUPPORTED_INDEX_FEATURE : 112'
- 'box.error.INDEX_PART_TYPE_MISMATCH : 24'
- 'box.error.INVALID_XLOG_TYPE : 125'
--
2.17.1