[tarantool-patches] Re: [PATCH v2 1/2] access: rework struct credentials API
Konstantin Osipov
kostja.osipov at gmail.com
Sat Oct 5 14:42:14 MSK 2019
* Vladislav Shpilevoy <v.shpilevoy at tarantool.org> [19/10/05 13:47]:
> Struct credentials is a cache of a user's universal privileges. It
> is static and is never changed after creation. That is a problem.
> If a user's privileges are updated, it is not reflected in his
> existing credentials caches.
>
> This patch reworks the credentials API so that now this struct is not
> just a container for several numbers. It is an object with
> standard methods like create(), destroy(). A credentials object
> is still not updated together with its source user, but now at
> least the API allows fixing that.
>
> The next patch will add a trigger to struct credentials to catch user
> privilege changes and update the cache.
I see nothing wrong with this approach.
Re alternatives:
Re v1, there are good reasons to link all user sessions into a
linked list - e.g. for instrumentation, to collect per-user
statistics, to disconnect all sessions of a user, to set per-user
quotas, etc., etc.
You're using triggers, not linked lists - which gives some
encapsulation indeed, but this will not allow reusing this linked
list for other purposes.
Your patch also works with setuid credentials, of course, which
is a benefit. But setuid credentials could be fixed differently,
by linking all setuid functions of a user into a list and
updating the list when user access changes.
--
Konstantin Osipov, Moscow, Russia
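The security point of the thread is that a privilege cache that is copied once and never refreshed keeps honouring rights after they were revoked. The following is an added, self-contained C example, not Tarantool's code and not the patch under review: it models a user's access mask, a credentials object with create()/destroy() that subscribes to the user through an intrusive trigger list, and shows both the stale-copy failure and the trigger-driven refresh. All names (struct trigger, struct user, credentials_create, user_set_access, the PRIV_* bits, the uid 42) are constructed for the example and only loosely follow the names used in the discussion.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Privilege bits, constructed for this example. */
enum { PRIV_READ = 1u << 0, PRIV_WRITE = 1u << 1 };

/* An intrusive list node with a callback; a credentials object embeds
 * one and links it into the list of the user it was created from. */
struct trigger {
    struct trigger *prev, *next;
    void (*run)(struct trigger *t, uint32_t new_access);
};

static void trigger_list_init(struct trigger *head)
{
    head->prev = head->next = head;
    head->run = NULL;
}

static void trigger_add(struct trigger *head, struct trigger *t)
{
    t->next = head->next;
    t->prev = head;
    head->next->prev = t;
    head->next = t;
}

static void trigger_clear(struct trigger *t)
{
    t->prev->next = t->next;
    t->next->prev = t->prev;
    t->prev = t->next = t;
}

static void trigger_run(struct trigger *head, uint32_t new_access)
{
    for (struct trigger *t = head->next; t != head; t = t->next)
        t->run(t, new_access);
}

struct user {
    uint32_t uid;
    uint32_t universal_access;       /* source of truth */
    struct trigger on_access_change; /* list of dependent credentials */
};

struct credentials {
    uint32_t uid;
    uint32_t universal_access; /* cached copy of the user's mask */
    struct trigger trigger;    /* link into user->on_access_change */
};

static void user_create(struct user *u, uint32_t uid, uint32_t access)
{
    u->uid = uid;
    u->universal_access = access;
    trigger_list_init(&u->on_access_change);
}

/* Trigger callback: recover the owning credentials and refresh its cache. */
static void credentials_on_access_change(struct trigger *t, uint32_t new_access)
{
    struct credentials *c =
        (struct credentials *)((char *)t - offsetof(struct credentials, trigger));
    c->universal_access = new_access;
}

/* create(): snapshot the user's privileges and subscribe to changes. */
static void credentials_create(struct credentials *c, struct user *u)
{
    c->uid = u->uid;
    c->universal_access = u->universal_access;
    c->trigger.run = credentials_on_access_change;
    trigger_add(&u->on_access_change, &c->trigger);
}

/* destroy(): unsubscribe so the user never calls into a dead object. */
static void credentials_destroy(struct credentials *c)
{
    trigger_clear(&c->trigger);
}

/* Changing the user's mask notifies every live credentials object. */
static void user_set_access(struct user *u, uint32_t access)
{
    u->universal_access = access;
    trigger_run(&u->on_access_change, access);
}

static bool access_check(const struct credentials *c, uint32_t priv)
{
    return (c->universal_access & priv) == priv;
}

/* The failure mode from the commit message: a plain copy of the mask
 * keeps granting WRITE after it was revoked. Returns true if so. */
static bool stale_copy_still_grants_write(void)
{
    struct user u;
    user_create(&u, 42, PRIV_READ | PRIV_WRITE);
    uint32_t static_cache = u.universal_access; /* "container of numbers" */
    u.universal_access &= ~PRIV_WRITE;          /* WRITE revoked */
    return (static_cache & PRIV_WRITE) != 0;
}

/* With triggers the revocation reaches a session and a setuid-style
 * cache alike, and a destroyed cache is no longer touched. */
static bool trigger_cache_revokes_write(void)
{
    struct user u;
    struct credentials session, setuid_func;
    user_create(&u, 42, PRIV_READ | PRIV_WRITE);
    credentials_create(&session, &u);
    credentials_create(&setuid_func, &u);
    user_set_access(&u, PRIV_READ); /* revoke WRITE */
    bool ok = !access_check(&session, PRIV_WRITE) &&
              !access_check(&setuid_func, PRIV_WRITE) &&
              access_check(&session, PRIV_READ);
    credentials_destroy(&session);
    user_set_access(&u, PRIV_READ | PRIV_WRITE); /* grant it back */
    ok = ok && !access_check(&session, PRIV_WRITE) && /* unsubscribed */
         access_check(&setuid_func, PRIV_WRITE);      /* still live */
    credentials_destroy(&setuid_func);
    return ok;
}

int main(void)
{
    printf("stale copy still grants WRITE: %s\n",
           stale_copy_still_grants_write() ? "yes" : "no");
    printf("trigger cache revokes WRITE:   %s\n",
           trigger_cache_revokes_write() ? "yes" : "no");
    return 0;
}
```

The destroy() step matters as much as the trigger itself: a credentials object that is freed while still linked on the user would be written to by the next privilege change, so every owner of a cache must unsubscribe before it goes away.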