From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <tarantool-patches-bounce@freelists.org>
Received: from localhost (localhost [127.0.0.1])
	by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id 051CA2645C
	for <tarantool-patches@freelists.org>; Fri,  8 Jun 2018 10:01:38 -0400 (EDT)
Received: from turing.freelists.org ([127.0.0.1])
	by localhost (turing.freelists.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id wMVsIm7zrvB0 for <tarantool-patches@freelists.org>;
	Fri,  8 Jun 2018 10:01:37 -0400 (EDT)
Received: from smtp58.i.mail.ru (smtp58.i.mail.ru [217.69.128.38])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTPS id B805226452
	for <tarantool-patches@freelists.org>; Fri,  8 Jun 2018 10:01:37 -0400 (EDT)
Date: Fri, 8 Jun 2018 17:01:35 +0300
From: Konstantin Osipov <kostja@tarantool.org>
Subject: [tarantool-patches] Re: [PATCH 2/3] security: add limits on
 object_type-privilege pair
Message-ID: <20180608140135.GA6436@chai>
References: <cover.1528448404.git.georgy@tarantool.org>
 <0e6cd9bcff2fca4d04105b42f96dd78a3bfee743.1528448404.git.georgy@tarantool.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <0e6cd9bcff2fca4d04105b42f96dd78a3bfee743.1528448404.git.georgy@tarantool.org>
Sender: tarantool-patches-bounce@freelists.org
Errors-to: tarantool-patches-bounce@freelists.org
Reply-To: tarantool-patches@freelists.org
List-help: <mailto:ecartis@freelists.org?Subject=help>
List-unsubscribe: <tarantool-patches-request@freelists.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: tarantool-patches <tarantool-patches.freelists.org>
List-subscribe: <tarantool-patches-request@freelists.org?Subject=subscribe>
List-owner: <mailto:>
List-post: <mailto:tarantool-patches@freelists.org>
List-archive: <http://www.freelists.org/archives/tarantool-patches>
To: tarantool-patches@freelists.org
Cc: imarkov <imarkov@tarantool.org>

* Georgy Kirichenko <georgy@tarantool.org> [18/06/08 12:11]:
> From: imarkov <imarkov@tarantool.org>
> 
> Introduce constraints on object_type-privilege pairs.
> These constraints limit senseless grants/revokes, i.e.,
> sequence - execute, all space related privileges(insert, delete,
> update),
> function - alter, all space related privileges,
> role - all privileges except create, drop, alter, execute

Sorry for nitpicking, but wouldn't it be better to 
list allowed privileges rather than forbidden ones?

Perhaps making a plain C array which would map object type to the
list of allowed bits and exporting it to Lua make things even
simpler?

> 

-- 
Konstantin Osipov, Moscow, Russia, +7 903 626 22 32
http://tarantool.io - www.twitter.com/kostja_osipov