Tarantool development patches archive
 help / color / mirror / Atom feed
From: Serge Petrenko <sergepetrenko@tarantool.org>
To: tarantool-patches@freelists.org, kostja@tarantool.org
Cc: Serge Petrenko <sergepetrenko@tarantool.org>
Subject: [tarantool-patches] [PATCH] Add a privilege check when creating a sequence
Date: Mon,  9 Jul 2018 13:32:34 +0300	[thread overview]
Message-ID: <20180709103234.61121-1-sergepetrenko@tarantool.org> (raw)

There was no check for create privilege when creating a sequence.
Added one, and modified the tests accordingly.
---
https://github.com/tarantool/tarantool/tree/sergepetrenko/access-checks

 src/box/alter.cc           |  2 ++
 test/box/access.result     | 18 ++++++++++++++++--
 test/box/access.test.lua   |  9 +++++++--
 test/box/sequence.result   | 13 ++++++++-----
 test/box/sequence.test.lua | 11 ++++++-----
 5 files changed, 39 insertions(+), 14 deletions(-)

diff --git a/src/box/alter.cc b/src/box/alter.cc
index 509e4b7e3..70732def3 100644
--- a/src/box/alter.cc
+++ b/src/box/alter.cc
@@ -2981,6 +2981,8 @@ on_replace_dd_sequence(struct trigger * /* trigger */, void *event)
 		new_def = sequence_def_new_from_tuple(new_tuple,
 						      ER_CREATE_SEQUENCE);
 		assert(sequence_by_id(new_def->id) == NULL);
+		access_check_ddl(new_def->name, new_def->uid, SC_SEQUENCE,
+			PRIV_C, false);
 		sequence_cache_replace(new_def);
 		alter->new_def = new_def;
 	} else if (old_tuple != NULL && new_tuple == NULL) {	/* DELETE */
diff --git a/test/box/access.result b/test/box/access.result
index 7e070e6d5..928c3fcd4 100644
--- a/test/box/access.result
+++ b/test/box/access.result
@@ -1740,8 +1740,9 @@ c:close()
 ---
 ...
 --
--- A user with read/write access to sequence was able
--- to create a sequence
+-- A user with read/write access to sequence shouldn't
+-- be able to create a sequence. It also needs a create privilege
+-- on universe.
 --
 box.schema.user.create('tester')
 ---
@@ -1754,6 +1755,19 @@ box.session.su('tester')
 ...
 _  = box.schema.sequence.create('test_sequence')
 ---
+- error: Create access to sequence 'test_sequence' is denied for user 'tester'
+...
+box.session.su('admin')
+---
+...
+box.schema.user.grant('tester', 'create', 'universe')
+---
+...
+box.session.su('tester')
+---
+...
+_ = box.schema.sequence.create('test_sequence')
+---
 ...
 box.session.su('admin')
 ---
diff --git a/test/box/access.test.lua b/test/box/access.test.lua
index a2988c4c0..7dc92ba52 100644
--- a/test/box/access.test.lua
+++ b/test/box/access.test.lua
@@ -670,13 +670,18 @@ box.schema.func.drop("func")
 c:close()
 
 --
--- A user with read/write access to sequence was able
--- to create a sequence
+-- A user with read/write access to sequence shouldn't
+-- be able to create a sequence. It also needs a create privilege
+-- on universe.
 --
 box.schema.user.create('tester')
 box.schema.user.grant('tester', 'read,write', 'space', '_sequence')
 box.session.su('tester')
 _  = box.schema.sequence.create('test_sequence')
 box.session.su('admin')
+box.schema.user.grant('tester', 'create', 'universe')
+box.session.su('tester')
+_ = box.schema.sequence.create('test_sequence')
+box.session.su('admin')
 box.schema.user.drop('tester')
 
diff --git a/test/box/sequence.result b/test/box/sequence.result
index 0c9951d8b..cbbd45080 100644
--- a/test/box/sequence.result
+++ b/test/box/sequence.result
@@ -1472,6 +1472,9 @@ sq:drop()
 ---
 ...
 -- A user can alter/use sequences that he owns.
+box.schema.user.grant('user', 'create', 'universe')
+---
+...
 box.session.su('user')
 ---
 ...
@@ -1490,13 +1493,13 @@ sq = box.schema.sequence.create('seq')
 box.session.su('admin')
 ---
 ...
-box.schema.user.revoke('user', 'read,write', 'universe')
+box.schema.user.revoke('user', 'read,write,create', 'universe')
 ---
 ...
 box.session.su('user')
 ---
 ...
-sq:set(100) -- ok
+sq:set(100) -- ok - user owns the sequence
 ---
 ...
 sq:next() -- ok
@@ -1677,7 +1680,7 @@ s:drop()
 ---
 ...
 -- When a user is dropped, all his sequences are dropped as well.
-box.schema.user.grant('user', 'read,write', 'universe')
+box.schema.user.grant('user', 'read,write,create', 'universe')
 ---
 ...
 box.session.su('user')
@@ -1707,10 +1710,10 @@ box.schema.user.create('user1')
 box.schema.user.create('user2')
 ---
 ...
-box.schema.user.grant('user1', 'read,write', 'universe')
+box.schema.user.grant('user1', 'read,write,create', 'universe')
 ---
 ...
-box.schema.user.grant('user2', 'read,write', 'universe')
+box.schema.user.grant('user2', 'read,write,create', 'universe')
 ---
 ...
 box.session.su('user1')
diff --git a/test/box/sequence.test.lua b/test/box/sequence.test.lua
index 1bcb91a9c..c119459b3 100644
--- a/test/box/sequence.test.lua
+++ b/test/box/sequence.test.lua
@@ -490,15 +490,16 @@ box.session.su('admin')
 sq:drop()
 
 -- A user can alter/use sequences that he owns.
+box.schema.user.grant('user', 'create', 'universe')
 box.session.su('user')
 sq = box.schema.sequence.create('seq')
 sq:alter{step = 2} -- ok
 sq:drop() -- ok
 sq = box.schema.sequence.create('seq')
 box.session.su('admin')
-box.schema.user.revoke('user', 'read,write', 'universe')
+box.schema.user.revoke('user', 'read,write,create', 'universe')
 box.session.su('user')
-sq:set(100) -- ok
+sq:set(100) -- ok - user owns the sequence
 sq:next() -- ok
 sq:reset() -- ok
 box.session.su('admin')
@@ -562,7 +563,7 @@ box.session.su('admin')
 s:drop()
 
 -- When a user is dropped, all his sequences are dropped as well.
-box.schema.user.grant('user', 'read,write', 'universe')
+box.schema.user.grant('user', 'read,write,create', 'universe')
 box.session.su('user')
 _ = box.schema.sequence.create('test1')
 _ = box.schema.sequence.create('test2')
@@ -574,8 +575,8 @@ box.sequence
 -- to a sequence.
 box.schema.user.create('user1')
 box.schema.user.create('user2')
-box.schema.user.grant('user1', 'read,write', 'universe')
-box.schema.user.grant('user2', 'read,write', 'universe')
+box.schema.user.grant('user1', 'read,write,create', 'universe')
+box.schema.user.grant('user2', 'read,write,create', 'universe')
 box.session.su('user1')
 sq = box.schema.sequence.create('test')
 box.session.su('user2')
-- 
2.15.2 (Apple Git-101.1)

                 reply	other threads:[~2018-07-09 10:33 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180709103234.61121-1-sergepetrenko@tarantool.org \
    --to=sergepetrenko@tarantool.org \
    --cc=kostja@tarantool.org \
    --cc=tarantool-patches@freelists.org \
    --subject='Re: [tarantool-patches] [PATCH] Add a privilege check when creating a sequence' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox