Tarantool development patches archive
 help / color / mirror / Atom feed
From: Vladimir Davydov <vdavydov.dev@gmail.com>
To: Serge Petrenko <sergepetrenko@tarantool.org>
Cc: kostja@tarantool.org, tarantool-patches@freelists.org
Subject: Re: [tarantool-patches] [PATCH 2/4] Add entities user, role to access control.
Date: Wed, 22 Aug 2018 13:37:43 +0300	[thread overview]
Message-ID: <20180822103743.72y5glc2fuuhamyj@esperanza> (raw)
In-Reply-To: <4edfd1024c84ab0bfd1a752e9d84ef0356036b48.1534751862.git.sergepetrenko@tarantool.org>

On Mon, Aug 20, 2018 at 11:10:06AM +0300, Serge Petrenko wrote:
> diff --git a/src/box/alter.cc b/src/box/alter.cc
> index 42136b7df..436827a6d 100644
> --- a/src/box/alter.cc
> +++ b/src/box/alter.cc
> @@ -2170,7 +2170,7 @@ on_replace_dd_user(struct trigger * /* trigger */, void *event)
>  	struct user *old_user = user_by_id(uid);
>  	if (new_tuple != NULL && old_user == NULL) { /* INSERT */
>  		struct user_def *user = user_def_new_from_tuple(new_tuple);
> -		access_check_ddl(user->name, user->owner, SC_USER, PRIV_C, true);
> +		access_check_ddl(user->name, user->owner, user->type, PRIV_C, true);
>  		auto def_guard = make_scoped_guard([=] { free(user); });
>  		(void) user_cache_replace(user);
>  		def_guard.is_active = false;
> @@ -2179,7 +2179,7 @@ on_replace_dd_user(struct trigger * /* trigger */, void *event)
>  		txn_on_rollback(txn, on_rollback);
>  	} else if (new_tuple == NULL) { /* DELETE */
>  		access_check_ddl(old_user->def->name, old_user->def->owner,
> -				 SC_USER, PRIV_D, true);
> +				 old_user->def->type, PRIV_D, true);
>  		/* Can't drop guest or super user */
>  		if (uid <= (uint32_t) BOX_SYSTEM_USER_ID_MAX || uid == SUPER) {
>  			tnt_raise(ClientError, ER_DROP_USER,

There's one more call to access_check_ddl() in this funciton, in the
UPDATE case. I guess you should replace SC_USER with old_user->type
there too.

> @@ -2670,6 +2670,38 @@ priv_def_check(struct priv_def *priv, enum priv_type priv_type)
>  		}
>  		/* Not necessary to do during revoke, but who cares. */
>  		role_check(grantee, role);
> +		break;
> +	}
> +	case SC_USER:
> +	{
> +		struct user *user = NULL;
> +		user = user_by_id(priv->object_id);

Nit:

		struct user *user = user_by_id(priv->object_id);

> +		if (user == NULL || user->def->type != SC_USER) {
> +			tnt_raise(ClientError, ER_NO_SUCH_USER,
> +				  user ? user->def->name :
> +				  int2str(priv->object_id));
> +		}
> +		if (user->def->owner != grantor->def->uid &&
> +		    grantor->def->uid != ADMIN) {
> +			tnt_raise(AccessDeniedError,
> +				  priv_name(priv_type),
> +				  schema_object_name(SC_USER), name,
> +				  grantor->def->name);
> +		}

I think you could painlessly merge this condition with SC_ROLE above.
Not sure if it's worth it though.

> +		break;
> +	}
> +	case SC_ENTITY_SPACE:
> +	case SC_ENTITY_FUNCTION:
> +	case SC_ENTITY_SEQUENCE:
> +	case SC_ENTITY_ROLE:
> +	case SC_ENTITY_USER:
> +	{
> +		/* Only amdin may grant privileges on an entire entity. */
> +		if (grantor->def->uid != ADMIN) {
> +			tnt_raise(AccessDeniedError, priv_name(priv_type),
> +				  schema_object_name(priv->object_type), name,
> +				  grantor->def->name);
> +		}

This should go to patch 1. This patch should only add
SC_ENTITY_USER/ROLE here.

>  	}
>  	default:
>  		break;
> @@ -1845,19 +1847,24 @@ local function object_resolve(object_type, object_name)
>          end
>          return seq
>      end
> -    if object_type == 'role' then
> +    if object_type == 'role' or object_type == 'user' then
> +        if object_name == '' then
> +            return ''
> +        end
>          local _vuser = box.space[box.schema.VUSER_ID]
> -        local role
> +        local role_or_user
>          if type(object_name) == 'string' then
> -            role = _vuser.index.name:get{object_name}
> +            role_or_user = _vuser.index.name:get{object_name}
>          else
> -            role = _vuser:get{object_name}
> +            role_or_user = _vuser:get{object_name}
>          end
> -        if role and role[4] == 'role' then
> -            return role[1]
> -        else
> +        if role_or_user and role_or_user[4] == object_type then
> +            return role_or_user[1]
> +        elseif object_type == 'role' then
>              box.error(box.error.NO_SUCH_ROLE, object_name)
> -        end
> +        else
> +            box.error(box.error.NO_SUCH_USER, object_name)
> +	end

Nit: tab instead of spaces.

> diff --git a/src/box/user.cc b/src/box/user.cc
> index eec785652..b4fb65a59 100644
> --- a/src/box/user.cc
> +++ b/src/box/user.cc
> @@ -236,6 +246,16 @@ access_find(struct priv_def *priv)
>  			access = func->access;
>  		break;
>  	}
> +	case SC_USER:
> +	{
> +		/* No grants on a single object user yet. */
> +		break;
> +	}
> +	case SC_ROLE:
> +	{
> +		/* No grants on a single object role yet. */
> +		break;
> +	}

Again, these two could be painlessly merged, I guess. And it wouldn't
hurt patch 3 IMO. Up to you.

  reply	other threads:[~2018-08-22 10:37 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-08-20  8:10 [tarantool-patches] [PATCH 0/4] Finish implementation of privileges Serge Petrenko
2018-08-20  8:10 ` [tarantool-patches] [PATCH 1/4] Introduce separate entity object types for entity privileges Serge Petrenko
2018-08-22 10:28   ` Vladimir Davydov
2018-08-22 12:37   ` Vladimir Davydov
2018-08-20  8:10 ` [tarantool-patches] [PATCH 2/4] Add entities user, role to access control Serge Petrenko
2018-08-22 10:37   ` Vladimir Davydov [this message]
2018-08-22 12:53   ` Vladimir Davydov
2018-08-20  8:10 ` [tarantool-patches] [PATCH 3/4] Add single object privilege checks to access_check_ddl Serge Petrenko
2018-08-22 11:58   ` Vladimir Davydov
2018-08-20  8:10 ` [tarantool-patches] [PATCH 4/4] Add a privilege upgrade script and update tests Serge Petrenko
2018-08-22 12:48   ` Vladimir Davydov
  -- strict thread matches above, loose matches on Subject: below --
2018-07-17 15:47 [tarantool-patches] [PATCH 0/4] Fixes in access control and privileges Serge Petrenko
2018-07-17 15:47 ` [tarantool-patches] [PATCH 2/4] Add entities user, role to access control Serge Petrenko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180822103743.72y5glc2fuuhamyj@esperanza \
    --to=vdavydov.dev@gmail.com \
    --cc=kostja@tarantool.org \
    --cc=sergepetrenko@tarantool.org \
    --cc=tarantool-patches@freelists.org \
    --subject='Re: [tarantool-patches] [PATCH 2/4] Add entities user, role to access control.' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox