From: Vladimir Davydov <vdavydov.dev@gmail.com> To: Serge Petrenko <sergepetrenko@tarantool.org> Cc: kostja@tarantool.org, tarantool-patches@freelists.org Subject: Re: [tarantool-patches] [PATCH 3/4] Add single object privilege checks to access_check_ddl. Date: Wed, 22 Aug 2018 14:58:06 +0300 [thread overview] Message-ID: <20180822115806.rjb76wbg5g6nsxap@esperanza> (raw) In-Reply-To: <a75d8e0cc758df9830fead2d2ef1e6c37fe98072.1534751862.git.sergepetrenko@tarantool.org> On Mon, Aug 20, 2018 at 11:10:07AM +0300, Serge Petrenko wrote: > diff --git a/src/box/alter.cc b/src/box/alter.cc > index 436827a6d..b58832612 100644 > --- a/src/box/alter.cc > +++ b/src/box/alter.cc > @@ -62,7 +62,8 @@ > /* {{{ Auxiliary functions and methods. */ > > static void > -access_check_ddl(const char *name, uint32_t owner_uid, > +access_check_ddl(const char *name, uint32_t object_id, > + uint32_t owner_uid, Nit: this could fit in one line. > enum schema_object_type type, > enum priv_type priv_type, This too. > bool is_17_compat_mode) > @@ -103,9 +104,51 @@ access_check_ddl(const char *name, uint32_t owner_uid, > */ > if (access == 0 || (is_owner && !(access & (PRIV_U | PRIV_C)))) > return; /* Access granted. */ > + /* > + * You can't grant CREATE privilege to a non-existing object. > + * USAGE can be granted only globally. > + */ > + if (access & (PRIV_U | PRIV_C)) > + goto error; AFAIU in case of index creation you need to check PRIV_C on the space, no? > + /* Check for privileges on a single object. */ > + switch (type) { > + case SC_SPACE: > + { > + struct space *space = space_by_id(object_id); > + if (space) > + access &= ~space->access[cr->auth_token].effective; > + break; > + } > + case SC_FUNCTION: > + { > + struct func *func = func_by_id(object_id); > + if (func) > + access &= ~func->access[cr->auth_token].effective; > + break; > + } > + case SC_USER: > + case SC_ROLE: > + { > + struct user *user_or_role = user_by_id(object_id); > + if (user_or_role) > + access &= ~user_or_role->access[cr->auth_token].effective; > + break; > + } > + case SC_SEQUENCE: > + { > + struct sequence *seq = sequence_by_id(object_id); > + if (seq) > + access &= ~seq->access[cr->auth_token].effective; > + break; > + } > + default: > + break; > + } Why don't you use access_find() here? That would reduce the amount of code so that you wouldn't need to use the error label. > + if (access == 0) > + return; /* Access granted. */ Nit: spaces instead of a tab. > > /* Create a meaningful error message. */ > - struct user *user = user_find_xc(cr->uid); > +error: struct user *user = user_find_xc(cr->uid); > const char *object_name; > const char *pname; > if (access & PRIV_U) { > diff --git a/src/box/lua/schema.lua b/src/box/lua/schema.lua > index bad35b680..1c254fe1d 100644 > --- a/src/box/lua/schema.lua > +++ b/src/box/lua/schema.lua > @@ -2060,6 +2060,9 @@ box.schema.user.create = function(name, opts) > uid = _user:auto_increment{session.euid(), name, 'user', auth_mech_list}[1] > -- grant role 'public' to the user > box.schema.user.grant(uid, 'public') > + -- grant user 'alter' on itself, so it can Nit: -- Grant privilege 'alter to itself so that it can > + -- change its password or username. > + box.schema.user.grant(uid, 'alter', 'user', uid) > -- we have to grant global privileges from setuid function, since > -- only admin has the ownership over universe and we don't have > -- grant option > diff --git a/src/box/user.cc b/src/box/user.cc > index b4fb65a59..83d07f7b3 100644 > --- a/src/box/user.cc > +++ b/src/box/user.cc > @@ -1860,3 +1875,174 @@ box.session.su('admin') > box.schema.user.drop('tester') > --- > ... > +-- > +-- test case for 3530: do not ignore single object privileges in > +-- access_check_ddl. Please don't mention core function names in the tests, because we can rename them any time, which will make it more difficult to understand the tests.
next prev parent reply other threads:[~2018-08-22 11:58 UTC|newest] Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-08-20 8:10 [tarantool-patches] [PATCH 0/4] Finish implementation of privileges Serge Petrenko 2018-08-20 8:10 ` [tarantool-patches] [PATCH 1/4] Introduce separate entity object types for entity privileges Serge Petrenko 2018-08-22 10:28 ` Vladimir Davydov 2018-08-22 12:37 ` Vladimir Davydov 2018-08-20 8:10 ` [tarantool-patches] [PATCH 2/4] Add entities user, role to access control Serge Petrenko 2018-08-22 10:37 ` Vladimir Davydov 2018-08-22 12:53 ` Vladimir Davydov 2018-08-20 8:10 ` [tarantool-patches] [PATCH 3/4] Add single object privilege checks to access_check_ddl Serge Petrenko 2018-08-22 11:58 ` Vladimir Davydov [this message] 2018-08-20 8:10 ` [tarantool-patches] [PATCH 4/4] Add a privilege upgrade script and update tests Serge Petrenko 2018-08-22 12:48 ` Vladimir Davydov -- strict thread matches above, loose matches on Subject: below -- 2018-07-17 15:47 [tarantool-patches] [PATCH 0/4] Fixes in access control and privileges Serge Petrenko 2018-07-17 15:47 ` [tarantool-patches] [PATCH 3/4] Add single object privilege checks to access_check_ddl Serge Petrenko
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20180822115806.rjb76wbg5g6nsxap@esperanza \ --to=vdavydov.dev@gmail.com \ --cc=kostja@tarantool.org \ --cc=sergepetrenko@tarantool.org \ --cc=tarantool-patches@freelists.org \ --subject='Re: [tarantool-patches] [PATCH 3/4] Add single object privilege checks to access_check_ddl.' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox