Tarantool development patches archive
From: Vladimir Davydov <vdavydov.dev@gmail.com>
To: Serge Petrenko <sergepetrenko@tarantool.org>
Cc: kostja@tarantool.org, tarantool-patches@freelists.org
Subject: Re: [tarantool-patches] [PATCH 2/4] Add entities user, role to access control.
Date: Wed, 22 Aug 2018 15:53:38 +0300
Message-ID: <20180822125338.m332lx4scw56tvvh@esperanza>
In-Reply-To: <4edfd1024c84ab0bfd1a752e9d84ef0356036b48.1534751862.git.sergepetrenko@tarantool.org>

On Mon, Aug 20, 2018 at 11:10:06AM +0300, Serge Petrenko wrote:
> diff --git a/test/box/access.test.lua b/test/box/access.test.lua
> index 9ae0e1114..9b7510e64 100644
> --- a/test/box/access.test.lua
> +++ b/test/box/access.test.lua
> @@ -341,8 +341,7 @@ c:close()
>  session = box.session
>  box.schema.user.create('test')
>  box.schema.user.grant('test', 'read', 'space', '_collation')
> ---box.schema.user.grant('test', 'write', 'space', '_collation')
> --- FIXME: granting create on 'collation' only doesn't work
> +

Hmm, why? I don't understand how this change is connected to this patch.

>  box.schema.user.grant('test', 'create', 'universe')
>  session.su('test')
>  box.internal.collation.create('test', 'ICU', 'ru_RU')
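
Review bot: The FIXME removed at the top of this hunk recorded that granting create on 'collation' alone does not work, yet the context line right after it still grants 'create' on 'universe', so nothing visible here shows that limitation has been lifted. Either keep the FIXME until the test exercises a narrower grant than universe, or move the cleanup into the patch that makes the narrower grant work and say so in the commit message. The blank line added in place of the two comments is an unrelated whitespace change and can be dropped.
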
> @@ -538,14 +537,10 @@ box.session.su("admin")
>  -- tables from ddl
>  --
>  box.schema.user.grant('tester', 'write', 'universe')
> --- no entity user currently, so have to grant create
> --- on universe in order to create a user.
> -box.schema.user.grant('tester', 'create', 'universe')
> --- this should work instead:
> ---box.schema.user.grant('tester', 'create', 'user')
> ---box.schema.user.grant('tester', 'create', 'space')
> ---box.schema.user.grant('tester', 'create', 'function')
> ---box.schema.user.grant('tester', 'create' , 'sequence')
> +box.schema.user.grant('tester', 'create', 'user')
> +box.schema.user.grant('tester', 'create', 'space')
> +box.schema.user.grant('tester', 'create', 'function')
> +box.schema.user.grant('tester', 'create' , 'sequence')

This is OK, I guess.

>  box.schema.user.grant('tester', 'read', 'space', '_sequence')
>  box.session.su("tester")
>  -- successful create
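
Review bot: The four added per-entity grants narrow 'create' from universe to user, space, function and sequence, but the visible context only goes on to "-- successful create", so nothing here checks that 'tester' is now refused for an entity type that was not granted. A negative case after these grants (for example, an attempt to create a role as 'tester' that is expected to fail) would show the narrowing is actually enforced rather than only that the positive path still passes. Note also that 'write' on 'universe' is still granted just above, and the last added line carries over a stray space before the comma in `'create' , 'sequence'`.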

> diff --git a/test/box/role.test.lua b/test/box/role.test.lua
> index e97339f49..9845f4c4c 100644
> --- a/test/box/role.test.lua
> +++ b/test/box/role.test.lua
> @@ -69,7 +69,13 @@ box.schema.role.revoke('test', 'liaison')
>  box.schema.role.drop('test')
>  
>  box.schema.user.grant('grantee', 'liaison')
> -box.schema.user.grant('test', 'read,write,create', 'universe')
> +
> +box.schema.user.grant('test', 'read,write', 'space', '_priv')
> +box.schema.user.grant('test', 'write', 'space', '_schema')
> +box.schema.user.grant('test', 'create', 'space')
> +box.schema.user.grant('test', 'read,write', 'space', '_space')
> +box.schema.user.grant('test', 'write', 'space', '_index')
> +box.schema.user.grant('test', 'read', 'space', '_user')
>  box.session.su('test')
>  s = box.schema.space.create('test')
>  _ = s:create_index('i1')
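
Review bot: The six grants that replace 'read,write,create' on 'universe' in this hunk have no comment saying which operation needs which system space, so a reader cannot tell whether each one is the minimum required. A short comment per line (or one block comment) stating why 'test' needs write on '_schema' and '_index', read,write on '_space' and '_priv', and read on '_user' to run the following `box.schema.space.create('test')` and `s:create_index('i1')` would make it possible to spot an over-broad grant later. The empty line added before the grants is not needed.
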
> @@ -248,7 +254,9 @@ box.schema.role.drop("role10")
>  box.schema.user.create('user')
>  box.schema.user.create('grantee')
>  
> -box.schema.user.grant('user', 'read,write,execute,create', 'universe')
> +box.schema.user.grant('user', 'read,write', 'space', '_user')
> +box.schema.user.grant('user', 'read,write', 'space', '_priv')
> +box.schema.user.grant('user', 'create', 'role')

IMO this belongs to the patch that will fix *all* access tests (it
should be separated from patch 4).

>  box.session.su('user')
>  box.schema.role.create('role')
>  box.session.su('admin')
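
Review bot: The replaced line granted 'read,write,execute,create' on 'universe', and none of the three added lines restores 'execute' in any form. Please confirm that nothing run as 'user' further down in this test depends on execute, and mention the dropped privilege in the commit message so it is clear the omission is intentional. It would also help to comment why 'user' needs write on '_priv' and '_user' in addition to 'create' on 'role', since write access to those two spaces is a broad grant for a test whose visible next step is only `box.schema.role.create('role')`.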
