From: Serge Petrenko <sergepetrenko@tarantool.org>
To: kostja@tarantool.org
Cc: tarantool-patches@freelists.org,
Serge Petrenko <sergepetrenko@tarantool.org>
Subject: [tarantool-patches] [PATCH 2/4] Add entities user, role to access control.
Date: Mon, 20 Aug 2018 11:10:06 +0300 [thread overview]
Message-ID: <4edfd1024c84ab0bfd1a752e9d84ef0356036b48.1534751862.git.sergepetrenko@tarantool.org> (raw)
In-Reply-To: <cover.1534751862.git.sergepetrenko@tarantool.org>
In-Reply-To: <cover.1534751862.git.sergepetrenko@tarantool.org>
Previously the only existing entities in access control were space,
funciton and sequence. Added user and role entities, so it is now
possible to create users or roles without create privilege on universe.
Also added all the needed checks and modified tests accordingly.
Closes #3524
Prerequisite #3530
---
src/box/alter.cc | 42 +++++++++++++++++++++++++++++++++++++++---
src/box/lua/schema.lua | 29 +++++++++++++++++++----------
src/box/schema.h | 8 ++++++++
src/box/user.cc | 22 +++++++++++++++++++++-
test/box/access.result | 20 ++++++++++----------
test/box/access.test.lua | 15 +++++----------
test/box/access_misc.result | 2 +-
test/box/role.result | 25 +++++++++++++++++++++++--
test/box/role.test.lua | 12 ++++++++++--
9 files changed, 136 insertions(+), 39 deletions(-)
diff --git a/src/box/alter.cc b/src/box/alter.cc
index 42136b7df..436827a6d 100644
--- a/src/box/alter.cc
+++ b/src/box/alter.cc
@@ -2170,7 +2170,7 @@ on_replace_dd_user(struct trigger * /* trigger */, void *event)
struct user *old_user = user_by_id(uid);
if (new_tuple != NULL && old_user == NULL) { /* INSERT */
struct user_def *user = user_def_new_from_tuple(new_tuple);
- access_check_ddl(user->name, user->owner, SC_USER, PRIV_C, true);
+ access_check_ddl(user->name, user->owner, user->type, PRIV_C, true);
auto def_guard = make_scoped_guard([=] { free(user); });
(void) user_cache_replace(user);
def_guard.is_active = false;
@@ -2179,7 +2179,7 @@ on_replace_dd_user(struct trigger * /* trigger */, void *event)
txn_on_rollback(txn, on_rollback);
} else if (new_tuple == NULL) { /* DELETE */
access_check_ddl(old_user->def->name, old_user->def->owner,
- SC_USER, PRIV_D, true);
+ old_user->def->type, PRIV_D, true);
/* Can't drop guest or super user */
if (uid <= (uint32_t) BOX_SYSTEM_USER_ID_MAX || uid == SUPER) {
tnt_raise(ClientError, ER_DROP_USER,
@@ -2670,6 +2670,38 @@ priv_def_check(struct priv_def *priv, enum priv_type priv_type)
}
/* Not necessary to do during revoke, but who cares. */
role_check(grantee, role);
+ break;
+ }
+ case SC_USER:
+ {
+ struct user *user = NULL;
+ user = user_by_id(priv->object_id);
+ if (user == NULL || user->def->type != SC_USER) {
+ tnt_raise(ClientError, ER_NO_SUCH_USER,
+ user ? user->def->name :
+ int2str(priv->object_id));
+ }
+ if (user->def->owner != grantor->def->uid &&
+ grantor->def->uid != ADMIN) {
+ tnt_raise(AccessDeniedError,
+ priv_name(priv_type),
+ schema_object_name(SC_USER), name,
+ grantor->def->name);
+ }
+ break;
+ }
+ case SC_ENTITY_SPACE:
+ case SC_ENTITY_FUNCTION:
+ case SC_ENTITY_SEQUENCE:
+ case SC_ENTITY_ROLE:
+ case SC_ENTITY_USER:
+ {
+ /* Only amdin may grant privileges on an entire entity. */
+ if (grantor->def->uid != ADMIN) {
+ tnt_raise(AccessDeniedError, priv_name(priv_type),
+ schema_object_name(priv->object_type), name,
+ grantor->def->name);
+ }
}
default:
break;
@@ -2690,7 +2722,11 @@ grant_or_revoke(struct priv_def *priv)
struct user *grantee = user_by_id(priv->grantee_id);
if (grantee == NULL)
return;
- if (priv->object_type == SC_ROLE) {
+ /*
+ * Grant a role to a user only when privilege type is 'execute'
+ * and the role is specified.
+ */
+ if (priv->object_type == SC_ROLE && !(priv->access & ~PRIV_X)) {
struct user *role = user_by_id(priv->object_id);
if (role == NULL || role->def->type != SC_ROLE)
return;
diff --git a/src/box/lua/schema.lua b/src/box/lua/schema.lua
index d347fd1e6..bad35b680 100644
--- a/src/box/lua/schema.lua
+++ b/src/box/lua/schema.lua
@@ -1739,6 +1739,8 @@ local priv_object_combo = {
box.priv.C, box.priv.D),
["role"] = bit.bor(box.priv.X, box.priv.U,
box.priv.C, box.priv.D),
+ ["user"] = bit.bor(box.priv.C, box.priv.A,
+ box.priv.D),
}
--
@@ -1845,19 +1847,24 @@ local function object_resolve(object_type, object_name)
end
return seq
end
- if object_type == 'role' then
+ if object_type == 'role' or object_type == 'user' then
+ if object_name == '' then
+ return ''
+ end
local _vuser = box.space[box.schema.VUSER_ID]
- local role
+ local role_or_user
if type(object_name) == 'string' then
- role = _vuser.index.name:get{object_name}
+ role_or_user = _vuser.index.name:get{object_name}
else
- role = _vuser:get{object_name}
+ role_or_user = _vuser:get{object_name}
end
- if role and role[4] == 'role' then
- return role[1]
- else
+ if role_or_user and role_or_user[4] == object_type then
+ return role_or_user[1]
+ elseif object_type == 'role' then
box.error(box.error.NO_SUCH_ROLE, object_name)
- end
+ else
+ box.error(box.error.NO_SUCH_USER, object_name)
+ end
end
box.error(box.error.UNKNOWN_SCHEMA_OBJECT, object_type)
@@ -2111,7 +2118,8 @@ local function grant(uid, name, privilege, object_type,
if privilege_hex ~= old_privilege then
_priv:replace{options.grantor, uid, object_type, oid, privilege_hex}
elseif not options.if_not_exists then
- if object_type == 'role' then
+ if object_type == 'role' and object_name ~= '' and
+ privilege == 'execute' then
box.error(box.error.ROLE_GRANTED, name, object_name)
else
box.error(box.error.PRIV_GRANTED, name, privilege,
@@ -2145,7 +2153,8 @@ local function revoke(uid, name, privilege, object_type, object_name, options)
if options.if_exists then
return
end
- if object_type == 'role' then
+ if object_type == 'role' and object_name ~= '' and
+ privilege == 'execute' then
box.error(box.error.ROLE_NOT_GRANTED, name, object_name)
else
box.error(box.error.PRIV_NOT_GRANTED, name, privilege,
diff --git a/src/box/schema.h b/src/box/schema.h
index f1735ff34..c343650de 100644
--- a/src/box/schema.h
+++ b/src/box/schema.h
@@ -240,6 +240,8 @@ struct on_access_denied_ctx {
struct entity_access {
struct access space[BOX_USER_MAX];
struct access function[BOX_USER_MAX];
+ struct access user[BOX_USER_MAX];
+ struct access role[BOX_USER_MAX];
struct access sequence[BOX_USER_MAX];
};
@@ -257,6 +259,12 @@ entity_access_get(enum schema_object_type type)
case SC_FUNCTION:
case SC_ENTITY_FUNCTION:
return entity_access.function;
+ case SC_USER:
+ case SC_ENTITY_USER:
+ return entity_access.user;
+ case SC_ROLE:
+ case SC_ENTITY_ROLE:
+ return entity_access.role;
case SC_SEQUENCE:
case SC_ENTITY_SEQUENCE:
return entity_access.sequence;
diff --git a/src/box/user.cc b/src/box/user.cc
index eec785652..b4fb65a59 100644
--- a/src/box/user.cc
+++ b/src/box/user.cc
@@ -217,6 +217,16 @@ access_find(struct priv_def *priv)
access = entity_access.function;
break;
}
+ case SC_ENTITY_USER:
+ {
+ access = entity_access.user;
+ break;
+ }
+ case SC_ENTITY_ROLE:
+ {
+ access = entity_access.role;
+ break;
+ }
case SC_ENTITY_SEQUENCE:
{
access = entity_access.sequence;
@@ -236,6 +246,16 @@ access_find(struct priv_def *priv)
access = func->access;
break;
}
+ case SC_USER:
+ {
+ /* No grants on a single object user yet. */
+ break;
+ }
+ case SC_ROLE:
+ {
+ /* No grants on a single object role yet. */
+ break;
+ }
case SC_SEQUENCE:
{
struct sequence *seq = sequence_by_id(priv->object_id);
@@ -318,7 +338,7 @@ user_reload_privs(struct user *user)
* Skip role grants, we're only
* interested in real objects.
*/
- if (priv.object_type != SC_ROLE)
+ if (priv.object_type != SC_ROLE || !(priv.access & PRIV_X))
user_grant_priv(user, &priv);
}
}
diff --git a/test/box/access.result b/test/box/access.result
index 599500633..7ef2adac5 100644
--- a/test/box/access.result
+++ b/test/box/access.result
@@ -878,8 +878,6 @@ box.schema.user.create('test')
box.schema.user.grant('test', 'read', 'space', '_collation')
---
...
---box.schema.user.grant('test', 'write', 'space', '_collation')
--- FIXME: granting create on 'collation' only doesn't work
box.schema.user.grant('test', 'create', 'universe')
---
...
@@ -1427,16 +1425,18 @@ box.session.su("admin")
box.schema.user.grant('tester', 'write', 'universe')
---
...
--- no entity user currently, so have to grant create
--- on universe in order to create a user.
-box.schema.user.grant('tester', 'create', 'universe')
+box.schema.user.grant('tester', 'create', 'user')
+---
+...
+box.schema.user.grant('tester', 'create', 'space')
+---
+...
+box.schema.user.grant('tester', 'create', 'function')
+---
+...
+box.schema.user.grant('tester', 'create' , 'sequence')
---
...
--- this should work instead:
---box.schema.user.grant('tester', 'create', 'user')
---box.schema.user.grant('tester', 'create', 'space')
---box.schema.user.grant('tester', 'create', 'function')
---box.schema.user.grant('tester', 'create' , 'sequence')
box.schema.user.grant('tester', 'read', 'space', '_sequence')
---
...
diff --git a/test/box/access.test.lua b/test/box/access.test.lua
index 9ae0e1114..9b7510e64 100644
--- a/test/box/access.test.lua
+++ b/test/box/access.test.lua
@@ -341,8 +341,7 @@ c:close()
session = box.session
box.schema.user.create('test')
box.schema.user.grant('test', 'read', 'space', '_collation')
---box.schema.user.grant('test', 'write', 'space', '_collation')
--- FIXME: granting create on 'collation' only doesn't work
+
box.schema.user.grant('test', 'create', 'universe')
session.su('test')
box.internal.collation.create('test', 'ICU', 'ru_RU')
@@ -538,14 +537,10 @@ box.session.su("admin")
-- tables from ddl
--
box.schema.user.grant('tester', 'write', 'universe')
--- no entity user currently, so have to grant create
--- on universe in order to create a user.
-box.schema.user.grant('tester', 'create', 'universe')
--- this should work instead:
---box.schema.user.grant('tester', 'create', 'user')
---box.schema.user.grant('tester', 'create', 'space')
---box.schema.user.grant('tester', 'create', 'function')
---box.schema.user.grant('tester', 'create' , 'sequence')
+box.schema.user.grant('tester', 'create', 'user')
+box.schema.user.grant('tester', 'create', 'space')
+box.schema.user.grant('tester', 'create', 'function')
+box.schema.user.grant('tester', 'create' , 'sequence')
box.schema.user.grant('tester', 'read', 'space', '_sequence')
box.session.su("tester")
-- successful create
diff --git a/test/box/access_misc.result b/test/box/access_misc.result
index 3061f1181..c1809d69a 100644
--- a/test/box/access_misc.result
+++ b/test/box/access_misc.result
@@ -361,7 +361,7 @@ testuser_uid = session.uid()
...
_ = box.space._user:delete(2)
---
-- error: Drop access to user 'public' is denied for user 'testuser'
+- error: Drop access to role 'public' is denied for user 'testuser'
...
box.space._user:select(1)
---
diff --git a/test/box/role.result b/test/box/role.result
index 806cea90b..243c7bc6c 100644
--- a/test/box/role.result
+++ b/test/box/role.result
@@ -214,7 +214,22 @@ box.schema.role.drop('test')
box.schema.user.grant('grantee', 'liaison')
---
...
-box.schema.user.grant('test', 'read,write,create', 'universe')
+box.schema.user.grant('test', 'read,write', 'space', '_priv')
+---
+...
+box.schema.user.grant('test', 'write', 'space', '_schema')
+---
+...
+box.schema.user.grant('test', 'create', 'space')
+---
+...
+box.schema.user.grant('test', 'read,write', 'space', '_space')
+---
+...
+box.schema.user.grant('test', 'write', 'space', '_index')
+---
+...
+box.schema.user.grant('test', 'read', 'space', '_user')
---
...
box.session.su('test')
@@ -635,7 +650,13 @@ box.schema.user.create('user')
box.schema.user.create('grantee')
---
...
-box.schema.user.grant('user', 'read,write,execute,create', 'universe')
+box.schema.user.grant('user', 'read,write', 'space', '_user')
+---
+...
+box.schema.user.grant('user', 'read,write', 'space', '_priv')
+---
+...
+box.schema.user.grant('user', 'create', 'role')
---
...
box.session.su('user')
diff --git a/test/box/role.test.lua b/test/box/role.test.lua
index e97339f49..9845f4c4c 100644
--- a/test/box/role.test.lua
+++ b/test/box/role.test.lua
@@ -69,7 +69,13 @@ box.schema.role.revoke('test', 'liaison')
box.schema.role.drop('test')
box.schema.user.grant('grantee', 'liaison')
-box.schema.user.grant('test', 'read,write,create', 'universe')
+
+box.schema.user.grant('test', 'read,write', 'space', '_priv')
+box.schema.user.grant('test', 'write', 'space', '_schema')
+box.schema.user.grant('test', 'create', 'space')
+box.schema.user.grant('test', 'read,write', 'space', '_space')
+box.schema.user.grant('test', 'write', 'space', '_index')
+box.schema.user.grant('test', 'read', 'space', '_user')
box.session.su('test')
s = box.schema.space.create('test')
_ = s:create_index('i1')
@@ -248,7 +254,9 @@ box.schema.role.drop("role10")
box.schema.user.create('user')
box.schema.user.create('grantee')
-box.schema.user.grant('user', 'read,write,execute,create', 'universe')
+box.schema.user.grant('user', 'read,write', 'space', '_user')
+box.schema.user.grant('user', 'read,write', 'space', '_priv')
+box.schema.user.grant('user', 'create', 'role')
box.session.su('user')
box.schema.role.create('role')
box.session.su('admin')
--
2.15.2 (Apple Git-101.1)
next prev parent reply other threads:[~2018-08-20 8:14 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-20 8:10 [tarantool-patches] [PATCH 0/4] Finish implementation of privileges Serge Petrenko
2018-08-20 8:10 ` [tarantool-patches] [PATCH 1/4] Introduce separate entity object types for entity privileges Serge Petrenko
2018-08-22 10:28 ` Vladimir Davydov
2018-08-22 12:37 ` Vladimir Davydov
2018-08-20 8:10 ` Serge Petrenko [this message]
2018-08-22 10:37 ` [tarantool-patches] [PATCH 2/4] Add entities user, role to access control Vladimir Davydov
2018-08-22 12:53 ` Vladimir Davydov
2018-08-20 8:10 ` [tarantool-patches] [PATCH 3/4] Add single object privilege checks to access_check_ddl Serge Petrenko
2018-08-22 11:58 ` Vladimir Davydov
2018-08-20 8:10 ` [tarantool-patches] [PATCH 4/4] Add a privilege upgrade script and update tests Serge Petrenko
2018-08-22 12:48 ` Vladimir Davydov
-- strict thread matches above, loose matches on Subject: below --
2018-07-17 15:47 [tarantool-patches] [PATCH 0/4] Fixes in access control and privileges Serge Petrenko
2018-07-17 15:47 ` [tarantool-patches] [PATCH 2/4] Add entities user, role to access control Serge Petrenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4edfd1024c84ab0bfd1a752e9d84ef0356036b48.1534751862.git.sergepetrenko@tarantool.org \
--to=sergepetrenko@tarantool.org \
--cc=kostja@tarantool.org \
--cc=tarantool-patches@freelists.org \
--subject='Re: [tarantool-patches] [PATCH 2/4] Add entities user, role to access control.' \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox