Tarantool development patches archive
 help / color / mirror / Atom feed
From: Georgy Kirichenko <georgy@tarantool.org>
To: tarantool-patches@freelists.org
Cc: Ilya Markov <imarkov@tarantool.org>
Subject: [tarantool-patches] [PATCH] security: Use system views instead of system spaces
Date: Mon,  4 Jun 2018 19:02:21 +0300	[thread overview]
Message-ID: <5aec875966ff843a32b03cf9d0e7c85e4fec7f20.1528128037.git.georgy@tarantool.org> (raw)

From: Ilya Markov <imarkov@tarantool.org>

System views are used instead of direct reads of corresponding system
spaces to explore all accessible objects such as spaces, functions, users
and e.g. An operation with an inaccessible object produces a 'not found'
error even if the object exists.

In scope of #3250

Includes up fixes from Georgy
---
Branch: https://github.com/tarantool/tarantool/tree/gh-3250-use-system-views
 src/box/lua/schema.lua           |  97 ++++++++++++---------
 src/box/sysview_index.c          |  83 +++++++++++++-----
 test/box/access.result           | 145 ++++++++++++++++++++++++++-----
 test/box/access.test.lua         |  67 +++++++++-----
 test/box/access_bin.result       |   2 +-
 test/box/access_bin.test.lua     |   2 +-
 test/box/access_misc.result      |  14 +++
 test/box/access_misc.test.lua    |   9 +-
 test/box/access_sysview.result   |  11 +--
 test/box/access_sysview.test.lua |   6 +-
 test/box/ddl.result              |   4 +
 test/box/ddl.test.lua            |   2 +
 test/box/on_replace.result       |   8 +-
 test/box/role.result             |   2 +-
 test/box/transaction.result      |  18 +++-
 test/box/transaction.test.lua    |   4 +
 test/engine/iterator.result      |   2 +-
 test/engine/savepoint.result     |  12 +--
 18 files changed, 353 insertions(+), 135 deletions(-)

diff --git a/src/box/lua/schema.lua b/src/box/lua/schema.lua
index 0b7849fa9..d6d39170f 100644
--- a/src/box/lua/schema.lua
+++ b/src/box/lua/schema.lua
@@ -104,12 +104,12 @@ ffi.cdef[[
 ]]
 
 local function user_or_role_resolve(user)
-    local _user = box.space[box.schema.VUSER_ID]
+    local _vuser = box.space[box.schema.VUSER_ID]
     local tuple
     if type(user) == 'string' then
-        tuple = _user.index.name:get{user}
+        tuple = _vuser.index.name:get{user}
     else
-        tuple = _user:get{user}
+        tuple = _vuser:get{user}
     end
     if tuple == nil then
         return nil
@@ -118,12 +118,12 @@ local function user_or_role_resolve(user)
 end
 
 local function role_resolve(name_or_id)
-    local _user = box.space[box.schema.USER_ID]
+    local _vuser = box.space[box.schema.VUSER_ID]
     local tuple
     if type(name_or_id) == 'string' then
-        tuple = _user.index.name:get{name_or_id}
+        tuple = _vuser.index.name:get{name_or_id}
     elseif type(name_or_id) ~= 'nil' then
-        tuple = _user:get{name_or_id}
+        tuple = _vuser:get{name_or_id}
     end
     if tuple == nil or tuple[4] ~= 'role' then
         return nil
@@ -133,12 +133,12 @@ local function role_resolve(name_or_id)
 end
 
 local function user_resolve(name_or_id)
-    local _user = box.space[box.schema.USER_ID]
+    local _vuser = box.space[box.schema.VUSER_ID]
     local tuple
     if type(name_or_id) == 'string' then
-        tuple = _user.index.name:get{name_or_id}
+        tuple = _vuser.index.name:get{name_or_id}
     elseif type(name_or_id) ~= 'nil' then
-        tuple = _user:get{name_or_id}
+        tuple = _vuser:get{name_or_id}
     end
     if tuple == nil or tuple[4] ~= 'user' then
         return nil
@@ -148,12 +148,12 @@ local function user_resolve(name_or_id)
 end
 
 local function sequence_resolve(name_or_id)
-    local _sequence = box.space[box.schema.SEQUENCE_ID]
+    local _vsequence = box.space[box.schema.VSEQUENCE_ID]
     local tuple
     if type(name_or_id) == 'string' then
-        tuple = _sequence.index.name:get{name_or_id}
+        tuple = _vsequence.index.name:get{name_or_id}
     elseif type(name_or_id) ~= 'nil' then
-        tuple = _sequence:get{name_or_id}
+        tuple = _vsequence:get{name_or_id}
     end
     if tuple ~= nil then
         return tuple[1], tuple
@@ -164,8 +164,9 @@ end
 
 -- Revoke all privileges associated with the given object.
 local function revoke_object_privs(object_type, object_id)
+    local _vpriv = box.space[box.schema.VPRIV_ID]
     local _priv = box.space[box.schema.PRIV_ID]
-    local privs = _priv.index.object:select{object_type, object_id}
+    local privs = _vpriv.index.object:select{object_type, object_id}
     for k, tuple in pairs(privs) do
         local uid = tuple[2]
         _priv:delete{uid, object_type, object_id}
@@ -431,10 +432,15 @@ end
 -- space format - the metadata about space fields
 function box.schema.space.format(id, format)
     local _space = box.space._space
+    local _vspace = box.space._vspace
     check_param(id, 'id', 'number')
 
     if format == nil then
-        return _space:get(id)[7]
+        local tuple = _vspace:get(id)
+        if tuple == nil then
+            box.error(box.error.NO_SUCH_SPACE, '#' .. tostring(id))
+        end
+        return tuple[7]
     else
         check_param(format, 'format', 'table')
         format = update_format(format)
@@ -450,6 +456,7 @@ box.schema.space.drop = function(space_id, space_name, opts)
     check_param_table(opts, { if_exists = 'boolean' })
     local _space = box.space[box.schema.SPACE_ID]
     local _index = box.space[box.schema.INDEX_ID]
+    local _vindex = box.space[box.schema.VINDEX_ID]
     local _truncate = box.space[box.schema.TRUNCATE_ID]
     local _space_sequence = box.space[box.schema.SPACE_SEQUENCE_ID]
     local sequence_tuple = _space_sequence:delete{space_id}
@@ -457,7 +464,7 @@ box.schema.space.drop = function(space_id, space_name, opts)
         -- Delete automatically generated sequence.
         box.schema.sequence.drop(sequence_tuple[2])
     end
-    local keys = _index:select(space_id)
+    local keys = _vindex:select(space_id)
     for i = #keys, 1, -1 do
         local v = keys[i]
         _index:delete{v[1], v[2]}
@@ -695,7 +702,8 @@ box.schema.index.create = function(space_id, name, options)
     options = update_param_table(options, options_defaults)
 
     local _index = box.space[box.schema.INDEX_ID]
-    if _index.index.name:get{space_id, name} then
+    local _vindex = box.space[box.schema.VINDEX_ID]
+    if _vindex.index.name:get{space_id, name} then
         if options.if_not_exists then
             return space.index[name], "not created"
         else
@@ -708,7 +716,7 @@ box.schema.index.create = function(space_id, name, options)
         iid = options.id
     else
         -- max
-        local tuple = _index.index[0]
+        local tuple = _vindex.index[0]
             :select(space_id, { limit = 1, iterator = 'LE' })[1]
         if tuple then
             local id = tuple[1]
@@ -1745,12 +1753,12 @@ local function object_resolve(object_type, object_name)
         return space.id
     end
     if object_type == 'function' then
-        local _func = box.space[box.schema.FUNC_ID]
+        local _vfunc = box.space[box.schema.VFUNC_ID]
         local func
         if type(object_name) == 'string' then
-            func = _func.index.name:get{object_name}
+            func = _vfunc.index.name:get{object_name}
         else
-            func = _func:get{object_name}
+            func = _vfunc:get{object_name}
         end
         if func then
             return func[1]
@@ -1766,12 +1774,12 @@ local function object_resolve(object_type, object_name)
         return seq
     end
     if object_type == 'role' then
-        local _user = box.space[box.schema.USER_ID]
+        local _vuser = box.space[box.schema.VUSER_ID]
         local role
         if type(object_name) == 'string' then
-            role = _user.index.name:get{object_name}
+            role = _vuser.index.name:get{object_name}
         else
-            role = _user:get{object_name}
+            role = _vuser:get{object_name}
         end
         if role and role[4] == 'role' then
             return role[1]
@@ -1789,13 +1797,13 @@ local function object_name(object_type, object_id)
     end
     local space
     if object_type == 'space' then
-        space = box.space._space
+        space = box.space._vspace
     elseif object_type == 'sequence' then
         space = box.space._sequence
     elseif object_type == 'function' then
-        space = box.space._func
+        space = box.space._vfunc
     elseif object_type == 'role' or object_type == 'user' then
-        space = box.space._user
+        space = box.space._vuser
     else
         box.error(box.error.UNKNOWN_SCHEMA_OBJECT, object_type)
     end
@@ -1809,7 +1817,8 @@ box.schema.func.create = function(name, opts)
                               if_not_exists = 'boolean',
                               language = 'string'})
     local _func = box.space[box.schema.FUNC_ID]
-    local func = _func.index.name:get{name}
+    local _vfunc = box.space[box.schema.VFUNC_ID]
+    local func = _vfunc.index.name:get{name}
     if func then
         if not opts.if_not_exists then
             box.error(box.error.FUNCTION_EXISTS, name)
@@ -1826,12 +1835,13 @@ box.schema.func.drop = function(name, opts)
     opts = opts or {}
     check_param_table(opts, { if_exists = 'boolean' })
     local _func = box.space[box.schema.FUNC_ID]
+    local _vfunc = box.space[box.schema.VFUNC_ID]
     local fid
     local tuple
     if type(name) == 'string' then
-        tuple = _func.index.name:get{name}
+        tuple = _vfunc.index.name:get{name}
     else
-        tuple = _func:get{name}
+        tuple = _vfunc:get{name}
     end
     if tuple then
         fid = tuple[1]
@@ -1847,12 +1857,12 @@ box.schema.func.drop = function(name, opts)
 end
 
 function box.schema.func.exists(name_or_id)
-    local _func = box.space[box.schema.VFUNC_ID]
+    local _vfunc = box.space[box.schema.VFUNC_ID]
     local tuple = nil
     if type(name_or_id) == 'string' then
-        tuple = _func.index.name:get{name_or_id}
+        tuple = _vfunc.index.name:get{name_or_id}
     elseif type(name_or_id) == 'number' then
-        tuple = _func:get{name_or_id}
+        tuple = _vfunc:get{name_or_id}
     end
     return tuple ~= nil
 end
@@ -2007,8 +2017,9 @@ local function grant(uid, name, privilege, object_type,
         options.grantor = user_or_role_resolve(options.grantor)
     end
     local _priv = box.space[box.schema.PRIV_ID]
+    local _vpriv = box.space[box.schema.VPRIV_ID]
     -- add the granted privilege to the current set
-    local tuple = _priv:get{uid, object_type, oid}
+    local tuple = _vpriv:get{uid, object_type, oid}
     local old_privilege
     if tuple ~= nil then
         old_privilege = tuple[5]
@@ -2043,7 +2054,8 @@ local function revoke(uid, name, privilege, object_type, object_name, options)
     options = options or {}
     local oid = object_resolve(object_type, object_name)
     local _priv = box.space[box.schema.PRIV_ID]
-    local tuple = _priv:get{uid, object_type, oid}
+    local _vpriv = box.space[box.schema.VPRIV_ID]
+    local tuple = _vpriv:get{uid, object_type, oid}
     -- system privileges of admin and guest can't be revoked
     if tuple == nil then
         if options.if_exists then
@@ -2072,32 +2084,32 @@ end
 
 local function drop(uid, opts)
     -- recursive delete of user data
-    local _priv = box.space[box.schema.PRIV_ID]
-    local spaces = box.space[box.schema.SPACE_ID].index.owner:select{uid}
+    local _vpriv = box.space[box.schema.VPRIV_ID]
+    local spaces = box.space[box.schema.VSPACE_ID].index.owner:select{uid}
     for k, tuple in pairs(spaces) do
         box.space[tuple[1]]:drop()
     end
-    local funcs = box.space[box.schema.FUNC_ID].index.owner:select{uid}
+    local funcs = box.space[box.schema.VFUNC_ID].index.owner:select{uid}
     for k, tuple in pairs(funcs) do
         box.schema.func.drop(tuple[1])
     end
     -- if this is a role, revoke this role from whoever it was granted to
-    local grants = _priv.index.object:select{'role', uid}
+    local grants = _vpriv.index.object:select{'role', uid}
     for k, tuple in pairs(grants) do
         revoke(tuple[2], tuple[2], uid)
     end
-    local sequences = box.space[box.schema.SEQUENCE_ID].index.owner:select{uid}
+    local sequences = box.space[box.schema.VSEQUENCE_ID].index.owner:select{uid}
     for k, tuple in pairs(sequences) do
         box.schema.sequence.drop(tuple[1])
     end
     -- xxx: hack, we have to revoke session and usage privileges
     -- of a user using a setuid function in absence of create/drop
     -- privileges and grant option
-    if box.space._user:get{uid}[4] == 'user' then
+    if box.space._vuser:get{uid}[4] == 'user' then
         box.session.su('admin', box.schema.user.revoke, uid,
                        'session,usage', 'universe', nil, {if_exists = true})
     end
-    local privs = _priv.index.primary:select{uid}
+    local privs = _vpriv.index.primary:select{uid}
     for k, tuple in pairs(privs) do
         revoke(uid, uid, tuple[5], tuple[3], tuple[4])
     end
@@ -2154,8 +2166,7 @@ box.schema.user.drop = function(name, opts)
 end
 
 local function info(id)
-    local _priv = box.space._priv
-    local _user = box.space._priv
+    local _priv = box.space._vpriv
     local privs = {}
     for _, v in pairs(_priv:select{id}) do
         table.insert(
diff --git a/src/box/sysview_index.c b/src/box/sysview_index.c
index 51bd63ac8..f1dfbefe5 100644
--- a/src/box/sysview_index.c
+++ b/src/box/sysview_index.c
@@ -198,15 +198,32 @@ static const struct index_vtab sysview_index_vtab = {
 	/* .end_build = */ generic_index_end_build,
 };
 
+/*
+ * System view filters.
+ * Filter gives access to an object, if one of the following conditions is true:
+ * 1. User has read, write, drop or alter access to universe.
+ * 2. User has read access to according system space.
+ * 3. User has read, write, drop or alter access to the object.
+ * 4. User is a owner of the object.
+ * 5. User is grantor or grantee for the privilege.
+ * 6. User has execute for the function or the sequence.
+ * 7. User is parent for the user/role.
+ */
+
+const uint32_t PRIV_WRDA = PRIV_W | PRIV_D | PRIV_A | PRIV_R;
+
 static bool
 vspace_filter(struct space *source, struct tuple *tuple)
 {
 	struct credentials *cr = effective_user();
-	if (PRIV_R & cr->universal_access)
-		return true; /* read access to universe */
+	/*
+	 * Allow access for a user with read, write,
+	 * drop or alter privileges for universe.
+	 */
+	if (PRIV_WRDA & cr->universal_access)
+		return true;
 	if (PRIV_R & source->access[cr->auth_token].effective)
 		return true; /* read access to _space space */
-
 	uint32_t space_id;
 	if (tuple_field_u32(tuple, BOX_SPACE_FIELD_ID, &space_id) != 0)
 		return false;
@@ -214,16 +231,24 @@ vspace_filter(struct space *source, struct tuple *tuple)
 	if (space == NULL)
 		return false;
 	user_access_t effective = space->access[cr->auth_token].effective;
-	return ((PRIV_R | PRIV_W) & (cr->universal_access | effective) ||
-		space->def->uid == cr->uid);
+	/*
+	 * Allow access for space owners and users with any
+	 * privilege for the space.
+	 */
+	return (PRIV_WRDA & effective ||
+	       space->def->uid == cr->uid);
 }
 
 static bool
 vuser_filter(struct space *source, struct tuple *tuple)
 {
 	struct credentials *cr = effective_user();
-	if (PRIV_R & cr->universal_access)
-		return true; /* read access to universe */
+	/*
+	 * Allow access for a user with read, write,
+	 * drop or alter privileges for universe.
+	 */
+	if (PRIV_WRDA & cr->universal_access)
+		return true;
 	if (PRIV_R & source->access[cr->auth_token].effective)
 		return true; /* read access to _user space */
 
@@ -233,15 +258,20 @@ vuser_filter(struct space *source, struct tuple *tuple)
 	uint32_t owner_id;
 	if (tuple_field_u32(tuple, BOX_USER_FIELD_UID, &owner_id) != 0)
 		return false;
-	return uid == cr->uid || owner_id == cr->uid;
+	/* Allow access for self, childs or public user. */
+	return uid == cr->uid || owner_id == cr->uid || uid == PUBLIC;
 }
 
 static bool
 vpriv_filter(struct space *source, struct tuple *tuple)
 {
 	struct credentials *cr = effective_user();
-	if (PRIV_R & cr->universal_access)
-		return true; /* read access to universe */
+	/*
+	 * Allow access for a user with read, write,
+	 * drop or alter privileges for universe.
+	 */
+	if (PRIV_WRDA & cr->universal_access)
+		return true;
 	if (PRIV_R & source->access[cr->auth_token].effective)
 		return true; /* read access to _priv space */
 
@@ -251,6 +281,7 @@ vpriv_filter(struct space *source, struct tuple *tuple)
 	uint32_t grantee_id;
 	if (tuple_field_u32(tuple, BOX_PRIV_FIELD_UID, &grantee_id) != 0)
 		return false;
+	/* Allow access for privilege grantor or grantee. */
 	return grantor_id == cr->uid || grantee_id == cr->uid;
 }
 
@@ -258,29 +289,37 @@ static bool
 vfunc_filter(struct space *source, struct tuple *tuple)
 {
 	struct credentials *cr = effective_user();
-	if ((PRIV_R | PRIV_X) & cr->universal_access)
-		return true; /* read or execute access to universe */
+	/*
+	 * Allow access for a user with read, write,
+	 * drop, alter or execute privileges for universe.
+	 */
+	if ((PRIV_WRDA | PRIV_X) & cr->universal_access)
+		return true;
 	if (PRIV_R & source->access[cr->auth_token].effective)
 		return true; /* read access to _func space */
 
-	const char *name = tuple_field_cstr(tuple, BOX_FUNC_FIELD_NAME);
+	uint32_t name_len;
+	const char *name = tuple_field_str(tuple, BOX_FUNC_FIELD_NAME,
+					   &name_len);
 	if (name == NULL)
 		return false;
-	uint32_t name_len = strlen(name);
 	struct func *func = func_by_name(name, name_len);
 	assert(func != NULL);
 	user_access_t effective = func->access[cr->auth_token].effective;
-	if (func->def->uid == cr->uid || (PRIV_X & effective))
-		return true;
-	return false;
+	return func->def->uid == cr->uid ||
+	       ((PRIV_WRDA | PRIV_X) & effective);
 }
 
 static bool
 vsequence_filter(struct space *source, struct tuple *tuple)
 {
 	struct credentials *cr = effective_user();
-	if ((PRIV_R | PRIV_X) & cr->universal_access)
-		return true; /* read or execute access to universe */
+	/*
+	 * Allow access for a user with read, write,
+	 * drop, alter or execute privileges for universe.
+	 */
+	if ((PRIV_WRDA | PRIV_X) & cr->universal_access)
+		return true;
 	if (PRIV_R & source->access[cr->auth_token].effective)
 		return true; /* read access to _sequence space */
 
@@ -291,12 +330,10 @@ vsequence_filter(struct space *source, struct tuple *tuple)
 	if (sequence == NULL)
 		return false;
 	user_access_t effective = sequence->access[cr->auth_token].effective;
-	if (sequence->def->uid == cr->uid || ((PRIV_W | PRIV_R) & effective))
-		return true;
-	return false;
+	return sequence->def->uid == cr->uid ||
+	       ((PRIV_WRDA | PRIV_X) & effective);
 }
 
-
 struct sysview_index *
 sysview_index_new(struct sysview_engine *sysview,
 		  struct index_def *def, const char *space_name)
diff --git a/test/box/access.result b/test/box/access.result
index 5c39bc97e..131a21510 100644
--- a/test/box/access.result
+++ b/test/box/access.result
@@ -386,7 +386,8 @@ session.su('grantee')
 -- fails - can't suicide - ask the creator to kill you
 box.schema.user.drop('grantee')
 ---
-- error: Read access to space '_user' is denied for user 'grantee'
+- error: 'Failed to drop user or role ''grantee'': the user is active in the current
+    session'
 ...
 session.su('grantor')
 ---
@@ -471,7 +472,7 @@ session.su('user1')
 -- permission denied
 box.schema.user.passwd('admin', 'xxx')
 ---
-- error: Read access to space '_user' is denied for user 'user1'
+- error: User 'admin' is not found
 ...
 session.su('admin')
 ---
@@ -1048,7 +1049,7 @@ session.su("test1")
 ...
 box.schema.user.disable("test")
 ---
-- error: Read access to space '_user' is denied for user 'test1'
+- error: User 'test' is not found
 ...
 session.su("admin")
 ---
@@ -1080,7 +1081,7 @@ session.su("test1")
 ...
 box.schema.user.grant("test", "usage", "universe")
 ---
-- error: Read access to space '_user' is denied for user 'test1'
+- error: User 'test' is not found
 ...
 session.su('admin')
 ---
@@ -1357,28 +1358,59 @@ box.schema.user.create("tester")
 s = box.schema.space.create("test")
 ---
 ...
+_ = s:create_index("primary")
+---
+...
+seq = box.schema.sequence.create("test")
+---
+...
 u = box.schema.user.create("test")
 ---
 ...
 f = box.schema.func.create("test")
 ---
 ...
-box.schema.user.grant("tester", "read,execute", "universe")
+-- failed create, auto_increment requires read.
+box.session.su("tester")
+---
+...
+box.schema.space.create("test_space")
+---
+- error: Write access to space '_schema' is denied for user 'tester'
+...
+box.schema.user.create('test_user')
+---
+- error: Read access to space '_user' is denied for user 'tester'
+...
+box.schema.func.create('test_func')
+---
+- error: Read access to space '_func' is denied for user 'tester'
+...
+box.session.su("admin")
+---
+...
+box.schema.user.grant("tester", "read", "universe")
 ---
 ...
 -- failed create
-box.session.su("tester", box.schema.space.create, "test_space")
+box.session.su("tester")
+---
+...
+box.schema.space.create("test_space")
 ---
 - error: Write access to space '_schema' is denied for user 'tester'
 ...
-box.session.su("tester", box.schema.user.create, 'test_user')
+box.schema.user.create('test_user')
 ---
 - error: Write access to space '_user' is denied for user 'tester'
 ...
-box.session.su("tester", box.schema.func.create, 'test_func')
+box.schema.func.create('test_func')
 ---
 - error: Write access to space '_func' is denied for user 'tester'
 ...
+box.session.su("admin")
+---
+...
 --
 -- FIXME 2.0: we still need to grant 'write' on universe
 -- explicitly since we still use process_rw to write to system
@@ -1387,24 +1419,36 @@ box.session.su("tester", box.schema.func.create, 'test_func')
 box.schema.user.grant("tester", "create,write", "universe")
 ---
 ...
+box.session.su("tester")
+---
+...
 -- successful create
-s1 = box.session.su("tester", box.schema.space.create, "test_space")
+s1 = box.schema.space.create("test_space")
 ---
 ...
-_ = box.session.su("tester", box.schema.user.create, 'test_user')
+_ = s1:create_index("primary")
 ---
 ...
-_ = box.session.su("tester", box.schema.func.create, 'test_func')
+_ = box.schema.user.create('test_user')
+---
+...
+_ = box.schema.func.create('test_func')
+---
+...
+seq1 = box.schema.sequence.create('test_seq')
 ---
 ...
 -- successful drop of owned objects
-_ = box.session.su("tester", s1.drop, s1)
+s1:drop()
 ---
 ...
-_ = box.session.su("tester", box.schema.user.drop, 'test_user')
+seq1:drop()
 ---
 ...
-_ = box.session.su("tester", box.schema.func.drop, 'test_func')
+box.schema.user.drop('test_user')
+---
+...
+box.schema.func.drop('test_func')
 ---
 ...
 -- failed alter
@@ -1414,22 +1458,24 @@ _ = box.session.su("tester", box.schema.func.drop, 'test_func')
 -- box.session.su("tester", s.format, s, {name="id", type="unsigned"})
 -- failed drop
 -- box.session.su("tester", s.drop, s)
--- can't use here sudo
--- because drop use sudo inside
--- and currently sudo can't be performed nested
-box.session.su("tester")
+s:drop()
 ---
+- error: Drop access to space 'test' is denied for user 'tester'
+...
+seq:drop()
+---
+- error: Drop access to sequence 'test' is denied for user 'tester'
 ...
 box.schema.user.drop("test")
 ---
 - error: Revoke access to role 'public' is denied for user 'tester'
 ...
-box.session.su("admin")
+box.schema.func.drop("test")
 ---
+- error: Drop access to function 'test' is denied for user 'tester'
 ...
-box.session.su("tester", box.schema.func.drop, "test")
+box.session.su("admin")
 ---
-- error: Drop access to function 'test' is denied for user 'tester'
 ...
 box.schema.user.grant("tester", "drop", "universe")
 ---
@@ -1438,6 +1484,9 @@ box.schema.user.grant("tester", "drop", "universe")
 box.session.su("tester", s.drop, s)
 ---
 ...
+box.session.su("tester", seq.drop, seq)
+---
+...
 box.session.su("tester", box.schema.user.drop, "test")
 ---
 ...
@@ -1510,36 +1559,86 @@ box.schema.func.exists('test')
 ---
 - false
 ...
+box.space._vspace.index.name:get{"test"} ~= nil
+---
+- false
+...
+box.space._vsequence.index.name:get{"test"} ~= nil
+---
+- false
+...
 --
--- create an object, but 'guest' still has no access to it
+-- create an objects, but 'guest' still has no access to them
 --
 box.session.su('admin', box.schema.func.create, 'test')
 ---
 ...
+s = box.session.su('admin', box.schema.space.create, 'test')
+---
+...
+_ = box.session.su('admin', box.schema.sequence.create, 'test')
+---
+...
 box.schema.func.exists('test')
 ---
 - false
 ...
+box.space._vspace.index.name:get{"test"} ~= nil
+---
+- false
+...
+box.space._vsequence.index.name:get{"test"} ~= nil
+---
+- false
+...
 --
 -- grant access, the object should become visible to guest
 --
 box.session.su('admin', box.schema.user.grant, 'guest', 'execute', 'function', 'test')
 ---
 ...
+box.session.su('admin', box.schema.user.grant, 'guest', 'read', 'space', 'test')
+---
+...
+box.session.su('admin', box.schema.user.grant, 'guest', 'read', 'sequence', 'test')
+---
+...
 box.schema.func.exists('test')
 ---
 - true
 ...
+box.space._vspace.index.name:get{"test"} ~= nil
+---
+- true
+...
+box.space._vsequence.index.name:get{"test"} ~= nil
+---
+- true
+...
 --
--- drop object
+-- drop objects
 --
 box.session.su('admin', box.schema.func.drop, 'test')
 ---
 ...
+box.session.su('admin', s.drop, s)
+---
+...
+box.session.su('admin', box.schema.sequence.drop, 'test')
+---
+...
 box.schema.func.exists('test')
 ---
 - false
 ...
+box.space._vspace.index.name:get{"test"} ~= nil
+---
+- false
+...
+box.space._vsequence.index.name:get{"test"} ~= nil
+---
+- false
+...
 --
 -- restore
 --
diff --git a/test/box/access.test.lua b/test/box/access.test.lua
index 501c766ae..4bd34e45d 100644
--- a/test/box/access.test.lua
+++ b/test/box/access.test.lua
@@ -509,14 +509,24 @@ s:drop()
 --
 box.schema.user.create("tester")
 s = box.schema.space.create("test")
+_ = s:create_index("primary")
+seq = box.schema.sequence.create("test")
 u = box.schema.user.create("test")
 f = box.schema.func.create("test")
-box.schema.user.grant("tester", "read,execute", "universe")
 
+-- failed create, auto_increment requires read.
+box.session.su("tester")
+box.schema.space.create("test_space")
+box.schema.user.create('test_user')
+box.schema.func.create('test_func')
+box.session.su("admin")
+box.schema.user.grant("tester", "read", "universe")
 -- failed create
-box.session.su("tester", box.schema.space.create, "test_space")
-box.session.su("tester", box.schema.user.create, 'test_user')
-box.session.su("tester", box.schema.func.create, 'test_func')
+box.session.su("tester")
+box.schema.space.create("test_space")
+box.schema.user.create('test_user')
+box.schema.func.create('test_func')
+box.session.su("admin")
 
 --
 -- FIXME 2.0: we still need to grant 'write' on universe
@@ -524,15 +534,19 @@ box.session.su("tester", box.schema.func.create, 'test_func')
 -- tables from ddl
 --
 box.schema.user.grant("tester", "create,write", "universe")
+box.session.su("tester")
 -- successful create
-s1 = box.session.su("tester", box.schema.space.create, "test_space")
-_ = box.session.su("tester", box.schema.user.create, 'test_user')
-_ = box.session.su("tester", box.schema.func.create, 'test_func')
+s1 = box.schema.space.create("test_space")
+_ = s1:create_index("primary")
+_ = box.schema.user.create('test_user')
+_ = box.schema.func.create('test_func')
+seq1 = box.schema.sequence.create('test_seq')
 
 -- successful drop of owned objects
-_ = box.session.su("tester", s1.drop, s1)
-_ = box.session.su("tester", box.schema.user.drop, 'test_user')
-_ = box.session.su("tester", box.schema.func.drop, 'test_func')
+s1:drop()
+seq1:drop()
+box.schema.user.drop('test_user')
+box.schema.func.drop('test_func')
 
 -- failed alter
 -- box.session.su("tester", s.format, s, {name="id", type="unsigned"})
@@ -543,19 +557,16 @@ _ = box.session.su("tester", box.schema.func.drop, 'test_func')
 
 -- failed drop
 -- box.session.su("tester", s.drop, s)
-
--- can't use here sudo
--- because drop use sudo inside
--- and currently sudo can't be performed nested
-box.session.su("tester")
+s:drop()
+seq:drop()
 box.schema.user.drop("test")
-box.session.su("admin")
-
-box.session.su("tester", box.schema.func.drop, "test")
+box.schema.func.drop("test")
 
+box.session.su("admin")
 box.schema.user.grant("tester", "drop", "universe")
 -- successful drop
 box.session.su("tester", s.drop, s)
+box.session.su("tester", seq.drop, seq)
 box.session.su("tester", box.schema.user.drop, "test")
 box.session.su("tester", box.schema.func.drop, "test")
 
@@ -589,22 +600,36 @@ box.session.su('guest')
 -- has no access to the function
 --
 box.schema.func.exists('test')
+box.space._vspace.index.name:get{"test"} ~= nil
+box.space._vsequence.index.name:get{"test"} ~= nil
 --
--- create an object, but 'guest' still has no access to it
+-- create an objects, but 'guest' still has no access to them
 --
 box.session.su('admin', box.schema.func.create, 'test')
+s = box.session.su('admin', box.schema.space.create, 'test')
+_ = box.session.su('admin', box.schema.sequence.create, 'test')
 box.schema.func.exists('test')
+box.space._vspace.index.name:get{"test"} ~= nil
+box.space._vsequence.index.name:get{"test"} ~= nil
 --
 -- grant access, the object should become visible to guest
 --
 box.session.su('admin', box.schema.user.grant, 'guest', 'execute', 'function', 'test')
+box.session.su('admin', box.schema.user.grant, 'guest', 'read', 'space', 'test')
+box.session.su('admin', box.schema.user.grant, 'guest', 'read', 'sequence', 'test')
 box.schema.func.exists('test')
+box.space._vspace.index.name:get{"test"} ~= nil
+box.space._vsequence.index.name:get{"test"} ~= nil
 --
--- drop object
+-- drop objects
 --
 box.session.su('admin', box.schema.func.drop, 'test')
+box.session.su('admin', s.drop, s)
+box.session.su('admin', box.schema.sequence.drop, 'test')
 box.schema.func.exists('test')
+box.space._vspace.index.name:get{"test"} ~= nil
+box.space._vsequence.index.name:get{"test"} ~= nil
 --
 -- restore
 --
-box.session.su('admin')
+box.session.su('admin')
\ No newline at end of file
diff --git a/test/box/access_bin.result b/test/box/access_bin.result
index b81279cfe..7b30d11f2 100644
--- a/test/box/access_bin.result
+++ b/test/box/access_bin.result
@@ -344,7 +344,7 @@ box.session.su('admin', box.session.user())
 ---
 - error: 'bad argument #2 to ''?'' (function expected, got string)'
 ...
--- clenaup
+-- cleanup
 box.session.su('admin')
 ---
 ...
diff --git a/test/box/access_bin.test.lua b/test/box/access_bin.test.lua
index cb3a50c68..4c7a6d08f 100644
--- a/test/box/access_bin.test.lua
+++ b/test/box/access_bin.test.lua
@@ -131,5 +131,5 @@ box.schema.func.drop('f2')
 --
 box.session.su('admin', box.session.user)
 box.session.su('admin', box.session.user())
--- clenaup
+-- cleanup
 box.session.su('admin')
diff --git a/test/box/access_misc.result b/test/box/access_misc.result
index 3a56a4cb2..8bf99f2e7 100644
--- a/test/box/access_misc.result
+++ b/test/box/access_misc.result
@@ -175,6 +175,17 @@ gs = box.schema.space.create('guest_space')
 ---
 - error: Write access to space '_schema' is denied for user 'guest'
 ...
+--
+-- FIXME: object create calls system space auto_increment, which requires
+-- read and write privileges. Create privilege must solve this.
+--
+box.schema.func.create('guest_func')
+---
+- error: Read access to space '_func' is denied for user 'guest'
+...
+session.su('admin', box.schema.user.grant, "guest", "read", "universe")
+---
+...
 box.schema.func.create('guest_func')
 ---
 - error: Read access to space '_func' is denied for user 'guest'
@@ -182,6 +193,9 @@ box.schema.func.create('guest_func')
 session.su('admin')
 ---
 ...
+box.schema.user.revoke("guest", "read", "universe")
+---
+...
 s:select()
 ---
 - - [2]
diff --git a/test/box/access_misc.test.lua b/test/box/access_misc.test.lua
index cf6447ea6..27064c491 100644
--- a/test/box/access_misc.test.lua
+++ b/test/box/access_misc.test.lua
@@ -70,9 +70,16 @@ s:insert({4})
 s:delete({3})
 s:drop()
 gs = box.schema.space.create('guest_space')
+--
+-- FIXME: object create calls system space auto_increment, which requires
+-- read and write privileges. Create privilege must solve this.
+--
+box.schema.func.create('guest_func')
+session.su('admin', box.schema.user.grant, "guest", "read", "universe")
 box.schema.func.create('guest_func')
-
 session.su('admin')
+box.schema.user.revoke("guest", "read", "universe")
+
 s:select()
 --
 -- Create user with universe read&write grants
diff --git a/test/box/access_sysview.result b/test/box/access_sysview.result
index 340ed2164..20efd2bbc 100644
--- a/test/box/access_sysview.result
+++ b/test/box/access_sysview.result
@@ -266,11 +266,11 @@ box.session.su('guest')
 ...
 #box.space._vuser:select{}
 ---
-- 1
+- 5
 ...
 #box.space._vpriv:select{}
 ---
-- 2
+- 15
 ...
 #box.space._vfunc:select{}
 ---
@@ -343,7 +343,7 @@ box.session.su('guest')
 -- _vuser
 --
 -- a guest user can read information about itself
-t = box.space._vuser:select(); return #t == 1 and t[1][3] == 'guest'
+t = box.space._vuser:select(); for i = 1, #t do if t[i][3] == 'guest' then return true end end return false
 ---
 - true
 ...
@@ -526,8 +526,9 @@ box.schema.user.grant('guest', 'execute', 'function', 'test')
 box.session.su('guest')
 ---
 ...
-#box.space._vfunc:select{} = cnt + 1
+#box.space._vfunc:select{} == func_cnt
 ---
+- true
 ...
 box.session.su('admin')
 ---
@@ -551,7 +552,7 @@ box.schema.user.grant('guest', 'execute', 'universe')
 box.session.su('guest')
 ---
 ...
-#box.space._vfunc:select{} == cnt + 1
+#box.space._vfunc:select{} == func_cnt
 ---
 - true
 ...
diff --git a/test/box/access_sysview.test.lua b/test/box/access_sysview.test.lua
index 7955ffc98..4cc5611a6 100644
--- a/test/box/access_sysview.test.lua
+++ b/test/box/access_sysview.test.lua
@@ -134,7 +134,7 @@ box.session.su('guest')
 --
 
 -- a guest user can read information about itself
-t = box.space._vuser:select(); return #t == 1 and t[1][3] == 'guest'
+t = box.space._vuser:select(); for i = 1, #t do if t[i][3] == 'guest' then return true end end return false
 
 -- read access to original space also allow to read a view
 box.session.su('admin')
@@ -218,7 +218,7 @@ box.session.su('admin')
 box.schema.user.grant('guest', 'execute', 'function', 'test')
 box.session.su('guest')
 
-#box.space._vfunc:select{} = cnt + 1
+#box.space._vfunc:select{} == func_cnt
 
 box.session.su('admin')
 box.schema.user.revoke('guest', 'execute', 'function', 'test')
@@ -230,7 +230,7 @@ box.session.su('admin')
 box.schema.user.grant('guest', 'execute', 'universe')
 box.session.su('guest')
 
-#box.space._vfunc:select{} == cnt + 1
+#box.space._vfunc:select{} == func_cnt
 
 box.session.su('admin')
 box.schema.user.revoke('guest', 'execute', 'universe')
diff --git a/test/box/ddl.result b/test/box/ddl.result
index 30f0cf7ec..f84a4dc50 100644
--- a/test/box/ddl.result
+++ b/test/box/ddl.result
@@ -580,6 +580,10 @@ test_run:cmd("setopt delimiter ''");
 ---
 - true
 ...
+-- finish transaction
+box.rollback()
+---
+...
 _ = c:get()
 ---
 ...
diff --git a/test/box/ddl.test.lua b/test/box/ddl.test.lua
index ebbefe77b..ba028361d 100644
--- a/test/box/ddl.test.lua
+++ b/test/box/ddl.test.lua
@@ -234,6 +234,8 @@ test_latch:create_index("sec2", {unique = true, parts = {2, 'unsigned'}})
 box.commit();
 
 test_run:cmd("setopt delimiter ''");
+-- finish transaction
+box.rollback()
 
 _ = c:get()
 test_latch:drop() -- this is where everything stops
diff --git a/test/box/on_replace.result b/test/box/on_replace.result
index a961df192..8c52e1282 100644
--- a/test/box/on_replace.result
+++ b/test/box/on_replace.result
@@ -471,7 +471,7 @@ t = s:on_replace(function () s:create_index('sec') end, t)
 ...
 s:replace({2, 3})
 ---
-- error: Space _index does not support multi-statement transactions
+- error: A multi-statement transaction can not use multiple storage engines
 ...
 t = s:on_replace(function () box.schema.user.create('newu') end, t)
 ---
@@ -506,21 +506,21 @@ t = s:on_replace(function () s:drop() end, t)
 ...
 s:replace({5, 6})
 ---
-- error: DDL does not support multi-statement transactions
+- error: A multi-statement transaction can not use multiple storage engines
 ...
 t = s:on_replace(function () box.schema.func.create('newf') end, t)
 ---
 ...
 s:replace({6, 7})
 ---
-- error: Space _func does not support multi-statement transactions
+- error: A multi-statement transaction can not use multiple storage engines
 ...
 t = s:on_replace(function () box.schema.user.grant('guest', 'read,write', 'space', 'test_on_repl_ddl') end, t)
 ---
 ...
 s:replace({7, 8})
 ---
-- error: Space _priv does not support multi-statement transactions
+- error: A multi-statement transaction can not use multiple storage engines
 ...
 t = s:on_replace(function () s:rename('newname') end, t)
 ---
diff --git a/test/box/role.result b/test/box/role.result
index 736ec85f9..806cea90b 100644
--- a/test/box/role.result
+++ b/test/box/role.result
@@ -662,7 +662,7 @@ box.session.su('john')
 -- error
 box.schema.user.grant('grantee', 'role')
 ---
-- error: Read access to space '_user' is denied for user 'john'
+- error: User 'grantee' is not found
 ...
 --
 box.session.su('admin')
diff --git a/test/box/transaction.result b/test/box/transaction.result
index 05803316d..2fb1abf7c 100644
--- a/test/box/transaction.result
+++ b/test/box/transaction.result
@@ -69,7 +69,7 @@ box.rollback();
 ...
 box.begin() box.schema.func.create('test');
 ---
-- error: Space _func does not support multi-statement transactions
+- error: A multi-statement transaction can not use multiple storage engines
 ...
 box.rollback();
 ---
@@ -83,7 +83,7 @@ box.rollback();
 ...
 box.begin() box.schema.user.grant('guest', 'read', 'space', '_priv');
 ---
-- error: Space _priv does not support multi-statement transactions
+- error: A multi-statement transaction can not use multiple storage engines
 ...
 box.rollback();
 ---
@@ -95,6 +95,20 @@ box.begin() box.space._user:delete{box.schema.GUEST_ID};
 box.rollback();
 ---
 ...
+box.begin() box.space._space:delete{box.schema.CLUSTER_ID};
+---
+- error: DDL does not support multi-statement transactions
+...
+box.rollback();
+---
+...
+box.begin() box.space._sequence:insert{1, 1, 'test', 1, 1, 2, 1, 0, false};
+---
+- error: Space _sequence does not support multi-statement transactions
+...
+box.rollback();
+---
+...
 box.begin() box.space._schema:insert{'test'};
 ---
 - error: Space _schema does not support multi-statement transactions
diff --git a/test/box/transaction.test.lua b/test/box/transaction.test.lua
index ca6de44a3..14d1a690d 100644
--- a/test/box/transaction.test.lua
+++ b/test/box/transaction.test.lua
@@ -38,6 +38,10 @@ box.begin() box.schema.user.grant('guest', 'read', 'space', '_priv');
 box.rollback();
 box.begin() box.space._user:delete{box.schema.GUEST_ID};
 box.rollback();
+box.begin() box.space._space:delete{box.schema.CLUSTER_ID};
+box.rollback();
+box.begin() box.space._sequence:insert{1, 1, 'test', 1, 1, 2, 1, 0, false};
+box.rollback();
 box.begin() box.space._schema:insert{'test'};
 box.rollback();
 box.begin() box.space._cluster:insert{123456789, 'abc'};
diff --git a/test/engine/iterator.result b/test/engine/iterator.result
index 423ed0b7b..ae14c4320 100644
--- a/test/engine/iterator.result
+++ b/test/engine/iterator.result
@@ -4211,7 +4211,7 @@ s:replace{35}
 ...
 state, value = gen(param,state)
 ---
-- error: 'builtin/box/schema.lua:985: usage: next(param, state)'
+- error: 'builtin/box/schema.lua:993: usage: next(param, state)'
 ...
 value
 ---
diff --git a/test/engine/savepoint.result b/test/engine/savepoint.result
index d440efa6b..dc2ad7986 100644
--- a/test/engine/savepoint.result
+++ b/test/engine/savepoint.result
@@ -14,7 +14,7 @@ s1 = box.savepoint()
 ...
 box.rollback_to_savepoint(s1)
 ---
-- error: 'builtin/box/schema.lua:300: Usage: box.rollback_to_savepoint(savepoint)'
+- error: 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)'
 ...
 box.begin() s1 = box.savepoint()
 ---
@@ -323,27 +323,27 @@ test_run:cmd("setopt delimiter ''");
 ok1, errmsg1
 ---
 - false
-- 'builtin/box/schema.lua:300: Usage: box.rollback_to_savepoint(savepoint)'
+- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)'
 ...
 ok2, errmsg2
 ---
 - false
-- 'builtin/box/schema.lua:300: Usage: box.rollback_to_savepoint(savepoint)'
+- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)'
 ...
 ok3, errmsg3
 ---
 - false
-- 'builtin/box/schema.lua:300: Usage: box.rollback_to_savepoint(savepoint)'
+- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)'
 ...
 ok4, errmsg4
 ---
 - false
-- 'builtin/box/schema.lua:300: Usage: box.rollback_to_savepoint(savepoint)'
+- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)'
 ...
 ok5, errmsg5
 ---
 - false
-- 'builtin/box/schema.lua:300: Usage: box.rollback_to_savepoint(savepoint)'
+- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)'
 ...
 s:select{}
 ---
-- 
2.17.1

             reply	other threads:[~2018-06-04 16:02 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-06-04 16:02 Georgy Kirichenko [this message]
2018-06-08  3:57 ` [tarantool-patches] " Konstantin Osipov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5aec875966ff843a32b03cf9d0e7c85e4fec7f20.1528128037.git.georgy@tarantool.org \
    --to=georgy@tarantool.org \
    --cc=imarkov@tarantool.org \
    --cc=tarantool-patches@freelists.org \
    --subject='Re: [tarantool-patches] [PATCH] security: Use system views instead of system spaces' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox