Tarantool development patches archive
From: Vladislav Shpilevoy <v.shpilevoy@tarantool.org>
To: tarantool-patches@freelists.org,
	Georgy Kirichenko <georgy@tarantool.org>
Cc: imarkov <imarkov@tarantool.org>
Subject: [tarantool-patches] Re: [PATCH 1/3] box: Add privileges constants to lua
Date: Fri, 8 Jun 2018 13:31:55 +0300	[thread overview]
Message-ID: <8c0e16df-52b5-d35c-0a82-27033a0e2ece@tarantool.org> (raw)
In-Reply-To: <8c9a6e9950b1e64b88a05cb64d8869d5c4a877c5.1528448404.git.georgy@tarantool.org>

Hello. Please, do not change older upgrade functions in
upgrade.lua. They are not executed on new versions, and
so _priv is not updated.

Because of such updates, the 1.8.2 and 1.8.4 upgrade to
2.1.0 now does not work.

On 08/06/2018 12:06, Georgy Kirichenko wrote:
> From: imarkov <imarkov@tarantool.org>
> 
> Add lua bindings of PRIV_XXX constants.
> 
> This patch helps to avoid using numerical constants of privileges
> in schema.lua code.
> 
> Relates #945
> ---
>   src/box/lua/schema.lua       | 67 ++++++++++++++++++++++++++++--------
>   src/box/lua/upgrade.lua      | 40 +++++++++++----------
>   test/box/misc.result         |  1 +
>   test/engine/iterator.result  |  2 +-
>   test/engine/savepoint.result | 12 +++----
>   5 files changed, 82 insertions(+), 40 deletions(-)
> 
> diff --git a/src/box/lua/schema.lua b/src/box/lua/schema.lua
> index d6d39170f..43c7d4e6b 100644
> --- a/src/box/lua/schema.lua
> +++ b/src/box/lua/schema.lua
> @@ -101,8 +101,47 @@ ffi.cdef[[
>   
>       void password_prepare(const char *password, int len,
>                             char *out, int out_len);
> +
> +    enum priv_type {
> +        PRIV_R = 1,
> +        PRIV_W = 2,
> +        PRIV_X = 4,
> +        PRIV_S = 8,
> +        PRIV_U = 16,
> +        PRIV_C = 32,
> +        PRIV_D = 64,
> +        PRIV_A = 128,
> +        PRIV_REFERENCE = 256,
> +        PRIV_TRIGGER = 512,
> +        PRIV_INSERT = 1024,
> +        PRIV_UPDATE = 2048,
> +        PRIV_DELETE = 4096,
> +        PRIV_GRANT = 8192,
> +        PRIV_REVOKE = 16384,
> +        PRIV_ALL  = 4294967295
> +    };
> +
>   ]]
>   
> +box.priv = {
> +    ["R"] = builtin.PRIV_R,
> +    ["W"] = builtin.PRIV_W,
> +    ["X"] = builtin.PRIV_X,
> +    ["S"] = builtin.PRIV_S,
> +    ["U"] = builtin.PRIV_U,
> +    ["C"] = builtin.PRIV_C,
> +    ["D"] = builtin.PRIV_D,
> +    ["A"] = builtin.PRIV_A,
> +    ["REFERENCE"] = builtin.PRIV_REFERENCE,
> +    ["TRIGGER"] = builtin.PRIV_TRIGGER,
> +    ["INSERT"] = builtin.PRIV_INSERT,
> +    ["UPDATE"] = builtin.PRIV_UPDATE,
> +    ["DELETE"] = builtin.PRIV_DELETE,
> +    ["GRANT"]= builtin.PRIV_GRANT,
> +    ["REVOKE"] = builtin.PRIV_REVOKE,
> +    ["ALL"] = builtin.PRIV_ALL
> +}
> +
>   local function user_or_role_resolve(user)
>       local _vuser = box.space[box.schema.VUSER_ID]
>       local tuple
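Review bot: the enum inside ffi.cdef re-declares the PRIV_* values by hand, so it must be kept in sync with the C definition it mirrors; if the C side ever renumbers a bit, this copy would silently make box.priv.X mean a different privilege than the one the server checks. Two further points on this hunk: PRIV_ALL = 4294967295 does not fit in a signed 32-bit int, so confirm how the FFI parser types that enumerator (if it were truncated to a signed int it would read back as -1 and the `{"|", 5, box.priv.ALL}` upsert further down would store a negative value rather than the all-bits mask); and box.priv is a plain mutable table that checked_privilege and privilege_name consult at call time, so consider exposing it read-only (for example a metatable whose __newindex raises). Minor: the spacing in `["GRANT"]= builtin.PRIV_GRANT` should match its neighbours.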
> @@ -1687,7 +1726,7 @@ end
>   
>   local function checked_privilege(privilege, object_type)
>       local priv_hex = privilege_resolve(privilege)
> -    if object_type == 'role' and priv_hex ~= 4 then
> +    if object_type == 'role' and priv_hex ~= box.priv.X then
>           box.error(box.error.UNSUPPORTED_ROLE_PRIV, privilege)
>       end
>       return priv_hex
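Review bot: priv_hex is a bit mask, not a hexadecimal value, and `priv_hex ~= box.priv.X` reads more clearly against a variable named priv_mask; a rename would be a small follow-up since privilege_resolve returns the same value either way.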
> @@ -1695,43 +1734,43 @@ end
>   
>   local function privilege_name(privilege)
>       local names = {}
> -    if bit.band(privilege, 1) ~= 0 then
> +    if bit.band(privilege, box.priv.R) ~= 0 then
>           table.insert(names, "read")
>       end
> -    if bit.band(privilege, 2) ~= 0 then
> +    if bit.band(privilege, box.priv.W) ~= 0 then
>           table.insert(names, "write")
>       end
> -    if bit.band(privilege, 4) ~= 0 then
> +    if bit.band(privilege, box.priv.X) ~= 0 then
>           table.insert(names, "execute")
>       end
> -    if bit.band(privilege, 8) ~= 0 then
> +    if bit.band(privilege, box.priv.S) ~= 0 then
>           table.insert(names, "session")
>       end
> -    if bit.band(privilege, 16) ~= 0 then
> +    if bit.band(privilege, box.priv.U) ~= 0 then
>           table.insert(names, "usage")
>       end
> -    if bit.band(privilege, 32) ~= 0 then
> +    if bit.band(privilege, box.priv.C) ~= 0 then
>           table.insert(names, "create")
>       end
> -    if bit.band(privilege, 64) ~= 0 then
> +    if bit.band(privilege, box.priv.D) ~= 0 then
>           table.insert(names, "drop")
>       end
> -    if bit.band(privilege, 128) ~= 0 then
> +    if bit.band(privilege, box.priv.A) ~= 0 then
>           table.insert(names, "alter")
>       end
> -    if bit.band(privilege, 256) ~= 0 then
> +    if bit.band(privilege, box.priv.REFERENCE) ~= 0 then
>           table.insert(names, "reference")
>       end
> -    if bit.band(privilege, 512) ~= 0 then
> +    if bit.band(privilege, box.priv.TRIGGER) ~= 0 then
>           table.insert(names, "trigger")
>       end
> -    if bit.band(privilege, 1024) ~= 0 then
> +    if bit.band(privilege, box.priv.INSERT) ~= 0 then
>           table.insert(names, "insert")
>       end
> -    if bit.band(privilege, 2048) ~= 0 then
> +    if bit.band(privilege, box.priv.UPDATE) ~= 0 then
>           table.insert(names, "update")
>       end
> -    if bit.band(privilege, 4096) ~= 0 then
> +    if bit.band(privilege, box.priv.DELETE) ~= 0 then
>           table.insert(names, "delete")
>       end
>       return table.concat(names, ",")
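Review bot: box.priv defines GRANT and REVOKE, but privilege_name still has no branch for them, so a mask containing those bits is rendered with those privileges missing from the name; either add the two branches or document why they are intentionally omitted. Style: these thirteen identical if-blocks would collapse into one loop over an ordered list of {box.priv.R, "read"} pairs, which also makes it impossible to forget a newly added bit.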
> diff --git a/src/box/lua/upgrade.lua b/src/box/lua/upgrade.lua
> index 589161944..0293f6ef8 100644
> --- a/src/box/lua/upgrade.lua
> +++ b/src/box/lua/upgrade.lua
> @@ -211,11 +211,11 @@ local function initial()
>       log.info("create role public")
>       _user:insert{PUBLIC, ADMIN, 'public', 'role'}
>       log.info("grant read,write,execute on universe to admin")
> -    _priv:insert{ADMIN, ADMIN, 'universe', 0, 7}
> +    _priv:insert{ADMIN, ADMIN, 'universe', 0, box.priv.R + box.priv.W + box.priv.X}
>   
>       -- grant role 'public' to 'guest'
>       log.info("grant role public to guest")
> -    _priv:insert{ADMIN, GUEST, 'role', PUBLIC, 4}
> +    _priv:insert{ADMIN, GUEST, 'role', PUBLIC, box.priv.X}
>   
>       log.info("set max_id to box.schema.SYSTEM_ID_MAX")
>       _schema:insert{'max_id', box.schema.SYSTEM_ID_MAX}
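Review bot: initial() is a historical bootstrap/upgrade step, and the reply above asks that such older upgrade functions not be changed. Beyond that, box.priv is defined in schema.lua while this code lives in upgrade.lua; confirm that schema.lua is loaded before initial() can run, because if box.priv is nil here the first insert fails with an 'attempt to index' error instead of granting admin anything. `box.priv.R + box.priv.W + box.priv.X` is correct for disjoint bits (1 + 2 + 4 = 7), but bit.bor reads as a mask and cannot double-count if a constant is ever repeated.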
> @@ -406,7 +406,7 @@ local function create_sysview(source_id, target_id)
>       -- public can read system views
>       if box.space._priv.index.primary:count({PUBLIC, 'space', target_id}) == 0 then
>           log.info("grant read access to 'public' role for %s view", def[3])
> -        box.space._priv:insert({1, PUBLIC, 'space', target_id, 1})
> +        box.space._priv:insert({1, PUBLIC, 'space', target_id, box.priv.R})
>       end
>   end
>   
> @@ -416,16 +416,17 @@ local function upgrade_users_to_1_6_8()
>           local RPL_ID = box.space._user:auto_increment{ADMIN, 'replication', 'role'}[1]
>           -- replication can read the entire universe
>           log.info("grant read on universe to replication")
> -        box.space._priv:replace{1, RPL_ID, 'universe', 0, 1}
> +        box.space._priv:replace{1, RPL_ID, 'universe', 0, box.priv.R}
>           -- replication can append to '_cluster' system space
>           log.info("grant write on space _cluster to replication")
> -        box.space._priv:replace{1, RPL_ID, 'space', box.space._cluster.id, 2}
> +        box.space._priv:replace{1, RPL_ID, 'space', box.space._cluster.id, box.priv.W}
>       end
>   
>       if box.space._priv.index.primary:count({ADMIN, 'universe', 0}) == 0 then
>           -- grant admin access to the universe
>           log.info("grant all on universe to admin")
> -        box.space._priv:insert{ADMIN, ADMIN, 'universe', 0, 7}
> +        box.space._priv:insert{ADMIN, ADMIN, 'universe', 0, box.priv.R +
> +                                                        box.priv.W + box.priv.X}
>       end
>   
>       if box.space._func.index.name:count("box.schema.user.info") == 0 then
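Review bot: the log line says "grant all on universe to admin" while the mask is box.priv.R + box.priv.W + box.priv.X (7, as before); now that box.priv.ALL exists the mismatch stands out, so the log message should say read,write,execute like the one in initial(), rather than the grant being widened inside an old upgrade step.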
> @@ -435,7 +436,7 @@ local function upgrade_users_to_1_6_8()
>   
>           -- grant 'public' role access to 'box.schema.user.info' function
>           log.info('grant execute on function "box.schema.user.info" to public')
> -        box.space._priv:replace{ADMIN, PUBLIC, 'function', 1, 4}
> +        box.space._priv:replace{ADMIN, PUBLIC, 'function', 1, box.priv.X}
>       end
>   end
>   
> @@ -555,7 +556,7 @@ local function create_truncate_space()
>       box.space._index:insert{_truncate.id, 0, 'primary', 'tree', {unique = true}, {{0, 'unsigned'}}}
>   
>       local _priv = box.space[box.schema.PRIV_ID]
> -    _priv:insert{ADMIN, PUBLIC, 'space', _truncate.id, 2}
> +    _priv:insert{ADMIN, PUBLIC, 'space', _truncate.id, box.priv.W}
>   end
>   
>   local function update_existing_users_to_1_7_5()
> @@ -809,20 +810,20 @@ local function initial_1_7_5()
>       -- Create grants
>       --
>       log.info("grant read,write,execute on universe to admin")
> -    _priv:insert{ADMIN, ADMIN, 'universe', 0, 7}
> +    _priv:insert{ADMIN, ADMIN, 'universe', 0, box.priv.R + box.priv.W + box.priv.X}
>   
>       -- grant role 'public' to 'guest'
>       log.info("grant role public to guest")
> -    _priv:insert{ADMIN, GUEST, 'role', PUBLIC, 4}
> +    _priv:insert{ADMIN, GUEST, 'role', PUBLIC, box.priv.X}
>   
>       -- replication can read the entire universe
>       log.info("grant read on universe to replication")
> -    _priv:replace{ADMIN, REPLICATION, 'universe', 0, 1}
> +    _priv:replace{ADMIN, REPLICATION, 'universe', 0, box.priv.R}
>       -- replication can append to '_cluster' system space
>       log.info("grant write on space _cluster to replication")
> -    _priv:replace{ADMIN, REPLICATION, 'space', _cluster.id, 2}
> +    _priv:replace{ADMIN, REPLICATION, 'space', _cluster.id, box.priv.W}
>   
> -    _priv:insert{ADMIN, PUBLIC, 'space', _truncate.id, 2}
> +    _priv:insert{ADMIN, PUBLIC, 'space', _truncate.id, box.priv.W}
>   
>       -- create "box.schema.user.info" function
>       log.info('create function "box.schema.user.info" with setuid')
> @@ -830,7 +831,7 @@ local function initial_1_7_5()
>   
>       -- grant 'public' role access to 'box.schema.user.info' function
>       log.info('grant execute on function "box.schema.user.info" to public')
> -    _priv:replace{ADMIN, PUBLIC, 'function', 1, 4}
> +    _priv:replace{ADMIN, PUBLIC, 'function', 1, box.priv.X}
>   
>       log.info("set max_id to box.schema.SYSTEM_ID_MAX")
>       _schema:insert{'max_id', box.schema.SYSTEM_ID_MAX}
> @@ -904,7 +905,7 @@ local function create_collation_space()
>       box.space._collation:replace{2, "unicode_ci", ADMIN, "ICU", "", {strength='primary'}}
>   
>       local _priv = box.space[box.schema.PRIV_ID]
> -    _priv:insert{ADMIN, PUBLIC, 'space', _collation.id, 2}
> +    _priv:insert{ADMIN, PUBLIC, 'space', _collation.id, box.priv.W}
>   end
>   
>   local function upgrade_to_1_7_6()
> @@ -924,7 +925,8 @@ local function upgrade_to_1_7_7()
>       --
>       for _, v in _user:pairs() do
>           if v[4] ~= "role" then
> -            _priv:upsert({ADMIN, v[1], "universe", 0, 24}, {{"|", 5, 24}})
> +            _priv:upsert({ADMIN, v[1], "universe", 0, box.priv.S + box.priv.U},
> +                                                {{"|", 5, box.priv.S + box.priv.U}})
>           end
>       end
>       --
> @@ -935,14 +937,14 @@ local function upgrade_to_1_7_7()
>       --
>       for _, v in _priv.index.object:pairs{'universe'} do
>           if bit.band(v[5], 1) ~= 0 and bit.band(v[5], 2) ~= 0 then
> -            _priv:update({v[2], v[3], v[4]}, {{ "|", 5, 32}})
> +            _priv:update({v[2], v[3], v[4]}, {{ "|", 5, box.priv.C}})
>           end
>       end
>       -- grant admin all new privileges (session, usage, grant option,
>       -- create, alter, drop and anything that might come up in the future
>       --
> -    _priv:upsert({ADMIN, ADMIN, 'universe', 0, 4294967295},
> -                 {{ "|", 5, 4294967295}})
> +    _priv:upsert({ADMIN, ADMIN, 'universe', 0, box.priv.ALL},
> +                 {{ "|", 5, box.priv.ALL}})
>       --
>       -- create role 'super' and grant it all privileges on universe
>       --
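Review bot: the context line `if bit.band(v[5], 1) ~= 0 and bit.band(v[5], 2) ~= 0 then` still uses the raw 1 and 2 while the update just below it was converted to box.priv.C; for consistency with the purpose of this patch those should be box.priv.R and box.priv.W.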
> diff --git a/test/box/misc.result b/test/box/misc.result
> index 8f94f5513..c6e4917bf 100644
> --- a/test/box/misc.result
> +++ b/test/box/misc.result
> @@ -68,6 +68,7 @@ t
>     - info
>     - internal
>     - once
> +  - priv
>     - rollback
>     - rollback_to_savepoint
>     - runtime
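Review bot: listing priv in the box namespace makes box.priv public API; the commit message should say so and the documentation should follow, since users will now depend on these names and their values.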
> diff --git a/test/engine/iterator.result b/test/engine/iterator.result
> index ae14c4320..1bde10eaf 100644
> --- a/test/engine/iterator.result
> +++ b/test/engine/iterator.result
> @@ -4211,7 +4211,7 @@ s:replace{35}
>   ...
>   state, value = gen(param,state)
>   ---
> -- error: 'builtin/box/schema.lua:993: usage: next(param, state)'
> +- error: 'builtin/box/schema.lua:1032: usage: next(param, state)'
>   ...
>   value
>   ---
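Review bot: the expected error text embeds a schema.lua source line (993 becomes 1032 here), so this .result changes on every edit above that point in schema.lua; consider matching only the 'usage: next(param, state)' part so unrelated patches do not churn test expectations.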
> diff --git a/test/engine/savepoint.result b/test/engine/savepoint.result
> index dc2ad7986..a62a2e135 100644
> --- a/test/engine/savepoint.result
> +++ b/test/engine/savepoint.result
> @@ -14,7 +14,7 @@ s1 = box.savepoint()
>   ...
>   box.rollback_to_savepoint(s1)
>   ---
> -- error: 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)'
> +- error: 'builtin/box/schema.lua:340: Usage: box.rollback_to_savepoint(savepoint)'
>   ...
>   box.begin() s1 = box.savepoint()
>   ---
> @@ -323,27 +323,27 @@ test_run:cmd("setopt delimiter ''");
>   ok1, errmsg1
>   ---
>   - false
> -- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)'
> +- 'builtin/box/schema.lua:340: Usage: box.rollback_to_savepoint(savepoint)'
>   ...
>   ok2, errmsg2
>   ---
>   - false
> -- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)'
> +- 'builtin/box/schema.lua:340: Usage: box.rollback_to_savepoint(savepoint)'
>   ...
>   ok3, errmsg3
>   ---
>   - false
> -- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)'
> +- 'builtin/box/schema.lua:340: Usage: box.rollback_to_savepoint(savepoint)'
>   ...
>   ok4, errmsg4
>   ---
>   - false
> -- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)'
> +- 'builtin/box/schema.lua:340: Usage: box.rollback_to_savepoint(savepoint)'
>   ...
>   ok5, errmsg5
>   ---
>   - false
> -- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)'
> +- 'builtin/box/schema.lua:340: Usage: box.rollback_to_savepoint(savepoint)'
>   ...
>   s:select{}
>   ---
> 


Thread overview: 8+ messages
2018-06-08  9:06 [tarantool-patches] [PATCH 0/3] Object group privileges Georgy Kirichenko
2018-06-08  9:06 ` [tarantool-patches] [PATCH 1/3] box: Add privileges constants to lua Georgy Kirichenko
2018-06-08 10:31   ` Vladislav Shpilevoy [this message]
2018-06-08 13:20     ` [tarantool-patches] " Konstantin Osipov
2018-06-08  9:06 ` [tarantool-patches] [PATCH 2/3] security: add limits on object_type-privilege pair Georgy Kirichenko
2018-06-08 14:01   ` [tarantool-patches] " Konstantin Osipov
2018-06-08  9:06 ` [tarantool-patches] [PATCH 3/3] Introduce privileges for object groups Georgy Kirichenko
2018-06-08 17:26   ` [tarantool-patches] " Konstantin Osipov
