From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from localhost (localhost [127.0.0.1]) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id 8FBD02609A for ; Fri, 8 Jun 2018 06:32:00 -0400 (EDT) Received: from turing.freelists.org ([127.0.0.1]) by localhost (turing.freelists.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S0SnCc-HdBPB for ; Fri, 8 Jun 2018 06:32:00 -0400 (EDT) Received: from smtp16.mail.ru (smtp16.mail.ru [94.100.176.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTPS id A40ED26099 for ; Fri, 8 Jun 2018 06:31:59 -0400 (EDT) Subject: [tarantool-patches] Re: [PATCH 1/3] box: Add privilleges constants to lua References: <8c9a6e9950b1e64b88a05cb64d8869d5c4a877c5.1528448404.git.georgy@tarantool.org> From: Vladislav Shpilevoy Message-ID: <8c0e16df-52b5-d35c-0a82-27033a0e2ece@tarantool.org> Date: Fri, 8 Jun 2018 13:31:55 +0300 MIME-Version: 1.0 In-Reply-To: <8c9a6e9950b1e64b88a05cb64d8869d5c4a877c5.1528448404.git.georgy@tarantool.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: tarantool-patches-bounce@freelists.org Errors-to: tarantool-patches-bounce@freelists.org Reply-To: tarantool-patches@freelists.org List-help: List-unsubscribe: List-software: Ecartis version 1.0.0 List-Id: tarantool-patches List-subscribe: List-owner: List-post: List-archive: To: tarantool-patches@freelists.org, Georgy Kirichenko Cc: imarkov Hello. Please, do not change older upgrade functions in upgrade.lua. They are not executed on new versions, and so _priv is not updated. Because of such updates now 1.8.2 and 1.8.4 upgrade to 2.1.0 does not work. On 08/06/2018 12:06, Georgy Kirichenko wrote: 
> From: imarkov
>
> Add lua bindings of PRIV_XXX constants.
>
> This patch helps to avoid using numerical constants of privilleges
> in schema.lua code.
>
> Relates #945
> ---
> src/box/lua/schema.lua | 67 ++++++++++++++++++++++++++++--------
> src/box/lua/upgrade.lua | 40 +++++++++++----------
> test/box/misc.result | 1 +
> test/engine/iterator.result | 2 +-
> test/engine/savepoint.result | 12 +++---
> 5 files changed, 82 insertions(+), 40 deletions(-)
>
> diff --git a/src/box/lua/schema.lua b/src/box/lua/schema.lua
> index d6d39170f..43c7d4e6b 100644
> --- a/src/box/lua/schema.lua
> +++ b/src/box/lua/schema.lua
> @@ -101,8 +101,47 @@ ffi.cdef[[
>
> void password_prepare(const char *password, int len,
> char *out, int out_len);
> +
> + enum priv_type {
> + PRIV_R = 1,
> + PRIV_W = 2,
> + PRIV_X = 4,
> + PRIV_S = 8,
> + PRIV_U = 16,
> + PRIV_C = 32,
> + PRIV_D = 64,
> + PRIV_A = 128,
> + PRIV_REFERENCE = 256,
> + PRIV_TRIGGER = 512,
> + PRIV_INSERT = 1024,
> + PRIV_UPDATE = 2048,
> + PRIV_DELETE = 4096,
> + PRIV_GRANT = 8192,
> + PRIV_REVOKE = 16384,
> + PRIV_ALL = 4294967295
> + };
> +
> ]]
>
> +box.priv = {
> + ["R"] = builtin.PRIV_R,
> + ["W"] = builtin.PRIV_W,
> + ["X"] = builtin.PRIV_X,
> + ["S"] = builtin.PRIV_S,
> + ["U"] = builtin.PRIV_U,
> + ["C"] = builtin.PRIV_C,
> + ["D"] = builtin.PRIV_D,
> + ["A"] = builtin.PRIV_A,
> + ["REFERENCE"] = builtin.PRIV_REFERENCE,
> + ["TRIGGER"] = builtin.PRIV_TRIGGER,
> + ["INSERT"] = builtin.PRIV_INSERT,
> + ["UPDATE"] = builtin.PRIV_UPDATE,
> + ["DELETE"] = builtin.PRIV_DELETE,
> + ["GRANT"]= builtin.PRIV_GRANT,
> + ["REVOKE"] = builtin.PRIV_REVOKE,
> + ["ALL"] = builtin.PRIV_ALL
> +}
> +
> local function user_or_role_resolve(user)
> local _vuser = box.space[box.schema.VUSER_ID]
> local tuple
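Review bot: The `enum priv_type` block added inside the `ffi.cdef` string is a hand-copied list of literal values, and LuaJIT resolves `builtin.PRIV_R` and friends from that text rather than from the running server, so a renumbered or newly added PRIV_* bit on the C side leaves `box.priv` silently stale while `checked_privilege` and the upgrade code keep comparing against the old numbers. At minimum the block wants a comment naming the C definition it mirrors, e.g. `-- Copy of enum priv_type from the C sources; the two lists must be kept in sync.`, and a test pinning `box.priv` against the expected bit values would catch drift. `box.priv` is also an ordinary table, so any Lua code can reassign `box.priv.X` and change what schema.lua later treats as the execute bit; whether that matters for this module I cannot tell from the hunk, but a read-only metatable would remove the question. Minor: `["GRANT"]= builtin.PRIV_GRANT` lacks the space before `=` that the neighbouring entries have.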
> @@ -1687,7 +1726,7 @@ end
>
> local function checked_privilege(privilege, object_type)
> local priv_hex = privilege_resolve(privilege)
> - if object_type == 'role' and priv_hex ~= 4 then
> + if object_type == 'role' and priv_hex ~= box.priv.X then
> box.error(box.error.UNSUPPORTED_ROLE_PRIV, privilege)
> end
> return priv_hex
> @@ -1695,43 +1734,43 @@ end
>
> local function privilege_name(privilege)
> local names = {}
> - if bit.band(privilege, 1) ~= 0 then
> + if bit.band(privilege, box.priv.R) ~= 0 then
> table.insert(names, "read")
> end
> - if bit.band(privilege, 2) ~= 0 then
> + if bit.band(privilege, box.priv.W) ~= 0 then
> table.insert(names, "write")
> end
> - if bit.band(privilege, 4) ~= 0 then
> + if bit.band(privilege, box.priv.X) ~= 0 then
> table.insert(names, "execute")
> end
> - if bit.band(privilege, 8) ~= 0 then
> + if bit.band(privilege, box.priv.S) ~= 0 then
> table.insert(names, "session")
> end
> - if bit.band(privilege, 16) ~= 0 then
> + if bit.band(privilege, box.priv.U) ~= 0 then
> table.insert(names, "usage")
> end
> - if bit.band(privilege, 32) ~= 0 then
> + if bit.band(privilege, box.priv.C) ~= 0 then
> table.insert(names, "create")
> end
> - if bit.band(privilege, 64) ~= 0 then
> + if bit.band(privilege, box.priv.D) ~= 0 then
> table.insert(names, "drop")
> end
> - if bit.band(privilege, 128) ~= 0 then
> + if bit.band(privilege, box.priv.A) ~= 0 then
> table.insert(names, "alter")
> end
> - if bit.band(privilege, 256) ~= 0 then
> + if bit.band(privilege, box.priv.REFERENCE) ~= 0 then
> table.insert(names, "reference")
> end
> - if bit.band(privilege, 512) ~= 0 then
> + if bit.band(privilege, box.priv.TRIGGER) ~= 0 then
> table.insert(names, "trigger")
> end
> - if bit.band(privilege, 1024) ~= 0 then
> + if bit.band(privilege, box.priv.INSERT) ~= 0 then
> table.insert(names, "insert")
> end
> - if bit.band(privilege, 2048) ~= 0 then
> + if bit.band(privilege, box.priv.UPDATE) ~= 0 then
> table.insert(names, "update")
> end
> - if bit.band(privilege, 4096) ~= 0 then
> + if bit.band(privilege, box.priv.DELETE) ~= 0 then
> table.insert(names, "delete")
> end
> return table.concat(names, ",")
> diff --git a/src/box/lua/upgrade.lua b/src/box/lua/upgrade.lua
> index 589161944..0293f6ef8 100644
> --- a/src/box/lua/upgrade.lua
> +++ b/src/box/lua/upgrade.lua
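Review bot: `privilege_name` still spells its bit-to-name mapping out as thirteen near-identical `if bit.band(privilege, box.priv.X) ~= 0 then` blocks; now that `box.priv` exists the mapping fits one ordered table that is iterated, which keeps the function visibly aligned with `box.priv` and makes any omission obvious. As written the function emits no name for `box.priv.GRANT` or `box.priv.REVOKE`, both of which this patch exposes; whether they should render I cannot decide from the hunk, but with the table form that becomes a one-line change. The table below keeps the current `read,write,execute,...` output order; it could equally live at module level next to `box.priv` so it is not rebuilt per call. The function's closing `end` lies outside the hunk.
```lua
local function privilege_name(privilege)
    local names = {}
    -- Ordered to preserve the existing output order of the names.
    local priv_names = {
        {box.priv.R, "read"}, {box.priv.W, "write"}, {box.priv.X, "execute"},
        {box.priv.S, "session"}, {box.priv.U, "usage"}, {box.priv.C, "create"},
        {box.priv.D, "drop"}, {box.priv.A, "alter"},
        {box.priv.REFERENCE, "reference"}, {box.priv.TRIGGER, "trigger"},
        {box.priv.INSERT, "insert"}, {box.priv.UPDATE, "update"},
        {box.priv.DELETE, "delete"},
    }
    for _, entry in ipairs(priv_names) do
        if bit.band(privilege, entry[1]) ~= 0 then
            table.insert(names, entry[2])
        end
    end
    return table.concat(names, ",")
```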
> @@ -211,11 +211,11 @@ local function initial()
> log.info("create role public")
> _user:insert{PUBLIC, ADMIN, 'public', 'role'}
> log.info("grant read,write,execute on universe to admin")
> - _priv:insert{ADMIN, ADMIN, 'universe', 0, 7}
> + _priv:insert{ADMIN, ADMIN, 'universe', 0, box.priv.R + box.priv.W + box.priv.X}
>
> -- grant role 'public' to 'guest'
> log.info("grant role public to guest")
> - _priv:insert{ADMIN, GUEST, 'role', PUBLIC, 4}
> + _priv:insert{ADMIN, GUEST, 'role', PUBLIC, box.priv.X}
>
> log.info("set max_id to box.schema.SYSTEM_ID_MAX")
> _schema:insert{'max_id', box.schema.SYSTEM_ID_MAX}
> @@ -406,7 +406,7 @@ local function create_sysview(source_id, target_id)
> -- public can read system views
> if box.space._priv.index.primary:count({PUBLIC, 'space', target_id}) == 0 then
> log.info("grant read access to 'public' role for %s view", def[3])
> - box.space._priv:insert({1, PUBLIC, 'space', target_id, 1})
> + box.space._priv:insert({1, PUBLIC, 'space', target_id, box.priv.R})
> end
> end
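Review bot: The privilege masks in the new lines are built with arithmetic `+`, as in `box.priv.R + box.priv.W + box.priv.X`, which only equals the intended bitmask while every operand is a distinct single bit and silently produces a wrong mask if a flag is ever repeated or a combined value such as `box.priv.ALL` is mixed in. `bit.bor(box.priv.R, box.priv.W, box.priv.X)` states the intent and pairs with the `bit.band` these files already use to test bits. The same applies to the `upgrade_users_to_1_6_8`, `initial_1_7_5` and `upgrade_to_1_7_7` hunks further down. `initial()` starts before this hunk and continues after it.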
>
> @@ -416,16 +416,17 @@ local function upgrade_users_to_1_6_8()
> local RPL_ID = box.space._user:auto_increment{ADMIN, 'replication', 'role'}[1]
> -- replication can read the entire universe
> log.info("grant read on universe to replication")
> - box.space._priv:replace{1, RPL_ID, 'universe', 0, 1}
> + box.space._priv:replace{1, RPL_ID, 'universe', 0, box.priv.R}
> -- replication can append to '_cluster' system space
> log.info("grant write on space _cluster to replication")
> - box.space._priv:replace{1, RPL_ID, 'space', box.space._cluster.id, 2}
> + box.space._priv:replace{1, RPL_ID, 'space', box.space._cluster.id, box.priv.W}
> end
>
> if box.space._priv.index.primary:count({ADMIN, 'universe', 0}) == 0 then
> -- grant admin access to the universe
> log.info("grant all on universe to admin")
> - box.space._priv:insert{ADMIN, ADMIN, 'universe', 0, 7}
> + box.space._priv:insert{ADMIN, ADMIN, 'universe', 0, box.priv.R +
> + box.priv.W + box.priv.X}
> end
>
> if box.space._func.index.name:count("box.schema.user.info") == 0 then
> @@ -435,7 +436,7 @@ local function upgrade_users_to_1_6_8()
>
> -- grant 'public' role access to 'box.schema.user.info' function
> log.info('grant execute on function "box.schema.user.info" to public')
> - box.space._priv:replace{ADMIN, PUBLIC, 'function', 1, 4}
> + box.space._priv:replace{ADMIN, PUBLIC, 'function', 1, box.priv.X}
> end
> end
>
> @@ -555,7 +556,7 @@ local function create_truncate_space()
> box.space._index:insert{_truncate.id, 0, 'primary', 'tree', {unique = true}, {{0, 'unsigned'}}}
>
> local _priv = box.space[box.schema.PRIV_ID]
> - _priv:insert{ADMIN, PUBLIC, 'space', _truncate.id, 2}
> + _priv:insert{ADMIN, PUBLIC, 'space', _truncate.id, box.priv.W}
> end
>
> local function update_existing_users_to_1_7_5()
> @@ -809,20 +810,20 @@ local function initial_1_7_5()
> -- Create grants
> --
> log.info("grant read,write,execute on universe to admin")
> - _priv:insert{ADMIN, ADMIN, 'universe', 0, 7}
> + _priv:insert{ADMIN, ADMIN, 'universe', 0, box.priv.R + box.priv.W + box.priv.X}
>
> -- grant role 'public' to 'guest'
> log.info("grant role public to guest")
> - _priv:insert{ADMIN, GUEST, 'role', PUBLIC, 4}
> + _priv:insert{ADMIN, GUEST, 'role', PUBLIC, box.priv.X}
>
> -- replication can read the entire universe
> log.info("grant read on universe to replication")
> - _priv:replace{ADMIN, REPLICATION, 'universe', 0, 1}
> + _priv:replace{ADMIN, REPLICATION, 'universe', 0, box.priv.R}
> -- replication can append to '_cluster' system space
> log.info("grant write on space _cluster to replication")
> - _priv:replace{ADMIN, REPLICATION, 'space', _cluster.id, 2}
> + _priv:replace{ADMIN, REPLICATION, 'space', _cluster.id, box.priv.W}
>
> - _priv:insert{ADMIN, PUBLIC, 'space', _truncate.id, 2}
> + _priv:insert{ADMIN, PUBLIC, 'space', _truncate.id, box.priv.W}
>
> -- create "box.schema.user.info" function
> log.info('create function "box.schema.user.info" with setuid')
> @@ -830,7 +831,7 @@ local function initial_1_7_5()
>
> -- grant 'public' role access to 'box.schema.user.info' function
> log.info('grant execute on function "box.schema.user.info" to public')
> - _priv:replace{ADMIN, PUBLIC, 'function', 1, 4}
> + _priv:replace{ADMIN, PUBLIC, 'function', 1, box.priv.X}
>
> log.info("set max_id to box.schema.SYSTEM_ID_MAX")
> _schema:insert{'max_id', box.schema.SYSTEM_ID_MAX}
> @@ -904,7 +905,7 @@ local function create_collation_space()
> box.space._collation:replace{2, "unicode_ci", ADMIN, "ICU", "", {strength='primary'}}
>
> local _priv = box.space[box.schema.PRIV_ID]
> - _priv:insert{ADMIN, PUBLIC, 'space', _collation.id, 2}
> + _priv:insert{ADMIN, PUBLIC, 'space', _collation.id, box.priv.W}
> end
>
> local function upgrade_to_1_7_6()
> @@ -924,7 +925,8 @@ local function upgrade_to_1_7_7()
> --
> for _, v in _user:pairs() do
> if v[4] ~= "role" then
> - _priv:upsert({ADMIN, v[1], "universe", 0, 24}, {{"|", 5, 24}})
> + _priv:upsert({ADMIN, v[1], "universe", 0, box.priv.S + box.priv.U},
> + {{"|", 5, box.priv.S + box.priv.U}})
> end
> end
> --
> @@ -935,14 +937,14 @@ local function upgrade_to_1_7_7()
> --
> for _, v in _priv.index.object:pairs{'universe'} do
> if bit.band(v[5], 1) ~= 0 and bit.band(v[5], 2) ~= 0 then
> - _priv:update({v[2], v[3], v[4]}, {{ "|", 5, 32}})
> + _priv:update({v[2], v[3], v[4]}, {{ "|", 5, box.priv.C}})
> end
> end
> -- grant admin all new privileges (session, usage, grant option,
> -- create, alter, drop and anything that might come up in the future
> --
> - _priv:upsert({ADMIN, ADMIN, 'universe', 0, 4294967295},
> - {{ "|", 5, 4294967295}})
> + _priv:upsert({ADMIN, ADMIN, 'universe', 0, box.priv.ALL},
> + {{ "|", 5, box.priv.ALL}})
> --
> -- create role 'super' and grant it all privileges on universe
> --
> diff --git a/test/box/misc.result b/test/box/misc.result
> index 8f94f5513..c6e4917bf 100644
> --- a/test/box/misc.result
> +++ b/test/box/misc.result
> @@ -68,6 +68,7 @@ t
> - info
> - internal
> - once
> + - priv
> - rollback
> - rollback_to_savepoint
> - runtime
> diff --git a/test/engine/iterator.result b/test/engine/iterator.result
> index ae14c4320..1bde10eaf 100644
> --- a/test/engine/iterator.result
> +++ b/test/engine/iterator.result
> @@ -4211,7 +4211,7 @@ s:replace{35}
> ...
> state, value = gen(param,state)
> ---
> -- error: 'builtin/box/schema.lua:993: usage: next(param, state)'
> +- error: 'builtin/box/schema.lua:1032: usage: next(param, state)'
> ...
> value
> ---
> diff --git a/test/engine/savepoint.result b/test/engine/savepoint.result
> index dc2ad7986..a62a2e135 100644
> --- a/test/engine/savepoint.result
> +++ b/test/engine/savepoint.result
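Review bot: In the second `upgrade_to_1_7_7` hunk the condition `if bit.band(v[5], 1) ~= 0 and bit.band(v[5], 2) ~= 0 then` keeps the raw read and write bits while the `_priv:update` directly beneath it was converted to `box.priv.C`, so the hunk leaves in place exactly the magic numbers the patch sets out to remove; it should read `if bit.band(v[5], box.priv.R) ~= 0 and bit.band(v[5], box.priv.W) ~= 0 then`. The `misc.result` and `iterator.result` hunks on this line are expected-output updates and need nothing. `upgrade_to_1_7_7` begins before the first hunk and continues after the second.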
> @@ -14,7 +14,7 @@ s1 = box.savepoint()
> ...
> box.rollback_to_savepoint(s1)
> ---
> -- error: 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)'
> +- error: 'builtin/box/schema.lua:340: Usage: box.rollback_to_savepoint(savepoint)'
> ...
> box.begin() s1 = box.savepoint()
> ---
> @@ -323,27 +323,27 @@ test_run:cmd("setopt delimiter ''");
> ok1, errmsg1
> ---
> - false
> -- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)'
> +- 'builtin/box/schema.lua:340: Usage: box.rollback_to_savepoint(savepoint)'
> ...
> ok2, errmsg2
> ---
> - false
> -- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)'
> +- 'builtin/box/schema.lua:340: Usage: box.rollback_to_savepoint(savepoint)'
> ...
> ok3, errmsg3
> ---
> - false
> -- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)'
> +- 'builtin/box/schema.lua:340: Usage: box.rollback_to_savepoint(savepoint)'
> ...
> ok4, errmsg4
> ---
> - false
> -- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)'
> +- 'builtin/box/schema.lua:340: Usage: box.rollback_to_savepoint(savepoint)'
> ...
> ok5, errmsg5
> ---
> - false
> -- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)'
> +- 'builtin/box/schema.lua:340: Usage: box.rollback_to_savepoint(savepoint)'
> ...
> s:select{}
> ---
>