From: Georgy Kirichenko <georgy@tarantool.org> To: tarantool-patches@freelists.org Cc: imarkov <imarkov@tarantool.org> Subject: [tarantool-patches] [PATCH 1/3] box: Add privilleges constants to lua Date: Fri, 8 Jun 2018 12:06:32 +0300 [thread overview] Message-ID: <8c9a6e9950b1e64b88a05cb64d8869d5c4a877c5.1528448404.git.georgy@tarantool.org> (raw) In-Reply-To: <cover.1528448404.git.georgy@tarantool.org> In-Reply-To: <cover.1528448404.git.georgy@tarantool.org> From: imarkov <imarkov@tarantool.org> Add lua bindings of PRIV_XXX constants. This patch helps to avoid using numeric privilege constants in schema.lua code. Relates #945 --- src/box/lua/schema.lua | 67 ++++++++++++++++++++++++++++-------- src/box/lua/upgrade.lua | 40 +++++++++++---------- test/box/misc.result | 1 + test/engine/iterator.result | 2 +- test/engine/savepoint.result | 12 +++---- 5 files changed, 82 insertions(+), 40 deletions(-) diff --git a/src/box/lua/schema.lua b/src/box/lua/schema.lua index d6d39170f..43c7d4e6b 100644 --- a/src/box/lua/schema.lua +++ b/src/box/lua/schema.lua 
@@ -101,8 +101,47 @@ ffi.cdef[[ void password_prepare(const char *password, int len, char *out, int out_len); + + enum priv_type { + PRIV_R = 1, + PRIV_W = 2, + PRIV_X = 4, + PRIV_S = 8, + PRIV_U = 16, + PRIV_C = 32, + PRIV_D = 64, + PRIV_A = 128, + PRIV_REFERENCE = 256, + PRIV_TRIGGER = 512, + PRIV_INSERT = 1024, + PRIV_UPDATE = 2048, + PRIV_DELETE = 4096, + PRIV_GRANT = 8192, + PRIV_REVOKE = 16384, + PRIV_ALL = 4294967295 + }; + ]] +box.priv = { + ["R"] = builtin.PRIV_R, + ["W"] = builtin.PRIV_W, + ["X"] = builtin.PRIV_X, + ["S"] = builtin.PRIV_S, + ["U"] = builtin.PRIV_U, + ["C"] = builtin.PRIV_C, + ["D"] = builtin.PRIV_D, + ["A"] = builtin.PRIV_A, + ["REFERENCE"] = builtin.PRIV_REFERENCE, + ["TRIGGER"] = builtin.PRIV_TRIGGER, + ["INSERT"] = builtin.PRIV_INSERT, + ["UPDATE"] = builtin.PRIV_UPDATE, + ["DELETE"] = builtin.PRIV_DELETE, + ["GRANT"]= builtin.PRIV_GRANT, + ["REVOKE"] = builtin.PRIV_REVOKE, + ["ALL"] = builtin.PRIV_ALL +} + local function user_or_role_resolve(user) local _vuser = box.space[box.schema.VUSER_ID] local tuple @@ -1687,7 +1726,7 @@ end local function checked_privilege(privilege, object_type) local priv_hex = privilege_resolve(privilege) - if object_type == 'role' and priv_hex ~= 4 then + if object_type == 'role' and priv_hex ~= box.priv.X then box.error(box.error.UNSUPPORTED_ROLE_PRIV, privilege) end return priv_hex 
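Review bot: The `enum priv_type` added to the `ffi.cdef` block is a hand-maintained copy of the server's C privilege enum, and nothing in the patch verifies that the two agree, so a value changed on the C side would leave `box.priv` silently writing the wrong bit into `_priv` from upgrade.lua. A comment above the enum, `-- Mirrors the C-side enum priv_type; keep in sync, a mismatch misgrants every privilege written via box.priv`, would make the coupling visible, and a test pinning the values would catch drift — the added test/box/misc.result line only checks that the `priv` key exists. `PRIV_ALL = 4294967295` exceeds INT_MAX, so such a test should assert `box.priv.ALL == 4294967295` to confirm the ffi parser types the enum as unsigned rather than wrapping it. `box.priv` is also a plain table exposed under `box`, so any Lua code can overwrite an entry; keeping the values in a local table and exposing a proxy, `box.priv = setmetatable({}, {__index = priv, __newindex = function() error("box.priv is read-only") end})`, would prevent that. The `checked_privilege` hunk sharing this line is fine as written.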
@@ -1695,43 +1734,43 @@ end local function privilege_name(privilege) local names = {} - if bit.band(privilege, 1) ~= 0 then + if bit.band(privilege, box.priv.R) ~= 0 then table.insert(names, "read") end - if bit.band(privilege, 2) ~= 0 then + if bit.band(privilege, box.priv.W) ~= 0 then table.insert(names, "write") end - if bit.band(privilege, 4) ~= 0 then + if bit.band(privilege, box.priv.X) ~= 0 then table.insert(names, "execute") end - if bit.band(privilege, 8) ~= 0 then + if bit.band(privilege, box.priv.S) ~= 0 then table.insert(names, "session") end - if bit.band(privilege, 16) ~= 0 then + if bit.band(privilege, box.priv.U) ~= 0 then table.insert(names, "usage") end - if bit.band(privilege, 32) ~= 0 then + if bit.band(privilege, box.priv.C) ~= 0 then table.insert(names, "create") end - if bit.band(privilege, 64) ~= 0 then + if bit.band(privilege, box.priv.D) ~= 0 then table.insert(names, "drop") end - if bit.band(privilege, 128) ~= 0 then + if bit.band(privilege, box.priv.A) ~= 0 then table.insert(names, "alter") end - if bit.band(privilege, 256) ~= 0 then + if bit.band(privilege, box.priv.REFERENCE) ~= 0 then table.insert(names, "reference") end - if bit.band(privilege, 512) ~= 0 then + if bit.band(privilege, box.priv.TRIGGER) ~= 0 then table.insert(names, "trigger") end - if bit.band(privilege, 1024) ~= 0 then + if bit.band(privilege, box.priv.INSERT) ~= 0 then table.insert(names, "insert") end - if bit.band(privilege, 2048) ~= 0 then + if bit.band(privilege, box.priv.UPDATE) ~= 0 then table.insert(names, "update") end - if bit.band(privilege, 4096) ~= 0 then + if bit.band(privilege, box.priv.DELETE) ~= 0 then table.insert(names, "delete") end return table.concat(names, ",") diff --git a/src/box/lua/upgrade.lua b/src/box/lua/upgrade.lua index 589161944..0293f6ef8 100644 --- a/src/box/lua/upgrade.lua +++ b/src/box/lua/upgrade.lua 
@@ -211,11 +211,11 @@ local function initial() log.info("create role public") _user:insert{PUBLIC, ADMIN, 'public', 'role'} log.info("grant read,write,execute on universe to admin") - _priv:insert{ADMIN, ADMIN, 'universe', 0, 7} + _priv:insert{ADMIN, ADMIN, 'universe', 0, box.priv.R + box.priv.W + box.priv.X} -- grant role 'public' to 'guest' log.info("grant role public to guest") - _priv:insert{ADMIN, GUEST, 'role', PUBLIC, 4} + _priv:insert{ADMIN, GUEST, 'role', PUBLIC, box.priv.X} log.info("set max_id to box.schema.SYSTEM_ID_MAX") _schema:insert{'max_id', box.schema.SYSTEM_ID_MAX} @@ -406,7 +406,7 @@ local function create_sysview(source_id, target_id) -- public can read system views if box.space._priv.index.primary:count({PUBLIC, 'space', target_id}) == 0 then log.info("grant read access to 'public' role for %s view", def[3]) - box.space._priv:insert({1, PUBLIC, 'space', target_id, 1}) + box.space._priv:insert({1, PUBLIC, 'space', target_id, box.priv.R}) end end @@ -416,16 +416,17 @@ local function upgrade_users_to_1_6_8() local RPL_ID = box.space._user:auto_increment{ADMIN, 'replication', 'role'}[1] -- replication can read the entire universe log.info("grant read on universe to replication") - box.space._priv:replace{1, RPL_ID, 'universe', 0, 1} + box.space._priv:replace{1, RPL_ID, 'universe', 0, box.priv.R} -- replication can append to '_cluster' system space log.info("grant write on space _cluster to replication") - box.space._priv:replace{1, RPL_ID, 'space', box.space._cluster.id, 2} + box.space._priv:replace{1, RPL_ID, 'space', box.space._cluster.id, box.priv.W} end if box.space._priv.index.primary:count({ADMIN, 'universe', 0}) == 0 then -- grant admin access to the universe log.info("grant all on universe to admin") - box.space._priv:insert{ADMIN, ADMIN, 'universe', 0, 7} + box.space._priv:insert{ADMIN, ADMIN, 'universe', 0, box.priv.R + + box.priv.W + box.priv.X} end if box.space._func.index.name:count("box.schema.user.info") == 0 then 
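Review bot: The grants combine flags with arithmetic, `box.priv.R + box.priv.W + box.priv.X`, which yields the intended mask only while every operand is a distinct single bit; `bit.bor(box.priv.R, box.priv.W, box.priv.X)` states the intent and cannot double-count if a combined constant such as `box.priv.ALL` is ever mixed in. The same pattern appears in the `upgrade_users_to_1_6_8` hunk on this line, in `initial_1_7_5` and in `upgrade_to_1_7_7` (`box.priv.S + box.priv.U`) further down. In `upgrade_users_to_1_6_8` the preceding comment and log message say "grant all on universe to admin" while the tuple written is read, write and execute only; since that value reflects the historical 1.6.8 schema it should stay, but the comment could read `-- grant the 1.6.8 admin set (read,write,execute) on universe; 'all' is widened in upgrade_to_1_7_7` so that a reader auditing grants is not misled.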
@@ -435,7 +436,7 @@ local function upgrade_users_to_1_6_8() -- grant 'public' role access to 'box.schema.user.info' function log.info('grant execute on function "box.schema.user.info" to public') - box.space._priv:replace{ADMIN, PUBLIC, 'function', 1, 4} + box.space._priv:replace{ADMIN, PUBLIC, 'function', 1, box.priv.X} end end @@ -555,7 +556,7 @@ local function create_truncate_space() box.space._index:insert{_truncate.id, 0, 'primary', 'tree', {unique = true}, {{0, 'unsigned'}}} local _priv = box.space[box.schema.PRIV_ID] - _priv:insert{ADMIN, PUBLIC, 'space', _truncate.id, 2} + _priv:insert{ADMIN, PUBLIC, 'space', _truncate.id, box.priv.W} end local function update_existing_users_to_1_7_5() @@ -809,20 +810,20 @@ local function initial_1_7_5() -- Create grants -- log.info("grant read,write,execute on universe to admin") - _priv:insert{ADMIN, ADMIN, 'universe', 0, 7} + _priv:insert{ADMIN, ADMIN, 'universe', 0, box.priv.R + box.priv.W + box.priv.X} -- grant role 'public' to 'guest' log.info("grant role public to guest") - _priv:insert{ADMIN, GUEST, 'role', PUBLIC, 4} + _priv:insert{ADMIN, GUEST, 'role', PUBLIC, box.priv.X} -- replication can read the entire universe log.info("grant read on universe to replication") - _priv:replace{ADMIN, REPLICATION, 'universe', 0, 1} + _priv:replace{ADMIN, REPLICATION, 'universe', 0, box.priv.R} -- replication can append to '_cluster' system space log.info("grant write on space _cluster to replication") - _priv:replace{ADMIN, REPLICATION, 'space', _cluster.id, 2} + _priv:replace{ADMIN, REPLICATION, 'space', _cluster.id, box.priv.W} - _priv:insert{ADMIN, PUBLIC, 'space', _truncate.id, 2} + _priv:insert{ADMIN, PUBLIC, 'space', _truncate.id, box.priv.W} -- create "box.schema.user.info" function log.info('create function "box.schema.user.info" with setuid') 
@@ -830,7 +831,7 @@ local function initial_1_7_5() -- grant 'public' role access to 'box.schema.user.info' function log.info('grant execute on function "box.schema.user.info" to public') - _priv:replace{ADMIN, PUBLIC, 'function', 1, 4} + _priv:replace{ADMIN, PUBLIC, 'function', 1, box.priv.X} log.info("set max_id to box.schema.SYSTEM_ID_MAX") _schema:insert{'max_id', box.schema.SYSTEM_ID_MAX} @@ -904,7 +905,7 @@ local function create_collation_space() box.space._collation:replace{2, "unicode_ci", ADMIN, "ICU", "", {strength='primary'}} local _priv = box.space[box.schema.PRIV_ID] - _priv:insert{ADMIN, PUBLIC, 'space', _collation.id, 2} + _priv:insert{ADMIN, PUBLIC, 'space', _collation.id, box.priv.W} end local function upgrade_to_1_7_6() @@ -924,7 +925,8 @@ local function upgrade_to_1_7_7() -- for _, v in _user:pairs() do if v[4] ~= "role" then - _priv:upsert({ADMIN, v[1], "universe", 0, 24}, {{"|", 5, 24}}) + _priv:upsert({ADMIN, v[1], "universe", 0, box.priv.S + box.priv.U}, + {{"|", 5, box.priv.S + box.priv.U}}) end end -- @@ -935,14 +937,14 @@ local function upgrade_to_1_7_7() -- for _, v in _priv.index.object:pairs{'universe'} do if bit.band(v[5], 1) ~= 0 and bit.band(v[5], 2) ~= 0 then - _priv:update({v[2], v[3], v[4]}, {{ "|", 5, 32}}) + _priv:update({v[2], v[3], v[4]}, {{ "|", 5, box.priv.C}}) end end -- grant admin all new privileges (session, usage, grant option, -- create, alter, drop and anything that might come up in the future -- - _priv:upsert({ADMIN, ADMIN, 'universe', 0, 4294967295}, - {{ "|", 5, 4294967295}}) + _priv:upsert({ADMIN, ADMIN, 'universe', 0, box.priv.ALL}, + {{ "|", 5, box.priv.ALL}}) -- -- create role 'super' and grant it all privileges on universe -- diff --git a/test/box/misc.result b/test/box/misc.result index 8f94f5513..c6e4917bf 100644 --- a/test/box/misc.result +++ b/test/box/misc.result @@ -68,6 +68,7 @@ t - info - internal - once + - priv - rollback - rollback_to_savepoint - runtime 
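Review bot: In the `upgrade_to_1_7_7` hunk the context line `if bit.band(v[5], 1) ~= 0 and bit.band(v[5], 2) ~= 0 then` still tests raw `1` and `2` immediately above the converted `box.priv.C`, which is exactly the magic-number usage this patch sets out to remove; it should become `if bit.band(v[5], box.priv.R) ~= 0 and bit.band(v[5], box.priv.W) ~= 0 then`. Leaving it makes the rule "holders of read and write on the universe also get create" harder to audit than the lines around it. The `upsert` with `box.priv.ALL` relies on the ffi enum constant arriving as a plain Lua number usable both in the tuple and in the `"|"` update op, which the former literal `4294967295` did trivially; that is presumably the case but is worth a test asserting `box.priv.ALL == 4294967295`. The test/box/misc.result hunk on this line is a trivial key-list update.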
diff --git a/test/engine/iterator.result b/test/engine/iterator.result index ae14c4320..1bde10eaf 100644 --- a/test/engine/iterator.result +++ b/test/engine/iterator.result @@ -4211,7 +4211,7 @@ s:replace{35} ... state, value = gen(param,state) --- -- error: 'builtin/box/schema.lua:993: usage: next(param, state)' +- error: 'builtin/box/schema.lua:1032: usage: next(param, state)' ... value --- diff --git a/test/engine/savepoint.result b/test/engine/savepoint.result index dc2ad7986..a62a2e135 100644 --- a/test/engine/savepoint.result +++ b/test/engine/savepoint.result @@ -14,7 +14,7 @@ s1 = box.savepoint() ... box.rollback_to_savepoint(s1) --- -- error: 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)' +- error: 'builtin/box/schema.lua:340: Usage: box.rollback_to_savepoint(savepoint)' ... box.begin() s1 = box.savepoint() --- @@ -323,27 +323,27 @@ test_run:cmd("setopt delimiter ''"); ok1, errmsg1 --- - false -- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)' +- 'builtin/box/schema.lua:340: Usage: box.rollback_to_savepoint(savepoint)' ... ok2, errmsg2 --- - false -- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)' +- 'builtin/box/schema.lua:340: Usage: box.rollback_to_savepoint(savepoint)' ... ok3, errmsg3 --- - false -- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)' +- 'builtin/box/schema.lua:340: Usage: box.rollback_to_savepoint(savepoint)' ... ok4, errmsg4 --- - false -- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)' +- 'builtin/box/schema.lua:340: Usage: box.rollback_to_savepoint(savepoint)' ... ok5, errmsg5 --- - false -- 'builtin/box/schema.lua:301: Usage: box.rollback_to_savepoint(savepoint)' +- 'builtin/box/schema.lua:340: Usage: box.rollback_to_savepoint(savepoint)' ... s:select{} --- -- 2.17.1