From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <v.shpilevoy@tarantool.org>
Received: from smtp38.i.mail.ru (smtp38.i.mail.ru [94.100.177.98])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by dev.tarantool.org (Postfix) with ESMTPS id 7654A452566
 for <tarantool-patches@dev.tarantool.org>;
 Sat,  2 Nov 2019 00:36:49 +0300 (MSK)
From: Vladislav Shpilevoy <v.shpilevoy@tarantool.org>
Date: Fri,  1 Nov 2019 22:42:25 +0100
Message-Id: <a4e7ec1f743fa7901c34a48a12ffcfd312bfb796.1572644348.git.v.shpilevoy@tarantool.org>
In-Reply-To: <cover.1572644348.git.v.shpilevoy@tarantool.org>
References: <cover.1572644348.git.v.shpilevoy@tarantool.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [Tarantool-patches] [PATCH 2/2] access: forbid to drop admin's
	universe access
List-Id: Tarantool development patches <tarantool-patches.dev.tarantool.org>
List-Unsubscribe: <https://lists.tarantool.org/mailman/options/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=unsubscribe>
List-Archive: <https://lists.tarantool.org/pipermail/tarantool-patches/>
List-Post: <mailto:tarantool-patches@dev.tarantool.org>
List-Help: <mailto:tarantool-patches-request@dev.tarantool.org?subject=help>
List-Subscribe: <https://lists.tarantool.org/mailman/listinfo/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=subscribe>
To: tarantool-patches@dev.tarantool.org, kostja.osipov@gmail.com

Bootstrap and recovery work on behalf of admin. Without the
universe access they are not able to even fill system spaces with
data.

It is better to forbid this ability until someone made their
cluster unrecoverable.
---
 src/box/user.cc          | 6 ++++++
 test/box/access.result   | 8 ++++++++
 test/box/access.test.lua | 6 ++++++
 3 files changed, 20 insertions(+)

diff --git a/src/box/user.cc b/src/box/user.cc
index cdddf237b..6b4a5565e 100644
--- a/src/box/user.cc
+++ b/src/box/user.cc
@@ -764,6 +764,12 @@ priv_grant(struct user *grantee, struct priv_def *priv)
 	struct access *object = access_find(priv->object_type, priv->object_id);
 	if (object == NULL)
 		return 0;
+	if (grantee->auth_token == ADMIN && priv->object_type == SC_UNIVERSE &&
+	    priv->access != USER_ACCESS_FULL) {
+		diag_set(ClientError, ER_GRANT,
+			 "can't revoke universe from the admin user");
+		return -1;
+	}
 	struct access *access = &object[grantee->auth_token];
 	access->granted = priv->access;
 	if (rebuild_effective_grants(grantee) != 0)
diff --git a/test/box/access.result b/test/box/access.result
index dc339038d..01126a94b 100644
--- a/test/box/access.result
+++ b/test/box/access.result
@@ -2099,3 +2099,11 @@ box.schema.user.drop("user2")
 box.schema.user.drop("user3")
 ---
 ...
+--
+-- Check that admin user privileges can't be removed. Otherwise an
+-- instance could not bootstrap nor recovery.
+--
+box.space._priv:delete{1, 'universe', 0}
+---
+- error: 'Incorrect grant arguments: can''t revoke universe from the admin user'
+...
diff --git a/test/box/access.test.lua b/test/box/access.test.lua
index a9843d155..759827721 100644
--- a/test/box/access.test.lua
+++ b/test/box/access.test.lua
@@ -800,3 +800,9 @@ box.space._user:select{}
 box.schema.user.drop("user1")
 box.schema.user.drop("user2")
 box.schema.user.drop("user3")
+
+--
+-- Check that admin user privileges can't be removed. Otherwise an
+-- instance could not bootstrap nor recovery.
+--
+box.space._priv:delete{1, 'universe', 0}
-- 
2.21.0 (Apple Git-122.2)