Tarantool development patches archive
From: Serge Petrenko <sergepetrenko@tarantool.org>
To: tarantool-patches@freelists.org
Cc: Serge Petrenko <sergepetrenko@tarantool.org>
Subject: [tarantool-patches] [PATCH 0/4] Fixes in access control and privileges
Date: Tue, 17 Jul 2018 18:47:43 +0300
Message-ID: <cover.1531840892.git.sergepetrenko@tarantool.org>

This patch set fixes various issues with access control,
mostly in function access_check_ddl().

Patches 1-3 already were sent separately a couple of days
ago, but I believe they belong together, since every next
one is based on the previous.
Also I rebased patches 1-3 to the latest 1.10.

Patch 1 adds an entity privilege check to access_check_ddl
https://github.com/tarantool/tarantool/tree/sergepetrenko/gh-3516-entity-access-checks
https://github.com/tarantool/tarantool/issues/3516
Patch 2 is a follow-up to patch 1 and adds ACLs for entities
user and role.
https://github.com/tarantool/tarantool/tree/sergepetrenko/gh-3524-entity-access-grants
https://github.com/tarantool/tarantool/issues/3524
Patch 3 is a follow-up to patch 2 and adds single object access
checks in access_check_ddl and adds ACLs to a single object
user (and role).
https://github.com/tarantool/tarantool/tree/sergepetrenko/gh-3530-object-access-checks
https://github.com/tarantool/tarantool/issues/3530
Patch 4 adds an upgrade script which should fire on update to
1.10 and grant create/alter/drop privileges to users with
read and write access. Also Patch 4 modifies tests to grant
entity and object privileges instead of universal privileges.
This is made possible by patches 1-3.
https://github.com/tarantool/tarantool/tree/sergepetrenko/gh-3539-1.10-upgrade-script
https://github.com/tarantool/tarantool/issues/3539

Serge Petrenko (4):
  Make access_check_ddl check for entity privileges.
  Add entities user, role to access control.
  Add single object privilege checks to access_check_ddl.
  Add a privilege upgrade script and update tests.

 src/box/alter.cc                            | 226 ++++++++++++++++++------
 src/box/lua/schema.lua                      |  30 ++--
 src/box/lua/upgrade.lua                     |  22 +++
 src/box/schema.h                            |   6 +
 src/box/user.cc                             |  31 +++-
 src/box/user.h                              |   2 +
 test/box-tap/auth.test.lua                  |   5 -
 test/box-tap/session.test.lua               |  15 +-
 test/box/access.result                      | 215 +++++++++++++++++++++-
 test/box/access.test.lua                    |  73 +++++++-
 test/box/access_bin.result                  |   4 +-
 test/box/access_bin.test.lua                |   4 +-
 test/box/access_escalation.result           |  15 +-
 test/box/access_escalation.test.lua         |  10 +-
 test/box/access_misc.result                 |   6 +-
 test/box/access_misc.test.lua               |   4 +-
 test/box/call.result                        |   4 +-
 test/box/call.test.lua                      |   4 +-
 test/box/errinj.result                      |  30 +++-
 test/box/errinj.test.lua                    |  21 ++-
 test/box/net.box.result                     | 265 ++++++++++++++++++++++++++--
 test/box/net.box.test.lua                   | 121 +++++++++++--
 test/box/net_msg_max.result                 |  13 +-
 test/box/net_msg_max.test.lua               |   9 +-
 test/box/on_replace.result                  |   2 +-
 test/box/on_replace.test.lua                |   2 +-
 test/box/protocol.result                    |   9 +-
 test/box/protocol.test.lua                  |   5 +-
 test/box/push.result                        |  52 +++++-
 test/box/push.test.lua                      |  27 ++-
 test/box/role.result                        |  34 +++-
 test/box/role.test.lua                      |  12 +-
 test/box/schema_reload.result               |  32 +++-
 test/box/schema_reload.test.lua             |  16 +-
 test/box/sequence.result                    | 131 ++++++++++++--
 test/box/sequence.test.lua                  |  58 ++++--
 test/box/sql.result                         |   9 +-
 test/box/sql.test.lua                       |   5 +-
 test/box/stat_net.result                    |   7 +-
 test/box/stat_net.test.lua                  |   5 +-
 test/engine/params.result                   |   6 -
 test/engine/params.test.lua                 |   2 -
 test/engine/replica_join.result             |   6 -
 test/engine/replica_join.test.lua           |   2 -
 test/replication/autobootstrap.result       |  23 ++-
 test/replication/autobootstrap.test.lua     |  10 +-
 test/replication/catch.result               |   6 -
 test/replication/catch.test.lua             |   2 -
 test/replication/errinj.result              |   3 -
 test/replication/errinj.test.lua            |   1 -
 test/replication/gc.result                  |   6 -
 test/replication/gc.test.lua                |   2 -
 test/replication/join_vclock.result         |   6 -
 test/replication/join_vclock.test.lua       |   2 -
 test/replication/skip_conflict_row.result   |   6 -
 test/replication/skip_conflict_row.test.lua |   2 -
 test/vinyl/replica_quota.result             |   6 -
 test/vinyl/replica_quota.test.lua           |   2 -
 test/wal_off/func_max.result                |  25 +--
 test/wal_off/func_max.test.lua              |  19 +-
 test/xlog/errinj.result                     |   9 +-
 test/xlog/errinj.test.lua                   |   4 +-
 test/xlog/misc.result                       |   9 +-
 test/xlog/misc.test.lua                     |   5 +-
 test/xlog/upgrade.result                    |   4 +-
 65 files changed, 1380 insertions(+), 329 deletions(-)

-- 
2.15.2 (Apple Git-101.1)


Thread overview: 11+ messages
2018-07-17 15:47 Serge Petrenko [this message]
2018-07-17 15:47 ` [tarantool-patches] [PATCH 1/4] Make access_check_ddl check for entity privileges Serge Petrenko
2018-07-17 15:47 ` [tarantool-patches] [PATCH 2/4] Add entities user, role to access control Serge Petrenko
2018-07-17 15:47 ` [tarantool-patches] [PATCH 3/4] Add single object privilege checks to access_check_ddl Serge Petrenko
2018-07-17 15:47 ` [tarantool-patches] [PATCH 4/4] Add a privilege upgrade script and update tests Serge Petrenko
     [not found] ` <cover.1531843622.git.sergepetrenko@tarantool.org>
2018-07-17 16:08   ` [tarantool-patches] [PATCH v2 1/4] Make access_check_ddl check for entity privileges Serge Petrenko
2018-07-17 16:08   ` [tarantool-patches] [PATCH v2 2/4] Add entities user, role to access control Serge Petrenko
2018-07-17 16:08   ` [tarantool-patches] [PATCH v2 3/4] Add single object privilege checks to access_check_ddl Serge Petrenko
2018-07-26 20:37     ` [tarantool-patches] " Konstantin Osipov
2018-07-30  8:37       ` Sergey Petrenko
2018-07-17 16:08   ` [tarantool-patches] [PATCH v2 4/4] Add a privilege upgrade script and update tests Serge Petrenko
