From: Serge Petrenko <sergepetrenko@tarantool.org> To: tarantool-patches@freelists.org Cc: Serge Petrenko <sergepetrenko@tarantool.org> Subject: [tarantool-patches] [PATCH 0/4] Fixes in access control and privileges Date: Tue, 17 Jul 2018 18:47:43 +0300 [thread overview] Message-ID: <cover.1531840892.git.sergepetrenko@tarantool.org> (raw) This patch set fixes various issues with access control, mostly in function access_check_ddl(). Patches 1-3 already were sent separately a couple of days ago, but I believe they belong together, since every next one is based on the previous. Also I rebased patches 1-3 to the latest 1.10. Patch 1 adds an entity privilege check to access_check_ddl https://github.com/tarantool/tarantool/tree/sergepetrenko/gh-3516-entity-access-checks https://github.com/tarantool/tarantool/issues/3516 Patch 2 is a follow-up to patch 1 and adds ACLs for entities user and role. https://github.com/tarantool/tarantool/tree/sergepetrenko/gh-3524-entity-access-grants https://github.com/tarantool/tarantool/issues/3524 Patch 3 is a follow-up to patch 2 and adds single object access checks in access_check_ddl and adds ACLs to a single object user(and role). https://github.com/tarantool/tarantool/tree/sergepetrenko/gh-3530-object-access-checks https://github.com/tarantool/tarantool/issues/3530 Patch 4 adds an upgrade script which should fire on update to 1.10 and grant create/alter/drop privileges to users with read and write access. Also Patch 4 modifies tests to grant entity and object privileges instead of universal privileges. This is made possible by patches 1-3. https://github.com/tarantool/tarantool/tree/sergepetrenko/gh-3539-1.10-upgrade-script https://github.com/tarantool/tarantool/issues/3539 Serge Petrenko (4): Make access_check_ddl check for entity privileges. Add entities user, role to access control. Add single object privilege checks to access_check_ddl. Add a privilege upgrade script and update tests. src/box/alter.cc | 226 ++++++++++++++++++------ src/box/lua/schema.lua | 30 ++-- src/box/lua/upgrade.lua | 22 +++ src/box/schema.h | 6 + src/box/user.cc | 31 +++- src/box/user.h | 2 + test/box-tap/auth.test.lua | 5 - test/box-tap/session.test.lua | 15 +- test/box/access.result | 215 +++++++++++++++++++++- test/box/access.test.lua | 73 +++++++- test/box/access_bin.result | 4 +- test/box/access_bin.test.lua | 4 +- test/box/access_escalation.result | 15 +- test/box/access_escalation.test.lua | 10 +- test/box/access_misc.result | 6 +- test/box/access_misc.test.lua | 4 +- test/box/call.result | 4 +- test/box/call.test.lua | 4 +- test/box/errinj.result | 30 +++- test/box/errinj.test.lua | 21 ++- test/box/net.box.result | 265 ++++++++++++++++++++++++++-- test/box/net.box.test.lua | 121 +++++++++++-- test/box/net_msg_max.result | 13 +- test/box/net_msg_max.test.lua | 9 +- test/box/on_replace.result | 2 +- test/box/on_replace.test.lua | 2 +- test/box/protocol.result | 9 +- test/box/protocol.test.lua | 5 +- test/box/push.result | 52 +++++- test/box/push.test.lua | 27 ++- test/box/role.result | 34 +++- test/box/role.test.lua | 12 +- test/box/schema_reload.result | 32 +++- test/box/schema_reload.test.lua | 16 +- test/box/sequence.result | 131 ++++++++++++-- test/box/sequence.test.lua | 58 ++++-- test/box/sql.result | 9 +- test/box/sql.test.lua | 5 +- test/box/stat_net.result | 7 +- test/box/stat_net.test.lua | 5 +- test/engine/params.result | 6 - test/engine/params.test.lua | 2 - test/engine/replica_join.result | 6 - test/engine/replica_join.test.lua | 2 - test/replication/autobootstrap.result | 23 ++- test/replication/autobootstrap.test.lua | 10 +- test/replication/catch.result | 6 - test/replication/catch.test.lua | 2 - test/replication/errinj.result | 3 - test/replication/errinj.test.lua | 1 - test/replication/gc.result | 6 - test/replication/gc.test.lua | 2 - test/replication/join_vclock.result | 6 - test/replication/join_vclock.test.lua | 2 - test/replication/skip_conflict_row.result | 6 - test/replication/skip_conflict_row.test.lua | 2 - test/vinyl/replica_quota.result | 6 - test/vinyl/replica_quota.test.lua | 2 - test/wal_off/func_max.result | 25 +-- test/wal_off/func_max.test.lua | 19 +- test/xlog/errinj.result | 9 +- test/xlog/errinj.test.lua | 4 +- test/xlog/misc.result | 9 +- test/xlog/misc.test.lua | 5 +- test/xlog/upgrade.result | 4 +- 65 files changed, 1380 insertions(+), 329 deletions(-) -- 2.15.2 (Apple Git-101.1)
next reply other threads:[~2018-07-17 15:47 UTC|newest] Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-07-17 15:47 Serge Petrenko [this message] 2018-07-17 15:47 ` [tarantool-patches] [PATCH 1/4] Make access_check_ddl check for entity privileges Serge Petrenko 2018-07-17 15:47 ` [tarantool-patches] [PATCH 2/4] Add entities user, role to access control Serge Petrenko 2018-07-17 15:47 ` [tarantool-patches] [PATCH 3/4] Add single object privilege checks to access_check_ddl Serge Petrenko 2018-07-17 15:47 ` [tarantool-patches] [PATCH 4/4] Add a privilege upgrade script and update tests Serge Petrenko [not found] ` <cover.1531843622.git.sergepetrenko@tarantool.org> 2018-07-17 16:08 ` [tarantool-patches] [PATCH v2 1/4] Make access_check_ddl check for entity privileges Serge Petrenko 2018-07-17 16:08 ` [tarantool-patches] [PATCH v2 2/4] Add entities user, role to access control Serge Petrenko 2018-07-17 16:08 ` [tarantool-patches] [PATCH v2 3/4] Add single object privilege checks to access_check_ddl Serge Petrenko 2018-07-26 20:37 ` [tarantool-patches] " Konstantin Osipov 2018-07-30 8:37 ` Sergey Petrenko 2018-07-17 16:08 ` [tarantool-patches] [PATCH v2 4/4] Add a privilege upgrade script and update tests Serge Petrenko
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=cover.1531840892.git.sergepetrenko@tarantool.org \ --to=sergepetrenko@tarantool.org \ --cc=tarantool-patches@freelists.org \ --subject='Re: [tarantool-patches] [PATCH 0/4] Fixes in access control and privileges' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox