From: Serge Petrenko <sergepetrenko@tarantool.org>
To: vdavydov.dev@gmail.com
Cc: kostja@tarantool.org, tarantool-patches@freelists.org,
    Serge Petrenko <sergepetrenko@tarantool.org>
Subject: [PATCH v2 0/4] Finish implementation of privileges.
Date: Wed, 22 Aug 2018 16:39:01 +0300
Message-ID: <cover.1534944662.git.sergepetrenko@tarantool.org>

First patch introduces a separate schema_object_type for entity
privileges and adds '' (empty string) in object_id field to indicate
grants on an entire entity.
https://github.com/tarantool/tarantool/issues/3574

Second patch adds previously non-existent entities to access control:
user and role.
https://github.com/tarantool/tarantool/issues/3524

Third patch introduces single object access checks to access_checks_ddl.
These checks were previously ignored and in some cases granting
privileges on a single object had no effect.
https://github.com/tarantool/tarantool/issues/3530

Fourth patch adds an upgrade script for 1.10.2 to grant alter, create
and drop privileges to users with read and write privileges on objects.
https://github.com/tarantool/tarantool/issues/3539

Branch: https://github.com/tarantool/tarantool/tree/sergepetrenko/gh-3539-1.10-upgrade-script

Changes in v2:
  - fix indentation
  - move introduction of SC_ENTITY_USER and SC_ENTITY_ROLE
    to 2nd patch from 1st
  - move new code handling entity grants in priv_def_check()
    from 2nd patch to 1st
  - remove extraneous test changes from patches 2 and 3

Serge Petrenko (4):
  Introduce separate entity object types for entity privileges.
  Add entities user, role to access control.
  Add single object privilege checks to access_check_ddl.
  Add a privilege upgrade script and update tests.

 src/box/alter.cc | 157 +++++++++++-----
 src/box/bootstrap.snap | Bin 1540 -> 1555 bytes
 src/box/lua/schema.lua | 88 +++++----
 src/box/lua/upgrade.lua | 46 +++++
 src/box/schema.cc | 11 +-
 src/box/schema.h | 31 ++--
 src/box/schema_def.c | 21 +++
 src/box/schema_def.h | 18 +-
 src/box/user.cc | 68 ++++---
 src/box/user.h | 5 +
 test/box-py/bootstrap.result | 14 +-
 test/box-tap/auth.test.lua | 5 -
 test/box-tap/session.test.lua | 15 +-
 test/box/access.result | 213 ++++++++++++++++++++--
 test/box/access.test.lua | 72 ++++++--
 test/box/access_bin.result | 4 +-
 test/box/access_bin.test.lua | 4 +-
 test/box/access_escalation.result | 18 +-
 test/box/access_escalation.test.lua | 11 +-
 test/box/access_misc.result | 14 +-
 test/box/access_misc.test.lua | 4 +-
 test/box/alter.result | 8 +-
 test/box/call.result | 4 +-
 test/box/call.test.lua | 4 +-
 test/box/errinj.result | 39 +++-
 test/box/errinj.test.lua | 25 ++-
 test/box/net.box.result | 265 ++++++++++++++++++++++++++--
 test/box/net.box.test.lua | 121 +++++++++++--
 test/box/net_msg_max.result | 13 +-
 test/box/net_msg_max.test.lua | 9 +-
 test/box/on_replace.result | 2 +-
 test/box/on_replace.test.lua | 2 +-
 test/box/protocol.result | 9 +-
 test/box/protocol.test.lua | 5 +-
 test/box/push.result | 52 +++++-
 test/box/push.test.lua | 27 ++-
 test/box/role.result | 9 +
 test/box/schema_reload.result | 32 +++-
 test/box/schema_reload.test.lua | 16 +-
 test/box/sequence.result | 3 +
 test/box/sql.result | 9 +-
 test/box/sql.test.lua | 5 +-
 test/box/stat_net.result | 7 +-
 test/box/stat_net.test.lua | 5 +-
 test/engine/params.result | 6 -
 test/engine/params.test.lua | 2 -
 test/engine/replica_join.result | 6 -
 test/engine/replica_join.test.lua | 2 -
 test/replication/autobootstrap.result | 23 ++-
 test/replication/autobootstrap.test.lua | 10 +-
 test/replication/catch.result | 6 -
 test/replication/catch.test.lua | 2 -
 test/replication/errinj.result | 3 -
 test/replication/errinj.test.lua | 1 -
 test/replication/gc.result | 6 -
 test/replication/gc.test.lua | 2 -
 test/replication/join_vclock.result | 6 -
 test/replication/join_vclock.test.lua | 2 -
 test/replication/skip_conflict_row.result | 6 -
 test/replication/skip_conflict_row.test.lua | 2 -
 test/vinyl/replica_quota.result | 6 -
 test/vinyl/replica_quota.test.lua | 2 -
 test/wal_off/func_max.result | 25 +--
 test/wal_off/func_max.test.lua | 19 +-
 test/xlog/errinj.result | 9 +-
 test/xlog/errinj.test.lua | 4 +-
 test/xlog/misc.result | 9 +-
 test/xlog/misc.test.lua | 5 +-
 test/xlog/upgrade.result | 18 +-
 69 files changed, 1294 insertions(+), 378 deletions(-)

-- 
2.15.2 (Apple Git-101.1)

Thread overview: 13+ messages
2018-08-22 13:39 Serge Petrenko [this message]
2018-08-22 13:39 ` [PATCH v2 1/4] Introduce separate entity object types for entity privileges Serge Petrenko
2018-08-22 15:42 ` Serge Petrenko
2018-08-22 16:22 ` Vladimir Davydov
2018-08-22 13:39 ` [PATCH v2 2/4] Add entities user, role to access control Serge Petrenko
2018-08-22 16:36 ` Vladimir Davydov
2018-08-22 13:39 ` [PATCH v2 3/4] Add single object privilege checks to access_check_ddl Serge Petrenko
2018-08-22 16:47 ` Vladimir Davydov
2018-08-23 7:51 ` Serge Petrenko
2018-08-23 8:57 ` Vladimir Davydov
2018-08-22 13:39 ` [PATCH v2 4/4] Add a privilege upgrade script and update tests Serge Petrenko
2018-08-22 16:48 ` Vladimir Davydov
2018-08-23 7:54 ` Serge Petrenko