forked from tarantool/tarantool
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
config: delayed privilege alert doesn't get stuck now

The declarative configuration has the `credentials` section that describes users and their privileges. It is OK to have privileges for a space/function/sequence that does not exist. Such a privilege will lead to an alert that states that the privilege will be granted when the object is created.

The problem that is fixed by this commit is that such an alert was not dropped when the object is created and the relevant privileges are granted.

There are several ways to solve the problem. Let's look at them.

1. When a privilege is granted, drop an alert if any.
2. After the config-database privilege synchronization, revisit alerts to drop all obsolete ones.
3. Drop all the alerts regarding missed privileges before the config-database privilege synchronization and issue actual alerts afterwards.

The first way is the simplest, but it doesn't cover one specific scenario: an object rename. Let's assume that the object T has privileges declared in the configuration and the object doesn't exist. There is an alert regarding it. Now, object S is renamed to T. Let's assume that S had some or all the privileges needed for T according to the configuration. In the given scenario, we don't need to grant some or all of the privileges and, so, the first solution doesn't work. We don't reach the code that grants the privileges and, so, dropping alerts at this point has no effect.

The second and the third solutions are similar and mainly differ in how complicated the code is. The third one is implemented here with the idea of simplifying the code.

The internal `aboard` module has the following changes.

1. The `aboard` module now ignores underscored fields of an alert on its serialization to allow a caller to store machine-readable information in them.
2. The new method `:drop_if()` is added to perform a conditional alert drop.

Several unit test cases are updated, because now we always need initialized `config._aboard` for testing of the credentials applier.

Fixes tarantool#9574

NO_DOC=bugfix

(cherry picked from commit 1c1ee4d)
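The third approach from the commit message above, with the rename scenario that defeats the first one, as an added toy model in Lua. It is not the commit's code and not Tarantool's `aboard` module: apart from `drop_if`, every name, the `_kind` field and the sample data are assumptions, and the grant step itself is left out.

```lua
-- Toy alert board (hypothetical; only the method name drop_if comes from
-- the commit message).
local Board = {}
Board.__index = Board

function Board:set(alert) table.insert(self.alerts, alert) end

-- Conditional drop: remove every alert for which pred(alert) is true.
function Board:drop_if(pred)
    local kept = {}
    for _, a in ipairs(self.alerts) do
        if not pred(a) then table.insert(kept, a) end
    end
    self.alerts = kept
end

-- Serialization skips fields whose name starts with an underscore, so a
-- caller can keep machine-readable data in them.
function Board:serialize()
    local out = {}
    for _, a in ipairs(self.alerts) do
        local public = {}
        for k, v in pairs(a) do
            if k:sub(1, 1) ~= '_' then public[k] = v end
        end
        table.insert(out, public)
    end
    return out
end

-- Approach 3: drop all missed-privilege alerts, then issue the actual ones.
-- declared: space name -> privilege; existing: set of existing space names.
local function sync(board, declared, existing)
    board:drop_if(function(a) return a._kind == 'missed_privilege' end)
    for name, priv in pairs(declared) do
        if not existing[name] then
            board:set({type = 'warn', _kind = 'missed_privilege', message =
                priv .. ' on space ' .. name .. ' will be granted later'})
        end
    end
end

local board = setmetatable({alerts = {}}, Board)
local declared, existing = {T = 'read'}, {S = true} -- constructed sample
sync(board, declared, existing)
assert(#board.alerts == 1 and board:serialize()[1]._kind == nil)
-- S is renamed to T and already carries the privilege: no grant call runs,
-- yet the alert still goes away because sync() rebuilds the alert set.
existing.S, existing.T = nil, true
sync(board, declared, existing)
assert(#board.alerts == 0)
```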
1 parent 7365d33, commit c55627a

Showing 5 changed files with 423 additions and 18 deletions.
changelogs/unreleased/config-stuck-privilege-granting-alert.md (4 changes: 4 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
## bugfix/config | ||
|
||
* An alert regarding delayed privilege granting is now cleared when the | ||
privilege is granted (gh-9574). |
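Review bot: The changelog entry's wording "cleared when the privilege is granted" does not cover the rename case described in the commit message, where the object already carries the privileges and no grant is performed. Consider phrasing it in terms of the object appearing, for example "is now cleared once the object exists and the declared privileges are in place (gh-9574)".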