Vshard cluster user experience

[DifferentialOrange]

cartridge rock won't be supported in Tarantool 3.x. crud supports running without cartridge on vshard cluster, but it seems that it is not enough for user to simply run vshard cluster and crud.init_router/crud.init_storage:

crud.insert('customer', {1, box.NULL, 'Elex'})
---
- null
- line: 86
  class_name: InsertError
  err: "Failed to get bucket ID: CallError: Failed for ac522f65-aa94-4134-9f64-51ee384f1a54:
    Function returned an error: {\"access_type\":\"Execute\",\"trace\":[{\"file\":\".\\/tarantool\\/src\\/box\\/session.c\",\"line\":473}],\"object_type\":\"function\",\"base_type\":\"AccessDeniedError\",\"type\":\"AccessDeniedError\",\"message\":\"Execute

We need to automatize the process of setup as far as possible. If some manual actions still should be required from user, we should thoroughly describe them in README.

See also #364

[DifferentialOrange]

The priority of tasks had changed, so I leave this one for now. To pass the baton, here is what I've investigated so far.

It seems that the best approach is to implement the crud-storage role and grant the role to the vshard user. To extract the name of the vshard user, one may use the following approach.

local luri = require('uri')

function utils.get_vshard_username()
    local storage_info = vshard.storage.info()
    local replicaset_info = storage_info.replicasets[utils.replicaset_uuid()]

    return luri.parse(replicaset_info.master.uri).login
end

Vshard makes some magic with its calls so vshard user (without any explicitly given grants) can write to any space, read any space and call any required procedure on the storage. I haven't yet found the reason why it works since grants are inherited through common net.box call.

local log = require('log')
local fiber = require('fiber')

vshard = require('vshard')

box.cfg{listen=3301}

box.once('storage', function()
    box.schema.user.create('storage', {password = 'storage'})
end)

local uri = 'storage:storage@localhost:3301'
local cfg = {
    bucket_count = 3000,
    sharding = {
        [box.info().cluster.uuid] = {
            replicas = {
                [box.info().uuid] = {
                    uri = uri,
                    name = 'storage',
                    master = true,
                },
            },
        },
    },
}
vshard.storage.cfg(cfg, box.info().uuid)
vshard.router.cfg(cfg)
vshard.router.bootstrap()

box.schema.space.create('myspace', {if_not_exists = true})
box.space.myspace:create_index('pk', {if_not_exists = true})

func1 = function(arg)
    return box.space.myspace:replace(arg)
end

box.schema.func.create('func1', {if_not_exists = true})

func2 = function(arg)
    return vshard.router.callro(1, 'func1', {arg})
end

box.schema.func.create('func2', {if_not_exists = true})

func3 = function()
    return true
end

box.schema.func.create('func3', {if_not_exists = true})

func4 = function(arg)
    return vshard.router.callro(1, 'func3')
end

box.schema.func.create('func4', {if_not_exists = true})

box.schema.role.create('myapi', {if_not_exists = true})
box.schema.role.grant('myapi', 'execute', 'function', 'func1', {if_not_exists = true})
box.schema.role.grant('myapi', 'execute', 'function', 'func2', {if_not_exists = true})

box.schema.user.create('customer', {password = 'customer', if_not_exists = true})
box.schema.user.grant('customer', 'myapi', nil, nil, {if_not_exists = true})
box.schema.user.grant('storage', 'myapi', nil, nil, {if_not_exists = true})

fiber.sleep(10)

box.session.su('customer')
log.info('session customer')

local success, res, res2 = pcall(func1, {1})
log.info('func1')
log.info(success) -- false
log.info(res) -- Write access to space 'myspace' is denied for user 'customer'
log.info(res2) -- nil

local success, res, res2 = pcall(func2, {1})
log.info('func2')
log.info(success) -- true
log.info(res) -- [1]
log.info(res2) -- nil

local success, res, res2 = pcall(func4)
log.info('func4')
log.info(success) -- true
log.info(res) -- true
log.info(res2) -- nil

box.session.su('storage')
log.info('session storage')

local success, res, res2 = pcall(func1, {1})
log.info('func1')
log.info(success) -- false
log.info(res) -- Write access to space 'myspace' is denied for user 'customer'
log.info(res2) -- nil

local success, res, res2 = pcall(func2, {1})
log.info('func2')
log.info(success) -- true
log.info(res) -- [1]
log.info(res2) -- nil

local success, res, res2 = pcall(func4)
log.info('func4')
log.info(success) -- true
log.info(res) -- true
log.info(res2) -- nil

It seems that we need to do something with _crud.fetch_on_storage method and then everything will be alright. (But we need to be clarify this.) It may also be an option to replace current replicaset:call to use another approach. We also need to finish the investigation and understand what makes vshard calls onmipotent and whether it would work in later versions.