Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
access: update credentials without reconnect
Credentials is a cache of user universal privileges. And that cache can become outdated in case user privs were changed after creation of the cache. The patch makes user update all its credentials caches with new privileges, via a list of all creds. That solves a couple of real life problems: - If a user managed to connect after box.cfg started listening port, but before access was granted, then he needed a reconnect; - Even if access was granted, a user may connect after box.cfg listen, but before access *is recovered* from _priv space. It was not possible to fix without a reconnect. And this problem affected replication. Closes #2763 Part of #4535 Part of #4536 @TarantoolBot document Title: User privileges update affects existing sessions and objects Previously if user privileges were updated (via `box.schema.user.grant/revoke`), it was not reflected in already existing sessions and objects like functions. Now it is. For example: ``` box.cfg{listen = 3313} box.schema.user.create('test_user', {password = '1'}) function test1() return 'success' end c = require('net.box').connect(box.cfg.listen, { user = 'test_user', password = '1' }) -- Error, no access for this connection. c:call('test1') box.schema.user.grant('test_user', 'execute', 'universe') -- Now works, even though access was granted after -- connection. c:call('test1') ``` A similar thing happens now with `box.session.su` and functions created via `box.schema.func.create` with `setuid` flag. In other words, now user privileges update is reflected everywhere immediately. (cherry picked from commit 06dbcec) (cherry picked from commit e5149e3)
- Loading branch information
Showing
8 changed files
with
118 additions
and
17 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
-- test-run result file version 2 | ||
netbox = require('net.box') | ||
| --- | ||
| ... | ||
-- | ||
-- gh-2763: when credentials of a user are updated, it should be | ||
-- reflected in all his sessions and objects. | ||
-- | ||
|
||
box.schema.user.create('test_user', {password = '1'}) | ||
| --- | ||
| ... | ||
function test1() return 'success' end | ||
| --- | ||
| ... | ||
|
||
conns = {} | ||
| --- | ||
| ... | ||
for i = 1, 10 do \ | ||
local c \ | ||
if i % 2 == 0 then \ | ||
c = netbox.connect( \ | ||
box.cfg.listen, {user = 'test_user', password = '1'}) \ | ||
else \ | ||
c = netbox.connect(box.cfg.listen) \ | ||
end \ | ||
local ok, err = pcall(c.call, c, 'test1') \ | ||
assert(not ok and err.code == box.error.ACCESS_DENIED) \ | ||
table.insert(conns, c) \ | ||
end | ||
| --- | ||
| ... | ||
|
||
box.schema.user.grant('test_user', 'execute', 'universe') | ||
| --- | ||
| ... | ||
box.schema.user.grant('guest', 'execute', 'universe') | ||
| --- | ||
| ... | ||
-- Succeeds without a reconnect. | ||
for _, c in pairs(conns) do \ | ||
assert(c:call('test1') == 'success') \ | ||
c:close() \ | ||
end | ||
| --- | ||
| ... | ||
|
||
box.schema.user.revoke('guest', 'execute', 'universe') | ||
| --- | ||
| ... | ||
box.schema.user.drop('test_user') | ||
| --- | ||
| ... |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
netbox = require('net.box') | ||
-- | ||
-- gh-2763: when credentials of a user are updated, it should be | ||
-- reflected in all his sessions and objects. | ||
-- | ||
|
||
box.schema.user.create('test_user', {password = '1'}) | ||
function test1() return 'success' end | ||
|
||
conns = {} | ||
for i = 1, 10 do \ | ||
local c \ | ||
if i % 2 == 0 then \ | ||
c = netbox.connect( \ | ||
box.cfg.listen, {user = 'test_user', password = '1'}) \ | ||
else \ | ||
c = netbox.connect(box.cfg.listen) \ | ||
end \ | ||
local ok, err = pcall(c.call, c, 'test1') \ | ||
assert(not ok and err.code == box.error.ACCESS_DENIED) \ | ||
table.insert(conns, c) \ | ||
end | ||
|
||
box.schema.user.grant('test_user', 'execute', 'universe') | ||
box.schema.user.grant('guest', 'execute', 'universe') | ||
-- Succeeds without a reconnect. | ||
for _, c in pairs(conns) do \ | ||
assert(c:call('test1') == 'success') \ | ||
c:close() \ | ||
end | ||
|
||
box.schema.user.revoke('guest', 'execute', 'universe') | ||
box.schema.user.drop('test_user') |