Commit
replication: don't drop admin super privileges
The admin user has universal privileges before bootstrap or recovery are done. That allows to, for example, bootstrap from a remote master, because to do that the admin should be able to insert into system spaces, such as _priv.

But after the patch on online credentials update was implemented (#2763, 48d00b0) the admin could lose its universal access if, for example, a role was granted to him before universal access was recovered. That happened for two reasons:

- Any change in access rights, even in granted roles, led to rebuild of universal access;
- Any change in access rights updated the universal access in all existing sessions, thanks to #2763.

What happened: two tarantools were started. One of them master, granted 'replication' role to admin. Second node, slave, tried to bootstrap from the master. The slave created an admin session and started loading data. After it loaded 'grant replication role to admin' command, this nullified admin universal access everywhere, including this session. Next rows could not be applied.

Closes #4606
Showing 5 changed files with 112 additions and 23 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
-- test-run result file version 2 | ||
test_run = require('test_run').new() | ||
| --- | ||
| ... | ||
-- | ||
-- gh-4606: the admin user has universal privileges before | ||
-- bootstrap or recovery are done. That allows to, for example, | ||
-- bootstrap from a remote master, because to do that the admin | ||
-- should be able to insert into system spaces, such as _priv. | ||
-- | ||
-- But the admin could lost its universal access if, for | ||
-- example, a role was granted to him before universal access was | ||
-- recovered. Because any change in access rights, even in granted | ||
-- roles, led to rebuild of universal access. | ||
-- | ||
box.schema.user.passwd('admin', '111') | ||
| --- | ||
| ... | ||
box.schema.user.grant('admin', 'replication') | ||
| --- | ||
| ... | ||
test_run:cmd("create server replica_auth with rpl_master=default, script='replication/replica_auth.lua'") | ||
| --- | ||
| - true | ||
| ... | ||
test_run:cmd("start server replica_auth with args='admin:111 0.1'") | ||
| --- | ||
| - true | ||
| ... | ||
test_run:switch('replica_auth') | ||
| --- | ||
| - true | ||
| ... | ||
i = box.info | ||
| --- | ||
| ... | ||
i.replication[(i.id + 1) % 2].upstream.status == 'follow' or i | ||
| --- | ||
| - true | ||
| ... | ||
test_run:switch('default') | ||
| --- | ||
| - true | ||
| ... | ||
test_run:cmd("stop server replica_auth") | ||
| --- | ||
| - true | ||
| ... | ||
test_run:cmd("cleanup server replica_auth") | ||
| --- | ||
| - true | ||
| ... | ||
test_run:cmd("delete server replica_auth") | ||
| --- | ||
| - true | ||
| ... | ||
|
||
box.schema.user.passwd('admin', '') | ||
| --- | ||
| ... | ||
box.schema.user.revoke('admin', 'replication') | ||
| --- | ||
| ... |
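
Review bot: the expected `- true` recorded for `i.replication[(i.id + 1) % 2].upstream.status == 'follow' or i` only matches if the replica has already reached 'follow' at the instant that line is evaluated, right after `test_run:switch('replica_auth')`. If the upstream is still in an earlier state, the `or i` fallback prints the whole `box.info` table into the output, which will never match this result file and makes the failure hard to read. Consider polling until the upstream status is 'follow' (for example with `test_run:wait_cond`) before asserting, so the recorded result is stable and a real regression shows up as a timeout rather than a dump.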
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
test_run = require('test_run').new() | ||
-- | ||
-- gh-4606: the admin user has universal privileges before | ||
-- bootstrap or recovery are done. That allows to, for example, | ||
-- bootstrap from a remote master, because to do that the admin | ||
-- should be able to insert into system spaces, such as _priv. | ||
-- | ||
-- But the admin could lost its universal access if, for | ||
-- example, a role was granted to him before universal access was | ||
-- recovered. Because any change in access rights, even in granted | ||
-- roles, led to rebuild of universal access. | ||
-- | ||
box.schema.user.passwd('admin', '111') | ||
box.schema.user.grant('admin', 'replication') | ||
test_run:cmd("create server replica_auth with rpl_master=default, script='replication/replica_auth.lua'") | ||
test_run:cmd("start server replica_auth with args='admin:111 0.1'") | ||
test_run:switch('replica_auth') | ||
i = box.info | ||
i.replication[(i.id + 1) % 2].upstream.status == 'follow' or i | ||
test_run:switch('default') | ||
test_run:cmd("stop server replica_auth") | ||
test_run:cmd("cleanup server replica_auth") | ||
test_run:cmd("delete server replica_auth") | ||
|
||
box.schema.user.passwd('admin', '') | ||
box.schema.user.revoke('admin', 'replication') |
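
Review bot: the index in `i.replication[(i.id + 1) % 2]` evaluates to 1 only when the replica's own id is even; for an odd id it is 0, `i.replication[0]` is nil, and the `.upstream` access raises an error before the `or i` fallback can help. If the intent is "the entry for the master", index it directly or look it up by the master's id rather than relying on this arithmetic. Minor: the header comment reads "the admin could lost its universal access", which should be "could lose". It would also help to say in the comment that reaching 'follow' is the evidence that admin kept universal access while applying the 'grant replication' row, since the test has no explicit privilege check.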