replication: don't drop admin super privileges

The admin user has universal privileges before bootstrap or recovery are done. That allows to, for example, bootstrap from a remote master, because to do that the admin should be able to insert into system spaces, such as _priv. But after the patch on online credentials update was implemented (#2763, 48d00b0) the admin could loose its universal access if, for example, a role was granted to him before universal access was recovered. That happened by two reasons: - Any change in access rights, even in granted roles, led to rebuild of universal access; - Any change in access rights updated the universal access in all existing sessions, thanks to #2763. What happened: two tarantools were started. One of them master, granted 'replication' role to admin. Second node, slave, tried to bootstrap from the master. The slave created an admin session and started loading data. After it loaded 'grant replication role to admin' command, this nullified admin universal access everywhere, including this session. Next rows could not be applied. Closes #4606 (cherry picked from commit 95237ac)
tarantool · Nov 12, 2019 · b62c111 · b62c111
1 parent ed0f36a
commit b62c111
Show file tree

Hide file tree

Showing 5 changed files with 112 additions and 23 deletions.
diff --git a/src/box/session.cc b/src/box/session.cc
@@ -172,11 +172,6 @@ session_create_on_demand()
 	/* Add a trigger to destroy session on fiber stop */
 	trigger_add(&fiber()->on_stop, &s->fiber_on_stop);
 	credentials_reset(&s->credentials, admin_user);
-	/*
-	 * At bootstrap, admin user access is not loaded yet (is
-	 * 0), force global access. @sa comment in session_init()
-	 */
-	s->credentials.universal_access = ~(user_access_t) 0;
 	fiber_set_session(fiber(), s);
 	fiber_set_user(fiber(), &s->credentials);
 	return s;
@@ -252,24 +247,6 @@ session_init()
 		panic("out of memory");
 	mempool_create(&session_pool, &cord()->slabc, sizeof(struct session));
 	credentials_create(&admin_credentials, admin_user);
-	/*
-	 * For performance reasons, we do not always explicitly
-	 * look at user id in access checks, while still need to
-	 * ensure 'admin' user has full access to all objects in
-	 * the universe.
-	 *
-	 * This is why  _priv table contains a record with grants
-	 * of full access to universe to 'admin' user.
-	 *
-	 * Making a record in _priv table is, however,
-	 * insufficient, since some checks are done at bootstrap,
-	 * before _priv table is read (e.g. when we're
-	 * bootstrapping a replica in applier fiber).
-	 *
-	 * When session_init() is called, admin user access is not
-	 * loaded yet (is 0), force global access.
-	 */
-	admin_credentials.universal_access = ~((user_access_t) 0);
 }
 
 void

diff --git a/src/box/user.cc b/src/box/user.cc
@@ -49,6 +49,10 @@ static struct user_map user_map_nil;
 
 struct mh_i32ptr_t *user_registry;
 
+enum {
+	USER_ACCESS_FULL = (user_access_t)~0,
+};
+
 /* {{{ user_map */
 
 static inline int
@@ -545,6 +549,24 @@ user_cache_init()
 	def->type = SC_USER;
 	user = user_cache_replace(def);
 	admin_def_guard.is_active = false;
+	/*
+	 * For performance reasons, we do not always explicitly
+	 * look at user id in access checks, while still need to
+	 * ensure 'admin' user has full access to all objects in
+	 * the universe.
+	 *
+	 * This is why  _priv table contains a record with grants
+	 * of full access to universe to 'admin' user.
+	 *
+	 * Making a record in _priv table is, however,
+	 * insufficient, since some checks are done at bootstrap,
+	 * before _priv table is read (e.g. when we're
+	 * bootstrapping a replica in applier fiber).
+	 *
+	 * When user_cache_init() is called, admin user access is
+	 * not loaded yet (is 0), force global access.
+	 */
+	universe.access[ADMIN].effective = USER_ACCESS_FULL;
 	/* ADMIN is both the auth token and user id for 'admin' user. */
 	assert(user->def->uid == ADMIN && user->auth_token == ADMIN);
 }

diff --git a/test/replication/gh-4606-admin-creds.result b/test/replication/gh-4606-admin-creds.result
@@ -0,0 +1,63 @@
+-- test-run result file version 2
+test_run = require('test_run').new()
+ | ---
+ | ...
+--
+-- gh-4606: the admin user has universal privileges before
+-- bootstrap or recovery are done. That allows to, for example,
+-- bootstrap from a remote master, because to do that the admin
+-- should be able to insert into system spaces, such as _priv.
+--
+-- But the admin could lost its universal access if, for
+-- example, a role was granted to him before universal access was
+-- recovered. Because any change in access rights, even in granted
+-- roles, led to rebuild of universal access.
+--
+box.schema.user.passwd('admin', '111')
+ | ---
+ | ...
+box.schema.user.grant('admin', 'replication')
+ | ---
+ | ...
+test_run:cmd("create server replica_auth with rpl_master=default, script='replication/replica_auth.lua'")
+ | ---
+ | - true
+ | ...
+test_run:cmd("start server replica_auth with args='admin:111 0.1'")
+ | ---
+ | - true
+ | ...
+test_run:switch('replica_auth')
+ | ---
+ | - true
+ | ...
+i = box.info
+ | ---
+ | ...
+i.replication[i.id % 2 + 1].upstream.status == 'follow' or i
+ | ---
+ | - true
+ | ...
+test_run:switch('default')
+ | ---
+ | - true
+ | ...
+test_run:cmd("stop server replica_auth")
+ | ---
+ | - true
+ | ...
+test_run:cmd("cleanup server replica_auth")
+ | ---
+ | - true
+ | ...
+test_run:cmd("delete server replica_auth")
+ | ---
+ | - true
+ | ...
+
+box.schema.user.passwd('admin', '')
+ | ---
+ | ...
+box.schema.user.revoke('admin', 'replication')
+ | ---
+ | ...
diff --git a/test/replication/gh-4606-admin-creds.test.lua b/test/replication/gh-4606-admin-creds.test.lua
@@ -0,0 +1,26 @@
+test_run = require('test_run').new()
+--
+-- gh-4606: the admin user has universal privileges before
+-- bootstrap or recovery are done. That allows to, for example,
+-- bootstrap from a remote master, because to do that the admin
+-- should be able to insert into system spaces, such as _priv.
+--
+-- But the admin could lost its universal access if, for
+-- example, a role was granted to him before universal access was
+-- recovered. Because any change in access rights, even in granted
+-- roles, led to rebuild of universal access.
+--
+box.schema.user.passwd('admin', '111')
+box.schema.user.grant('admin', 'replication')
+test_run:cmd("create server replica_auth with rpl_master=default, script='replication/replica_auth.lua'")
+test_run:cmd("start server replica_auth with args='admin:111 0.1'")
+test_run:switch('replica_auth')
+i = box.info
+i.replication[i.id % 2 + 1].upstream.status == 'follow' or i
+test_run:switch('default')
+test_run:cmd("stop server replica_auth")
+test_run:cmd("cleanup server replica_auth")
+test_run:cmd("delete server replica_auth")
+
+box.schema.user.passwd('admin', '')
+box.schema.user.revoke('admin', 'replication')
diff --git a/test/replication/suite.cfg b/test/replication/suite.cfg
@@ -10,6 +10,7 @@
     "force_recovery.test.lua": {},
     "on_schema_init.test.lua": {},
     "long_row_timeout.test.lua": {},
+    "gh-4606-admin-creds.test.lua": {},
     "*": {
         "memtx": {"engine": "memtx"},
         "vinyl": {"engine": "vinyl"}