Grant 'execute' for a space object does not have an effect #9277

Lord-KA · 2023-10-19T09:55:03Z

Now 'execute' permission for space objects can be granted to a user or role with the following command:

box.schema.user.grant('myuser', 'execute', 'space')

It doesn't seem to have any effect nor meaning.

locker · 2023-10-20T07:37:42Z

According to the comment in schema.lua, this is a legacy bug, which should have been fixed in 2.0:

tarantool/src/box/lua/schema.lua

Lines 2938 to 2941 in 26d508d

    
           -- sic: we allow to grant 'execute' on space. This is a legacy 
        
           -- bug, please fix it in 2.0 
        
               ["space"]    = bit.bxor(box.priv.ALL, box.priv.S, 
        
                                       box.priv.REVOKE, box.priv.GRANT),

@Totktonada Do you think we need a compat option for this change?

Totktonada · 2023-10-20T08:41:45Z

@locker I guess that it is possible that read,write,execute on a space works as read,write now and it means that there is a positive scenario. So, it seems, that the compat option may be useful to run some existing code.

@TarantoolBot

Closes tarantool#9277 @TarantoolBot document Title: Document `box_space_execute_priv` compatibility option Historically, it was possible to grant the `execte` privilege on a space although this action had no effect. Since Tarantool 3.0 it isn't allowed anymore. The new `compat` module option `box_space_execute_priv` was added to revert to the old behavior. Example: ``` tarantool> box.cfg{log_level = 'error'} --- ... tarantool> box.schema.user.create('alice') --- ... tarantool> box.schema.user.grant('alice', 'execute', 'space') --- - error: Unsupported space privilege 'execute' ... tarantool> require('compat').box_space_execute_priv = 'old' --- ... tarantool> box.schema.user.grant('alice', 'execute', 'space') --- ... ```

@TarantoolBot

Closes tarantool#9277 @TarantoolBot document Title: Document `box_space_execute_priv` compatibility option Historically, it was possible to grant the `execte` privilege on a space although this action had no effect. Since Tarantool 3.0 it isn't allowed anymore. The new `compat` module option `box_space_execute_priv` was added to revert to the old behavior. Please create a documentation page for the new compatibility option at https://tarantool.io/compat/box_space_execute_priv Example: ``` tarantool> box.cfg{log_level = 'error'} --- ... tarantool> box.schema.user.create('alice') --- ... tarantool> box.schema.user.grant('alice', 'execute', 'space') --- - error: Unsupported space privilege 'execute' ... tarantool> require('compat').box_space_execute_priv = 'old' --- ... tarantool> box.schema.user.grant('alice', 'execute', 'space') --- ... ```

@TarantoolBot

Closes tarantool#9277 @TarantoolBot document Title: Document `box_space_execute_priv` compatibility option Historically, it was possible to grant the `execte` privilege on a space although this action had no effect. Since Tarantool 3.0 it isn't allowed anymore. The new `compat` module option `box_space_execute_priv` was added to revert to the old behavior. Please create a documentation page for the new compatibility option at https://tarantool.io/compat/box_space_execute_priv Example: ``` tarantool> box.cfg{log_level = 'error'} --- ... tarantool> box.schema.user.create('alice') --- ... tarantool> box.schema.user.grant('alice', 'execute', 'space') --- - error: Unsupported space privilege 'execute' ... tarantool> require('compat').box_space_execute_priv = 'old' --- ... tarantool> box.schema.user.grant('alice', 'execute', 'space') --- ... ```

@TarantoolBot

Closes #9277 @TarantoolBot document Title: Document `box_space_execute_priv` compatibility option Historically, it was possible to grant the `execte` privilege on a space although this action had no effect. Since Tarantool 3.0 it isn't allowed anymore. The new `compat` module option `box_space_execute_priv` was added to revert to the old behavior. Please create a documentation page for the new compatibility option at https://tarantool.io/compat/box_space_execute_priv Example: ``` tarantool> box.cfg{log_level = 'error'} --- ... tarantool> box.schema.user.create('alice') --- ... tarantool> box.schema.user.grant('alice', 'execute', 'space') --- - error: Unsupported space privilege 'execute' ... tarantool> require('compat').box_space_execute_priv = 'old' --- ... tarantool> box.schema.user.grant('alice', 'execute', 'space') --- ... ```

Lord-KA added the bug Something isn't working label Oct 19, 2023

locker added the 3.0 Target is 3.0 and all newer release/master branches label Oct 23, 2023

locker self-assigned this Oct 23, 2023

locker mentioned this issue Oct 24, 2023

box: disallow granting execute privilege on space #9293

Merged

locker closed this as completed in #9293 Oct 26, 2023

sergepetrenko added the tmp label Feb 13, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Grant 'execute' for a space object does not have an effect #9277

Grant 'execute' for a space object does not have an effect #9277

Lord-KA commented Oct 19, 2023

locker commented Oct 20, 2023

Totktonada commented Oct 20, 2023

Grant 'execute' for a space object does not have an effect #9277

Grant 'execute' for a space object does not have an effect #9277

Comments

Lord-KA commented Oct 19, 2023

locker commented Oct 20, 2023

Totktonada commented Oct 20, 2023