config: rework privilege revocation #9852
Merged
+449
−603
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
397dc48 to
d84f629
Compare
d84f629 to
412a889
Compare
Totktonada
reviewed
Mar 21, 2024
Totktonada
reviewed
Mar 21, 2024
|
The patchset looks OK on a brief glance. I'll return here back a bit later to look into the credentials applier test changes deeper. |
xuniq
approved these changes
Mar 22, 2024
412a889 to
184089f
Compare
Totktonada
reviewed
Mar 22, 2024
Totktonada
reviewed
Mar 22, 2024
Totktonada
approved these changes
Mar 22, 2024
There was a problem hiding this comment.
Thank you for this effort!
I have a few nits (see above), but the patchset is OK for me.
I would like to hear @Lord-KA's feedback before push.
184089f to
7940cf7
Compare
Lord-KA
reviewed
Mar 22, 2024
Lord-KA
reviewed
Mar 22, 2024
7940cf7 to
dbdc145
Compare
dbdc145 to
36f120f
Compare
Lord-KA
approved these changes
Mar 22, 2024
Currently, if we try to run Tarantool 3.0 with config using old snapshot, we may get a SCHEMA_NEEDS_UPGRADE error because granting and revoking privileges are DDL operations. This leads to a situation where loading Tarantool to perform an upgrade becomes quite problematic. To avoid the issue, this patch causes 'credentials.lua' to issue a warning instead of an error in case of the SCHEMA_NEEDS_UPGRADE error during granting and revoking privileges. Note that it was still possible to startup and perform the upgrade by removing the 'credentials' section from the config or without using config. This is only a part of the solution, the issue will be fixed in tarantool#9849. Part of tarantool#9849 Needed for tarantool#9643 NO_DOC=will be added later NO_CHANGELOG=will be added later
8875c82 to
8937227
Compare
Closes tarantool#9643 @TarantoolBot document Title: config: changes in `credentials` section Now the privileges that were not granted by the configuration, as well as privileges that were not granted solely by the configuration, are not revoked on reload. Privileges that have been granted only by the config module will still be revoked if they are removed from the `credentials` section on reload.
8937227 to
6634833
Compare
ochaplashkin
approved these changes
Mar 25, 2024
|
Backported to |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #9643
@TarantoolBot document
Title: config: changes in
credentialssectionNow the privileges that were not granted by the configuration, as well as privileges that were not granted solely by the configuration, are not revoked on reload. Privileges only granted by the config module will still be revoked if they are removed from the
credentialssection on reload.