config: allow to grant access to specific functions using lua_call
#10304
mandesero added a commit to mandesero/tarantool that referenced this issue Jul 29, 2024

This patch adds the capability to grant access to specific Lua functions in the declarative configuration. You can now grant access by assigning the function name to `credentials.users.<user>.privileges.lua_call`. For example, setting `credentials.users.alice.privileges.lua_call = ['foo']` allows user 'alice' to execute the `foo` function.

Closes tarantool#10304

NO_DOC=yet
mandesero added a commit to mandesero/tarantool that referenced this issue Jul 30, 2024

This patch adds the capability to grant access to specific Lua functions in the declarative configuration. You can now grant access by assigning the function name to `credentials.users.<user>.privileges.lua_call`. For example, setting `credentials.users.alice.privileges.lua_call = ['foo']` allows user 'alice' to execute the `foo` function.

Closes tarantool#10304

NO_DOC=yet
mandesero added a commit to mandesero/tarantool that referenced this issue Jul 30, 2024

This patch adds the capability to grant access to specific Lua functions in the declarative configuration. You can now grant access by assigning the function name to `credentials.users.<user>.privileges.lua_call`. For example, setting `credentials.users.alice.privileges.lua_call = ['foo']` allows user 'alice' to execute the `foo` function.

Closes tarantool#10304

@TarantoolBot document
Title: Grant access to specific functions using lua_call
Root document: https://www.tarantool.io/ru/doc/latest/book/admin/access_control

object-types:
- `lua_call`: A list of permitted global user-defined Lua functions that can be called.

object-types-and-permissions:
- `lua_call`: `execute`

This field specifies a list of allowed global user-defined Lua functions that can be executed using the IPROTO_CALL request. This permission doesn’t allow a user to call built-in Lua functions (for example, `loadstring()` or `box.session.su()`) and functions defined in the `_func` system space.
mandesero added a commit to mandesero/tarantool that referenced this issue Jul 30, 2024

This patch adds the capability to grant access to specific Lua functions in the declarative configuration. You can now grant access by assigning the function name to `credentials.users.<user>.privileges.lua_call`. For example, setting `credentials.users.alice.privileges.lua_call = ['foo']` allows user 'alice' to execute the `foo` function.

Closes tarantool#10304

@TarantoolBot document
Title: Grant access to specific functions using lua_call
Root document: https://www.tarantool.io/en/doc/latest/book/admin/access_control

object-types:
- `lua_call`: A list of permitted global user-defined Lua functions that can be called.

object-types-and-permissions:
- `lua_call`: `execute`

This field specifies a list of allowed global user-defined Lua functions that can be executed using the IPROTO_CALL request. This permission doesn’t allow a user to call built-in Lua functions (for example, `loadstring()` or `box.session.su()`) and functions defined in the `_func` system space.
mandesero added a commit to mandesero/tarantool that referenced this issue Aug 5, 2024

This patch adds the capability to grant access to specific Lua functions in the declarative configuration. You can now grant access by assigning the function name to `credentials.users.<user>.privileges.lua_call`. For example, setting `credentials.users.alice.privileges.lua_call = ['foo']` allows user 'alice' to execute the `foo` function.

Closes tarantool#10304

@TarantoolBot document
Title: Grant access to specific functions using lua_call
Root document: https://www.tarantool.io/en/doc/latest/book/admin/access_control

object-types:
- `lua_call`: A list of permitted global user-defined Lua functions that can be called.

object-types-and-permissions:
- `lua_call`: `execute`

This field specifies a list of allowed global user-defined Lua functions that can be executed using the IPROTO_CALL request. This permission doesn’t allow a user to call built-in Lua functions (for example, `loadstring()` or `box.session.su()`) and functions defined in the `_func` system space.
mandesero added a commit to mandesero/tarantool that referenced this issue Aug 5, 2024

This patch adds the capability to grant access to specific Lua functions in the declarative configuration. You can now grant access by assigning the function name to `credentials.users.<user>.privileges.lua_call`. For example, setting `credentials.users.alice.privileges.lua_call = ['foo']` allows user 'alice' to execute the `foo` function.

Closes tarantool#10304
mandesero added a commit to mandesero/tarantool that referenced this issue Aug 6, 2024

This patch adds the capability to grant access to specific Lua functions in the declarative configuration. You can now grant access by assigning the function name to `credentials.users.<user>.privileges.lua_call`.

Closes tarantool#10304

@TarantoolBot document
Title: Document lua_call feature
Root document: https://www.tarantool.io/en/doc/latest/reference/configuration/configuration_reference/

`<user_or_role_name>.privileges.lua_call`: Defines the Lua functions that the specified user or a user with the specified role has permission to call. This field accepts a special value, `all`, which grants the privilege to use any global non-built-in Lua functions.

For example, setting `credentials.users.alice.privileges.lua_call = ['foo']` allows the user alice to execute the foo function.
mandesero added a commit to mandesero/tarantool that referenced this issue Aug 8, 2024

This patch adds the capability to grant access to specific Lua functions in the declarative configuration. You can now grant access by assigning the function name to `credentials.users.<user>.privileges.lua_call`.

Closes tarantool#10304

@TarantoolBot document
Title: Document lua_call feature
Root document: https://www.tarantool.io/en/doc/latest/reference/configuration/configuration_reference/

`<user_or_role_name>.privileges.lua_call`: Defines the Lua functions that the specified user or a user with the specified role has permission to call. This field accepts a special value, `all`, which grants the privilege to use any global non-built-in Lua functions.

For example, setting `credentials.users.alice.privileges.lua_call = ['foo']` allows the user alice to execute the foo function.
mandesero added a commit to mandesero/tarantool that referenced this issue Aug 9, 2024

no commit message yet

[WIP]: This task depends on
- tarantool#10304 (PR tarantool#10324)
- tarantool#10306 (PR tarantool#10358)
and uses commits from these PRs.

Closes tarantool#10310

NO_DOC=yet
NO_CHANGELOG=yet
mandesero added a commit to mandesero/tarantool that referenced this issue Aug 13, 2024

This patch adds the capability to grant access to specific Lua functions in the declarative configuration. You can now grant access by assigning the function name to `credentials.users.<user>.privileges.lua_call`.

Closes tarantool#10304

@TarantoolBot document
Title: Document lua_call feature
Root document: https://www.tarantool.io/en/doc/latest/reference/configuration/configuration_reference/

`<user_or_role_name>.privileges.lua_call`: Defines the Lua functions that the specified user or a user with the specified role has permission to call. This field accepts a special value, `all`, which grants the privilege to use any global non-built-in Lua functions.

For example, setting `credentials.users.alice.privileges.lua_call = ['foo']` allows the user alice to execute the foo function.
Totktonada pushed a commit to mandesero/tarantool that referenced this issue Aug 19, 2024

This patch adds the capability to grant access to specific Lua functions in the declarative configuration. You can now grant access by assigning the function name to `credentials.users.<user>.privileges.lua_call`.

Closes tarantool#10304

@TarantoolBot document
Title: Document lua_call feature
Root document: https://www.tarantool.io/en/doc/latest/reference/configuration/configuration_reference/

`<user_or_role_name>.privileges.lua_call`: Defines the Lua functions that the specified user or a user with the specified role has permission to call. This field accepts a special value, `all`, which grants the privilege to use any global non-built-in Lua functions.

For example, setting `credentials.users.alice.privileges.lua_call = ['foo']` allows the user alice to execute the foo function.
The declarative configuration allows granting access to all global Lua functions (except built-in ones).

An excerpt from the instance config schema:

tarantool/src/box/lua/config/instance_config.lua
Lines 1572 to 1576 in c68e8a8

It is a rough equivalent of the following `box.schema.{user,role}.grant()` call:

`box.schema.{user,role}.grant()` allows granting access to a particular global Lua function using `lua_call` since the 3.0.0 release (see #9360):

We should support it in the declarative configuration too.
An example of such configuration:
Part of TNTP-201.
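
The narrow grant this issue asks for, set beside the existing broad `all` grant, as an added example that is not taken from the issue or from the Tarantool sources. The user `alice` and function `foo` follow the commit messages; the user names `bob` and `carol`, the role name `foo_caller`, and the layout of each `privileges` entry (a list item pairing `permissions` with `lua_call`) are assumptions based on the Tarantool 3.x declarative configuration.

```yaml
credentials:
  roles:
    # Hypothetical role: the same narrow grant, reusable across users
    # (`<user_or_role_name>.privileges.lua_call` applies to roles too).
    foo_caller:
      privileges:
      - permissions: [execute]
        lua_call: [foo]
  users:
    # Broad grant: bob may call any global user-defined Lua function
    # through an IPROTO_CALL request. Built-in functions such as
    # loadstring() or box.session.su() are not covered by this permission.
    bob:
      privileges:
      - permissions: [execute]
        lua_call: [all]
    # Narrow grant: alice may call only the global function `foo`.
    alice:
      privileges:
      - permissions: [execute]
        lua_call: [foo]
    # carol receives the narrow grant through the role instead of a
    # per-user privilege entry.
    carol:
      roles: [foo_caller]
```

When reviewing such a config for least privilege, `lua_call: [all]` is the entry to look for: every global user-defined function added later becomes callable by that user without any change to the credentials section.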