config: revoke privs for default users and roles

Lord-KA · Lord-KA · commit 7cce95d73d45 · 2023-09-04T17:31:24.000Z
All user-defined users and roles are not being removed and their privileges are not being revoked when this user or role is removed from config. This is done to prevent extreme repercussions of misconfiguration, e.g. empty config is provided to cluster and it breaks up. Default users and roles are not supposed to be changed, so this rule does not apply to them. Now all of non-default privileges will be revoked if such user or role is removed from config. Default users: * guest * admin Default roles: * super * public * replication Part of tarantool#8967 NO_DOC=tarantool/doc#3544 links the most actual schema, no need to update the issue.
diff --git a/changelogs/unreleased/gh-8967-creds-restore-defaults-for-default-user.md b/changelogs/unreleased/gh-8967-creds-restore-defaults-for-default-user.md
@@ -0,0 +1,4 @@
+## feature/config
+
+* Implemented revoking of non-default privileges for default
+  users and roles (gh-8967).
diff --git a/src/box/lua/config/applier/credentials.lua b/src/box/lua/config/applier/credentials.lua
@@ -493,6 +493,28 @@ local function apply(config)
         return
     end
 
+    -- Now the credentials config should be enriched with empty configs
+    -- for roles and users that are present by default on every instance:
+    -- - - super
+    --   - public
+    --   - replication
+    -- - - guest
+    --   - admin
+    --
+    -- It is done to revoke all non-default privileges for this roles and
+    -- users if they are not present in config. Otherwise, the privileges
+    -- will be synced as usual.
+
+    credentials.roles = credentials.roles or {}
+    credentials.roles['super'] = credentials.roles['super'] or {}
+    credentials.roles['public'] = credentials.roles['public'] or {}
+    credentials.roles['replication'] = credentials.roles['replication'] or {}
+
+    credentials.users = credentials.users or {}
+    credentials.users['guest'] = credentials.users['guest'] or {}
+    credentials.users['admin'] = credentials.users['admin'] or {}
+
+    -- Create roles and users and synchronise privileges for them.
     create_roles(credentials.roles)
     create_users(credentials.users)
 end
diff --git a/test/config-luatest/credentials_applier_test.lua b/test/config-luatest/credentials_applier_test.lua
@@ -636,3 +636,94 @@ g.test_remove_user_role = function(g)
         verify_2 = verify,
     })
 end
+
+g.test_restore_defaults_for_default_user = function(g)
+    -- Verify that if the default users and roles are not present in config
+    -- their excessive privileges are revoked (restored to built-in defaults).
+
+    helpers.reload_success_case(g, {
+        options = {
+            credentials = {
+                roles = {
+                    dummy = { },
+                    super = {
+                        roles = { 'dummy' },
+                    },
+                    public = {
+                        roles = { 'dummy' },
+                    },
+                    replication = {
+                        roles = { 'dummy' },
+                    },
+                },
+                users = {
+                    guest = {
+                        roles = { 'super', 'dummy' }
+                    },
+                    admin = {
+                        roles = { 'dummy' }
+                    },
+                }
+            }
+        },
+        verify = function()
+            local internal =
+                    require('internal.config.applier.credentials')._internal
+
+            local default_identities = {{
+                'user', 'admin',
+            }, {
+                'user', 'guest',
+            }, {
+                'role', 'super',
+            }, {
+                'role', 'public',
+            }, {
+                'role', 'replication',
+            },}
+
+            for _, id in ipairs(default_identities) do
+                local user_or_role, name = unpack(id)
+
+                local perm = box.schema[user_or_role].info(name)
+                perm = internal.privileges_from_box(perm)
+
+                t.assert_equals(perm['role']['dummy'], {execute = true})
+            end
+        end,
+        options_2 = {
+            credentials = {
+                users = {
+                    guest = {
+                        roles = { 'super' }
+                    }
+                }
+            }
+        },
+        verify_2 = function()
+            local internal =
+                    require('internal.config.applier.credentials')._internal
+
+            local default_identities = {{
+                'user', 'admin',
+            }, {
+                'user', 'guest',
+            }, {
+                'role', 'super',
+            }, {
+                'role', 'public',
+            }, {
+                'role', 'replication',
+            },}
+
+            for _, id in ipairs(default_identities) do
+                local user_or_role, name = unpack(id)
+
+                local perm = box.schema[user_or_role].info(name)
+                perm = internal.privileges_from_box(perm)
+
+                t.assert_not_equals(perm['role']['dummy'], {execute = true})
+            end
+        end,
+    })
+end
