Document lua_call feature #4462

Closed
Tracked by #4505
TarantoolBot opened this issue Aug 19, 2024 · 1 comment · Fixed by #4648


TarantoolBot commented Aug 19, 2024

Product: Tarantool
Since: 3.2
Root document:

SME: @mandesero @Totktonada

Details

To be done together with before #4552.

Target release: 3.2.0.

<user_or_role_name>.privileges.lua_call:

Defines the Lua functions that the specified user or a user with the
specified role has permission to call. This field accepts a special
value, all, which grants the privilege to use any global non-built-in
Lua functions.

For example, setting
`credentials.users.alice.privileges.lua_call = ['foo']`
allows the user alice to execute the foo function.

Requested by @mandesero in tarantool/tarantool@e7c7b24 (issue, pull request).


Totktonada commented Sep 25, 2024

Taking into account #4552 it is especially important to rewrite the example of granting a privilege to call failover.execute to lua_call, because this way it is possible to switch from tarantool 2.x directly to tarantool 3.x with the failover coordinator (the non-upgraded schema doesn't prevent us from giving the privilege and so the coordinator is able to assign a leader).

The example now is the following:

```yaml
credentials:
  users:
    replicator:
      password: 'topsecret'
      roles: [ replication ]
      privileges:
      - permissions: [ execute ]
        functions: [ 'failover.execute' ]
```

Plus a role with box.schema.func.create('failover.execute', {<...>}).

Now, the configuration is the following:

```yaml
credentials:
  users:
    replicator:
      password: 'topsecret'
      roles: [ replication ]
      privileges:
      - permissions: [ execute ]
        lua_call: [ 'failover.execute' ] # !! changed
```

And the role is not needed.

It works on 3.2+.

It works if all the instances are RO on 3.3+, which allows a seamless upgrade from 2.x on 3.3+.

@p7nov p7nov added the access Related with the granting of rights, the access label Sep 27, 2024
@p7nov p7nov self-assigned this Nov 21, 2024
@p7nov p7nov closed this as completed in cef17a0 Nov 26, 2024
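
An added example, not part of the issue thread or Tarantool's own code: a Python check that, for each user in an already parsed `credentials` section, resolves the functions granted through `lua_call` (directly and through roles) and flags the special value `all`. The sample config, the `ops` and `oncall` roles, and the helper names `_collect` and `audit_lua_call` are constructed for illustration.

```python
# Added example: report which Lua functions each user may call via lua_call.
# SAMPLE_CONFIG is constructed; it mirrors a credentials section after YAML parsing.
SAMPLE_CONFIG = {
    "credentials": {
        "roles": {
            # Hypothetical roles: "ops" holds the wildcard, "oncall" inherits it.
            "ops": {"privileges": [{"permissions": ["execute"], "lua_call": ["all"]}]},
            "oncall": {"roles": ["ops"]},
        },
        "users": {
            "replicator": {
                "roles": ["replication"],  # built-in role, not defined in the config
                "privileges": [
                    {"permissions": ["execute"], "lua_call": ["failover.execute"]}
                ],
            },
            "alice": {"roles": ["oncall"]},  # hypothetical user
        },
    }
}


def _collect(creds, principal, seen):
    """Gather lua_call names from a user or role entry and the roles it inherits."""
    names = set()
    # Conservative: every lua_call entry is counted, whatever its permissions list.
    for priv in principal.get("privileges") or []:
        names.update(priv.get("lua_call") or [])
    for role in principal.get("roles") or []:
        if role in seen:  # guard against role cycles
            continue
        seen.add(role)
        # Roles without an entry in credentials.roles (built-ins) are skipped.
        role_def = (creds.get("roles") or {}).get(role)
        if role_def:
            names |= _collect(creds, role_def, seen)
    return names


def audit_lua_call(config):
    """Return {user: {"functions": sorted names, "wildcard": bool}}."""
    creds = config.get("credentials") or {}
    report = {}
    for user, entry in (creds.get("users") or {}).items():
        names = _collect(creds, entry or {}, set())
        report[user] = {"functions": sorted(names), "wildcard": "all" in names}
    return report


if __name__ == "__main__":
    for user, info in audit_lua_call(SAMPLE_CONFIG).items():
        print(user, info)
```

A user reported with `wildcard: True` can call any global non-built-in Lua function, so such grants are the ones to review first.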