Rework the Access control topic

[andreyaksenov]

Reworked the Access control topic:

• Rewrote the part about Access Control concepts. Now concepts and how-to instructions are documented separately.
• Added testable samples that show how to work with users and roles.
• Added a separate how-to section that shows how to grant privileges for specific object types.
• Added info from the Wiki page about combinations of different object types and privileges. Note that some low-level details might be missing in the updated topic.
• Included new samples to reference:
  • https://docs.d.tarantool.io/en/doc/config-credentials/reference/reference_lua/box_schema/user_create/
  • ...
  • https://docs.d.tarantool.io/en/doc/config-credentials/reference/reference_lua/box_schema/user_create/
  • https://docs.d.tarantool.io/en/doc/config-credentials/reference/reference_lua/box_space/_user/

Next step: #4035.

[Lord-KA]

Thank you for the patchset! Now access control documentation looks much better overall. See my minor comments below

[Lord-KA]

Nit:

assigned to the user

(We are talking about 'testuser' here, or some other specific user that has this grant)

[Lord-KA]

Maybe note here, that 'public' is granted to all users on creation?
(I know, that this is stated in the Roles section, but it could be helpful in describing a users privileges too)

[andreyaksenov]

assigned to the user

Exactly! Thanks for the catch

[andreyaksenov]

Maybe note here, that 'public' is granted to all users on creation?
(I know, that this is stated in the Roles section, but it could be helpful in describing a users privileges too)

I'd keep it as is because it is a how-to section and maintaining such info in several places might be hard if some privileges/roles change for the default user.

[Lord-KA]

Exactly! Thanks for the catch

It seems like there is the same issue in other bullet-points below

[andreyaksenov]

It seems like there is the same issue in other bullet-points below

Thanks, fixed

[p7nov]

Please see my comments

[p7nov]

This definition looks too broad and vague without details.
I'd provide a more detailed explanation:

• Technically, a user we talk about is an entity in Tarantool, not a person or external program.
• But it corresponds (== can be used by) either to a person, or to a program, enabling them to do something

[andreyaksenov]

I feel that identify should work better here:

A user identifies a person or program that interacts with a Tarantool instance.

And this is eliminates the need of using the entity word that might add some confusion :)

[p7nov]

I don't think that regular user is definitive enough. Maybe write a more specific example?

[p7nov]

Additionally, this example confused me: from the start, I expected this to be a person that works on data in specific spaces, but then it turned out that it's about connectors.

[andreyaksenov]

Good point. Removed information about connectors because this is a specific case. Both admin and regular user might work directly or using a connector.
Also, added info that users can get privileges from dbadmin.

[p7nov]

These users: are they people or programs? I think a deeper explanation is needed here.

[p7nov]

Let's use the code style (double backticks) for all user, role, privilege, etc. names on this page.

[p7nov]

Hyphenated user-name looks grammatically incorrect (although I get why it is used here). Let's maybe change to either user or username?

[andreyaksenov]

Hmm.. In this case we need to fix this in all reference pages related to privileges (because I just copy-pasted this from the box.schema.user.grant page).

[p7nov]

The need to grant privileges to implicitly connected system objects is really hardcore. Can we maybe find a place to explain this in general before showing these lists of calls?

[andreyaksenov]

I hope, this should be enough:

[p7nov]

Yes, but I have two concerns:

1. This text is too far from the section where this question came up. Hardly somebody will read the whole page of this size.
2. Note that some looks like some rare or specific thing. To me, this whole point seems like a general concept of the Tarantool access model. I'd explain it in a stronger and more exact wording. Just a personal opinion, you decide.

[andreyaksenov]

This text is too far from the section where this question came up. Hardly somebody will read the whole page of this size.

Will add a note after the first example to remind a reader about this concept.

[p7nov]

Let's use more self-explanatory and realistic entity names than u, i, and internal.

[andreyaksenov]

Okay :) just copy-pasted this example from old docs as is and was a bit lazy to fix this.

[p7nov]

Wouldn't this look better in a three-column table?

[andreyaksenov]

Hmm.. Thought about this but cell merging in the first column is required for better readability. Does Sphinx support this?

[p7nov]

AFAIR, no: tables in Sphinx/RST are a bit limited.

[p7nov]

Nit: most style guides recommend avoiding foo/bar anywhere in examples.

[Lord-KA]

Usually password is "secret", or something similar.

[andreyaksenov]

Usually password is "secret", or something similar.

Thanks for your suggestion. Honestly, I try not to use meaningful words as password examples in docs because they make a reader think about the word meaning. IMO, passwords should look like some gibberish, well-known weak passwords (123456), or smth like P@$$word) to allow a reader quickly scan it und understand it is a password, not smth else. Not sure I'm right here :)

[p7nov]

LGTM in general, just some more ideas and qeustion.

[p7nov]

Idea: use the words role-based access control system/model explicitly somewhere in the intro paragraph. This is a familiar term, it helps readers understand general concepts easier.

[andreyaksenov]

Privileges can be assigned directly to a user. So, role-based access control doesn't cover all possible capabilities of Tarantool access control system.

[p7nov]

Singular a space, an index, a function would be more precise, since we grant permissions per object, not for all spaces (functions) at once.

[p7nov]

Maybe A privilege for consistency with other list items?

[p7nov]

Can we say anything specific or give a usage advice about this role? The current definition gives me no idea why is it needed and how to use it...

[p7nov]

I'm still confused about the two last roles.
Are they purely internal/technical by purpose? Should a person ever use them manually or change their privileges?
I mean, if I need to administer a cluster, do I connect to an instance using these role and call some functions by hand? Or Tarantool only uses them under the hood?

[andreyaksenov]

Are they purely internal/technical by purpose?

AFAIU, yes. They are granted to corresponding service users in a cluster config.

Should a person ever use them manually or change their privileges?

No, they designed only for specific internal operations.

[p7nov]

on behalf of sounds more natural than than under the user ID.

[p7nov]

I believe, this is what should be explained explicitly: setuid = true.
Most other code is pretty obvious, but this option is

1. new and unknown to readers
2. key - it is what sets the user for function execution

[andreyaksenov]

Added a link to the box.schema.func.create page where setuid is described in details.

[p7nov]

nit: no-password user sounds weird, especially when used three times in a row as a user's identifier in text. If it's really important, let's say it once and not repeat. Although I'd rephrase this completely.

[andreyaksenov]

Replaced no-password user with private_user in the next sentences.

[p7nov]

Let's maybe write a conclusion sentence, smth like: now whenever public_user calls the function, it is executed on behalf of its creator, private_user

[p7nov]

Wow, this surprised me a lot!
Isn't it important enough to mention in the Users section of Access control?

[andreyaksenov]

This is also described in Limitations: https://www.tarantool.io/en/doc/latest/book/box/limitations/.
I'd keep it as is because it might be hard to maintain such reference information is multiple places.