Configuration: document the 'credentials' option #4035
Conversation
andreyaksenov
force-pushed
the
access-control-configuration
branch
3 times, most recently
from
ea999ec to
9138851
Compare
andreyaksenov
force-pushed
the
access-control-configuration
branch
10 times, most recently
from
949cf7d to
1750c3d
Compare
andreyaksenov
changed the title
andreyaksenov
changed the title
andreyaksenov
force-pushed
the
access-control-configuration
branch
13 times, most recently
from
707582d to
232d204
Compare
andreyaksenov
force-pushed
the
access-control-configuration
branch
16 times, most recently
from
328befc to
cc629f0
Compare
andreyaksenov
force-pushed
the
access-control-configuration
branch
from
cc629f0 to
377fe57
Compare
| credentials.roles.* | ||
| ~~~~~~~~~~~~~~~~~~~ |
There was a problem hiding this comment.
Personally, I would prefer to have user section before role, because it has the primary meaning.
doc/concepts/configuration.rst
Outdated
| @@ -395,18 +395,15 @@ Access control | |||
| ~~~~~~~~~~~~~~ | |||
|
|
|||
| The ``credentials`` section allows you to create users and grant them the specified privileges. | |||
| In the example below, there are two users: | |||
| In the example below, a password for the built-in 'admin' user is set: | |||
There was a problem hiding this comment.
| In the example below, a password for the built-in 'admin' user is set: | |
| In the example below, a password for the built-in ``admin`` user is set: |
There was a problem hiding this comment.
Omg, here is a new dbadmin user is created, fixed:
| You can read more about the main concepts of Tarantool access control system in the :ref:`authentication` section. | ||
|
|
||
| This topic describes how to create users and grant them the specified privileges in the :ref:`credentials <configuration_reference_credentials>` section of a YAML configuration. | ||
| This might be used to create specific users used in communications between Tarantool instances. |
There was a problem hiding this comment.
Used to create users used - needs rephrasing.
Also, specific and specified seem redundant in sentences of this paragraphs. It's better to keep short.
There was a problem hiding this comment.
If I get it right, these replication and sharding users are necessary in case of a sharded cluster (which is the main use case of Tarantool 3.0). If it's true, I'd expect a stronger wording expressing this, not just might be used.
There was a problem hiding this comment.
Al right, the last comment on this paragraph =)
The only example made me think that this section is only for such technical users, while regular users are created from the Lua console. Maybe a bit more explicit explanation?
There was a problem hiding this comment.
Decided to remove the second sentence at all:
This topic describes how to create users and grant them the specified privileges in the :ref:`credentials <configuration_reference_credentials>` section of a YAML configuration.
For example, you can define users with the ``replication`` and ``sharding`` roles to maintain :ref:`replication <replication-master_replica_configuring_credentials>` and sharding in a Tarantool cluster.
| :end-at: [ writers_space_reader ] | ||
| :dedent: | ||
|
|
||
| Apart from assigning a role to a user, you can grant specific privileges directly using :ref:`credentials.users.\<username\>.privileges <configuration_reference_credentials_users_name_privileges>`. |
There was a problem hiding this comment.
Nit: intro part Apart from assigning a role to a user doesn't seem to add meaning, so I'd drop it to keep short. Up to you.
There was a problem hiding this comment.
Idea: maybe make separate headings Granting roles and Granting privileges to make the right ToC more explicit?
|
|
||
| .. confval:: <user_or_role_name>.privileges.permissions | ||
|
|
||
| Permissions assigned to this user or a user with this role. |
There was a problem hiding this comment.
New/updated topics
Configurationsection. Note that main concepts of access control system is described in the reworked Access control topic (PR: Rework the Access control topic #4024).New reference sections
Changes not directly related to this PR
Given that a privilege is a container for a permission and a corresponding object, it is necessary to clarify terminology in the existing
Access controltopic and related admin functions. So,privilegeis changed topermissionwhere applicable:Topic:
Reference - Updated signatures and descriptions: