Privileges and Access Control explained

Gleb Kashkin edited this page Oct 26, 2023 · 2 revisions

How to grant or revoke permissions

  • We can grant/revoke one or several permissions on a single object of obj_type:
    • box.schema.user.grant('alice', 'read,write', 'space', 'myspace')
    • Note that the permissions have to be separated by ',' without a space.
  • We can grant/revoke one or several permissions on all objects of some type, including universe:
    • box.schema.user.grant('alice', 'execute', 'function')
    • box.schema.user.grant('alice', 'read,write', 'space')
    • box.schema.user.grant('alice', 'read', 'sequence')
  • For some privileges, object_name has to be specified, otherwise the grant has no effect:
    • box.schema.user.grant('alice', 'execute', 'role', 'rolename')
    • box.schema.user.grant('alice', 'alter', 'user', 'username')
  • On the contrary, the following privileges ignore object_name altogether:
    • box.schema.user.grant('alice', <any_perm>, 'universe')
    • box.schema.user.grant('alice', 'create'/'drop', 'user'/'role'/'space'/'function'/'sequence')
    • box.schema.user.grant('alice', 'execute', 'lua_eval'/'lua_call'/'sql')
  • If an empty string ('') is provided instead of object name, it means the same as nil: grant/revoke for all objects of the object type.
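The rules above applied in one provisioning script, as an added example that is not part of the wiki page. It assumes a space 'orders' and a function 'orders_report' already exist (hypothetical names) and that the caller has the privileges needed to create users and grant on those objects.

```lua
-- Added example: provision a least-privilege user following the grant rules
-- above. 'orders' and 'orders_report' are assumed, hypothetical object names.
local function provision_reporting_user(name, password)
    box.schema.user.create(name, { password = password, if_not_exists = true })

    -- Object-specific grant: several privileges are comma-separated, no spaces.
    box.schema.user.grant(name, 'read,write', 'space', 'orders',
                          { if_not_exists = true })

    -- 'execute' on 'function' covers only functions registered in _func,
    -- so it does not open up arbitrary Lua through IPROTO_CALL.
    box.schema.user.grant(name, 'execute', 'function', 'orders_report',
                          { if_not_exists = true })

    -- 'execute' on 'role' needs an object name: this assigns the role.
    box.schema.user.grant(name, 'execute', 'role', 'public',
                          { if_not_exists = true })

    -- Broad code-execution grants ignore object_name, so revoking them
    -- takes no name either; if_exists keeps this idempotent.
    box.schema.user.revoke(name, 'execute', 'universe', nil, { if_exists = true })
    box.schema.user.revoke(name, 'execute', 'lua_eval', nil, { if_exists = true })
    box.schema.user.revoke(name, 'execute', 'sql', nil, { if_exists = true })

    -- Return the grants in the box.schema.user.info() format for review.
    return box.schema.user.info(name)
end

-- 'CHANGE_ME' is a placeholder password for the example.
for _, g in ipairs(provision_reporting_user('alice', 'CHANGE_ME')) do
    print(table.concat(g, ' | '))   -- e.g. "read,write | space | orders"
end
```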

List of all object types and permissions

object_types:

  • 'user'
  • 'role'
  • 'space'
  • 'function'
  • 'sequence'
  • 'universe'
  • 'lua_eval'
  • 'lua_call'
  • 'sql'

object_names:

  • mostly user defined strings, provided by config or box
  • special value '' or nil, used when there is no object_name, e.g. for the 'universe' object_type or when granting a permission for all objects of a type.

priv_names:

  • 'read'
  • 'write'
  • 'execute' - allowed only for ‘role’, ‘universe’, ‘function’, ‘lua_eval’, ‘lua_call’, ‘sql’
  • 'session' - allowed only to users (not roles) for ‘universe’
  • 'usage' - allowed only to users (not roles) for ‘universe’
  • 'create'
  • 'drop'
  • 'alter'
  • 'reference' - not implemented
  • 'trigger' - not implemented
  • 'insert' - not implemented
  • 'update' - not implemented
  • 'delete' - not implemented

box.schema.{role,user}.info() format

box.schema.{role,user}.info() has the grants in the following format:

 - - - <priv_name>[,<priv_name>]...
     - <object_type>
     - <object_name> or <role_name> or <empty (if all objects of type)>
  • example

    tarantool> box.schema.user.info('gleb')
    ---
    - - - execute
        - role
        - public
      - - read,write
        - space
        - my-space
      - - read
        - space
        - my-space2
      - - session,usage
        - universe
        - 
      - - alter
        - user
        - gleb
    ...
    • read+write for my-space
    • read for my-space2
    • Has role 'public' (by default for every user)
    • Has privileges 'session' and 'usage' for 'universe' (by default for every user)
    • Modify ('alter') the entry that describes the user (by default for every user)

box.space._priv format

_priv is a system space where privileges are stored. Tuples in this space contain the following fields:

  • the numeric id of the user who gave the privilege (“grantor_id”),
  • the numeric id of the user who received the privilege (“grantee_id”),
  • the type of object: ‘space’, ‘index’, ‘function’, ‘sequence’, ‘user’, ‘role’, ‘universe’, ‘lua_eval’, ‘lua_call’, ‘sql’
  • the numeric id of the object,
  • the type of operation: “read” = 1, “write” = 2, “execute” = 4, “create” = 32, “drop” = 64, “alter” = 128, or a combination such as “read,write,execute”.
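Decoding those tuples and flagging broad grants, as an added example that is not part of the wiki page. The bit values for read, write, execute, create, drop and alter are the ones listed above; session = 8 and usage = 16 are assumed to fill the gap in that numbering, and the example also assumes that a grant on all objects of a type is stored with object id 0.

```lua
-- Added example: audit box.space._priv for grants wider than one object.
local bit = require('bit')

-- Bit values from the page; session = 8 and usage = 16 are assumed.
local PRIV_BITS = {
    { 1, 'read' }, { 2, 'write' }, { 4, 'execute' }, { 8, 'session' },
    { 16, 'usage' }, { 32, 'create' }, { 64, 'drop' }, { 128, 'alter' },
}

-- Turn a numeric privilege mask into 'read,write,...'; unknown bits stay numeric.
local function decode_privs(mask)
    local names = {}
    for _, p in ipairs(PRIV_BITS) do
        if bit.band(mask, p[1]) ~= 0 then
            table.insert(names, p[2])
            mask = mask - p[1]
        end
    end
    if mask ~= 0 then table.insert(names, 'unknown:' .. mask) end
    return table.concat(names, ',')
end

-- Object types where 'execute' means running arbitrary code.
local BROAD_EXEC = { universe = true, lua_eval = true, lua_call = true, sql = true }

-- Resolve a grantee id to a name via _user (field 3 is the name).
local function user_name(id)
    local t = box.space._user:get(id)
    return t and t[3] or ('user#' .. id)
end

local function audit_priv_space()
    local findings = {}
    for _, t in box.space._priv:pairs() do
        -- Field order as documented: grantor, grantee, type, object id, mask.
        local grantee, otype, oid, mask = t[2], t[3], t[4], t[5]
        local exec = bit.band(mask, 4) ~= 0
        local rw_all = otype ~= 'universe' and oid == 0 and bit.band(mask, 3) ~= 0
        if (BROAD_EXEC[otype] and exec) or rw_all then
            table.insert(findings, string.format('%s: %s on %s (object id %d)',
                user_name(grantee), decode_privs(mask), otype, oid))
        end
    end
    return findings
end

for _, f in ipairs(audit_priv_space()) do print(f) end
```

Run it from the instance console as a user with read access to _priv and _user; an empty result means no user holds code-execution or all-objects read/write grants.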

All possible combinations of object type and permission

Object types:

  • "universe"
    • "read" - read everything, including all space or sequence objects without a specific grant
    • "write" - write to everything, including all space or sequence objects without a specific grant; also alter objects
    • "execute" - execute functions (both inside _func and _G), Lua or SQL code, including IPROTO calls
    • "session" - (cannot be granted to a role) if it is not granted, IPROTO_AUTH always fails for connections to the user, and so does box.session.su()
    • "usage" - (cannot be granted to a role) lets the user use their privileges on database objects (e.g. read, write and alter a space)
    • "create" - create a user, role, function, space, sequence (requires "read,write" for the corresponding system space, which has to be granted explicitly)
    • "drop" - drop/delete a user, role, function, space, sequence (requires "read,write" for the corresponding system space)
    • "alter" - alter user settings or a space object
    • "reference" - not implemented (according to src/box/user_def.h:63)
    • "trigger" - not implemented (according to src/box/user_def.h:65)
    • "insert" - not implemented (according to src/box/user_def.h:67)
    • "update" - not implemented (according to src/box/user_def.h:69)
    • "delete" - not implemented (according to src/box/user_def.h:71)
  • "user"
    • "alter" - modify a user's description, e.g. change the password
    • "create" - allow box.schema.user.create() (needs "read,write" for space "_user")
    • "drop" - allow box.schema.user.drop() (needs "read,write" for space "_user")
  • "role"
    • "execute" - have the role assigned
    • "create" - allow box.schema.role.create() (needs "read,write" for space "_role")
    • "drop" - allow box.schema.role.drop() (needs "read,write" for space "_role")
  • "space"
    • "read" - e.g. allow select from a space
    • "write" - e.g. allow update on a space
    • "create" - e.g. allow box.schema.space.create (needs "read,write" for space "_space")
    • "drop" - e.g. allow box.space.x:drop (needs "read,write" for space "_space")
    • "alter" - e.g. allow box.space.x.index.y:alter (needs "read,write" for space "_space"). If a space is created by a user, they can read/write it without an explicit privilege
    • "trigger" - not implemented (according to src/box/user_def.h:67)
    • "insert" - not implemented, doesn't affect space_obj:insert()
    • "update" - not implemented (according to src/box/user_def.h:69)
    • "delete" - not implemented, doesn't affect space_obj:delete()
  • "function"
    • "execute" - allow calls for functions registered in _func (could be specified by "lua_eval", "lua_call", "sql"). Note that it is different from "execute" for “universe”, as the latter performs lookup inside _G too.
    • "create" - allow box.schema.func.create() (needs "read,write" for space "_func"). If a function is created by a user, they can execute it without explicit privilege
    • "drop" - allow box.schema.func.drop() (needs "read,write" for space "_func")
  • "sequence"
    • "read" - isn’t required for any sequence object operations, including seq_obj:current(), but when specifying a sequence in space_obj:create_index() "read" is required
    • "write" - allow all sequence object operations, note that seq_obj:drop() requires write privilege to space _priv
    • "create" - allow box.schema.sequence.create() (needs "read,write" for space "_sequence"). If a sequence is created by a user, they can read/write it without explicit privilege
    • "drop" - allow box.schema.sequence.drop() (needs "read,write" for space "_sequence")
    • "alter" - does not have an effect, seq_obj:alter() requires "write" as do all the other methods
  • "lua_eval"
    • "execute" - execute arbitrary Lua code with the IPROTO_EVAL request (no obj_name specialization allowed)
  • "lua_call"
    • "execute" - call any user-defined function accessible via the _G Lua table with the IPROTO_CALL request. It does not permit the user to call built-in Lua functions, e.g. loadstring() or box.session.su(), nor the functions inside _func. (no function-name specialization allowed)
  • "sql"
    • "execute" - execute arbitrary SQL expression with the IPROTO_PREPARE and IPROTO_EXECUTE requests. Without "execute" to "universe" the user is not permitted to execute SQL expressions over IPROTO anymore. (no obj_name specialization allowed)
