From f3742c01ab876806d73ed41ff0d0278a70834d65 Mon Sep 17 00:00:00 2001 From: "a.ardeev" Date: Fri, 30 May 2025 15:38:57 +0300 Subject: [PATCH 1/5] Adds description of ```lua_call`` option specifics * ``lua_call`` option allows the specified user to perform the specified lua function on the instance * permissions can be granted to any user registered on the instance * ``lua_call: [all]`` grants access to all global Lua functions except built-in ones * grants are valid until instance is rebooted * Fixes 4552 --- .../instances.enabled/lua_call/config.yaml | 7 +++++++ .../configuration/configuration_reference.rst | 20 +++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 doc/code_snippets/snippets/config/instances.enabled/lua_call/config.yaml diff --git a/doc/code_snippets/snippets/config/instances.enabled/lua_call/config.yaml b/doc/code_snippets/snippets/config/instances.enabled/lua_call/config.yaml new file mode 100644 index 000000000..ec49034e7 --- /dev/null +++ b/doc/code_snippets/snippets/config/instances.enabled/lua_call/config.yaml @@ -0,0 +1,7 @@ +credentials: + users: + alice: + privileges: + - permissions: [execute] + lua_call: [my_func] + \ No newline at end of file diff --git a/doc/reference/configuration/configuration_reference.rst b/doc/reference/configuration/configuration_reference.rst index 8a0b8a2a2..7d5d475d8 100644 --- a/doc/reference/configuration/configuration_reference.rst +++ b/doc/reference/configuration/configuration_reference.rst 
@@ -3220,6 +3220,26 @@ The ``lua`` section outlines the configuration parameters related to the Lua env | Default: 2147483648 (2GB) | Environment variable: TT_LUA_MEMORY +.. _configuration_reference_lua_call: + +.. confval:: lua_call + + Since version :doc:`3.3.0 `, the ``lua_call`` option allows the specified user to perform the specified lua function on + the instance during runtime. + + Via the ``lua_call`` option, one can grant permissions to the function to any user registered on the instance. + + Note that the special option ``lua_call: [all]`` is also supported, granting access to all global Lua functions except built-in ones, + bypassing database restrictions. + + After the instance is rebooted, permissions defined via the ``lua_call`` options are reset to the values stored in the database. + + Example to grant custom function to the 'alice' user: + + .. literalinclude:: /code_snippets/snippets/config/instances.enabled/lua_call/config.yaml + :language: yaml + :dedent: + .. _configuration_reference_memtx: memtx From 81b0d7620772bb818077ed7b6d3eaec33d38468e Mon Sep 17 00:00:00 2001 From: "a.ardeev" Date: Fri, 30 May 2025 15:50:57 +0300 Subject: [PATCH 2/5] Fixes yaml syntax --- .../snippets/config/instances.enabled/lua_call/config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/doc/code_snippets/snippets/config/instances.enabled/lua_call/config.yaml b/doc/code_snippets/snippets/config/instances.enabled/lua_call/config.yaml index ec49034e7..78a255d35 100644 --- a/doc/code_snippets/snippets/config/instances.enabled/lua_call/config.yaml +++ b/doc/code_snippets/snippets/config/instances.enabled/lua_call/config.yaml @@ -4,4 +4,3 @@ credentials: privileges: - permissions: [execute] lua_call: [my_func] - \ No newline at end of file From 1b170145efca3d10a7ecbd47ba3f80cc1d91129c Mon Sep 17 00:00:00 2001 
From: "a.ardeev" Date: Tue, 3 Jun 2025 10:35:27 +0300 Subject: [PATCH 3/5] Updates by comments --- .../instances.enabled/lua_call/config.yaml | 17 +++++++++ .../configuration/configuration_reference.rst | 35 ++++++++----------- 2 files changed, 31 insertions(+), 21 deletions(-) diff --git a/doc/code_snippets/snippets/config/instances.enabled/lua_call/config.yaml b/doc/code_snippets/snippets/config/instances.enabled/lua_call/config.yaml index 78a255d35..29ed9ef23 100644 --- a/doc/code_snippets/snippets/config/instances.enabled/lua_call/config.yaml +++ b/doc/code_snippets/snippets/config/instances.enabled/lua_call/config.yaml @@ -1,6 +1,23 @@ +# grant privilege +credentials: + users: + alice: + privileges: + - permissions: [execute] + lua_call: [my_func, my_func2] + +# take away a privilege: credentials: users: alice: privileges: - permissions: [execute] lua_call: [my_func] + +# take away a privilege: +credentials: + users: + alice: + privileges: [] +# - permissions: [execute] +# lua_call: [my_func, my_func2] diff --git a/doc/reference/configuration/configuration_reference.rst b/doc/reference/configuration/configuration_reference.rst index 7d5d475d8..061a0fd60 100644 --- a/doc/reference/configuration/configuration_reference.rst +++ b/doc/reference/configuration/configuration_reference.rst 
@@ -1447,11 +1447,24 @@ credentials.users.* .. confval:: .privileges.lua_call A list of global user-defined Lua functions that this user or a user with this role can call. - To allow calling all such functions, specify the ``all`` value. + To allow calling a specific function, specify its name as the value. + To allow calling all global Lua functions except built-in ones functions, specify the ``all`` value. This option should be configured together with the ``execute`` :ref:`permission `. + To take a previously granted privilege away, specify the ``lua_call`` option without the function name, + or with an empty privileges array (furhter options may retain commented-out). + + Since version :doc:`3.3.0 `, the ``lua_call`` option allows granting users privileges to call specified lua function on + the instance in runtime. + + Example to grant and take away custom functions from the 'alice' user: + + .. literalinclude:: /code_snippets/snippets/config/instances.enabled/lua_call/config.yaml + :language: yaml + :dedent: + .. _configuration_reference_credentials_privileges_sql: .. confval:: .privileges.sql 
@@ -3220,26 +3233,6 @@ The ``lua`` section outlines the configuration parameters related to the Lua env | Default: 2147483648 (2GB) | Environment variable: TT_LUA_MEMORY -.. _configuration_reference_lua_call: - -.. confval:: lua_call - - Since version :doc:`3.3.0 `, the ``lua_call`` option allows the specified user to perform the specified lua function on - the instance during runtime. - - Via the ``lua_call`` option, one can grant permissions to the function to any user registered on the instance. - - Note that the special option ``lua_call: [all]`` is also supported, granting access to all global Lua functions except built-in ones, - bypassing database restrictions. - - After the instance is rebooted, permissions defined via the ``lua_call`` options are reset to the values stored in the database. - - Example to grant custom function to the 'alice' user: - - .. literalinclude:: /code_snippets/snippets/config/instances.enabled/lua_call/config.yaml - :language: yaml - :dedent: - .. _configuration_reference_memtx: memtx From 3deee06b87bc739d67f9547cbe8855c92af9746f Mon Sep 17 00:00:00 2001 From: "a.ardeev" Date: Wed, 4 Jun 2025 14:29:06 +0300 Subject: [PATCH 4/5] Updates by comments --- .../instances.enabled/lua_call/config.yaml | 17 ----------------- .../configuration/configuration_reference.rst | 7 ++----- 2 files changed, 2 insertions(+), 22 deletions(-) diff --git a/doc/code_snippets/snippets/config/instances.enabled/lua_call/config.yaml b/doc/code_snippets/snippets/config/instances.enabled/lua_call/config.yaml index 29ed9ef23..114b4005d 100644 --- a/doc/code_snippets/snippets/config/instances.enabled/lua_call/config.yaml +++ b/doc/code_snippets/snippets/config/instances.enabled/lua_call/config.yaml 
@@ -1,23 +1,6 @@ -# grant privilege credentials: users: alice: privileges: - permissions: [execute] lua_call: [my_func, my_func2] - -# take away a privilege: -credentials: - users: - alice: - privileges: - - permissions: [execute] - lua_call: [my_func] - -# take away a privilege: -credentials: - users: - alice: - privileges: [] -# - permissions: [execute] -# lua_call: [my_func, my_func2] diff --git a/doc/reference/configuration/configuration_reference.rst b/doc/reference/configuration/configuration_reference.rst index 061a0fd60..480b7c510 100644 --- a/doc/reference/configuration/configuration_reference.rst +++ b/doc/reference/configuration/configuration_reference.rst @@ -1453,13 +1453,10 @@ credentials.users.* This option should be configured together with the ``execute`` :ref:`permission `. - To take a previously granted privilege away, specify the ``lua_call`` option without the function name, - or with an empty privileges array (furhter options may retain commented-out). - Since version :doc:`3.3.0 `, the ``lua_call`` option allows granting users privileges to call specified lua function on - the instance in runtime. + the instance in runtime (thus it doesn't require an ability to write to the database). - Example to grant and take away custom functions from the 'alice' user: + Example to grant custom functions from the 'alice' user: .. literalinclude:: /code_snippets/snippets/config/instances.enabled/lua_call/config.yaml :language: yaml From 076b8491e0fbbb95f08d6325578bd3d20ea8d293 Mon Sep 17 00:00:00 2001 From: "a.ardeev" Date: Wed, 4 Jun 2025 16:51:26 +0300 Subject: [PATCH 5/5] fix typo --- doc/reference/configuration/configuration_reference.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/reference/configuration/configuration_reference.rst b/doc/reference/configuration/configuration_reference.rst index 480b7c510..5f2a846d8 100644 --- a/doc/reference/configuration/configuration_reference.rst 
+++ b/doc/reference/configuration/configuration_reference.rst @@ -1456,7 +1456,7 @@ credentials.users.* Since version :doc:`3.3.0 `, the ``lua_call`` option allows granting users privileges to call specified lua function on the instance in runtime (thus it doesn't require an ability to write to the database). - Example to grant custom functions from the 'alice' user: + Example to grant custom functions to the 'alice' user: .. literalinclude:: /code_snippets/snippets/config/instances.enabled/lua_call/config.yaml :language: yaml
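Review bot: in [PATCH 1/5], the configuration_reference.rst hunk at @@ -3220,6 +3220,26 declares ``.. confval:: lua_call`` directly after ``TT_LUA_MEMORY`` in the ``lua`` section, but the included config.yaml sets the option under ``credentials.users.alice.privileges``. A reader would look for a top-level ``lua_call`` key that the example never uses. Document it where the example puts it, under the privileges of ``credentials.users.*``. In the same hunk, the ``lua_call: [all]`` sentence says the grant bypasses database restrictions without saying which restrictions are meant; name them, since this is the broadest value the option accepts.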
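Review bot: [PATCH 2/5] only deletes the whitespace-only last line and the missing end-of-file newline that [PATCH 1/5] added to config.yaml. Squash it into 1/5 so the series does not add a line and then remove it in the next commit.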
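Review bot: in [PATCH 3/5], the config.yaml hunk at @@ -1,6 +1,23 puts three top-level ``credentials:`` mappings in one YAML document. Duplicate mapping keys are not valid YAML, and a parser will either reject the file or keep only one of them, so the snippet cannot be loaded as shown and the rendered ``literalinclude`` reads as a single configuration. Split the grant and revoke cases into separate snippet files, or include them as separate examples. The second and third blocks also carry the same comment, ``# take away a privilege:``, although they show different ways of doing it.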
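Review bot: in [PATCH 3/5], the hunk at @@ -1447,11 +1447,24 has two wording errors in the added lines: "all global Lua functions except built-in ones functions" repeats the noun, and "furhter options may retain commented-out" has a typo and does not parse. Suggest "all global Lua functions except built-in ones" and "(the remaining options may be left commented out)". The first of these is not corrected by any later patch in the series.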
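Review bot: in [PATCH 3/5], the hunk at @@ -3220,26 +3233,6 removes the sentence saying that after a reboot the permissions defined via ``lua_call`` are reset to the values stored in the database, and the note that ``lua_call: [all]`` bypasses database restrictions. Neither is carried over into the text added at @@ -1447. The [PATCH 1/5] commit message lists "grants are valid until instance is rebooted" as part of what is being documented, so the lifetime of a grant should stay in the ``.privileges.lua_call`` description.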
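Review bot: in [PATCH 4/5], the configuration_reference.rst hunk at @@ -1453,13 +1453,10 deletes the paragraph on taking a previously granted privilege away, and the config.yaml hunk deletes both revoke examples, with nothing added in their place. After this patch the page explains how to grant ``lua_call`` but not how to withdraw it. Keep a short revocation paragraph, with its own snippet if the combined file was the problem. The added parenthetical "(thus it doesn't require an ability to write to the database)" also leaves open who does not need that ability; say directly that the grant is applied from the configuration.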
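Review bot: in [PATCH 5/5], the context line just above the corrected sentence still reads "call specified lua function on the instance in runtime". The rest of the entry writes "Lua" capitalized ("global user-defined Lua functions"), so suggest "call the specified Lua functions on the instance at runtime" while this paragraph is being touched.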