From d45ccb36bef39200ec020dc77643d4da8746429b Mon Sep 17 00:00:00 2001 From: "a.ardeev" Date: Fri, 6 Jun 2025 14:31:36 +0300 Subject: [PATCH 1/4] Adds **Revoking grants from a user** paragraph Fixes #5152 --- .../instances.enabled/credentials/revoke.yaml | 23 +++++++++++++++++++ .../connections_and_auth/credentials.rst | 11 +++++++++ 2 files changed, 34 insertions(+) create mode 100644 doc/code_snippets/snippets/config/instances.enabled/credentials/revoke.yaml diff --git a/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke.yaml b/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke.yaml new file mode 100644 index 0000000000..379757b523 --- /dev/null +++ b/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke.yaml @@ -0,0 +1,23 @@ +# grant privileges + sampleuser: + password: '123456' + roles: [ writers_space_reader ] + privileges: + - permissions: [ read, write ] + spaces: [ books ] + +# take away a privilege: + sampleuser: + password: '123456' + roles: [ writers_space_reader ] + privileges: + - permissions: [ read ] + spaces: [ books ] + +# take away all previously granted privileges: + sampleuser: + password: '123456' + roles: [ writers_space_reader ] + privileges: [] +# - permissions: [ read ] +# spaces: [ books ] diff --git a/doc/platform/connections_and_auth/credentials.rst b/doc/platform/connections_and_auth/credentials.rst index a3f3179f5c..6df662afc7 100644 --- a/doc/platform/connections_and_auth/credentials.rst +++ b/doc/platform/connections_and_auth/credentials.rst 
@@ -80,7 +80,18 @@ In this example, ``sampleuser`` gets privileges to select and modify data in the You can find the full example here: `credentials `_. +.. _configuration_credentials_managing_users_roles_revoking_privileges: +Revoking privileges from a user +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +To take a previously granted privilege away, specify the ``permission`` field without the +previously allowed privilege, or with an empty ``privileges`` array. Further options may retain commented-out, if necessary: + +.. literalinclude:: /code_snippets/snippets/config/instances.enabled/credentials/revoke.yaml + :language: yaml + :start-at: sampleuser: + :dedent: .. _configuration_credentials_loading_secrets: From bb820727d77dfd35d430d2145bfc020b1e86c4ea Mon Sep 17 00:00:00 2001 From: "a.ardeev" Date: Fri, 6 Jun 2025 14:51:56 +0300 Subject: [PATCH 2/4] Fixes yaml code and example --- .../snippets/config/instances.enabled/credentials/revoke.yaml | 2 +- doc/platform/connections_and_auth/credentials.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke.yaml b/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke.yaml index 379757b523..26a5900aa9 100644 --- a/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke.yaml +++ b/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke.yaml @@ -19,5 +19,5 @@ password: '123456' roles: [ writers_space_reader ] privileges: [] -# - permissions: [ read ] +# - permissions: [ read, write ] # spaces: [ books ] diff --git a/doc/platform/connections_and_auth/credentials.rst b/doc/platform/connections_and_auth/credentials.rst index 6df662afc7..14ebe2f345 100644 --- a/doc/platform/connections_and_auth/credentials.rst +++ b/doc/platform/connections_and_auth/credentials.rst 
@@ -90,7 +90,7 @@ previously allowed privilege, or with an empty ``privileges`` array. Further opt .. literalinclude:: /code_snippets/snippets/config/instances.enabled/credentials/revoke.yaml :language: yaml - :start-at: sampleuser: + :start-at: # grant privileges :dedent: .. _configuration_credentials_loading_secrets: From b6eb865cbc14086c9a4637f9d6e3fca1f520e226 Mon Sep 17 00:00:00 2001 From: "a.ardeev" Date: Mon, 9 Jun 2025 13:33:27 +0300 Subject: [PATCH 3/4] Updates by comments --- .../instances.enabled/credentials/revoke.yaml | 23 ---------------- .../credentials/revoke_all.yaml | 13 ++++++++++ .../credentials/revoke_one.yaml | 15 +++++++++++ .../connections_and_auth/credentials.rst | 26 ++++++++++++++++--- 4 files changed, 51 insertions(+), 26 deletions(-) delete mode 100644 doc/code_snippets/snippets/config/instances.enabled/credentials/revoke.yaml create mode 100644 doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_all.yaml create mode 100644 doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_one.yaml diff --git a/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke.yaml b/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke.yaml deleted file mode 100644 index 26a5900aa9..0000000000 --- a/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke.yaml +++ /dev/null @@ -1,23 +0,0 @@ -# grant privileges - sampleuser: - password: '123456' - roles: [ writers_space_reader ] - privileges: - - permissions: [ read, write ] - spaces: [ books ] - -# take away a privilege: - sampleuser: - password: '123456' - roles: [ writers_space_reader ] - privileges: - - permissions: [ read ] - spaces: [ books ] - -# take away all previously granted privileges: - sampleuser: - password: '123456' - roles: [ writers_space_reader ] - privileges: [] -# - permissions: [ read, write ] -# spaces: [ books ] 
diff --git a/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_all.yaml b/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_all.yaml
new file mode 100644
index 0000000000..26a9ab7a44
--- /dev/null
+++ b/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_all.yaml
@@ -0,0 +1,13 @@
+# empty permissions array:
+sampleuser:
+ password: '123456'
+ roles: [ writers_space_reader ]
+privileges:
+- permissions: [] # !! read permission revoked !!
+ spaces: [books]
+
+# empty privileges array:
+sampleuser:
+ password: '123456'
+ roles: [ writers_space_reader ]
+ privileges: [] # !! no privileges at all !!
diff --git a/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_one.yaml b/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_one.yaml
new file mode 100644
index 0000000000..2e3964feb1
--- /dev/null
+++ b/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_one.yaml
@@ -0,0 +1,15 @@
+# grant privileges
+sampleuser:
+ password: '123456'
+ roles: [ writers_space_reader ]
+privileges:
+- permissions: [read, write]
+ spaces: [books]
+
+# revoke a privilege:
+sampleuser:
+ password: '123456'
+ roles: [ writers_space_reader ]
+ privileges:
+ - permissions: [read] # !! write permission revoked !!
+ spaces: [books]
diff --git a/doc/platform/connections_and_auth/credentials.rst b/doc/platform/connections_and_auth/credentials.rst
index 14ebe2f345..7a75c4e9bb 100644
--- a/doc/platform/connections_and_auth/credentials.rst
+++ b/doc/platform/connections_and_auth/credentials.rst
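Review bot: The comment `# !! no privileges at all !!` on `privileges: []` in revoke_all.yaml overstates what the example revokes, because the same user still lists `roles: [ writers_space_reader ]` and whatever that role grants presumably stays in effect. A reader using this snippet to lock an account down would assume access is gone, so I would reword it to `privileges: []  # no directly granted privileges; role-derived ones remain` and state the same in the accompanying paragraph. In both new files the first block also has `privileges:` at column 0 while the second nests it under `sampleuser:`; indentation may have been lost on this page, but as shown the first block's privileges are a sibling of the user rather than part of it, and the two blocks should agree.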
@@ -85,14 +85,34 @@ You can find the full example here: `credentials Date: Mon, 9 Jun 2025 15:47:31 +0300 Subject: [PATCH 4/4] Updates by comments --- .../config/instances.enabled/credentials/revoke_all.yaml | 6 ------ .../config/instances.enabled/credentials/revoke_one.yaml | 8 +------- doc/platform/connections_and_auth/credentials.rst | 8 ++++---- 3 files changed, 5 insertions(+), 17 deletions(-) diff --git a/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_all.yaml b/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_all.yaml index 26a9ab7a44..70439cbeb9 100644 --- a/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_all.yaml +++ b/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_all.yaml @@ -1,13 +1,7 @@ # empty permissions array: -sampleuser: - password: '123456' - roles: [ writers_space_reader ] privileges: - permissions: [] # !! read permission revoked !! spaces: [books] # empty privileges array: -sampleuser: - password: '123456' - roles: [ writers_space_reader ] privileges: [] # !! no privileges at all !! diff --git a/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_one.yaml b/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_one.yaml index 2e3964feb1..4678703d23 100644 --- a/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_one.yaml +++ b/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_one.yaml @@ -1,15 +1,9 @@ -# grant privileges -sampleuser: - password: '123456' - roles: [ writers_space_reader ] +# grant privileges: privileges: - permissions: [read, write] spaces: [books] # revoke a privilege: -sampleuser: - password: '123456' - roles: [ writers_space_reader ] privileges: - permissions: [read] # !! write permission revoked !! spaces: [books] 
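Review bot: With the `sampleuser:`, `password:` and `roles:` lines removed in the revoke_all.yaml and revoke_one.yaml hunks, each file is left with two `privileges:` keys in one YAML document, so the snippet can no longer be loaded or validated as a configuration fragment. The second `privileges:` in each file is unchanged context that the previous patch showed indented under `sampleuser:`, so unless it was re-indented elsewhere it now hangs under no parent. Dropping `roles:` from the example also hides that revoking entries under `privileges` leaves role-granted access untouched. I would keep one state per file with the enclosing user key intact and trim what is displayed through the `:start-at:`/`:end-at:` options of `literalinclude`, so the source stays valid YAML.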
diff --git a/doc/platform/connections_and_auth/credentials.rst b/doc/platform/connections_and_auth/credentials.rst index 7a75c4e9bb..6fba06d739 100644 --- a/doc/platform/connections_and_auth/credentials.rst +++ b/doc/platform/connections_and_auth/credentials.rst @@ -87,7 +87,7 @@ Revoking privileges from a user To revoke a previously granted privilege, remove it from the configuration. -For example, here is how to to grant privileges to a space and how to revoke one of the privileges: +For example, here is how to grant privileges to a space and how to revoke one of the privileges: .. literalinclude:: /code_snippets/snippets/config/instances.enabled/credentials/revoke_one.yaml :language: yaml @@ -98,15 +98,15 @@ If you want to revoke the remaining privilege to from a space, you can remove it .. literalinclude:: /code_snippets/snippets/config/instances.enabled/credentials/revoke_all.yaml :language: yaml - :start-at: # empty permissions array - :end-at: [ books ] + :start-at: # empty permissions array: + :end-at: [books] :dedent: You can revoke all privileges by making the ``privileges`` an empty array: .. literalinclude:: /code_snippets/snippets/config/instances.enabled/credentials/revoke_all.yaml :language: yaml - :start-at: # empty privileges array + :start-at: # empty privileges array: :dedent: .. warning::