Skip to content

Adds **Revoking grants from a user** paragraph #5161

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Jun 9, 2025
Merged

Adds **Revoking grants from a user** paragraph #5161

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
d45ccb3
Adds **Revoking grants from a user** paragraph
AArdeev Jun 6, 2025
bb82072
Fixes yaml code and example
AArdeev Jun 6, 2025
b6eb865
Updates by comments
AArdeev Jun 9, 2025
6453d36
Updates by comments
AArdeev Jun 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_all.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
# empty permissions array:
sampleuser:
password: '123456'
roles: [ writers_space_reader ]
Copy link
Contributor

@Totktonada Totktonada Jun 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to show any password/roles? It seems irrelevent to the idea we're describing.

I guess if we show everything starting from the privileges key, it is easy enough to understand. But at least I would eliminate passwords and roles.

Copy link
Contributor Author

@AArdeev AArdeev Jun 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's remove

privileges:
- permissions: [] # !! read permission revoked !!
spaces: [books]

# empty privileges array:
sampleuser:
password: '123456'
roles: [ writers_space_reader ]
privileges: [] # !! no privileges at all !!
15 changes: 15 additions & 0 deletions doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_one.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
# grant privileges
Copy link
Contributor

@Totktonada Totktonada Jun 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some comments ends with a colon, but some don't.

Copy link
Contributor Author

@AArdeev AArdeev Jun 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed

sampleuser:
password: '123456'
roles: [ writers_space_reader ]
privileges:
- permissions: [read, write]
spaces: [books]

# revoke a privilege:
sampleuser:
password: '123456'
roles: [ writers_space_reader ]
privileges:
- permissions: [read] # !! write permission revoked !!
spaces: [books]
31 changes: 31 additions & 0 deletions doc/platform/connections_and_auth/credentials.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,38 @@ In this example, ``sampleuser`` gets privileges to select and modify data in the

You can find the full example here: `credentials <https://github.com/tarantool/doc/tree/latest/doc/code_snippets/snippets/config/instances.enabled/credentials>`_.

.. _configuration_credentials_managing_users_roles_revoking_privileges:

Revoking privileges from a user
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To revoke a previously granted privilege, remove it from the configuration.

For example, here is how to to grant privileges to a space and how to revoke one of the privileges:
Copy link
Contributor

@Totktonada Totktonada Jun 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo: to to.

Copy link
Contributor Author

@AArdeev AArdeev Jun 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed


.. literalinclude:: /code_snippets/snippets/config/instances.enabled/credentials/revoke_one.yaml
:language: yaml
:start-at: # grant privileges
:dedent:

If you want to revoke the remaining privilege to from a space, you can remove it, too, thus making ``permissions`` an empty array:

.. literalinclude:: /code_snippets/snippets/config/instances.enabled/credentials/revoke_all.yaml
:language: yaml
:start-at: # empty permissions array
:end-at: [ books ]
:dedent:
Copy link
Contributor

@Totktonada Totktonada Jun 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This example is not shown: https://docs.d.tarantool.io/en/doc/gh-5152-revoke-grants-paragraph/platform/connections_and_auth/credentials/

Copy link
Contributor Author

@AArdeev AArdeev Jun 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed


You can revoke all privileges by making the ``privileges`` an empty array:

.. literalinclude:: /code_snippets/snippets/config/instances.enabled/credentials/revoke_all.yaml
:language: yaml
:start-at: # empty privileges array
:dedent:

.. warning::
Do not remove a user or a role from configuration in order to revoke that user's or role's privileges. If a user or a role is entirely
removed from the configuration, it is not tracked by configuration machinery anymore. The user/role is not removed and its privileges are not revoked.

.. _configuration_credentials_loading_secrets:

Expand Down