@@ -5,7 +5,7 @@ Access control
55================================================================================
66
77Understanding security details is primarily an issue for administrators.
8- Meanwhile , ordinary users should at least skim this section to get an idea
8+ However , ordinary users should at least skim this section to get an idea
99of how Tarantool makes it possible for administrators to prevent unauthorized
1010access to the database and to certain functions.
1111
@@ -45,16 +45,16 @@ The current user name can be found with :ref:`box.session.user() <box_session-us
4545
4646The current user can be changed:
4747
48- * For a binary port connection -- with AUTH protocol command, supported
48+ * For a binary port connection -- with the AUTH protocol command, supported
4949 by most clients;
5050
5151* For an admin-console connection and in a Lua initialization script --
5252 with :ref: `box.session.su <box_session-su >`;
5353
54- * For a stored function invoked with CALL command over a binary port --
55- with :ref: `SETUID <box_schema-func_create >` property enabled for the function,
56- which makes Tarantool temporarily replace the current user with the
57- function’s creator, with all creator's privileges, during function execution.
54+ * For a binary-port connection invoking a stored function with the CALL command --
55+ if the :ref: `SETUID <box_schema-func_create >` property is enabled for the function,
56+ Tarantool temporarily replaces the current user with the
57+ function’s creator, with all the creator's privileges, during function execution.
5858
5959.. _authentication-passwords :
6060
@@ -139,34 +139,42 @@ become creators/definers of new objects. For the objects they created, the users
139139can in turn share privileges with other users.
140140
141141This is why only an object's owner can drop the object, but other
142- ordinary users cannot. Meanwhile, 'admin' can drop any object or delete any
143- other user, because 'admin' is the creator and ultimate owner of them all.
142+ ordinary users cannot. However, 'admin' can drop any object or delete any
143+ other user, because 'admin' is the creator and ultimate owner of all
144+ objects and users.
144145
145- The syntax of all
146+ All
146147:ref: `grant() <box_schema-user_grant >`/:ref: `revoke() <box_schema-user_revoke >`
147- commands in Tarantool follows this basic idea .
148+ requests have up to four arguments .
148149
149- * The first argument is the name of the user who gets the privilege or whose
150- privilege is revoked.
150+ * The first argument is the name of the user to whom privileges are being
151+ granted or revoked.
151152
152- * The second argument is the type of privilege granted, or a list of privileges.
153+ * The second argument is the list of one or more privileges.
153154
154155* The third argument is the object type on which the privilege is granted,
155156 or the word 'universe'. Possible object types are 'space', 'function',
156- 'sequence' (not 'user' or 'role'). For 'usage' and 'session' privileges
157- are called "system privileges" the third argument must be 'universe'.
157+ 'sequence' (not 'user' or 'role'). For 'usage' and 'session' privileges,
158+ also called "system privileges", the third argument must be 'universe'.
158159
159- * The fourth argument is the name of the object if the object type
160- was specified ('universe' has no name because there is only one 'universe',
161- but otherwise you must specify the name).
160+ * The fourth argument is the name of the object.
161+ If the third argument is 'universe' then the fourth argument is not
162+ specified because there is only one 'universe'.
163+ If the third argument is 'space' or 'function' or 'sequence' then
164+ the fourth argument is optional -- omit it to mean
165+ "all" spaces or functions or sequences.
162166
163167**Example #1 **
164168
165- Here we say that user 'guest' can do common operations on any object.
169+ Here we say that user 'guest' can do common operations on any object,
170+ and user 'sally' can execute any function,
171+ and user 'yoshi' can no longer read space '_space'.
166172
167173.. code-block :: lua_tarantool
168174
169- box.schema.user.grant('guest', 'read,write,execute', 'universe')
175+ box.schema.user.grant ('guest', 'read,write,execute', 'universe')
176+ box.schema.user.grant ('sally', 'execute', 'function')
177+ box.schema.user.revoke('yoshi', 'read', 'space', '_space')
170178
171179Example #2 **
172180
0 commit comments