From 051cbc4b225bcc92bc7fd949b0573c479da0aafe Mon Sep 17 00:00:00 2001
From: "a.ardeev"
Date: Fri, 30 May 2025 09:00:49 +0300
Subject: [PATCH] Adds description of granting access via ```lua_call```

With the ```lua_call``` priveledge any user can be given access to non-persistent functions The function may be defined after the priviledge is given
Fixes #3628
---
 doc/admin/access_control.rst | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/doc/admin/access_control.rst b/doc/admin/access_control.rst
index 927f761785..8e5d641de6 100644
--- a/doc/admin/access_control.rst
+++ b/doc/admin/access_control.rst
@@ -797,7 +797,31 @@ To give the ability to execute a function named 'sum', grant the following privi
 box.schema.user.grant('testuser','execute','function','sum')
+.. _access_control_grant_lua_functions_execute:
+Executing lua functions
+***********************
+
+Granting the 'execute' privilege on ``lua_call`` permits the user to call any global (accessible via the ``_G`` Lua table)
+user-defined Lua function with the ``IPROTO_CALL`` request. To grant permission to any non-persistent function, you need to
+specify its name when granting the ``lua_call`` privilege.
+
+.. NOTE::
+
+ The function doesn't need to be defined at the time privileges are granted, meaning that the access to the function will be provided for the user once this function is defined.
+
+.. code-block:: lua
+
+ function my_func_1() end
+ function my_func_2() end
+ box.cfg({listen = 3301})
+ box.schema.user.create('alice', {password = 'secret'})
+ conn = require('net.box').connect(box.cfg.listen, {user = 'alice', password = 'secret'})
+ box.schema.user.grant('alice', 'execute', 'lua_call', 'my_func_1')
+ conn:call('my_func_1') -- ok
+ conn:call('my_func_2') -- access denied
+ box.schema.user.grant('alice', 'execute', 'lua_call', 'box.session.su')
+ conn:call('box.session.su', {'admin'}) -- ok