Description
Product: Tarantool
Audience/target: admin
Root document: https://www.tarantool.io/en/doc/latest/admin/access_control/
SME: @ sergepetrenko
<…>ox.schema.user.grant('testuser', 'write', 'space', '_priv')
Executing code
To let testuser execute Lua code, grant the execute privilege to the lua_eval object:
box.schema.user.grant('testuser','execute','lua_eval')
Similarly, executing an arbitrary SQL expression requires the execute privilege to the sql object:
box.schema.user.grant('testuser','execute','sql')
Example
In the example below, the created Lua function is execut<…>
https://www.tarantool.io/en/doc/latest/admin/access_control/
Please mention explicitly that only the 'admin' user can grant the 'execute' privilege on 'lua_eval', 'lua_call', 'sql', 'universe'.
Generally speaking, any non-admin user, even one having the 'super' privilege, cannot grant any privilege for an object that this user doesn't own. No one, except admin, "owns" 'lua_eval', 'lua_call', 'sql', 'universe' and so on.
This also means a non-admin 'super' user cannot grant access to spaces (or functions or any other type of object) he hasn't created:
tarantool> _ = box.schema.space.create('test')
---
...
tarantool> box.schema.user.create('tester')
---
...
tarantool> box.schema.user.grant('tester', 'super')
---
...
tarantool> box.session.su('tester')
---
...
tarantool> box.schema.user.grant('guest', 'read', 'space', 'test')
---
- error: Grant access to space 'test' is denied for user 'tester'
...
tarantool>
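
The ownership rule from the report, tried from both sides in one script. This is an added example, not part of the original issue or of the Tarantool documentation. It assumes the console of a scratch instance that is already configured and running as 'admin'; the space name `tester_owned` and the helper `try_grant` are hypothetical.

```lua
-- Added example. Assumes a scratch instance, console session running as 'admin'.
-- 'tester_owned' and try_grant() are hypothetical names used for illustration.

-- Attempt a grant with the effective identity of `as_user` and report the
-- result instead of raising, so all cases can be compared side by side.
local function try_grant(as_user, ...)
    local args = {...}
    return box.session.su(as_user, function()
        return pcall(box.schema.user.grant, unpack(args))
    end)
end

-- Setup: 'test' is created (and therefore owned) by admin;
-- 'tester' is a non-admin user holding the 'super' role.
box.schema.space.create('test', {if_not_exists = true})
box.schema.user.create('tester', {if_not_exists = true})
box.schema.user.grant('tester', 'super', nil, nil, {if_not_exists = true})

-- A space created while acting as 'tester' is owned by 'tester'.
box.session.su('tester', function()
    box.schema.space.create('tester_owned', {if_not_exists = true})
end)

-- Each case: acting user, then the arguments passed to box.schema.user.grant.
local cases = {
    {'tester', 'guest', 'read', 'space', 'test'},          -- object owned by admin
    {'tester', 'guest', 'read', 'space', 'tester_owned'},  -- object owned by tester
    {'tester', 'guest', 'execute', 'lua_eval'},            -- no non-admin owner
    {'admin',  'guest', 'read', 'space', 'test'},          -- admin grants on own object
}

for _, c in ipairs(cases) do
    local ok, err = try_grant(unpack(c))
    local object = c[5] or c[4]
    print(('%-6s grants %-7s on %-12s -> %s'):format(
        c[1], c[3], object, ok and 'granted' or tostring(err)))
end

-- Show who owns each space: field 2 of a _space tuple is the owner's user id,
-- field 3 of a _user tuple is the user name.
for _, name in ipairs({'test', 'tester_owned'}) do
    local owner_id = box.space._space.index.name:get(name)[2]
    print(name .. ' is owned by ' .. box.space._user:get(owner_id)[3])
end
```

Per the rule stated in the report, the first and third attempts by 'tester' are the ones that should be refused; the printed error text shows the reason for any refusal.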