box.schema.user.grant()
{options} ]) box.schema.user.grant(username, permissions, 'universe'[, nil, {options} ]) box.schema.user.grant(username, role-name[, nil, nil, {options} ])
Grant privileges to a user or to another role.
Parameters:
-
username(string) — the name of a user to grant privileges to -
permissions(string) — one or more permissions to grant to the user (for example,readorread,write) -
object-type(string) — a database object type to grant permissions to (for example,space,role, orfunction) -
object-name(string) — the name of a database object to grant permissions to -
role-name(string) — the name of a role to grant to the user -
options(table) —grantor,if_not_exists
If 'function','{object-name}' is
specified, then a [func]{#func} tuple with that object-name must exist.
Variation: instead of object-type, object-name say universe
which means 'all object-types and all objects'. In this case, object
name is omitted.
Variation: instead of permissions, object-type, object-name say
role-name (see section Roles).
Variation: instead of
box.schema.user.grant('{username}','usage,session','universe',nil, {if_not_exists=true}) say
box.schema.user.enable('{username}')
(see section box.schema.user.enable).
The possible options are:
grantor= grantor_name_or_id – string or number, for custom grantor,if_not_exists=true|false(default =false) - boolean;truemeans there should be no error if the user already has the privilege.
Example:
box.schema.user.grant('testuser', 'read', 'space', 'writers')box.schema.user.grant('testuser', 'read,write', 'space', 'books')box.session.su('testuser')local _, delete_writer_error = pcall(function()box.space.writers:delete(3)end)t.assert_equals(delete_writer_error:unpack().message, "Write access to space 'writers' is denied for user 'testuser'")box.session.su('admin')-- Revoke space reading --box.schema.user.revoke('testuser', 'write', 'space', 'books')-- End: Revoke space reading --box.session.su('testuser')local _, delete_book_error = pcall(function()box.space.books:delete(10)end)t.assert_equals(delete_book_error:unpack().message, "Write access to space 'books' is denied for user 'testuser'")box.session.su('admin')-- Revoke session --box.schema.user.revoke('testuser', 'session', 'universe')-- End: Revoke session --local _, change_user_error = pcall(function()box.session.su('testuser')end)t.assert_equals(change_user_error:unpack().message, "Session access to universe '' is denied for user 'testuser'")end)endg.test_user_dropped = function(cg)cg.server:exec(function()box.schema.user.create('testuser')-- Drop a user --box.schema.user.drop('testuser')-- End: Drop a user --t.assert_equals(box.schema.user.exists('testuser'), false)end)end
See also: access_control_users.