Config credentials

Author: andreyaksenov

doc/code_snippets/snippets/config/instances.enabled/credentials/README.md

@@ -0,0 +1,11 @@
+# Credentials
+
+A sample application demonstrating how configure user credentials in a YAML configuration.
+
+## Running
+
+Start the application by executing the following command in the [config](../../../config) directory:
+
+```console
+$ tt start credentials
+```

doc/code_snippets/snippets/config/instances.enabled/credentials/config.yaml

@@ -0,0 +1,35 @@
+credentials:
+  users:
+    admin:
+      password: 'T0p_Secret_P@$$w0rd'
+    replicator:
+      password: 'topsecret'
+      roles: [ replication ]
+    storage:
+      password: 'secret'
+      roles: [ sharding ]
+    sampleuser:
+      password: '123456'
+      roles: [ writers_space_reader ]
+      privileges:
+      - permissions: [ read, write ]
+        spaces: [ books ]
+  roles:
+    writers_space_reader:
+      privileges:
+      - permissions: [ read ]
+        spaces: [ writers ]
+
+groups:
+  group001:
+    replicasets:
+      replicaset001:
+        instances:
+          instance001:
+            iproto:
+              listen:
+              - uri: '127.0.0.1:3301'
+
+# Load sample data
+app:
+  file: 'myapp.lua'

doc/code_snippets/snippets/config/instances.enabled/credentials/instances.yml

@@ -0,0 +1 @@
+instance001:

doc/code_snippets/snippets/config/instances.enabled/credentials/myapp.lua

@@ -0,0 +1,36 @@
+function create_spaces()
+    box.schema.space.create('writers')
+    box.space.writers:format({
+        { name = 'id', type = 'unsigned' },
+        { name = 'name', type = 'string' }
+    })
+    box.space.writers:create_index('primary', { parts = { 'id' } })
+
+    box.schema.space.create('books')
+    box.space.books:format({
+        { name = 'id', type = 'unsigned' },
+        { name = 'title', type = 'string' },
+        { name = 'author_id', foreign_key = { space = 'writers', field = 'id' } },
+    })
+    box.space.books:create_index('primary', { parts = { 'id' } })
+end
+
+function load_data()
+    box.space.writers:insert { 1, 'Leo Tolstoy' }
+    box.space.writers:insert { 2, 'Fyodor Dostoevsky' }
+    box.space.writers:insert { 3, 'Alexander Pushkin' }
+
+    box.space.books:insert { 1, 'War and Peace', 1 }
+    box.space.books:insert { 2, 'Anna Karenina', 1 }
+    box.space.books:insert { 3, 'Resurrection', 1 }
+    box.space.books:insert { 4, 'Crime and Punishment', 2 }
+    box.space.books:insert { 5, 'The Idiot', 2 }
+    box.space.books:insert { 6, 'The Brothers Karamazov', 2 }
+    box.space.books:insert { 7, 'Eugene Onegin', 3 }
+    box.space.books:insert { 8, 'The Captain\'s Daughter', 3 }
+    box.space.books:insert { 9, 'Boris Godunov', 3 }
+    box.space.books:insert { 10, 'Ruslan and Ludmila', 3 }
+end
+
+create_spaces()
+load_data()

doc/code_snippets/snippets/config/instances.enabled/credentials_context_env/README.md

@@ -0,0 +1,18 @@
+# Credentials: environment variables
+
+A sample application demonstrating how set passwords in a YAML configuration using environment variables.
+
+## Running
+
+Before starting instances, set the `ADMIN_PASSWORD` and `REPLICATOR_PASSWORD` environment variables, for example:
+
+```console
+$ export ADMIN_PASSWORD='T0p_Secret_P@$$w0rd'
+$ export REPLICATOR_PASSWORD='topsecret'
+```
+
+Then, start the application by executing the following command in the [config](../../../config) directory:
+
+```console
+$ tt start credentials_context_env
+```

doc/code_snippets/snippets/config/instances.enabled/credentials_context_env/config.yaml

@@ -0,0 +1,26 @@
+config:
+  context:
+    admin_password:
+      from: env
+      env: ADMIN_PASSWORD
+    replicator_password:
+      from: env
+      env: REPLICATOR_PASSWORD
+
+credentials:
+  users:
+    admin:
+      password: '{{ context.admin_password }}'
+    replicator:
+      password: '{{ context.replicator_password }}'
+      roles: [ replication ]
+
+groups:
+  group001:
+    replicasets:
+      replicaset001:
+        instances:
+          instance001:
+            iproto:
+              listen:
+              - uri: '127.0.0.1:3301'

doc/code_snippets/snippets/config/instances.enabled/credentials_context_env/instances.yml

@@ -0,0 +1 @@
+instance001:

doc/code_snippets/snippets/config/instances.enabled/credentials_context_file/README.md

@@ -0,0 +1,11 @@
+# Credentials: files
+
+A sample application demonstrating how load passwords to a YAML configuration from files.
+
+## Running
+
+Start the application by executing the following command in the [config](../../../config) directory:
+
+```console
+$ tt start credentials_context_file
+```

doc/code_snippets/snippets/config/instances.enabled/credentials_context_file/config.yaml

@@ -0,0 +1,28 @@
+config:
+  context:
+    admin_password:
+      from: file
+      file: secrets/admin_password.txt
+      rstrip: true
+    replicator_password:
+      from: file
+      file: secrets/replicator_password.txt
+      rstrip: true
+
+credentials:
+  users:
+    admin:
+      password: '{{ context.admin_password }}'
+    replicator:
+      password: '{{ context.replicator_password }}'
+      roles: [ replication ]
+
+groups:
+  group001:
+    replicasets:
+      replicaset001:
+        instances:
+          instance001:
+            iproto:
+              listen:
+              - uri: '127.0.0.1:3301'

doc/code_snippets/snippets/config/instances.enabled/credentials_context_file/instances.yml

@@ -0,0 +1 @@
+instance001:

doc/code_snippets/snippets/config/instances.enabled/credentials_context_file/secrets/admin_password.txt

@@ -0,0 +1 @@
+T0p_Secret_P@$$w0rd

doc/code_snippets/snippets/config/instances.enabled/credentials_context_file/secrets/replicator_password.txt

@@ -0,0 +1 @@
+topsecret

doc/concepts/configuration.rst

@@ -451,5 +451,6 @@ To learn more about the persistence mechanism in Tarantool, see the :ref:`Persis
     configuration/configuration_etcd
     configuration/configuration_code
     configuration/configuration_connections
+    configuration/configuration_credentials
     configuration/configuration_authentication
     .. configuration/configuration_migrating

doc/concepts/configuration/configuration_credentials.rst

@@ -0,0 +1,96 @@
+..  _configuration_credentials:
+
+Credentials
+===========
+
+Tarantool enables flexible management of access to various database resources by providing specific privileges to users.
+You can read more about the main concepts of Tarantool access control system in the :ref:`authentication` section.
+
+This topic describes how to create users and grant them the specified privileges in the :ref:`credentials <configuration_reference_credentials>` section of a YAML configuration.
+This might be used to create specific users used in communications between Tarantool instances.
+For example, such users can be created to maintain replication and sharding in a Tarantool cluster.
+
+
+.. _configuration_credentials_managing_users_roles:
+
+Managing users and roles
+------------------------
+
+You can create new or configure credentials of the existing users in the :ref:`credentials.users <configuration_reference_credentials_users>` section.
+In the example below, a password for the built-in 'admin' user is set:
+
+..  literalinclude:: /code_snippets/snippets/config/instances.enabled/credentials/config.yaml
+    :language: yaml
+    :start-at: credentials:
+    :end-at: T0p_Secret
+    :dedent:
+
+To assign a role to a user, use the :ref:`credentials.users.\<username\>.roles <configuration_reference_credentials_users_name_roles>` option.
+In this example, the 'replicator' and 'storage' users get privileges granted to the 'replication' and 'sharding' built-in roles, respectively:
+
+..  literalinclude:: /code_snippets/snippets/config/instances.enabled/credentials/config.yaml
+    :language: yaml
+    :start-at: replicator:
+    :end-at: [ sharding ]
+    :dedent:
+
+To create a new role, define it in the :ref:`credentials.roles.* <configuration_reference_credentials_role>` section.
+In the example below, the 'writers_space_reader' role gets privileges to select data in the 'writers' space:
+
+..  literalinclude:: /code_snippets/snippets/config/instances.enabled/credentials/config.yaml
+    :language: yaml
+    :start-after: spaces: [ books ]
+    :end-at: spaces: [ writers ]
+    :dedent:
+
+Then, you can assign this role to a user using :ref:`credentials.users.\<username\>.roles <configuration_reference_credentials_users_name_roles>` ('sampleuser' in the example below):
+
+..  literalinclude:: /code_snippets/snippets/config/instances.enabled/credentials/config.yaml
+    :language: yaml
+    :start-at: sampleuser:
+    :end-at: [ writers_space_reader ]
+    :dedent:
+
+Apart from assigning a role to a user, you can grant specific privileges directly using :ref:`credentials.users.\<username\>.privileges <configuration_reference_credentials_users_name_privileges>`.
+In this example, 'sampleuser' get privileges to select and modify data in the 'books' space:
+
+..  literalinclude:: /code_snippets/snippets/config/instances.enabled/credentials/config.yaml
+    :language: yaml
+    :start-at: sampleuser:
+    :end-at: [ books ]
+    :dedent:
+
+You can find the full example here: `credentials <https://github.com/tarantool/doc/tree/latest/doc/code_snippets/snippets/config/instances.enabled/credentials>`_.
+
+
+
+.. _configuration_credentials_loading_secrets:
+
+Loading secrets from safe storage
+---------------------------------
+
+File:
+
+..  literalinclude:: /code_snippets/snippets/config/instances.enabled/credentials_context_file/config.yaml
+    :language: yaml
+    :start-at: config:
+    :end-before: credentials:
+    :dedent:
+
+Env:
+
+..  literalinclude:: /code_snippets/snippets/config/instances.enabled/credentials_context_env/config.yaml
+    :language: yaml
+    :start-at: config:
+    :end-before: credentials:
+    :dedent:
+
+Creds:
+
+..  literalinclude:: /code_snippets/snippets/config/instances.enabled/credentials_context_env/config.yaml
+    :language: yaml
+    :start-at: credentials:
+    :end-at: roles: [ replication ]
+    :dedent:
+
+You can find the full examples here: `credentials_context_file <https://github.com/tarantool/doc/tree/latest/doc/code_snippets/snippets/config/instances.enabled/credentials_context_file>`_, `credentials_context_env <https://github.com/tarantool/doc/tree/latest/doc/code_snippets/snippets/config/instances.enabled/credentials_context_env>`_.