config: sync users with config on reload #11828

Merged
sergos merged 1 commit into tarantool:master from mandesero:mandesero/gh-11827-sync-users-with-config
Sep 30, 2025

@mandesero mandesero commented Sep 8, 2025

Previously, if a user or role was removed from credentials.users or credentials.roles in config, it still remained in the instance after reload. This was intentional to prevent bricking when an empty credentials section was rolled out, but it left stale accounts and roles in the system, which is a security risk.

Now both users and roles are synchronized with config on reload:

  • users/roles missing from config are dropped,
  • users/roles present in config are created/updated,
  • manually created users/roles remain untouched.

Closes #11827
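
The sync rules from the description above, modelled as an added example; this is not code from the pull request or from Tarantool. It assumes the instance can tell config-created accounts from manually created ones, and the `origin`/`settings` field names and the sample users are hypothetical.

```python
# Model of the reload behaviour described in the PR (not Tarantool code).
# Assumption: the instance can tell config-created accounts ("config")
# from manually created ones ("manual"); the field names are hypothetical.

def plan_sync(declared, existing):
    """Return what a reload would do, without applying it.

    declared: {name: settings} from credentials.users or credentials.roles
    existing: {name: {"origin": "config" | "manual", "settings": {...}}}
    """
    plan = {"create": [], "update": [], "drop": [], "untouched": []}
    for name, settings in declared.items():
        if name not in existing:
            plan["create"].append(name)
        elif existing[name]["settings"] != settings:
            plan["update"].append(name)
    for name, entry in existing.items():
        if name in declared:
            continue
        # Only accounts that came from the config are dropped when they
        # disappear from it; manually created ones are left alone.
        key = "drop" if entry["origin"] == "config" else "untouched"
        plan[key].append(name)
    return {k: sorted(v) for k, v in plan.items()}

def apply_sync(declared, existing):
    """Apply the plan and return the new instance state."""
    plan = plan_sync(declared, existing)
    state = {n: e for n, e in existing.items() if n not in plan["drop"]}
    for name in plan["create"] + plan["update"]:
        state[name] = {"origin": "config", "settings": declared[name]}
    return state

# Constructed sample state: two config-managed users, one manual user.
EXISTING = {
    "app": {"origin": "config", "settings": {"roles": ["reader"]}},
    "old_admin": {"origin": "config", "settings": {"roles": ["super"]}},
    "ops_manual": {"origin": "manual", "settings": {"roles": ["super"]}},
}
# Constructed new config: old_admin removed, app changed, metrics added.
DECLARED = {
    "app": {"roles": ["reader", "writer"]},
    "metrics": {"roles": ["reader"]},
}

if __name__ == "__main__":
    print(plan_sync(DECLARED, EXISTING))
    print(plan_sync({}, EXISTING))  # empty credentials section
```

Running `plan_sync` with an empty `declared` shows the case the description mentions: every config-managed account lands in `drop`, so reviewing the plan before a reload catches an accidentally empty `credentials` section.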

@mandesero mandesero force-pushed the mandesero/gh-11827-sync-users-with-config branch 3 times, most recently from 3321ef6 to f4a8e21 Compare September 11, 2025 19:15

coveralls commented Sep 11, 2025

Coverage Status

coverage: 87.628% (+0.008%) from 87.62% when pulling ed72d08 on mandesero:mandesero/gh-11827-sync-users-with-config into 309409e on tarantool:master.

@mandesero mandesero marked this pull request as ready for review September 15, 2025 08:20
@mandesero mandesero requested a review from a team as a code owner September 15, 2025 08:20
@mandesero mandesero force-pushed the mandesero/gh-11827-sync-users-with-config branch from f4a8e21 to b3220f5 Compare September 15, 2025 09:30
@georgiy-belyanin georgiy-belyanin self-requested a review September 16, 2025 10:24
@georgiy-belyanin georgiy-belyanin self-assigned this Sep 16, 2025
@mandesero mandesero force-pushed the mandesero/gh-11827-sync-users-with-config branch from b3220f5 to e8d5edb Compare September 16, 2025 14:12
@mandesero mandesero force-pushed the mandesero/gh-11827-sync-users-with-config branch from e8d5edb to 5a52d71 Compare September 17, 2025 13:59
@mandesero mandesero force-pushed the mandesero/gh-11827-sync-users-with-config branch from 5a52d71 to 51af3c3 Compare September 18, 2025 23:18
@mandesero mandesero requested a review from locker September 22, 2025 07:17
@locker locker removed their assignment Sep 23, 2025
@mandesero mandesero force-pushed the mandesero/gh-11827-sync-users-with-config branch 2 times, most recently from cde04b5 to 75d662f Compare September 24, 2025 18:28

@maryiaLichko maryiaLichko left a comment

Changelog is ok for me. If changed -> request review again

@mandesero mandesero force-pushed the mandesero/gh-11827-sync-users-with-config branch 3 times, most recently from a86d5de to d662fc4 Compare September 25, 2025 14:21
@mandesero mandesero force-pushed the mandesero/gh-11827-sync-users-with-config branch from d662fc4 to 13a364f Compare September 25, 2025 14:55

@Totktonada Totktonada left a comment

Thank you for the decent work!

Of course, it would be nice to move to runtime users and privileges. I hope it will be some of our next steps.

@mandesero mandesero force-pushed the mandesero/gh-11827-sync-users-with-config branch from 13a364f to fd9f258 Compare September 26, 2025 09:22
@mandesero mandesero added the full-ci Enables all tests for a pull request label Sep 26, 2025

@georgiy-belyanin georgiy-belyanin left a comment

Thank you! This is some really neat work!

@mandesero mandesero force-pushed the mandesero/gh-11827-sync-users-with-config branch from fd9f258 to 2039aa9 Compare September 29, 2025 13:22
Previously, if a user or role was removed from
`credentials.users` or `credentials.roles` in config,
it still remained in the instance after reload. This was
intentional to prevent bricking when an empty `credentials`
section was rolled out, but it left stale accounts and roles
in the system, which is a security risk.

Now both users and roles are synchronized with config on reload:
 - users/roles missing from config are dropped,
 - users/roles present in config are created/updated,
 - manually created users/roles remain untouched.

Closes tarantool#11827

NO_DOC=bugfix
@mandesero mandesero force-pushed the mandesero/gh-11827-sync-users-with-config branch from 2039aa9 to ed72d08 Compare September 29, 2025 13:26
@mandesero mandesero added full-ci Enables all tests for a pull request and removed full-ci Enables all tests for a pull request labels Sep 29, 2025
@sergos sergos merged commit 93906a4 into tarantool:master Sep 30, 2025
45 of 65 checks passed

Development

Successfully merging this pull request may close these issues.

config: users are not synced with config on reload
