Trove/better-user-privileges

Trove's API at present has no way to grant or revoke specific privileges to or from users. Right now it's all or nothing, either 'ALL' or 'ACCESS'. I propose the following amendments to the API methods to facilitate more complete control over user grants and such. This approach maintains the list of databases to which a user has more than 'ACCESS' (no privileges) to, and adds a dictionary mapping each of those databases to a list of permissions. In keeping with the established contract, it is to be assumed that no mention in this "privileges" mapping means the default of 'ALL'.

Present-day create user request

POST /v1.0/1234/instances/dcc5c518-73c7-4471-83e1-15fae67a98eb/users HTTP/1.1 {       "users": [ {               "database": "databaseA", "name": "dbuser1", "password": "password" },            {                "databases": [ {                       "name": "databaseB" },                    {                        "name": "databaseC" }               ],                 "host": "10.0.0.1", "name": "dbuser2", "password": "password" },            {                "database": "databaseD", "name": "dbuser3", "password": "password" }       ]    }

Proposed create user request

POST /v1.0/1234/instances/dcc5c518-73c7-4471-83e1-15fae67a98eb/users HTTP/1.1 {       "users": [ {               "database": "databaseA", "name": "dbuser1", "password": "password" },            {                "databases": [ {                       "name": "databaseB" },                    {                        "name": "databaseC" }               ],                 "host": "10.0.0.1", "name": "dbuser2", "password": "password", "privileges": { "databaseB": [ "SELECT" ]               }            },             {                "database": "databaseD", "name": "dbuser3", "password": "password" }       ]    }

Present-day modify user (grant) request

PUT /v1.0/1234/instances/dcc5c518-73c7-4471-83e1-15fae67a98eb/users/dbuser1/databases HTTP/1.1 {       "databases": [ {               "name": "databaseE" }       ]    }

Proposed modify user (grant) request

PUT /v1.0/1234/instances/dcc5c518-73c7-4471-83e1-15fae67a98eb/users/dbuser1/databases HTTP/1.1 {       "databases": [ {               "name": "databaseE" }       ],        "privileges": { "databaseE": [ "ALTER", "CREATE", "DROP", "SELECT" ]       }    }

Present-day list user response

{       "user": { "databases": [ "testdb1" ],            "host": "%", "name": "dbuser1" }   }

Proposed list user response

{       "user": { "databases": [ "testdb1" ],            "host": "%", "name": "dbuser1", "privileges": { "testdb1": [ "SELECT" ] }           ]        }    }