config: credential `sharding` role

[TarantoolBot]

Related dev. issue(s): tarantool/tarantool#8862
Parent doc issue: #3666

Product: Tarantool
Since: 3.0
Root document: https://www.tarantool.io/en/doc/latest/book/admin/vshard_admin/
SME: @ ImeevMA

Details

The credential sharding role is a new credential role. This is the
default credential role, but it is different from other default
credential roles because it is created by the config module. Other
default credential roles are already described in the bootstrap.snap
file.

This role has different privileges depending on the replicaset sharding
role. For replicasets with the sharding storage role, the credential
sharding role will have rights to execute necessary vshard.storage.*
functions and the credential replicaset role. If the replicaset does
not have the sharding storage role, the credential sharding role
does not have any privileges.

A sharding storage user must have the credential sharding role among
their credential roles, if the user is in credentials.users. If the
user is not in credentials.users we do not check its privileges.
Requested by @ ImeevMA in tarantool/tarantool@14938b3.

[andreyaksenov]

Mentioned in:

• Getting started with vshard: https://www.tarantool.io/en/doc/latest/how-to/vshard_quick/#step-1-configuring-credentials
• Access control: https://www.tarantool.io/en/doc/latest/book/admin/access_control/#roles