Description
This is an extension of https://issues.couchbase.com/browse/MB-61656.
Since I know that the UDF is run using the definer's authorization and not the caller's authorization, I tried a different scenario.
1. Created two users `testuser1` and `testuser2`.
2. Granted the CREATE and DROP function privileges to `testuser1`.
```sql
grant create,drop function to testuser1;
```
3. Tried to create a UDF that references a collection using `testuser1` auth, but got an error, as expected.
```sql
create analytics function Default.Default.testfunc(){select * from Default.Default.D0gkWB6Cuzv61p};
```
```
User must have permission (cluster.analytics.grant.COLLECTION[Default:Default:D0gkWB6Cuzv61p]!SELECT)
```
4. Granted SELECT privilege on the collection to `testuser1`.
```sql
grant select on collection D0gkWB6Cuzv61p to testuser1;
```
I was now able to create the UDF.
5. Granted EXECUTE privilege on testfunc to `testuser2`.
```sql
grant execute on function testfunc to testuser2;
```
6. Ran the UDF using `testuser2` auth, which returned results as expected.
```json
"results": [
  {
    "D0gkWB6Cuzv61p": {
      "name": "F0pJdWfOAaiME9e7fl2",
      "email": "N7pZmaT0aeWGPAwtM98HbZMcd6lSvm8jBz@JOPMO8F3hN.com",
      "mutated": 0.0,
      "padding": "",
      "country": "Sierra Leone",
      "address": "gaXiystescgALnTmVWsVBjK5AmZFtJFZpYg30eNhnCgXMojT9g8Fs5zIE9XWdP6e1mXO7rlD",
      "free_parking": 0,
      "document_size": 1024,
      "city": "ArSwGB",
      "type": "Hotel",
      "characters_without_spaces": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
      "url": "www.N7pZmaT0aeWGPAwtM98HbZMcd6lSvm8jBz.JOPMO8F3hN.com",
      "reviews": [
        {
          "date": "Fri Apr 26 15:55:32 IST 2024",
          "author": "cQDnGeXIdQl",
          "rating": {
            "cleanliness": 6.904136562021412,
            "overall": 8.020691122580567,
            "value": 3.2584230710185667
          }
        },
        {
          "date": "Fri Apr 26 15:55:32 IST 2024",
          "author": "xQWFoqxGCkVpXzK Pv",
          "rating": {
            "cleanliness": 3.0076382694184947,
            "overall": 9.583520014885906,
            "value": 6.150101794568794
          }
        },
        {
          "date": "Fri Apr 26 15:55:32 IST 2024",
          "author": "EGyfXzQIAOgGS",
          "rating": {
            "cleanliness": 5.360686836960344,
            "overall": 1.2494411666750782,
            "value": 1.4874874071150324
          }
        },
        {
          "date": "Fri Apr 26 15:55:32 IST 2024",
          "author": "LpHOUtCtgpSwxGi",
          "rating": {
            "cleanliness": 9.626969206804096,
            "overall": 1.4840576785160131,
            "value": 2.883689409563417
          }
        },
        {
          "date": "Fri Apr 26 15:55:32 IST 2024",
          "author": "bSwNuBwZBzru",
          "rating": {
            "cleanliness": 9.471510718570743,
            "overall": 8.192064271233663,
            "value": 7.326342013125147
          }
        }
      ],
      "phone": 5112796,
      "price": 5000.0,
      "avg_rating": 0.8416077775659097,
      "characters_with_spaces": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ",
      "free_breakfast": 1,
      "public_likes": [
        "sqzt331RuTAud",
        "BlGsUl8nHGRIm0",
        "wPn2JkvCg5",
        "lAJl6QMMHLR",
        "dScrAPqU2S",
        "G RHtZyWeoYFpLauAaBu",
        "5jeLV 9Zj2FX2",
        "8XPTxxQSqTY3",
        " GrUJk961g6tk"
      ]
    }
  }
```
7. Revoked SELECT privilege from `testuser1`.
```sql
revoke select on collection D0gkWB6Cuzv61p from testuser1;
```
8. Ran the UDF again with `testuser2` auth. I am still able to get the results:
```json
"results": [
  {
    "D0gkWB6Cuzv61p": {
      "name": "F0pJdWfOAaiME9e7fl2",
      "email": "N7pZmaT0aeWGPAwtM98HbZMcd6lSvm8jBz@JOPMO8F3hN.com",
      "mutated": 0.0,
      "padding": "",
      "country": "Sierra Leone",
      "address": "gaXiystescgALnTmVWsVBjK5AmZFtJFZpYg30eNhnCgXMojT9g8Fs5zIE9XWdP6e1mXO7rlD",
      "free_parking": 0,
      "document_size": 1024,
      "city": "ArSwGB",
      "type": "Hotel",
      "characters_without_spaces": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
      "url": "www.N7pZmaT0aeWGPAwtM98HbZMcd6lSvm8jBz.JOPMO8F3hN.com",
      "reviews": [
        {
          "date": "Fri Apr 26 15:55:32 IST 2024",
          "author": "cQDnGeXIdQl",
          "rating": {
            "cleanliness": 6.904136562021412,
            "overall": 8.020691122580567,
            "value": 3.2584230710185667
          }
        },
        {
          "date": "Fri Apr 26 15:55:32 IST 2024",
          "author": "xQWFoqxGCkVpXzK Pv",
          "rating": {
            "cleanliness": 3.0076382694184947,
            "overall": 9.583520014885906,
            "value": 6.150101794568794
          }
        },
        {
          "date": "Fri Apr 26 15:55:32 IST 2024",
          "author": "EGyfXzQIAOgGS",
          "rating": {
            "cleanliness": 5.360686836960344,
            "overall": 1.2494411666750782,
            "value": 1.4874874071150324
          }
        },
        {
          "date": "Fri Apr 26 15:55:32 IST 2024",
          "author": "LpHOUtCtgpSwxGi",
          "rating": {
            "cleanliness": 9.626969206804096,
            "overall": 1.4840576785160131,
            "value": 2.883689409563417
          }
        },
        {
          "date": "Fri Apr 26 15:55:32 IST 2024",
          "author": "bSwNuBwZBzru",
          "rating": {
            "cleanliness": 9.471510718570743,
            "overall": 8.192064271233663,
            "value": 7.326342013125147
          }
        }
      ],
      "phone": 5112796,
      "price": 5000.0,
      "avg_rating": 0.8416077775659097,
      "characters_with_spaces": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ",
      "free_breakfast": 1,
      "public_likes": [
        "sqzt331RuTAud",
        "BlGsUl8nHGRIm0",
        "wPn2JkvCg5",
        "lAJl6QMMHLR",
        "dScrAPqU2S",
        "G RHtZyWeoYFpLauAaBu",
        "5jeLV 9Zj2FX2",
        "8XPTxxQSqTY3",
        " GrUJk961g6tk"
      ]
    }
  }
```
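So it seems that privileges are checked only when the function is created and not on subsequent execution requests, which I am not sure is safe. In the steps above, `testuser2` was granted only EXECUTE on the function, yet can still read the collection through it after the definer (`testuser1`) has lost SELECT, so revoking the definer's privilege does not cut off access via the UDF. Given this behaviour, a revoke would have to be followed by a review of the functions that user defined if access through them is meant to end as well.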