Couchbase Documentation / DOC-2586

[N1QL RBAC UPGRADE] Incorrect error message for select on password protected bucket in mixed node cluster


Details

    • DOC-S2-Nov03, DOC-S3-Nov17, DOC-S4-Dec01, DOC-S5-Dec15, DOC-S6-Dec29, DOC-S7-Jan12, DOC-S8-Jan26

    Description

      1. Create a 2-node cluster with the following configuration:
      a. 1 node with 4.6.1-3652 having kv, index and n1ql on it.
      b. Second node with 5.0.0-3088 having kv, index and n1ql on it.
      2. Create a bucket bucket0 with password as password and bucket bucket1 with password as password1.
      3. Enable PAM authentication on the node with version 4.6.1-3652.
      4. Create a user hello with role bucket_admin on bucket-1 as shown in screenshot.
      5. Add password to user hello through PAM:
      [root@localhost bin]# useradd hello
      [root@localhost bin]# passwd hello

      6. Try accessing bucket0 as follows:

      cbq> [root@localhost bin]# ./cbq -u hello -p password
       Connected to : http://localhost:8091/. Type Ctrl-D or \QUIT to exit.
       
       Path to history file for the shell : /root/.cbq_history 
      cbq> select * from `bucket0` limit 1;
      {
          "requestID": "798239c2-b1e6-4017-b6a1-6c2c598ae074",
          "signature": {
              "*": "*"
          },
          "results": [
          ],
          "errors": [
              {
                  "code": 13014,
                  "msg": "User does not have credentials to access privilege cluster.bucket[bucket0].n1ql.select!execute. Add role Query Select [bucket0] to allow the query to run."
              }
          ],
          "status": "stopped",
          "metrics": {
              "elapsedTime": "9.654247ms",
              "executionTime": "9.593159ms",
              "resultCount": 0,
              "resultSize": 0,
              "errorCount": 1
          }
      }
      cbq> select * from `bucket0` limit 1;
      {
          "requestID": "169767cf-c90f-480a-b043-25fe38f1721a",
          "signature": {
              "*": "*"
          },
          "results": [
          ],
          "errors": [
              {
                  "code": 10000,
                  "msg": "Authorization Failed Keyspace bucket0"
              }
          ],
          "status": "stopped",
          "metrics": {
              "elapsedTime": "25.475994ms",
              "executionTime": "25.389368ms",
              "resultCount": 0,
              "resultSize": 0,
              "errorCount": 1
          }
      }
      cbq> 
       
      
      

      The error message should always be "Authorization Failed Keyspace bucket0".
      In this particular cluster there is no query select[bucket0] role in the UI. Hence the user cannot select that.
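
An added example, not part of the ticket or of Couchbase's code: a client-side check that treats both error shapes from the output above as the same authorization denial and reports keyspaces that were denied with more than one shape. The sample responses are constructed by trimming the output above; the function names and the shape labels are hypothetical.

```python
import json
import re

# Constructed samples: the two error shapes from the output above, trimmed.
RESP_13014 = json.dumps({"results": [], "status": "stopped", "errors": [{
    "code": 13014,
    "msg": "User does not have credentials to access privilege "
           "cluster.bucket[bucket0].n1ql.select!execute. Add role "
           "Query Select [bucket0] to allow the query to run."}]})
RESP_10000 = json.dumps({"results": [], "status": "stopped", "errors": [{
    "code": 10000, "msg": "Authorization Failed Keyspace bucket0"}]})

# Privilege string in the 13014 message: keyspace and N1QL action.
_PRIV = re.compile(r"cluster\.bucket\[([^\]]+)\]\.n1ql\.(\w+)!execute")
# Code 10000 is matched together with its message prefix, not on the code alone.
_KEYSPACE = re.compile(r"^Authorization Failed Keyspace (\S+)")


def auth_denials(raw):
    """Return normalized denial records for one N1QL response body."""
    denials = []
    for err in json.loads(raw).get("errors", []):
        code, msg = err.get("code"), err.get("msg", "")
        if code == 13014:
            m = _PRIV.search(msg)
            denials.append({"keyspace": m.group(1) if m else None,
                            "action": m.group(2) if m else None,
                            "shape": "13014"})
        elif code == 10000:
            m = _KEYSPACE.match(msg)
            if m:
                denials.append({"keyspace": m.group(1), "action": None,
                                "shape": "10000"})
    return denials


def inconsistent_denials(responses):
    """Map keyspace -> shapes, for keyspaces denied with more than one shape."""
    seen = {}
    for raw in responses:
        for d in auth_denials(raw):
            seen.setdefault(d["keyspace"], set()).add(d["shape"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    print(inconsistent_denials([RESP_13014, RESP_10000]))
```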


          People

            simon.dew Simon Dew
            Prerna.Manaktala Prerna Manaktala (Inactive)