Description
CB Version: Enterprise Edition 7.1.0 build 2434
Steps to Reproduce:
- Create a user with only a read role on a collection (the listing below grants `data_reader` on `testBucket.testScope.testCollection`). Try a direct KV insert as that user: it fails with NO_ACCESS, as expected, because the user holds no data-writer role.
- Create a user with that same read role plus `query_insert` or `query_update` on the collection and try the same KV insert. It succeeds instead of failing with NO_ACCESS — a query-scoped (N1QL) role is being honoured as a KV write permission, which is an authorization-boundary bug: the user can write documents without ever holding a KV write role.
package com.couchbase;
import com.couchbase.client.core.error.DocumentNotFoundException;
import com.couchbase.client.java.Bucket;
import com.couchbase.client.java.Cluster;
import com.couchbase.client.java.ClusterOptions;
import com.couchbase.client.java.Collection;
import com.couchbase.client.java.json.JsonObject;
import com.couchbase.client.java.manager.user.*;
import com.couchbase.constants.Strings;
import com.couchbase.transactions.Transactions;
import com.couchbase.transactions.config.TransactionConfigBuilder;
import com.couchbase.transactions.error.TransactionFailed;
import java.time.Duration;
import java.util.*;
import java.util.stream.Collectors;
import java.util.stream.Stream;
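public class sample {
    /** Document body the restricted user tries to insert; the content key comes from the project's Strings constants. */
    public static JsonObject initial = JsonObject.create().put(Strings.CONTENT_NAME, "initial");
    /**
     * Shared cluster handle. It is first the Administrator connection (used by createUserAndRoles to
     * provision the user) and is then re-assigned to the connection of the restricted test user.
     */
    public static Cluster cluster;

    // Defaults reproduce the original hard-coded repro values when no args / env vars are supplied.
    // NOTE(review): the admin password was hard-coded in the source; it can now be supplied via
    // CB_ADMIN_PASSWORD so it does not have to be committed alongside the repro.
    private static final String DEFAULT_HOST = "172.23.111.139";
    private static final String DEFAULT_ADMIN_USER = "Administrator";
    private static final String DEFAULT_PASSWORD = "password";
    private static final String TEST_USER = "testuser";
    // Throw-away credential for the RBAC test user that this repro creates; it only needs to match
    // between createUserAndRoles and the second connect below.
    private static final String TEST_USER_PASSWORD = "password";

    private static final String BUCKET = "testBucket";
    private static final String SCOPE = "testScope";
    private static final String COLLECTION = "testCollection";

    /**
     * Reproduces the report: a user holding only data_reader plus a query-scoped role
     * (query_insert / query_update) is able to perform a direct KV insert, which should have
     * been rejected with NO_ACCESS because no KV write role was granted.
     *
     * @param args optional: args[0] overrides the cluster hostname. Admin credentials can be
     *             overridden with the CB_ADMIN_USER / CB_ADMIN_PASSWORD environment variables;
     *             with nothing supplied the original repro values are used.
     */
    public static void main(String[] args) {
        String clusterHostname = args.length > 0 ? args[0] : DEFAULT_HOST;
        String adminUser = envOr("CB_ADMIN_USER", DEFAULT_ADMIN_USER);
        String adminPassword = envOr("CB_ADMIN_PASSWORD", DEFAULT_PASSWORD);

        // Phase 1: provision the restricted user as Administrator. try/finally so the admin
        // connection is released even if user creation fails.
        cluster = Cluster.connect(clusterHostname, ClusterOptions.clusterOptions(adminUser, adminPassword));
        try {
            // Variant also worth trying: cluster.bucket(BUCKET).defaultCollection()
            Collection testCollection = cluster.bucket(BUCKET).scope(SCOPE).collection(COLLECTION);
            createUserAndRoles(testCollection);
        } finally {
            cluster.disconnect();
        }

        // Phase 2: reconnect as the restricted user and attempt a direct KV insert.
        cluster = Cluster.connect(clusterHostname, ClusterOptions.clusterOptions(TEST_USER, TEST_USER_PASSWORD));
        try {
            Collection testuserCollection = cluster.bucket(BUCKET).scope(SCOPE).collection(COLLECTION);
            String docId = UUID.randomUUID().toString();
            System.out.println("DocId:" + docId);
            // Expected: this throws with NO_ACCESS, since the user has no data_writer role.
            // Observed (the bug): the insert succeeds and the read-back below prints the document.
            // The exception is deliberately not caught so the expected failure surfaces as-is.
            testuserCollection.insert(docId, initial);
            System.out.println("DocContent: " + testuserCollection.get(docId));
        } finally {
            // The original left this connection open; release it on both the success and failure path.
            cluster.disconnect();
        }
    }

    /**
     * Creates (or updates) the test user with data_reader plus query_insert on the given collection.
     * Uses the static {@link #cluster}, which must be the Administrator connection at this point.
     * Waits 10s afterwards so the user and roles have propagated across nodes before they are exercised.
     *
     * @param collection the collection whose bucket/scope/name the roles are scoped to
     */
    static void createUserAndRoles(Collection collection) {
        User rbacuser = new User(TEST_USER);
        rbacuser.password(TEST_USER_PASSWORD);
        UserManager userManager = new UserManager(new AsyncUserManager(cluster.core()));

        // Deliberately NO data_writer: a direct KV write must therefore be denied. Only the read role
        // plus the *query*-scoped insert role are granted.
        List<Role> roles = new ArrayList<>();
        roles.add(new Role("data_reader", collection.bucketName(), collection.scopeName(), collection.name()));
        roles.add(new Role("query_insert", collection.bucketName(), collection.scopeName(), collection.name()));
        // Second variant from the report: replace query_insert with query_update, e.g.
        //   roles.add(new Role("query_update", collection.bucketName(), collection.scopeName(), collection.name()));
        rbacuser.roles(roles);
        userManager.upsertUser(rbacuser, UpsertUserOptions.upsertUserOptions().timeout(Duration.ofSeconds(10)));

        try {
            Thread.sleep(10 * 1000); // give the user and its roles time to be reflected across nodes
        } catch (InterruptedException e) {
            // Preserve the interrupt instead of swallowing it; the caller proceeds without the wait,
            // exactly as the original did, but the thread's interrupted status is now kept.
            Thread.currentThread().interrupt();
            System.err.println("Interrupted while waiting for RBAC propagation; continuing without the wait");
        }
    }

    /**
     * Returns the environment variable {@code name} when it is set and non-blank, otherwise {@code fallback}.
     */
    private static String envOr(String name, String fallback) {
        String value = System.getenv(name);
        return (value == null || value.trim().isEmpty()) ? fallback : value;
    }
}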