Details
-
Bug
-
Resolution: Not a Bug
-
Major
-
None
-
None
-
None
-
None
-
1
Description
Hi Graham,
I have created an RBAC user which has no permissions on the metadata collection.
Then tried to execute a single query transaction. Expectation was this transaction would fail since it has no permissions for metadata collection. But surprisingly its passing. Could you please check and fix this.
public static void main(String[] args) { |
JsonObject initialQuery = JsonObject.create().put("content", "initial-query"); |
|
//Connect as Administrator |
Cluster cluster = Cluster.connect("localhost","Administrator", "password"); |
|
// create a rbac user with "query_insert" role on transaction operation collection i.e collection_transactionOps |
// Note that This user has no permissions at all on metadataCollection and default collection |
User user = new User("query_insert_user") |
.password("password") |
.roles(new Role("query_insert", "default", "custom_scope","collection_transactionOps")); |
cluster.users().upsertUser(user);
|
cluster.disconnect();
|
|
//Now connect as the rbac user |
TransactionKeyspace keyspace =TransactionKeyspace.create("default","custom_scope","metadataCollection"); |
ClusterEnvironment env = ClusterEnvironment.builder()
|
// Adding metadata collection for transactions |
.transactionsConfig(TransactionsConfig.builder().metadataCollection(keyspace))
|
.build();
|
Cluster newcluster = Cluster.connect("localhost",ClusterOptions.clusterOptions("query_insert_user", "password").environment(env)); |
|
try{ |
String docId = UUID.randomUUID().toString();
|
String queryStmt = "INSERT INTO `default`.`custom_scope`.`collection_transactionOps` VALUES ('" + docId + "', " + initialQuery + ")"; |
newcluster.query(queryStmt);
|
|
// This docId is not supposed to be present but I could see in UI its present in `default`.`custom_scope`.`collection_transactionOps`. You can add any assertion here |
System.out.println("DocId: "+docId); |
System.out.println("queryStmt: "+queryStmt); |
|
}catch (TransactionFailedException e){ |
System.out.println("Caught TransactionFailedException:"); |
// Some exception handling |
}catch (CouchbaseException ce){ |
System.out.println("Caught CouchbaseException: "+ce); |
}catch (RuntimeException re){ |
System.out.println("Caught RuntimeException:"); |
}
|
}
|