  1. Couchbase Server
  2. MB-18340

ns_server RBAC related error messages have issues

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 4.5.0
    • 4.5.0
    • ns_server
    • Security Level: Public
    • Untriaged
    • Unknown

    Description

      I used the Security->Internal User/Roles UI to create a read only admin, test2/123456. Negative tests on XDCR + RBAC using this read only admin yielded expected results – all GET rest APIs succeeded and all POST/DELETE rest APIs failed.

      I did notice issues with some error messages that ns_server produced, though.

      "Yus-MacBook-Pro:goxdcr yu$ curl -X POST -u test2:123456 http://127.0.0.1:9000/settings/replications/d3f3abd8c7c6169f92e74eb59b1d0f80%2Fdefault%2Ftarget -d pauseRequested=true

      {"message":"Forbidden. User needs one of the following permissions","permissions":["cluster.bucket[?].xdcr!execute","cluster.bucket[?].xdcr!write"]}

      "

      The bucket name is displayed as a “?” — the same happened with other error messages with bucket name in them.
      The error message is not entirely accurate. When only one setting, pauseRequested, is specified, it requires one and only one permission, cluster.bucket.xdcr!execute. If the setting specified had been something else, e.g., checkpointInterval, that would have required one and only one other permission, cluster.bucket.xdcr!write. If both pauseRequested and some other setting had been specified, both of, not either of, “!execute” and “!write” permissions would have been required.
      The error messages produced by XDCR are more accurate:

      Yus-MacBook-Pro:goxdcr yu$ curl -X POST -u test2:123456 http://127.0.0.1:13000/settings/replications/d3f3abd8c7c6169f92e74eb59b1d0f80%2Fdefault%2Ftarget -d pauseRequested=true

      {"message":"Forbidden. User needs one of the following permissions.","permissions":["cluster.bucket[default].xdcr!execute"]}

      Yus-MacBook-Pro:goxdcr yu$ curl -X POST -u test2:123456 http://127.0.0.1:13000/settings/replications/d3f3abd8c7c6169f92e74eb59b1d0f80%2Fdefault%2Ftarget -d checkpointInterval=2000

      {"message":"Forbidden. User needs one of the following permissions.","permissions":["cluster.bucket[default].xdcr!write"]}

      Yus-MacBook-Pro:goxdcr yu$ curl -X POST -u test2:123456 http://127.0.0.1:13000/settings/replications/16f4e226be57b4337434faa638c53cdc%2Fdefault%2Ftarget -d checkpointInterval=200 -d pauseRequested=true

      {"message":"Forbidden. User needs all of the following permissions","permissions":["cluster.bucket[default].xdcr!execute","cluster.bucket[default].xdcr!write"]}
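
The per-setting permission rule described in the report, as an added Go example that is not part of the original issue and is not ns_server or goxdcr code. The function names `requiredPermissions` and `authorize` are hypothetical; the permission strings and message text follow the outputs quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// requiredPermissions derives the permissions from the settings actually sent:
// pauseRequested needs xdcr!execute, any other setting needs xdcr!write.
// The real bucket name is filled in instead of a "?" placeholder.
func requiredPermissions(bucket string, settings []string) []string {
	need := map[string]bool{}
	for _, s := range settings {
		op := "write"
		if s == "pauseRequested" {
			op = "execute"
		}
		need[fmt.Sprintf("cluster.bucket[%s].xdcr!%s", bucket, op)] = true
	}
	perms := make([]string, 0, len(need))
	for p := range need {
		perms = append(perms, p)
	}
	sort.Strings(perms) // deterministic order in the error body
	return perms
}

// authorize returns "" when every required permission is granted, otherwise
// the JSON body of the 403 ("all of" when more than one permission is required).
func authorize(bucket string, settings []string, granted map[string]bool) string {
	perms := requiredPermissions(bucket, settings)
	ok := true
	for _, p := range perms {
		ok = ok && granted[p]
	}
	if ok {
		return ""
	}
	quant := map[bool]string{false: "one", true: "all"}[len(perms) > 1]
	body, _ := json.Marshal(map[string]interface{}{
		"message":     "Forbidden. User needs " + quant + " of the following permissions",
		"permissions": perms,
	})
	return string(body)
}

func main() {
	// Constructed input: a user with no XDCR permissions on bucket "default".
	fmt.Println(authorize("default", []string{"checkpointInterval", "pauseRequested"}, nil))
}
```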


            People

              artem Artem Stemkovski
              yu Yu Sui (Inactive)