Details
Description
I used the Security->Internal User/Roles UI to create a read only admin, test2/123456. Negative tests on XDCR + RBAC using this read only admin yielded expected results – all GET rest APIs succeeded and all POST/DELETE rest APIs failed.
I did notice issues with some error messages that ns_server produced, though.
"Yus-MacBook-Pro:goxdcr yu$ curl -X POST -u test2:123456 http://127.0.0.1:9000/settings/replications/d3f3abd8c7c6169f92e74eb59b1d0f80%2Fdefault%2Ftarget -d pauseRequested=true
{"message":"Forbidden. User needs one of the following permissions","permissions":["cluster.bucket[?].xdcr!execute","cluster.bucket[?].xdcr!write”]}"
The bucket name is displayed as a “?” — the same happened with other error messages with bucket name in them.
The error message is not entirely accurate. When only one setting, pauseRequest, is specified, it requires one and only one permission, cluster.bucket.xdcr!execute. If the setting specified had been something else, e.g., checkpointInterval, that would have required one and only one other permission, cluster.bucket.xdcr!write. If both pauseRequested and some other setting had been specified, both of, not either of, “!execute” and “!write” permissions would have been required.
The error messages produced by XDCR is more accurate:
Yus-MacBook-Pro:goxdcr yu$ curl -X POST -u test2:123456 http://127.0.0.1:13000/settings/replications/d3f3abd8c7c6169f92e74eb59b1d0f80%2Fdefault%2Ftarget -d pauseRequested=true
{"message":"Forbidden. User needs one of the following permissions.","permissions":["cluster.bucket[default].xdcr!execute”]}Yus-MacBook-Pro:goxdcr yu$ curl -X POST -u test2:123456 http://127.0.0.1:13000/settings/replications/d3f3abd8c7c6169f92e74eb59b1d0f80%2Fdefault%2Ftarget -d checkpointInterval=2000
{"message":"Forbidden. User needs one of the following permissions.","permissions":["cluster.bucket[default].xdcr!write”]}Yus-MacBook-Pro:goxdcr yu$ curl -X POST -u test2:123456 http://127.0.0.1:13000/settings/replications/16f4e226be57b4337434faa638c53cdc%2Fdefault%2Ftarget -d checkpointInterval=200 -d pauseRequested=true
{"message":"Forbidden. User needs all of the following permissions","permissions":["cluster.bucket[default].xdcr!execute","cluster.bucket[default].xdcr!write"]}Attachments
Issue Links
- depends on
-
MB-18796 xdcr test uses incorrect url to delete replication
- Closed
For Gerrit Dashboard: MB-18340 | ||||||
---|---|---|---|---|---|---|
# | Subject | Branch | Project | Status | CR | V |
61683,3 | MB-18340 do not check permissions before proxying to goxdcr | master | ns_server | Status: MERGED | +2 | +1 |
62245,2 | MB-18340 do not check permissions before proxying to goxdcr | master | ns_server | Status: MERGED | +2 | +1 |