Couchbase Server: MB-22758

simple SELECT is not correctly authorized


Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Affects Version/s: 5.0.0
    • Fix Version/s: 5.0.0
    • Component/s: ns_server
    • Labels: None

    Description

      To reproduce using Enterprise Edition 5.0.0-1965 (build 1965):

      • Create a bucket closed1 with a password.
      • Create a user with data_read permission on this bucket:
        curl -X PUT http://localhost:8091/settings/rbac/users/builtin/reader1 -d "name=Reader One&roles=data_reader[closed1]&password=pwreader1" -u Administrator:password
      • Using cbauth, authorize as reader1:pwreader1, and request permission cluster.bucket[closed1].n1ql.select!execute. This permission is granted, but should not be.

      Unfortunately I don't have an end-to-end reproducer. The code in the query engine that asks for statement type permissions is currently commented out, since it would break access to open (no-password) buckets. Let me know if you need a specially-built query engine, and I'll provide one.
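      Added example, not code from this report or from cbauth: a deny-by-default model of the answer a correct authorizer must give for the steps above. The permission string and the role string are the ones from the report; the grant table is an assumption modelled on the bucket roles, and parse_permission/parse_roles/is_allowed are hypothetical names.

```python
import re
from dataclasses import dataclass

# cbauth-style permission: cluster.bucket[<bucket>].<resource>!<verb>
PERM_RE = re.compile(r"^cluster\.bucket\[([^\]]+)\]\.([a-z0-9_.]+)!([a-z_]+)$")
# role string as used in the RBAC REST API: <role>[<bucket>] or <role>[*]
ROLE_RE = re.compile(r"^([a-z_]+)\[([^\]]+)\]$")

# Assumption: illustrative grant table, modelled on the 5.0 bucket roles.
# Only data_reader and query_select are shown; nothing else is granted.
ROLE_GRANTS = {
    "data_reader": {("data.docs", "read")},
    "query_select": {("n1ql.select", "execute")},
}


@dataclass(frozen=True)
class Permission:
    bucket: str
    resource: str  # e.g. "n1ql.select" or "data.docs"
    verb: str      # e.g. "execute" or "read"


def parse_permission(text: str) -> Permission:
    """Parse a bucket-scoped permission string; reject anything else."""
    m = PERM_RE.match(text)
    if not m:
        raise ValueError(f"unsupported permission string: {text!r}")
    return Permission(*m.groups())


def parse_roles(text: str) -> list[tuple[str, str]]:
    """Parse 'data_reader[closed1],query_select[*]' into (role, bucket) pairs."""
    pairs = []
    for item in filter(None, (s.strip() for s in text.split(","))):
        m = ROLE_RE.match(item)
        if not m:
            raise ValueError(f"unsupported role string: {item!r}")
        pairs.append((m.group(1), m.group(2)))
    return pairs


def is_allowed(roles: str, permission: str) -> bool:
    """Deny by default: allow only if some role on the right bucket grants the verb."""
    perm = parse_permission(permission)
    for role, bucket in parse_roles(roles):
        if bucket not in ("*", perm.bucket):
            continue  # role is scoped to another bucket
        if (perm.resource, perm.verb) in ROLE_GRANTS.get(role, set()):
            return True
    return False
```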

          People

            arunkumar Arunkumar Senthilnathan (Inactive)
            johan.larson Johan Larson (Inactive)