Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Critical
Fix Version/s: 5.0.0
Affects Version/s: 5.0.0
Component/s: query
Labels:
- functional-test
- rbac

Triage:
Untriaged
Is this a Regression?:
No

Description

1. create an internal user named test with role as cluster_admin, password as password
2. create another internal user named queryselect with role as query_system_catalog.
3. create a bucket named test123.
4. Login cbq as test and try following scenarios:

[root@localhost bin]# ./cbq -u test -p password

 Connected to : http://localhost:8091/. Type Ctrl-D or \QUIT to exit.

 Path to history file for the shell : /root/.cbq_history

cbq> grant query_select on test123 to test;

    "requestID": "b4c4d148-d72f-488e-9899-bc4ae06885c2",

    "signature": null,

    "results": [

],

    "status": "success",

    "metrics": {

        "elapsedTime": "12.42834ms",

        "executionTime": "12.411538ms",

        "resultCount": 0,

        "resultSize": 0

cbq> select * from test;

    "requestID": "e6af2f3b-b329-4926-a1ca-b2222dc55f96",

    "errors": [

            "code": 12003,

            "msg": "Keyspace not found keyspace test - cause: No bucket named test"

],

    "status": "fatal",

    "metrics": {

        "elapsedTime": "7.498839ms",

        "executionTime": "7.480361ms",

        "resultCount": 0,

        "resultSize": 0,

        "errorCount": 1

cbq> select * from test123;

    "requestID": "8c8310f8-7974-4c50-8fc5-008a148bc6f9",

    "errors": [

            "code": 4000,

            "msg": "No index available on keyspace test123 that matches your query. Use CREATE INDEX or CREATE PRIMARY INDEX to create an index, or check that your expected index is online."

],

    "status": "fatal",

    "metrics": {

        "elapsedTime": "9.07038ms",

        "executionTime": "9.008682ms",

        "resultCount": 0,

        "resultSize": 0,

        "errorCount": 1

cbq> create primary index on test123;

    "requestID": "a2497047-5c4a-4885-8cee-a8df6b7bbea7",

    "signature": null,

    "results": [

],

    "status": "success",

    "metrics": {

        "elapsedTime": "1.795736814s",

        "executionTime": "1.795711658s",

        "resultCount": 0,

        "resultSize": 0

cbq> grant admin to queryselect;

    "requestID": "662a4fec-be93-4b11-8a88-efa1eac5a0ba",

    "signature": null,

    "results": [

],

    "status": "success",

    "metrics": {

        "elapsedTime": "19.478884ms",

        "executionTime": "19.45731ms",

        "resultCount": 0,

        "resultSize": 0

The user with cluster admin role is able to change permissions of another users.
This should not be allowed.

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Prerna Manaktala (Inactive)

Reporter:: Prerna Manaktala (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 24/Jul/17 11:24 AM

Updated:: 04/Aug/17 1:44 PM

Resolved:: 27/Jul/17 6:31 AM

Gerrit Reviews

There are no open Gerrit changes

Show There is 1 closed Gerrit change

Hide There is 1 closed Gerrit change

MB-25384 check more specific permission for user data operations: Gerrit Review:

[N1QL RBAC] User with cluster admin role able to grant permissions to other users

Details

Description

Attachments

Gerrit Reviews

Activity

People

Dates

Gerrit Reviews

PagerDuty