Details
-
Bug
-
Resolution: Fixed
-
Critical
-
5.0.0
-
Untriaged
-
No
Description
1. create an internal user named test with role as cluster_admin, password as password
2. create another internal user named queryselect with role as query_system_catalog.
3. create a bucket named test123.
4. Login cbq as test and try following scenarios:
[root@localhost bin]# ./cbq -u test -p password |
Connected to : http://localhost:8091/. Type Ctrl-D or \QUIT to exit. |
|
|
Path to history file for the shell : /root/.cbq_history |
cbq> grant query_select on test123 to test;
|
{
|
"requestID": "b4c4d148-d72f-488e-9899-bc4ae06885c2", |
"signature": null, |
"results": [ |
],
|
"status": "success", |
"metrics": { |
"elapsedTime": "12.42834ms", |
"executionTime": "12.411538ms", |
"resultCount": 0, |
"resultSize": 0 |
}
|
}
|
cbq> select * from test;
|
{
|
"requestID": "e6af2f3b-b329-4926-a1ca-b2222dc55f96", |
"errors": [ |
{
|
"code": 12003, |
"msg": "Keyspace not found keyspace test - cause: No bucket named test" |
}
|
],
|
"status": "fatal", |
"metrics": { |
"elapsedTime": "7.498839ms", |
"executionTime": "7.480361ms", |
"resultCount": 0, |
"resultSize": 0, |
"errorCount": 1 |
}
|
}
|
cbq> select * from test123;
|
{
|
"requestID": "8c8310f8-7974-4c50-8fc5-008a148bc6f9", |
"errors": [ |
{
|
"code": 4000, |
"msg": "No index available on keyspace test123 that matches your query. Use CREATE INDEX or CREATE PRIMARY INDEX to create an index, or check that your expected index is online." |
}
|
],
|
"status": "fatal", |
"metrics": { |
"elapsedTime": "9.07038ms", |
"executionTime": "9.008682ms", |
"resultCount": 0, |
"resultSize": 0, |
"errorCount": 1 |
}
|
}
|
cbq> create primary index on test123;
|
{
|
"requestID": "a2497047-5c4a-4885-8cee-a8df6b7bbea7", |
"signature": null, |
"results": [ |
],
|
"status": "success", |
"metrics": { |
"elapsedTime": "1.795736814s", |
"executionTime": "1.795711658s", |
"resultCount": 0, |
"resultSize": 0 |
}
|
}
|
cbq> grant admin to queryselect;
|
{
|
"requestID": "662a4fec-be93-4b11-8a88-efa1eac5a0ba", |
"signature": null, |
"results": [ |
],
|
"status": "success", |
"metrics": { |
"elapsedTime": "19.478884ms", |
"executionTime": "19.45731ms", |
"resultCount": 0, |
"resultSize": 0 |
}
|
}
|
|
|
|
The user with cluster admin role is able to change permissions of another users.
This should not be allowed.
Attachments
| For Gerrit Dashboard: MB-25384 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 81352,2 | MB-25384 check more specific permission for user data operations | master | query | Status: MERGED | +2 | +1 |