Couchbase Server: MB-30997

Mobile Reader RBAC role


Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • 6.5.0
    • None
    • rbac
    • None

Description

This is a stub ticket for the email thread titled: Re: RBAC permissions for Sync Gateway

I will spec out the requirements and update the ticket.

Activity

traun Traun Leyden (Inactive) added a comment -

As mentioned by Adam Fraser in an email thread, since the "Application Access" role is being deprecated, the Mobile RBAC role would need to be a combination of the following:

Cluster Level

• Read-Only Admin (needed to read the "metadata purge interval", since SG has minimum requirements for this value)

Bucket Level, for each bucket accessible by Sync Gateway (or "all_buckets")

• Query System Catalog
• Data Reader
• Data Writer
• Data DCP Reader
• Views Reader
• Query Select
• Query Manage Index

Don Pinto [X] let me know what else you'd need from our side to kick this off? If you think it would be useful, I can schedule a meeting to discuss.

James Flather James Flather (Inactive) added a comment -

Traun Leyden looks like we also need the Views Admin (more specifically, views!write) to add views.

Worth noting that we probably want these defined at the "low" level (i.e. views!write rather than "Views Admin") so the Sync Gateway role would be a high level one on the same footing as Application Access (see definitions here).

Finally, I wonder if it would make more sense to instead expose the metadata purge interval in a different location, perhaps pushing it down to a bucket level and exposing it as an individual property for each bucket?
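As an added example (not part of the ticket, of Couchbase Server or of Sync Gateway), a Python check that compares a user's granted roles against the role set assembled in the two comments above, so an over-privileged gateway account (for example one given Full Admin or bucket_full_access instead of the listed roles) shows up as excess. The role identifiers are the internal names I take to correspond to the display names listed here (assumed mapping; query_system_catalog is treated as cluster-wide because the API takes no bucket for it), the user JSON shape is assumed to follow the cluster's GET /settings/rbac/users response, and the sample user is constructed.

```python
"""Audit a Couchbase RBAC user against the Sync Gateway role set in MB-30997.

Constructed example: reports granted roles the ticket does not call for (excess,
the least-privilege concern) and roles it calls for that are absent (missing).
Role identifiers are the internal names assumed to match the ticket's display
names; the user JSON is assumed to follow GET /settings/rbac/users, i.e.
"roles": [{"role": ..., "bucket_name": ...}] with no bucket_name on cluster roles.
"""
import json

# Cluster level: Read-Only Admin (to read the metadata purge interval).
# query_system_catalog is placed here because the API takes no bucket for it
# (assumption), although the ticket lists it under bucket level.
CLUSTER_ROLES = {"ro_admin", "query_system_catalog"}
# Bucket level, per bucket Sync Gateway can reach ("*" means all buckets).
# views_admin covers the views!write need raised in the follow-up comment.
BUCKET_ROLES = {"data_reader", "data_writer", "data_dcp_reader", "views_reader",
                "query_select", "query_manage_index", "views_admin"}

def expected_roles(bucket):
    """Roles the ticket calls for, as (role, bucket_name) pairs."""
    return {(r, None) for r in CLUSTER_ROLES} | {(r, bucket) for r in BUCKET_ROLES}

def granted_roles(user):
    """Roles actually granted to the user, as (role, bucket_name) pairs."""
    return {(r["role"], r.get("bucket_name")) for r in user["roles"]}

def audit_sgw_user(user, bucket):
    """Return (missing, excess) for one user relative to the ticket's role set.
    A grant on "*" satisfies a bucket-scoped expectation but is still reported
    as excess when the gateway only needs the one bucket."""
    want, have = expected_roles(bucket), granted_roles(user)
    wildcard = {(r, bucket) for (r, b) in have if b == "*"}
    return sorted(want - have - wildcard, key=str), sorted(have - want, key=str)

# Constructed sample shaped like a GET /settings/rbac/users response (not real).
SAMPLE_USERS = json.loads("""[
 {"id": "sgw", "domain": "local", "roles": [
   {"role": "ro_admin"},
   {"role": "bucket_full_access", "bucket_name": "travel-sample"},
   {"role": "data_reader", "bucket_name": "*"},
   {"role": "query_select", "bucket_name": "travel-sample"}]}]""")

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        missing, excess = audit_sgw_user(user, "travel-sample")
        print(user["id"], "missing:", missing, "excess:", excess)
```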

traun Traun Leyden (Inactive) added a comment -

Action items from meeting w/ Don Pinto [X], Adam Fraser, Daniel Petersen:

• Don Pinto [X] to find "implementors guide" for adding new RBAC roles to ns-server and forward
• Don Pinto [X] to send out info regarding encrypting any credentials stored on the filesystem
adamf Adam Fraser added a comment -

If this is delivered in conjunction with Mad Hatter, I expect we'll also want 'Scope Level' and 'Collection Level' versions of the mobile RBAC role. This would be similar to the changes being made for the rest of the Bucket Level privileges listed above.

djp Don Pinto [X] (Inactive) added a comment -

Shivani Gupta for awareness on the collection side of things. +1 from me.

priya.rajagopal Priya Rajagopal added a comment -

Traun Leyden Spec out details for mobile_gateway and mobile-admin RBAC roles

People

Assignee: Traun Leyden (Inactive)
Reporter: Traun Leyden (Inactive)
Votes: 0
Watchers: 7