  1. Couchbase Server
  2. MB-31639

cbbackupmgr fails to backup cluster with eventing service for user with 'Data Backup & Restore' role

    Details

    • Type: Bug
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.5.0, 6.0.0, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 6.0.1, 6.0.2, 5.5.4, 6.0.3, 5.5.5, 5.5.6, 6.0.4, 6.5.1, 6.6.0
    • Fix Version/s: CheshireCat.Next
    • Component/s: eventing
    • Triage: Untriaged
    • Is this a Regression?: Unknown

      Description

      1. Create a 1-node cluster with all services initialized
      2. Create default bucket and load it
      3. Create a RBAC user with role 'Data Backup & Restore' on default
      4. Try to back up the cluster using cbbackupmgr - error:

      018-10-12T23:02:32.413+00:00 [INFO][FDB] Forestdb closed database file /tmp/entbackup/backup/2018-10-12T23_02_29.766904304Z/default-500bc771ef6468e83e92b496f6f6e56d/data/shard_0.fdb
      2018-10-12T23:02:32.414+00:00 (Plan) Data transfer completed after 2.117670137s
      2018-10-12T23:02:32.415+00:00 (Plan) Transfering Eventing metadata
      2018-10-12T23:02:32.416+00:00 (Rest) GET http://10.111.170.101:8091/pools/default/nodeServices 200
      2018-10-12T23:02:32.418+00:00 (Rest) GET http://10.111.170.101:8096/api/v1/export 403
      2018-10-12T23:02:32.418+00:00 ERRO: : – plan.(*events).execute() at events.go:43
      2018-10-12T23:02:32.418+00:00 (Plan) Transfer plan failed due to error :
      2018-10-12T23:02:32.418+00:00 (Cmd) Error backing up cluster: :

      Looks like the 'Data Backup & Restore' role is not given access to the eventing service, as it is returning 403. Backup works fine only if we give the user full admin access; even if we give all other roles except full admin, it does not work.

      server logs: https://s3.amazonaws.com/bugdb/jira/oct12/collectinfo-2018-10-12T232013-ns_1%40127.0.0.1.zip

      Attaching logs and screenshots.
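
An added example, not part of the original report or of cbbackupmgr: a small scanner that finds REST calls answered with 401/403 in a cbbackupmgr log and reports which service and backup stage they belong to. The port-to-service map assumes default Couchbase ports; `find_denied_requests` is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit

# Default Couchbase REST ports (assumption: the cluster uses default ports).
SERVICE_BY_PORT = {8091: "cluster manager", 8096: "eventing"}

REST_RE = re.compile(r"\(Rest\)\s+([A-Z]+)\s+(\S+)\s+(\d{3})\s*$")
PLAN_RE = re.compile(r"\(Plan\)\s+(.+?)\s*$")

# Log lines copied from the report above.
SAMPLE_LOG = """\
2018-10-12T23:02:32.414+00:00 (Plan) Data transfer completed after 2.117670137s
2018-10-12T23:02:32.415+00:00 (Plan) Transfering Eventing metadata
2018-10-12T23:02:32.416+00:00 (Rest) GET http://10.111.170.101:8091/pools/default/nodeServices 200
2018-10-12T23:02:32.418+00:00 (Rest) GET http://10.111.170.101:8096/api/v1/export 403
2018-10-12T23:02:32.418+00:00 (Plan) Transfer plan failed due to error :
"""


def find_denied_requests(log_text):
    """Return one dict per REST call that was answered with 401 or 403."""
    denied, stage = [], None
    for line in log_text.splitlines():
        plan = PLAN_RE.search(line)
        if plan:
            # Remember the most recent plan step so a denial can be tied to it.
            stage = plan.group(1)
            continue
        rest = REST_RE.search(line)
        if rest and rest.group(3) in ("401", "403"):
            url = urlsplit(rest.group(2))
            denied.append({
                "stage": stage,
                "method": rest.group(1),
                "service": SERVICE_BY_PORT.get(url.port, "unknown"),
                "port": url.port,
                "path": url.path,
                "status": int(rest.group(3)),
            })
    return denied


if __name__ == "__main__":
    for hit in find_denied_requests(SAMPLE_LOG):
        print("{status} from {service} (port {port}) on {method} {path} "
              "during: {stage}".format(**hit))
```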


            Activity

            jeelan.poola Jeelan Poola added a comment -

            Daniel Owen Unfortunately this is not on the list for MH. We have it planned for post MH. Hope this helps.

            amarantha.kulkarni Amarantha Kulkarni added a comment -

            Release notes summary:
            The `cbbackupmgr` utility fails to back up a cluster with Eventing service for a user with "Data Backup & Restore" role.

            jeelan.poola Jeelan Poola added a comment -

            This is related to the larger RBAC support in eventing EPIC. Proposing to move to CC.Next to keep the focus on Collections in CC.

            malarky Chris Malarky added a comment -

            Jeelan Poola Can you confirm that this affects all releases since 5.5.0, and that the only role that can be used successfully is Full Admin?

            We are still regularly getting customers asking about this - wondering if it is worth updating the Release Notes / MB to explicitly say that Full Admin is required?

            jeelan.poola Jeelan Poola added a comment -

            Chris Malarky Yes, it affects all releases since 5.5.0. ATM, we need full admin permissions for eventing. We need on-behalf-of authentication in cbauth to be able to support RBAC fully in eventing. I believe it's documented as well. Will check and log a DOC ticket if that's not the case. CC Jon Strabala


              People

              Assignee: Jeelan Poola
              Reporter: Arunkumar Senthilnathan