
Changing Cluster CA and Node certificates need separate RBAC roles


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 6.0.1
    • Fix Version/s: 6.5.0, 6.0.2
    • Component/s: ns_server
    • Labels:
    • Triage:
      Untriaged
    • Is this a Regression?:
      Unknown

      Description

      When testing which RBAC roles are required to manage SSL certificates from couchbase-cli, it appears that a single RBAC role (other than the "Full Admin" super-administrator role) is unable to manage both the cluster certificate and the node certificates.


      Security Admins can upload Cluster CA certs, but not node certs:
      couchbase-cli ssl-manage -c 10.111.191.101:8091 -u security-admin -p password --upload-cluster-ca=root/ca.pem
      SUCCESS: Uploaded cluster certificate to http://10.111.191.101:8091

      couchbase-cli ssl-manage -c 10.111.191.101:8091 -u security-admin -p password --set-node-certificate
      ERROR: Forbidden. User needs one of the following permissions: cluster.admin.setup!write


      Cluster Admins can set node certs, but not CA certs (please ignore the fact the cert has expired):

      couchbase-cli ssl-manage -c 10.111.191.101:8091 -u cluster-admin -p password --set-node-certificate
      ERROR: "Incorrectly configured certificate chain. Error: cert_expired. Certificate: \"C=UA, O=My Company, CN=My Company Intermediate CA\""

      couchbase-cli ssl-manage -c 10.111.191.101:8091 -u cluster-admin -p password --upload-cluster-ca=root/ca.pem
      ERROR: Forbidden. User needs one of the following permissions: cluster.admin.security!write


      This seems counter-intuitive as one would expect both operations to be performed with the same role. Assigning multiple roles is possible, but widens the scope of operations that the user could do, somewhat lowering the effectiveness of RBAC's intentions.
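To make the single-role coverage question checkable, here is an added Python helper (not part of this ticket or of Couchbase's code) that parses the couchbase-cli "Forbidden" line, builds a role-by-operation matrix and reports which roles are authorized for every operation; the role names, operations and output strings are constructed from the transcript in the description.

```python
import re
from collections import defaultdict

# Constructed sample: the four couchbase-cli ssl-manage results quoted in this
# ticket, as (role, operation, first line of CLI output). The certificate
# subject in the cert_expired line is truncated here with "..." for brevity.
SAMPLE_RUNS = [
    ("security-admin", "upload-cluster-ca",
     "SUCCESS: Uploaded cluster certificate to http://10.111.191.101:8091"),
    ("security-admin", "set-node-certificate",
     "ERROR: Forbidden. User needs one of the following permissions: cluster.admin.setup!write"),
    ("cluster-admin", "set-node-certificate",
     'ERROR: "Incorrectly configured certificate chain. Error: cert_expired. Certificate: ..."'),
    ("cluster-admin", "upload-cluster-ca",
     "ERROR: Forbidden. User needs one of the following permissions: cluster.admin.security!write"),
]

# couchbase-cli reports an RBAC denial with this fixed phrase; because it says
# "one of the following", the tail may list several comma-separated permissions.
FORBIDDEN_RE = re.compile(r"Forbidden\. User needs one of the following permissions: (.+)$")


def missing_permissions(output):
    """Permissions the role lacks for this call, or [] if it was authorized.
    A non-RBAC error (here: cert_expired) counts as authorized, as the ticket
    does, because the chain is only validated after the permission check passed."""
    m = FORBIDDEN_RE.search(output)
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def build_matrix(runs):
    """Map role -> operation -> list of missing permissions."""
    matrix = defaultdict(dict)
    for role, op, output in runs:
        matrix[role][op] = missing_permissions(output)
    return matrix


def roles_covering(matrix, operations):
    """Roles authorized for every operation in `operations` (single-role coverage)."""
    return sorted(role for role, ops in matrix.items()
                  if all(op in ops and not ops[op] for op in operations))


if __name__ == "__main__":
    matrix = build_matrix(SAMPLE_RUNS)
    for role, ops in matrix.items():
        for op, missing in ops.items():
            print(f"{role:15} {op:22} {'OK' if not missing else 'needs ' + ', '.join(missing)}")
    print("roles covering both:", roles_covering(matrix, ["upload-cluster-ca", "set-node-certificate"]))
```

Feeding the same four commands' output from a patched build into SAMPLE_RUNS shows whether a single role now covers both operations.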


          Activity

          ajit.yagaty Ajit Yagaty [X] (Inactive) added a comment -

          Phil Stott - Thanks a lot for pointing this out! Yes, a single role should allow the user to perform both the operations. Will fix it up.

          build-team Couchbase Build Team added a comment -

          Build couchbase-server-6.5.0-2935 contains ns_server commit ff2b2eb with commit message:
          Merge "MB-33764: Merge remote-tracking branch alice."

          build-team Couchbase Build Team added a comment -

          Build couchbase-server-6.5.0-2935 contains ns_server commit 35aeba3 with commit message:
          MB-33764: Merge remote-tracking branch alice.

          build-team Couchbase Build Team added a comment -

          Build couchbase-server-6.5.0-2935 contains ns_server commit 9b1b8d5 with commit message:
          MB-33764: Allow users, with security admin role...

          build-team Couchbase Build Team added a comment -

          Build couchbase-server-6.0.2-2356 contains ns_server commit 9b1b8d5 with commit message:
          MB-33764: Allow users, with security admin role...


            People

            Assignee:
            ajit.yagaty Ajit Yagaty [X] (Inactive)
            Reporter:
            phil.stott Phil Stott (Inactive)
