Couchbase Server issue MB-39487

Revamp auth.Privileges handling, cleanup datastore roles



    Description

Historically n1ql privileges have had a string target and an int privilege, which at execution time gets converted into a cbauth privilege string, with namespaces being removed and targets being switched from n1ql paths to cbauth buckets.

      This is a bit of a kerfuffle which could easily be avoided if we just embedded the cbauth privilege string into the authorize operator once and for all.
      To make it more complicated the auth target string loses any notion of the path components and uses a separator different from cbauth, meaning that if a bucket name contains a special character (.), we parse the cbauth object incorrectly.

Also, there is a bit of a disconnect between datastore.Roles and auth.Privileges, in that the first do not have namespaces but the second do, meaning we have to have special code to translate one into the other, and datastore needs to have a special AuthKey() method.
      Sync up, cleanup and simplify, if possible.

Finally - privileges for system:keyspaces are set here, there and everywhere, auth, algebra, datastore, datastore/couchbase, which makes for privileges on system keyspaces being very difficult to maintain.
Required privileges for system keyspaces should be determined in one place (auth?) and set in algebra, and in particular we need to cleanup the delete privileges for system collections because they are checked inconsistently, or not at all!
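An added example (not code from the Couchbase repository) illustrating the separator ambiguity the description points at: a flattened n1ql target re-split at execution time mis-identifies a bucket whose name contains ".", while keeping the path components structured and resolving the cbauth string once avoids the re-parse. The cbauth string layout, the privilege constants and all type names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Privilege mirrors the legacy "int privilege" representation (constructed values).
type Privilege int

const (
	PrivSelect Privilege = iota
	PrivInsert
)

var privName = map[Privilege]string{PrivSelect: "select", PrivInsert: "insert"}

// LegacyTarget builds the flattened "namespace.bucket" target string used historically.
func LegacyTarget(namespace, bucket string) string { return namespace + "." + bucket }

// LegacyToCbauth reproduces the execution-time conversion: drop the namespace
// (parts[0]) and treat the next "."-separated component as the bucket.
// A bucket named "travel.sample" is therefore reported to cbauth as "travel".
func LegacyToCbauth(target string, p Privilege) string {
	parts := strings.Split(target, ".")
	bucket := parts[1]
	return fmt.Sprintf("cluster.bucket[%s].n1ql.%s!execute", bucket, privName[p]) // assumed layout
}

// PathTarget keeps the components the parser already knew, so no string is re-split.
type PathTarget struct {
	Namespace string
	Bucket    string
}

// Cbauth resolves the privilege string once; the result can be embedded in the
// authorize operator instead of being recomputed from a flattened target.
func (t PathTarget) Cbauth(p Privilege) string {
	return fmt.Sprintf("cluster.bucket[%s].n1ql.%s!execute", t.Bucket, privName[p]) // assumed layout
}

func main() {
	bucket := "travel.sample" // constructed bucket name containing the separator
	fmt.Println("legacy:    ", LegacyToCbauth(LegacyTarget("default", bucket), PrivSelect))
	fmt.Println("structured:", PathTarget{Namespace: "default", Bucket: bucket}.Cbauth(PrivSelect))
}
```

The legacy path checks the wrong bucket for the constructed name; the structured path checks the one the query actually named.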


People: marco.greco Marco Greco (Inactive)