  1. Couchbase Server
  2. MB-40616

RBAC: granted user does not have an access to FTS index


Details

    • Untriaged
    • Centos 64-bit
    • 1
    • Unknown

    Description

      Build: 7.0.0-2672

      Steps to repro:

      • create bucket `bucket1`
      • create collections: `bucket1`.`scope1`.`collection1` and `bucket1`.`scope1`.`collection2`
      • perform the following inserts:

       

      insert into default:bucket1.scope1.collection1 (key,value) values ("key_1", {"type": "typ1", "val":"val1"})
      insert into default:bucket1.scope1.collection1 (key,value) values ("key_2", {"type": "typ1", "val":"val2"})
      insert into default:bucket1.scope1.collection2 (key,value) values ("key_1", {"type": "typ1", "val":"val3"})
      insert into default:bucket1.scope1.collection2 (key,value) values ("key_2", {"type": "typ1", "val":"val4"})
      

      • create the following fts index:

      {
        "type": "fulltext-index",
        "name": "idx1",
        "uuid": "77a9e50849f2b829",
        "sourceType": "gocbcore",
        "sourceName": "bucket1",
        "sourceUUID": "05017e7ba56fd81571b332201ef018aa",
        "planParams": {
          "maxPartitionsPerPIndex": 171,
          "indexPartitions": 6
        },
        "params": {
          "doc_config": {
            "docid_prefix_delim": "",
            "docid_regexp": "",
            "mode": "scope.collection.type_field",
            "type_field": "type"
          },
          "mapping": {
            "analysis": {},
            "default_analyzer": "standard",
            "default_datetime_parser": "dateTimeOptional",
            "default_field": "_all",
            "default_mapping": {
              "dynamic": true,
              "enabled": false
            },
            "default_type": "_default",
            "docvalues_dynamic": true,
            "index_dynamic": true,
            "store_dynamic": false,
            "type_field": "_type",
            "types": {
              "scope1.collection1": {
                "dynamic": true,
                "enabled": true
              },
              "scope1.collection2": {
                "dynamic": true,
                "enabled": true
              }
            }
          },
          "store": {
            "indexType": "scorch"
          }
        },
        "sourceParams": {}
      }
      

      • create user user1 with the following permissions:

       

      Query Select [bucket1:scope1:collection1] 
      Search Reader [bucket1:scope1:collection1]
      

      • Log in as user1 - the fts index will not be accessible. This is expected behavior since he does not have access to bucket1.scope1.collection2.
      • add the following permissions to user1:

      Query Select [bucket1:scope1:collection2] 
      Search Reader [bucket1:scope1:collection2]

      • Log in as user1, try to use fts index: it's still invisible.
      • add the following permissions to user1:

      Query Select [*:*:*] 
      Search Reader [*:*:*]

      • Log in as user1, try to use fts index: it's accessible and returns 4 docs.

      The problem is: the fts index becomes accessible only after adding star permissions to the bucket, but the collection-level permission set should be enough.
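
The access decision this report expects can be modelled as follows. This is an added example, not Couchbase code and not part of the original report: the function names, the grant string format `bucket:scope:collection` (taken from the role scopes shown above) and the handling of the default mapping are assumptions.

```python
# Added illustration: models the decision the report expects; not Couchbase code.

# Constructed sample: the report's index definition, trimmed to the fields used.
INDEX_DEF = {
    "name": "idx1",
    "sourceName": "bucket1",
    "params": {
        "doc_config": {"mode": "scope.collection.type_field"},
        "mapping": {
            "default_mapping": {"dynamic": True, "enabled": False},
            "types": {
                "scope1.collection1": {"dynamic": True, "enabled": True},
                "scope1.collection2": {"dynamic": True, "enabled": True},
            },
        },
    },
}


def index_keyspaces(index_def):
    """Return the (bucket, scope, collection) keyspaces the index reads from."""
    bucket = index_def["sourceName"]
    mapping = index_def["params"]["mapping"]
    keyspaces = set()
    for name, type_mapping in mapping.get("types", {}).items():
        if not type_mapping.get("enabled", False):
            continue
        # Type mapping names are "<scope>.<collection>[.<type>]" in this mode.
        scope, _, rest = name.partition(".")
        collection = rest.split(".")[0]
        if not collection:
            raise ValueError(f"type mapping {name!r} lacks scope.collection")
        keyspaces.add((bucket, scope, collection))
    # Assumption: an enabled default mapping indexes _default._default.
    if mapping.get("default_mapping", {}).get("enabled", False):
        keyspaces.add((bucket, "_default", "_default"))
    return keyspaces


def uncovered_keyspaces(index_def, search_reader_grants):
    """List index keyspaces that no 'bucket:scope:collection' grant covers."""
    def covers(grant, keyspace):
        parts = (grant.split(":") + ["*", "*"])[:3]  # bucket-only grants widen
        return all(g in ("*", k) for g, k in zip(parts, keyspace))
    return sorted(k for k in index_keyspaces(index_def)
                  if not any(covers(g, k) for g in search_reader_grants))
```

An empty result means every collection the index reads is covered by a Search Reader grant. In this model the two collection-level grants from the second permission step already give an empty result, which is the behavior the report expects before the `*:*:*` grant is added.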

       

       

          People

            evgeny.makarenko Evgeny Makarenko (Inactive)