Details
- Bug
- Resolution: Fixed
- Major
- 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0
- Untriaged
- 1
- Unknown
Description
1-node cluster, bucket "test".
2 users:
- writer: Data Writer [test:*:*]
- writerdefault: Data Writer [test:_default:_default]

Execute the following in the erlang console to get the memcached password:

```
(n_0@127.0.0.1)1> ns_config_auth:get_password(special).
"de82a99335e46546b3e7be3c749be78f"
```

Substitute the password in the attached Go code, which tries to create a doc in the _default collection of bucket "test" using the @eventing user impersonating the 2 users above, then run the Go code.

Result:

```
authentication failure | {"status_code":36,"document_id":"testDoc","bucket":"test","scope":"_default","collection":"_default","error_name":"EACCESS","error_description":"Not authorized for command","opaque":8,"context":"Authorization failure: can't execute SET operation without the Upsert privilege","ref":"6dab4ce8-d286-40ae-7adf-42a9bfbfa38e","last_dispatched_to":"127.0.0.1:12000","last_dispatched_from":"127.0.0.1:64161","last_connection_id":"1e26efea57222b56/142258cd88ef82ed"}
INSERTED
```

So user "writer" can create a doc, but user "writerdefault" cannot.
Corresponding entries in memcached.rbac:

```json
"writerdefault": {
  "buckets": {
    "test": {
      "scopes": {
        "0": {
          "collections": {
            "0": {
              "privileges": [
                "Delete",
                "Insert",
                "Upsert",
                "XattrWrite"
              ]
            }
          }
        }
      }
    }
  },
  "privileges": [
    "SystemSettings"
  ],
  "domain": "local"
},
"writer": {
  "buckets": {
    "test": {
      "privileges": [
        "Delete",
        "Insert",
        "Upsert",
        "XattrWrite"
      ]
    }
  },
  "privileges": [
    "SystemSettings"
  ],
  "domain": "local"
}
```
|
Interestingly, when you connect as "writerdefault" directly, without using the impersonation feature, it is able to create the doc.
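To make the difference between the two memcached.rbac entries concrete, here is an added Go example (not the attached repro and not kv_engine code) that loads the two entries quoted above and resolves a privilege check the way a collection-aware lookup has to: a bucket-wide grant ("writer") answers immediately, while a grant nested under scopes/collections ("writerdefault") is only found once the scope and collection IDs (SID/CID) have been resolved. The `lookupCollection` flag is a constructed switch that skips that resolution to model the path the fix title ("Always look up SID/CID when EUID is used") points at; reading the pre-fix impersonation path that way is an assumption, not something taken from kv_engine source. The _default scope and collection appear as ID "0" in the entries.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
)

// Go shapes for the memcached.rbac entries quoted in the issue (constructed for
// this example; kv_engine's own parser is not used here).
type collectionEntry struct {
	Privileges []string `json:"privileges"`
}

type scopeEntry struct {
	Collections map[string]collectionEntry `json:"collections"`
}

type bucketEntry struct {
	Privileges []string              `json:"privileges"` // bucket-wide grants
	Scopes     map[string]scopeEntry `json:"scopes"`     // grants keyed by SID, then CID
}

type userEntry struct {
	Buckets    map[string]bucketEntry `json:"buckets"`
	Privileges []string               `json:"privileges"`
	Domain     string                 `json:"domain"`
}

// rbacJSON holds the two entries from the issue, wrapped in one outer object so
// that the fragment parses as JSON.
const rbacJSON = `{
  "writerdefault": {
    "buckets": {"test": {"scopes": {"0": {"collections": {"0": {
      "privileges": ["Delete", "Insert", "Upsert", "XattrWrite"]}}}}}},
    "privileges": ["SystemSettings"],
    "domain": "local"
  },
  "writer": {
    "buckets": {"test": {"privileges": ["Delete", "Insert", "Upsert", "XattrWrite"]}},
    "privileges": ["SystemSettings"],
    "domain": "local"
  }
}`

func loadRBAC(data string) (map[string]userEntry, error) {
	var users map[string]userEntry
	if err := json.Unmarshal([]byte(data), &users); err != nil {
		return nil, fmt.Errorf("parse rbac: %w", err)
	}
	return users, nil
}

func contains(list []string, want string) bool {
	for _, p := range list {
		if p == want {
			return true
		}
	}
	return false
}

// Authorized reports whether user holds priv on bucket/sid/cid. A bucket-wide
// grant answers immediately. Otherwise the scope and collection IDs must be
// resolved and the nested privilege list consulted; lookupCollection=false
// skips that step, modelling the behaviour the fix title describes for
// impersonated (EUID) requests (assumption, not taken from kv_engine source).
func Authorized(users map[string]userEntry, user, bucket, sid, cid, priv string, lookupCollection bool) bool {
	u, ok := users[user]
	if !ok {
		return false
	}
	b, ok := u.Buckets[bucket]
	if !ok {
		return false
	}
	if contains(b.Privileges, priv) {
		return true // bucket-wide grant, no SID/CID needed
	}
	if !lookupCollection {
		return false // nested grants are invisible without the SID/CID lookup
	}
	s, ok := b.Scopes[sid]
	if !ok {
		return false
	}
	c, ok := s.Collections[cid]
	if !ok {
		return false
	}
	return contains(c.Privileges, priv)
}

func main() {
	users, err := loadRBAC(rbacJSON)
	if err != nil {
		log.Fatal(err)
	}
	for _, user := range []string{"writer", "writerdefault"} {
		for _, lookup := range []bool{false, true} {
			fmt.Printf("user=%-14s lookupSIDCID=%-5v Upsert on test/_default/_default: %v\n",
				user, lookup, Authorized(users, user, "test", "0", "0", "Upsert", lookup))
		}
	}
}
```

Run as-is; the four printed lines show that "writer" is authorized either way, while "writerdefault" is only authorized when the SID/CID lookup is performed, which matches the EACCESS result in the description.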
Attachments
Issue Links
For Gerrit Dashboard: MB-47904

# | Subject | Branch | Project | Status | CR | V
---|---|---|---|---|---|---
159561,3 | MB-47904: Always look up SID/CID when EUID is used | master | kv_engine | MERGED | +2 | +1