  1. Couchbase Server
  2. MB-48275

Modified permission for backup roles

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.0.2
    • Fix Version/s: Neo, 7.0.2
    • Component/s: query
    • Story Points: 1

      Description

      In order to be able to back up and restore N1QL metadata (currently, UDF definitions, may be expanded later), a user needs to have both the data_backup role and query_system_catalog role for bucket backups, so that access to the query system keyspaces is still restricted to authorised personnel.
      Both Patrick Varley and I think this is cumbersome, and it would be better to add ad hoc privileges to the backup roles, so that no extra roles are required to complete backups when UDFs are present.

      Artem Stemkovski could you add the following permissions to the data_backup

      {[{bucket, bucket_name}, n1ql, meta], [backup]},
      

      I intend to also use cluster.n1ql.meta!backup for cluster backups, but I believe nothing needs to be added because the backup admin essentially already has full admin privileges.

      Once you're done, could you pass this MB to me, and I'll amend query as necessary.

      Ta much!


          Activity

          marco.greco Marco Greco added a comment -

          Pierre Regazzoni query_system_catalog is no longer required to back up and restore scope udfs.
          The data_backup role has been given privileges to access udfs in individual buckets.

          build-team Couchbase Build Team added a comment -

          Build couchbase-server-7.0.2-6640 contains query commit e816a46 with commit message:
          MB-48275 remove need for system_catalog_read privilege for udf backup

          build-team Couchbase Build Team added a comment -

          Build couchbase-server-7.1.0-1237 contains query commit cbdd37e with commit message:
          MB-48275 remove need for system_catalog_read privilege for udf backup

          marco.greco Marco Greco added a comment -

          Pierre Regazzoni that is the correct behaviour, the data_backup role does not have rights to access cluster information, hence you have to limit yourself to bucket backups if using the data_backup role.

          pierre.regazzoni Pierre Regazzoni added a comment -

          Verified on 7.0.2-6640 and 7.1.0-1237


            People

            Assignee:
            pierre.regazzoni Pierre Regazzoni
            Reporter:
            marco.greco Marco Greco