Couchbase Server / MB-48311

New API for cbauth Creds


Details

    • Improvement
    • Resolution: Unresolved
    • Major
    • Morpheus
    • None
    • cbauth
    • None
    • 1

    Description

      For eventing RBAC support, the user who creates/deploys a function will own that function, and all DCP and metadata operations will be done using that user's permissions. So if the user loses the permission or gets deleted, eventing needs to undeploy the function.
      Since cbauth doesn't send a notification when a user loses a permission, eventing will poll for the user's permission.
      cbauth currently exposes IsAllowed(permission) to check whether the user still has the permission or not:
      https://github.com/couchbase/cbauth/blob/7b0c203a21afbd59127e8722950a7145ef18fd2a/cbauth.go#L104
      Steps to check a permission for a particular user:
      1. Create an http.Request with the "@eventing" credentials (only needs to be done once).
      2. Add the "cb-on-behalf-of" header with the user and domain.
      3. Call AuthWebCreds(req).
      4. Call creds.IsAllowed(permission).

      Requesting an "IsAllowedUser(user, domain, permission) (bool, error)"
      API to check the permission for a user, which would eliminate steps 2 and 3 (maybe only exposed to known users).

      With polling, there will be a delta between two checks. A user could be removed and a new user created with the same name and domain between two checks. Currently there is no way for eventing to detect whether that is the same user or not.
      Requesting "UserId(username, domain) string", which gives the user id for a particular user and can be used to verify whether it is the same user or not.
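      The four-step check above and the identity problem it leaves open, shown together as an added Go example (not code from the cbauth or eventing projects). Only the standard library is used: the `Creds` interface and `AuthFunc` mirror the shape of cbauth's `Creds.IsAllowed` and `AuthWebCreds`, `IDFunc` is the requested `UserId(username, domain)` API with an error result added, and the `fakeDirectory` is a constructed stand-in for the cluster's user store. The header encoding base64("user:domain"), the service password, the permission string and all user names are assumptions of the example.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
)

// Creds is the part of cbauth's Creds interface the check needs.
type Creds interface {
	IsAllowed(permission string) (bool, error)
}

// AuthFunc has the shape of cbauth.AuthWebCreds; a fake is wired in below.
type AuthFunc func(req *http.Request) (Creds, error)

// IDFunc is the requested UserId(username, domain) API (assumed signature,
// with an error added so a deleted user can be reported).
type IDFunc func(user, domain string) (string, error)

const onBehalfOfHeader = "cb-on-behalf-of"

// examplePermission is a constructed permission string for the demo.
const examplePermission = "cluster.bucket[src].data.docs!read"

// newOnBehalfOfRequest performs steps 1 and 2: the service's own credentials
// plus the user being checked. base64("user:domain") is an assumed encoding.
func newOnBehalfOfRequest(serviceUser, servicePassword, user, domain string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8091/", nil)
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(serviceUser, servicePassword)
	req.Header.Set(onBehalfOfHeader, base64.StdEncoding.EncodeToString([]byte(user+":"+domain)))
	return req, nil
}

// functionOwner records who deployed a function, including the user id
// captured at deploy time so a later same-named user can be told apart.
type functionOwner struct {
	user, domain, id string
}

// ownerStillValid runs the identity check and then steps 3 and 4. It returns
// false with a reason whenever the function should be undeployed.
func ownerStillValid(auth AuthFunc, idOf IDFunc, owner functionOwner, permission string) (bool, string) {
	id, err := idOf(owner.user, owner.domain)
	if err != nil {
		return false, "user deleted"
	}
	if id != owner.id {
		return false, "user replaced" // same name and domain, different identity
	}
	req, err := newOnBehalfOfRequest("@eventing", "service-password", owner.user, owner.domain)
	if err != nil {
		return false, err.Error()
	}
	creds, err := auth(req) // step 3
	if err != nil {
		return false, "auth failed: " + err.Error()
	}
	allowed, err := creds.IsAllowed(permission) // step 4
	if err != nil {
		return false, "permission check failed: " + err.Error()
	}
	if !allowed {
		return false, "permission lost"
	}
	return true, ""
}

// --- constructed stand-in for the cluster's user directory ---

type fakeUser struct {
	id    string
	perms map[string]bool
}

type fakeDirectory struct{ users map[string]fakeUser } // keyed by "user:domain"

func newFakeDirectory() *fakeDirectory { return &fakeDirectory{users: map[string]fakeUser{}} }

type fakeCreds struct{ perms map[string]bool }

func (c fakeCreds) IsAllowed(p string) (bool, error) { return c.perms[p], nil }

// auth decodes the on-behalf-of header and resolves the named user.
func (d *fakeDirectory) auth(req *http.Request) (Creds, error) {
	raw, err := base64.StdEncoding.DecodeString(req.Header.Get(onBehalfOfHeader))
	if err != nil {
		return nil, err
	}
	u, ok := d.users[string(raw)]
	if !ok {
		return nil, errors.New("unknown on-behalf-of user")
	}
	return fakeCreds{perms: u.perms}, nil
}

func (d *fakeDirectory) userID(user, domain string) (string, error) {
	u, ok := d.users[user+":"+domain]
	if !ok {
		return "", errors.New("no such user")
	}
	return u.id, nil
}

func main() {
	dir := newFakeDirectory()
	dir.users["alice:local"] = fakeUser{id: "u1", perms: map[string]bool{examplePermission: true}}
	owner := functionOwner{user: "alice", domain: "local", id: "u1"}
	fmt.Println(ownerStillValid(dir.auth, dir.userID, owner, examplePermission)) // true
	dir.users["alice:local"] = fakeUser{id: "u1", perms: map[string]bool{}}
	fmt.Println(ownerStillValid(dir.auth, dir.userID, owner, examplePermission)) // false permission lost
	delete(dir.users, "alice:local")
	fmt.Println(ownerStillValid(dir.auth, dir.userID, owner, examplePermission)) // false user deleted
	dir.users["alice:local"] = fakeUser{id: "u2", perms: map[string]bool{examplePermission: true}}
	fmt.Println(ownerStillValid(dir.auth, dir.userID, owner, examplePermission)) // false user replaced
}
```

      The last scenario in `main` is the race the issue describes: without an id captured at deploy time, the recreated "alice" would pass the permission check and the function would keep running under a different principal. Checking the id first also avoids a needless auth round trip for a user that no longer exists.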

      People

        jon.strabala Jon Strabala
        ankit.prabhu Ankit Prabhu