Details
-
Improvement
-
Resolution: Fixed
-
Critical
-
None
-
1
Description
For eventing rbac support user who creates the function will be the owner of the function and all the operation is done with their identity. Eventing will store their identity(Name and domain) and use it as on-behalf-of header.
This identity is obtained by cbauth.Creds.
Looking at the Creds.Domain(), it will return "builtin" for "admin" or "ro-admin"
https://github.com/couchbase/cbauth/blob/175a49323ecfe55182d3ceada1ab739485dd41b9/cbauthimpl/impl.go#L200
Using it in IsAllowed function will return "function clause" error since there is no 'builtin' domain.
https://github.com/couchbase/ns_server/blob/abf8bb99ec99c2a058591ec6b2e465618b9c4e13/src/menelaus_roles.erl#L904
{path,"/_cbauth/checkPermission"},
|
{method,'GET'},
|
{type,exit},
|
{what,
|
{{function_clause,
|
[{menelaus_roles,get_roles,
|
[{"Administrator",builtin}],
|
[{file,"src/menelaus_roles.erl"},
|
{line,906}]},
|
{menelaus_roles,build_compiled_roles,1,
|
[{file,"src/menelaus_roles.erl"},
|
{line,993}]},
|
{versioned_cache,handle_call,3,
|
[{file,"src/versioned_cache.erl"},
|
{line,73}]},
|
{gen_server,try_handle_call,4,
|
[{file,"gen_server.erl"},{line,661}]},
|
{gen_server,handle_msg,6,
|
[{file,"gen_server.erl"},{line,690}]},
|
{proc_lib,init_p_do_apply,3,
|
[{file,"proc_lib.erl"},{line,249}]}]},
|
{gen_server,call,
|
[compiled_roles_cache,
|
{get_and_cache,
|
{"Administrator",builtin}}]}}},
|
{trace,
|
[{gen_server,call,2,
|
[{file,"gen_server.erl"},{line,215}]},
|
{menelaus_roles,is_allowed,2,
|
[{file,"src/menelaus_roles.erl"},
|
{line,769}]},
|
{menelaus_web_rbac,
|
handle_check_permission_for_cbauth,1,
|
[{file,"src/menelaus_web_rbac.erl"},
|
{line,1470}]},
|
{request_throttler,do_request,3,
|
[{file,"src/request_throttler.erl"},
|
{line,58}]},
|
{menelaus_util,handle_request,2,
|
[{file,"src/menelaus_util.erl"},
|
{line,217}]},
|
{mochiweb_http,headers,6,
|
[{file,
|
"/Users/couchbase/Neo/couchdb/src/mochiweb/mochiweb_http.erl"},
|
{line,150}]},
|
{proc_lib,init_p_do_apply,3,
|
[{file,"proc_lib.erl"},{line,249}]}]}]
|
Request is to have an api 'Creds.RealDomain()' which will return the true domain of the user.
Attachments
| For Gerrit Dashboard: MB-48550 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 162207,2 | MB-48550: Introduce new User API in creds | master | cbauth | Status: MERGED | +2 | +1 |