Description
STEPS TO REPRODUCE
- Create and deploy eventing handler named f3.
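- Create a local user, user2, with the eventing manage scope functions role (eventing_manage_functions in the user listing below), scoped so that user2 has insufficient privileges to perform operations on handler f3. In that listing user2 holds the role on src_bucket, whereas the Forbidden error names a permission on src_bucket1.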
- Expected result: any eventing operation performed by user2 on f3 fails with the following message: ERROR: Forbidden. User needs one of the following permissions.
OBSERVATION
The deploy and undeploy commands behave as expected: both are rejected with the Forbidden error.
[root@node2-cb600-centos7 ~]# /opt/couchbase/bin//couchbase-cli eventing-function-setup -c 10.112.190.102 -u user2 -p asdasd --deploy --name f3
ERROR: Forbidden. User needs one of the following permissions: cluster.collection[src_bucket1:_default:.].eventing.function!manage
[root@node2-cb600-centos7 ~]# /opt/couchbase/bin//couchbase-cli eventing-function-setup -c 10.112.190.102 -u user2 -p asdasd --undeploy --name f3
ERROR: Forbidden. User needs one of the following permissions: cluster.collection[src_bucket1:_default:.].eventing.function!manage
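The pause, resume and delete commands fail with an unhandled Python KeyError instead of printing the Forbidden message. In the tracebacks below, _handle_response (cluster_manager.py, line 2359) reads errors["message"], which is missing from the error body returned for these operations. The failure is in the client's error-formatting path, so the request itself appears to have been rejected; the defect is in how the denial is reported to the user.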
[root@node2-cb600-centos7 ~]# /opt/couchbase/bin//couchbase-cli eventing-function-setup -c 10.112.190.102 -u user2 -p asdasd --pause --name f3
Traceback (most recent call last):
  File "/opt/couchbase/lib/python/couchbase-cli", line 22, in <module>
    main()
  File "/opt/couchbase/lib/python/couchbase-cli", line 17, in main
    cli.execute(args)
  File "/opt/couchbase/lib/python/cbmgr.py", line 599, in execute
    opts.klass().execute(opts)
  File "/opt/couchbase/lib/python/cbmgr.py", line 143, in decorator
    return fn(self, opts)
  File "/opt/couchbase/lib/python/cbmgr.py", line 4084, in execute
    self._pause_resume(opts, True)
  File "/opt/couchbase/lib/python/cbmgr.py", line 4091, in _pause_resume
    _, err = self.rest.pause_resume_function(opts.name, pause)
  File "/opt/couchbase/lib/python/cluster_manager.py", line 1828, in pause_resume_function
    return self._post_json(url, None)
  File "/opt/couchbase/lib/python/cluster_manager.py", line 51, in g
    return f(*args, **kwargs)
  File "/opt/couchbase/lib/python/cluster_manager.py", line 2286, in _post_json
    return self._handle_response(self.session.post(url, auth=(self.username, self.password), json=params,
  File "/opt/couchbase/lib/python/cluster_manager.py", line 2359, in _handle_response
    return None, [errors["message"] + ": " + ", ".join(errors["permissions"])]
KeyError: 'message'
[root@node2-cb600-centos7 ~]# /opt/couchbase/bin//couchbase-cli eventing-function-setup -c 10.112.190.102 -u user2 -p asdasd --resume --name f3
Traceback (most recent call last):
  File "/opt/couchbase/lib/python/couchbase-cli", line 22, in <module>
    main()
  File "/opt/couchbase/lib/python/couchbase-cli", line 17, in main
    cli.execute(args)
  File "/opt/couchbase/lib/python/cbmgr.py", line 599, in execute
    opts.klass().execute(opts)
  File "/opt/couchbase/lib/python/cbmgr.py", line 143, in decorator
    return fn(self, opts)
  File "/opt/couchbase/lib/python/cbmgr.py", line 4086, in execute
    self._pause_resume(opts, False)
  File "/opt/couchbase/lib/python/cbmgr.py", line 4091, in _pause_resume
    _, err = self.rest.pause_resume_function(opts.name, pause)
  File "/opt/couchbase/lib/python/cluster_manager.py", line 1828, in pause_resume_function
    return self._post_json(url, None)
  File "/opt/couchbase/lib/python/cluster_manager.py", line 51, in g
    return f(*args, **kwargs)
  File "/opt/couchbase/lib/python/cluster_manager.py", line 2286, in _post_json
    return self._handle_response(self.session.post(url, auth=(self.username, self.password), json=params,
  File "/opt/couchbase/lib/python/cluster_manager.py", line 2359, in _handle_response
    return None, [errors["message"] + ": " + ", ".join(errors["permissions"])]
KeyError: 'message'
[root@node2-cb600-centos7 ~]# /opt/couchbase/bin//couchbase-cli eventing-function-setup -c 10.112.190.102 -u user2 -p asdasd --delete --name f3
Traceback (most recent call last):
  File "/opt/couchbase/lib/python/couchbase-cli", line 22, in <module>
    main()
  File "/opt/couchbase/lib/python/couchbase-cli", line 17, in main
    cli.execute(args)
  File "/opt/couchbase/lib/python/cbmgr.py", line 599, in execute
    opts.klass().execute(opts)
  File "/opt/couchbase/lib/python/cbmgr.py", line 143, in decorator
    return fn(self, opts)
  File "/opt/couchbase/lib/python/cbmgr.py", line 4076, in execute
    self._delete(opts)
  File "/opt/couchbase/lib/python/cbmgr.py", line 4131, in _delete
    _, errors = self.rest.delete_function(opts.name)
  File "/opt/couchbase/lib/python/cluster_manager.py", line 1817, in delete_function
    return self._delete(url, None)
  File "/opt/couchbase/lib/python/cluster_manager.py", line 51, in g
    return f(*args, **kwargs)
  File "/opt/couchbase/lib/python/cluster_manager.py", line 2319, in _delete
    return self._handle_response(self.session.delete(url, auth=(self.username, self.password), data=params,
  File "/opt/couchbase/lib/python/cluster_manager.py", line 2359, in _handle_response
    return None, [errors["message"] + ": " + ", ".join(errors["permissions"])]
KeyError: 'message'
List of the RBAC users created:
[root@node2-cb600-centos7 ~]# /opt/couchbase/bin//couchbase-cli user-manage -c 10.112.190.102 -u Administrator -p password --list
[
  {
    "id": "user2",
    "domain": "local",
    "roles": [
      {
        "role": "eventing_manage_functions",
        "bucket_name": "src_bucket",
        "scope_name": "*",
        "origins": [
          {
            "type": "user"
          }
        ]
      },
      {
        "role": "data_writer",
        "bucket_name": "metadata",
        "scope_name": "*",
        "collection_name": "*",
        "origins": [
          {
            "type": "user"
          }
        ]
      },
      {
        "role": "data_reader",
        "bucket_name": "src_bucket",
        "scope_name": "*",
        "collection_name": "*",
        "origins": [
          {
            "type": "user"
          }
        ]
      },
      {
        "role": "data_dcp_reader",
        "bucket_name": "src_bucket",
        "scope_name": "*",
        "collection_name": "*",
        "origins": [
          {
            "type": "user"
          }
        ]
      },
      {
        "role": "data_dcp_reader",
        "bucket_name": "metadata",
        "scope_name": "*",
        "collection_name": "*",
        "origins": [
          {
            "type": "user"
          }
        ]
      }
    ],
    "groups": [],
    "external_groups": [],
    "name": "",
    "uuid": "f5f6625b-2692-4121-9c08-fe510a12b6a1",
    "password_change_date": "2021-10-18T17:59:04.000Z"
  },
  {
    "id": "user1",
    "domain": "local",
    "roles": [
      {
        "role": "eventing_admin",
        "origins": [
          {
            "type": "user"
          }
        ]
      }
    ],
    "groups": [],
    "external_groups": [],
    "name": "",
    "uuid": "a39c606d-c4c8-453c-aedb-41f159bf8341",
    "password_change_date": "2021-10-18T17:52:24.000Z"
  },
  {
    "id": "user3",
    "domain": "local",
    "roles": [
      {
        "role": "eventing_manage_functions",
        "bucket_name": "src_bucket1",
        "scope_name": "*",
        "origins": [
          {
            "type": "user"
          }
        ]
      },
      {
        "role": "data_writer",
        "bucket_name": "metadata",
        "scope_name": "*",
        "collection_name": "*",
        "origins": [
          {
            "type": "user"
          }
        ]
      },
      {
        "role": "data_reader",
        "bucket_name": "src_bucket1",
        "scope_name": "*",
        "collection_name": "*",
        "origins": [
          {
            "type": "user"
          }
        ]
      },
      {
        "role": "data_dcp_reader",
        "bucket_name": "src_bucket1",
        "scope_name": "*",
        "collection_name": "*",
        "origins": [
          {
            "type": "user"
          }
        ]
      },
      {
        "role": "data_dcp_reader",
        "bucket_name": "metadata",
        "scope_name": "*",
        "collection_name": "*",
        "origins": [
          {
            "type": "user"
          }
        ]
      }
    ],
    "groups": [],
    "external_groups": [],
    "name": "",
    "uuid": "55ba013b-b8a0-4372-a379-d67ed00f4fcc",
    "password_change_date": "2021-10-18T18:03:07.000Z"
  }
]
Issue Links
- relates to: MB-29224 Allow Eventing functions to run as non-admin user (Closed)