Uploaded image for project: 'Couchbase Server'
  1. Couchbase Server
  2. MB-48969

[Couchbase-cli] Eventing RBAC changes cause keyerror to be thrown for certain eventing operations when user has insufficient privileges.

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 7.1.0
    • 7.1.0
    • tools
    • Enterprise Edition 7.1.0 build 1504
    • Untriaged
    • Centos 64-bit
    • 1
    • No
    • Tools 2021 Dec

    Description

      STEPS TO REPRODUCE

      • Create and deploy eventing handler named f3.
      • Create local user user2 having eventing manage scope functions role such that user2 has insufficient privileges to perform operations on handler f3.
      • Any eventing operation performed by user2 on f3 should fail with following msg - ERROR: Forbidden. User needs one of the following permissions.

      OBSERVATION
      Commands to deploy and undeploy function work as expected.

      [root@node2-cb600-centos7 ~]# /opt/couchbase/bin//couchbase-cli eventing-function-setup -c 10.112.190.102 -u user2 -p asdasd --deploy --name f3
      ERROR: Forbidden. User needs one of the following permissions: cluster.collection[src_bucket1:_default:.].eventing.function!manage
      [root@node2-cb600-centos7 ~]# /opt/couchbase/bin//couchbase-cli eventing-function-setup -c 10.112.190.102 -u user2 -p asdasd --undeploy --name f3
      ERROR: Forbidden. User needs one of the following permissions: cluster.collection[src_bucket1:_default:.].eventing.function!manage
      

      Commands to pause, resume and delete function fail with key error.

      [root@node2-cb600-centos7 ~]# /opt/couchbase/bin//couchbase-cli eventing-function-setup -c 10.112.190.102 -u user2 -p asdasd --pause --name f3
      Traceback (most recent call last):
        File "/opt/couchbase/lib/python/couchbase-cli", line 22, in <module>
          main()
        File "/opt/couchbase/lib/python/couchbase-cli", line 17, in main
          cli.execute(args)
        File "/opt/couchbase/lib/python/cbmgr.py", line 599, in execute
          opts.klass().execute(opts)
        File "/opt/couchbase/lib/python/cbmgr.py", line 143, in decorator
          return fn(self, opts)
        File "/opt/couchbase/lib/python/cbmgr.py", line 4084, in execute
          self._pause_resume(opts, True)
        File "/opt/couchbase/lib/python/cbmgr.py", line 4091, in _pause_resume
          _, err = self.rest.pause_resume_function(opts.name, pause)
        File "/opt/couchbase/lib/python/cluster_manager.py", line 1828, in pause_resume_function
          return self._post_json(url, None)
        File "/opt/couchbase/lib/python/cluster_manager.py", line 51, in g
          return f(*args, **kwargs)
        File "/opt/couchbase/lib/python/cluster_manager.py", line 2286, in _post_json
          return self._handle_response(self.session.post(url, auth=(self.username, self.password), json=params,
        File "/opt/couchbase/lib/python/cluster_manager.py", line 2359, in _handle_response
          return None, [errors["message"] + ": " + ", ".join(errors["permissions"])]
      KeyError: 'message'
      

      [root@node2-cb600-centos7 ~]# /opt/couchbase/bin//couchbase-cli eventing-function-setup -c 10.112.190.102 -u user2 -p asdasd --resume --name f3
      Traceback (most recent call last):
        File "/opt/couchbase/lib/python/couchbase-cli", line 22, in <module>
          main()
        File "/opt/couchbase/lib/python/couchbase-cli", line 17, in main
          cli.execute(args)
        File "/opt/couchbase/lib/python/cbmgr.py", line 599, in execute
          opts.klass().execute(opts)
        File "/opt/couchbase/lib/python/cbmgr.py", line 143, in decorator
          return fn(self, opts)
        File "/opt/couchbase/lib/python/cbmgr.py", line 4086, in execute
          self._pause_resume(opts, False)
        File "/opt/couchbase/lib/python/cbmgr.py", line 4091, in _pause_resume
          _, err = self.rest.pause_resume_function(opts.name, pause)
        File "/opt/couchbase/lib/python/cluster_manager.py", line 1828, in pause_resume_function
          return self._post_json(url, None)
        File "/opt/couchbase/lib/python/cluster_manager.py", line 51, in g
          return f(*args, **kwargs)
        File "/opt/couchbase/lib/python/cluster_manager.py", line 2286, in _post_json
          return self._handle_response(self.session.post(url, auth=(self.username, self.password), json=params,
        File "/opt/couchbase/lib/python/cluster_manager.py", line 2359, in _handle_response
          return None, [errors["message"] + ": " + ", ".join(errors["permissions"])]
      KeyError: 'message'
      

      // Some comments here
      [root@node2-cb600-centos7 ~]# /opt/couchbase/bin//couchbase-cli eventing-function-setup -c 10.112.190.102 -u user2 -p asdasd --delete --name f3
      Traceback (most recent call last):
        File "/opt/couchbase/lib/python/couchbase-cli", line 22, in <module>
          main()
        File "/opt/couchbase/lib/python/couchbase-cli", line 17, in main
          cli.execute(args)
        File "/opt/couchbase/lib/python/cbmgr.py", line 599, in execute
          opts.klass().execute(opts)
        File "/opt/couchbase/lib/python/cbmgr.py", line 143, in decorator
          return fn(self, opts)
        File "/opt/couchbase/lib/python/cbmgr.py", line 4076, in execute
          self._delete(opts)
        File "/opt/couchbase/lib/python/cbmgr.py", line 4131, in _delete
          _, errors = self.rest.delete_function(opts.name)
        File "/opt/couchbase/lib/python/cluster_manager.py", line 1817, in delete_function
          return self._delete(url, None)
        File "/opt/couchbase/lib/python/cluster_manager.py", line 51, in g
          return f(*args, **kwargs)
        File "/opt/couchbase/lib/python/cluster_manager.py", line 2319, in _delete
          return self._handle_response(self.session.delete(url, auth=(self.username, self.password), data=params,
        File "/opt/couchbase/lib/python/cluster_manager.py", line 2359, in _handle_response
          return None, [errors["message"] + ": " + ", ".join(errors["permissions"])]
      KeyError: 'message'
      

      List of rbac users created.

      [root@node2-cb600-centos7 ~]# /opt/couchbase/bin//couchbase-cli user-manage -c 10.112.190.102  -u Administrator -p password --list
      [
        {
          "id": "user2",
          "domain": "local",
          "roles": [
            {
              "role": "eventing_manage_functions",
              "bucket_name": "src_bucket",
              "scope_name": "*",
              "origins": [
                {
                  "type": "user"
                }
              ]
            },
            {
              "role": "data_writer",
              "bucket_name": "metadata",
              "scope_name": "*",
              "collection_name": "*",
              "origins": [
                {
                  "type": "user"
                }
              ]
            },
            {
              "role": "data_reader",
              "bucket_name": "src_bucket",
              "scope_name": "*",
              "collection_name": "*",
              "origins": [
                {
                  "type": "user"
                }
              ]
            },
            {
              "role": "data_dcp_reader",
              "bucket_name": "src_bucket",
              "scope_name": "*",
              "collection_name": "*",
              "origins": [
                {
                  "type": "user"
                }
              ]
            },
            {
              "role": "data_dcp_reader",
              "bucket_name": "metadata",
              "scope_name": "*",
              "collection_name": "*",
              "origins": [
                {
                  "type": "user"
                }
              ]
            }
          ],
          "groups": [],
          "external_groups": [],
          "name": "",
          "uuid": "f5f6625b-2692-4121-9c08-fe510a12b6a1",
          "password_change_date": "2021-10-18T17:59:04.000Z"
        },
        {
          "id": "user1",
          "domain": "local",
          "roles": [
            {
              "role": "eventing_admin",
              "origins": [
                {
                  "type": "user"
                }
              ]
            }
          ],
          "groups": [],
          "external_groups": [],
          "name": "",
          "uuid": "a39c606d-c4c8-453c-aedb-41f159bf8341",
          "password_change_date": "2021-10-18T17:52:24.000Z"
        },
        {
          "id": "user3",
          "domain": "local",
          "roles": [
            {
              "role": "eventing_manage_functions",
              "bucket_name": "src_bucket1",
              "scope_name": "*",
              "origins": [
                {
                  "type": "user"
                }
              ]
            },
            {
              "role": "data_writer",
              "bucket_name": "metadata",
              "scope_name": "*",
              "collection_name": "*",
              "origins": [
                {
                  "type": "user"
                }
              ]
            },
            {
              "role": "data_reader",
              "bucket_name": "src_bucket1",
              "scope_name": "*",
              "collection_name": "*",
              "origins": [
                {
                  "type": "user"
                }
              ]
            },
            {
              "role": "data_dcp_reader",
              "bucket_name": "src_bucket1",
              "scope_name": "*",
              "collection_name": "*",
              "origins": [
                {
                  "type": "user"
                }
              ]
            },
            {
              "role": "data_dcp_reader",
              "bucket_name": "metadata",
              "scope_name": "*",
              "collection_name": "*",
              "origins": [
                {
                  "type": "user"
                }
              ]
            }
          ],
          "groups": [],
          "external_groups": [],
          "name": "",
          "uuid": "55ba013b-b8a0-4372-a379-d67ed00f4fcc",
          "password_change_date": "2021-10-18T18:03:07.000Z"
        }
      ]
      

      Attachments

        Issue Links

          Activity

            People

              sujay.gad Sujay Gad
              sujay.gad Sujay Gad
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                PagerDuty