Uploaded image for project: 'Couchbase Server'
  1. Couchbase Server
  2. MB-49127

query_manage_global_functions & query_manage_scope_functions privilege should be sufficient to create JS UDFs in evaluator embedded in Query service

    XMLWordPrintable

Details

    • Untriaged
    • 1
    • Unknown

    Description

      It appears like the perms/privilege list should actually be supplied to the js-evaluator by the embedding service during initialisation. Can be discussed further.

      Attachments

        Issue Links

          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            Jeelan Poola Abhishek Jindal Marco Greco please provide a 1-pager for scoped libraries for multi-tenancy so that we can test it accurately. How are global UDFs are handled with this implementation ?

            mihir.kamdar Mihir Kamdar (Inactive) added a comment - Jeelan Poola Abhishek Jindal Marco Greco please provide a 1-pager for scoped libraries for multi-tenancy so that we can test it accurately. How are global UDFs are handled with this implementation ?

            Reopening for additional validation

            mihir.kamdar Mihir Kamdar (Inactive) added a comment - Reopening for additional validation
            abhishek.jindal Abhishek Jindal added a comment - Hi Mihir Kamdar Please find the updated page with RBAC support here: https://docs.google.com/document/d/1lEJe-PTqHQfjsZ5Xg-qDsmms35WtThaHYMyfHUAKbfQ/edit

            Build couchbase-server-7.1.0-2227 contains query commit 9ec9df2 with commit message:
            MB-49127 : Use "/" separated path for StorageContext

            build-team Couchbase Build Team added a comment - Build couchbase-server-7.1.0-2227 contains query commit 9ec9df2 with commit message: MB-49127 : Use "/" separated path for StorageContext

            verified in 7.1.0-2333 via steps in a document that marco provided detailing the new rbac behavior.

            created user1 and user2, each with access to their own scope, created the same library name and method name with different bodies, each scope had the correct data in it, also tried a global library name with the same, changing one had no effect on the others as expected, and a user that didn't have manage privileges could not update the other library in the scope they did not have perms for.

            ajay.bhullar Ajay Bhullar added a comment - verified in 7.1.0-2333 via steps in a document that marco provided detailing the new rbac behavior. created user1 and user2, each with access to their own scope, created the same library name and method name with different bodies, each scope had the correct data in it, also tried a global library name with the same, changing one had no effect on the others as expected, and a user that didn't have manage privileges could not update the other library in the scope they did not have perms for.

            People

              ajay.bhullar Ajay Bhullar
              jeelan.poola Jeelan Poola
              Votes:
              0 Vote for this issue
              Watchers:
              11 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  PagerDuty