Details
- Bug
- Status: Closed
- Major
- Resolution: Duplicate
- 7.1.0
- None
- Neo
- 1
Description
Basically, here is the concern: in a multi-tenant environment, users could step on each other's toes because the libraries are currently shared across everyone.
A simple example:
user1 - creates library math
user2 - also creates a library math after user1; currently user2's library math will override user1's library. User1's functions could no longer even exist, or maybe user2's library uses the same function name as user1 but the method itself does different things. Now user1 may not know their function is now doing something else.
Should users be interacting with a shared set of libraries, or should libraries be specific to each user in a multi-tenant environment? I would think each user would expect to have their own set of libraries.
Issue Links
- duplicates
  - MB-49127 query_manage_global_functions & query_manage_scope_functions privilege should be sufficient to create JS UDFs in evaluator embedded in Query service (Closed)
This is actually a bug and a duplicate of MB-49127. Since N1QL UDFs already support RBAC, it is imperative that JS UDFs which are used as part of broad N1QL-UDFs must also support RBAC. And it is sufficiently trivial to fix the same. Since the UDF itself executes in the context of the user who triggered UDF execution, we don't have any privilege escalation issues. js-evaluator only needs to add bucket.scope to its metadata and check for necessary permissions during REST CRUD as part of MB-49127. That should address all the open issues.
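The collision described in the ticket and the scoped, permission-checked alternative described in the comment, as an added example that is not Couchbase code and not part of the original ticket. The store classes, the grant format and the sample users are hypothetical; only the two privilege names come from the page.

```javascript
// Added illustration, not Couchbase code: every class, field and sample user is hypothetical.
const GLOBAL_PRIV = "query_manage_global_functions";
const SCOPE_PRIV = "query_manage_scope_functions";

// Flat store: one namespace for all tenants, last writer wins.
class SharedLibraryStore {
  constructor() { this.libs = new Map(); }
  put(user, name, functions) { this.libs.set(name, { owner: user.name, functions }); }
  get(name) { return this.libs.get(name); }
}

// Scoped store: bucket.scope is part of the key, and every write is authorized.
class ScopedLibraryStore {
  constructor() { this.libs = new Map(); }
  // scope is null for a global library, otherwise "bucket.scope".
  static key(scope, name) { return JSON.stringify([scope, name]); }
  static canManage(user, scope) {
    return user.grants.some((g) => (scope === null
      ? g.privilege === GLOBAL_PRIV
      : g.privilege === SCOPE_PRIV && g.scope === scope));
  }
  put(user, scope, name, functions) {
    if (!ScopedLibraryStore.canManage(user, scope)) {
      throw new Error(`${user.name} may not manage libraries in ${scope ?? "global"}`);
    }
    this.libs.set(ScopedLibraryStore.key(scope, name), { owner: user.name, functions });
  }
  get(scope, name) { return this.libs.get(ScopedLibraryStore.key(scope, name)); }
}

// Constructed sample users, one per tenant scope.
const user1 = { name: "user1", grants: [{ privilege: SCOPE_PRIV, scope: "tenant1.app" }] };
const user2 = { name: "user2", grants: [{ privilege: SCOPE_PRIV, scope: "tenant2.app" }] };

function demo() {
  const shared = new SharedLibraryStore();
  shared.put(user1, "math", { add: "return a + b" });
  shared.put(user2, "math", { add: "return a * b" }); // silently replaces user1's library
  const scoped = new ScopedLibraryStore();
  scoped.put(user1, "tenant1.app", "math", { add: "return a + b" });
  scoped.put(user2, "tenant2.app", "math", { add: "return a * b" });
  let crossTenantWrite = "allowed";
  try { scoped.put(user2, "tenant1.app", "math", {}); } catch (e) { crossTenantWrite = "denied"; }
  const sharedOwner = shared.get("math").owner;
  const scopedOwner = scoped.get("tenant1.app", "math").owner;
  return { sharedOwner, scopedOwner, crossTenantWrite };
}
```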