Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Duplicate
-
7.1.0
-
None
-
Neo
-
1
Description
Basically here is the concern, in a multi tenant environment, users could step on each others toes because the libraries are currently shared across everyone.
A simple example:
user1 - creates library math
user2- also creates a library math after user 1, currently user2's library math will override user1's library. User1's functions could no longer even exist, or maybe user2's library uses the same function name as user1 but the method itself does different things. Now user1 may not know their function is now doing something else.
Should users be interacting with a shared set of libraries or should libraries be specific to each user in a multi tenant environment? I would think each user would expect to have their own set of libraries
Attachments
Issue Links
- duplicates
-
-
- Closed
-
Activity
Jeelan Poola your plan fixes the capella offering, but it breaks sharing the same javascript libraries across multiple scopes for non cloud environment.
We need both modes of operations, otherwise for on prem usage, people will have to duplicate the same library over and over again, and do the same every time they want to change the same javascript code.
This is actually a bug and a duplicate of
MB-49127. Since N1QL UDFs already support RBAC, it is imperative that JS UDFs which are used as part of broad N1QL-UDFs must also support RBAC. And it is sufficiently trivial to fix the same. Since UDF itself executes in the context of the user who triggered UDF execution, we don't have any privilege escalation issues. js-evaluator only needs to add bucket.scope to it's metadata and check for necessary permissions during REST CRUD as part ofMB-49127. That should address all the open issues.