  1. Couchbase Server
  2. MB-49856

Javascript libraries are not set up for multi tenancy


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 7.1.0
    • 7.1.0
    • js-evaluator
    • None
    • Neo
    • 1

    Description

      Basically here is the concern: in a multi-tenant environment, users could step on each other's toes because the libraries are currently shared across everyone.

      A simple example:
      user1 - creates library math
      user2 - also creates a library math after user1. Currently user2's library math will override user1's library. User1's functions could no longer even exist, or maybe user2's library uses the same function name as user1 but the method itself does different things. Now user1 may not know their function is now doing something else.

      Should users be interacting with a shared set of libraries or should libraries be specific to each user in a multi-tenant environment? I would think each user would expect to have their own set of libraries.


          Activity

            jeelan.poola Jeelan Poola added a comment -

            This is actually a bug and a duplicate of MB-49127. Since N1QL UDFs already support RBAC, it is imperative that JS UDFs which are used as part of broad N1QL-UDFs must also support RBAC. And it is sufficiently trivial to fix the same. Since UDF itself executes in the context of the user who triggered UDF execution, we don't have any privilege escalation issues. js-evaluator only needs to add bucket.scope to its metadata and check for necessary permissions during REST CRUD as part of MB-49127. That should address all the open issues.

            marco.greco Marco Greco added a comment -

            Jeelan Poola, your plan fixes the Capella offering, but it breaks sharing the same JavaScript libraries across multiple scopes for non-cloud environments.
            We need both modes of operation, otherwise for on-prem usage, people will have to duplicate the same library over and over again, and do the same every time they want to change the same JavaScript code.

            jeelan.poola Jeelan Poola added a comment -

            Marco Greco Moving the conversation to MB-49127.

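The collision from the description and the fix outlined in the comments (a bucket.scope in the library metadata, a permission check on every write, plus a shared mode for on-prem use), as an added JavaScript sketch that is not Couchbase or js-evaluator code. The class, the grant strings, the tenant names and the scoped-then-global lookup order are all assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not Couchbase's API.
const GLOBAL = ""; // empty scope = library shared across all scopes
const key = (scope, name) => JSON.stringify([scope, name]); // unambiguous composite key

class LibraryStore {
  // grants: user -> Set of "bucket.scope" strings the user may manage;
  // "*" stands for permission to manage the shared (global) libraries.
  constructor(grants) {
    this.grants = grants;
    this.libs = new Map(); // key(scope, name) -> { owner, code }
  }
  canManage(user, scope) {
    const g = this.grants.get(user) || new Set();
    return g.has(scope === GLOBAL ? "*" : scope);
  }
  // Create or replace a library; the permission check runs on every write.
  put(user, scope, name, code) {
    if (!this.canManage(user, scope)) {
      throw new Error(`${user} may not write libraries in '${scope || "global"}'`);
    }
    this.libs.set(key(scope, name), { owner: user, code });
  }
  // Lookup for a caller in `scope`: its own library first, then the shared one.
  resolve(scope, name) {
    return this.libs.get(key(scope, name)) || this.libs.get(key(GLOBAL, name)) || null;
  }
}

function demo() {
  const store = new LibraryStore(new Map([
    ["user1", new Set(["travel.tenant1"])], // constructed sample grants
    ["user2", new Set(["travel.tenant2"])],
    ["admin", new Set(["*"])],
  ]));
  store.put("user1", "travel.tenant1", "math", "function add(a, b) { return a + b; }");
  store.put("user2", "travel.tenant2", "math", "function add(a, b) { return a - b; }");
  store.put("admin", GLOBAL, "strings", "function up(s) { return s.toUpperCase(); }");
  let denied = false; // user2 tries to replace user1's library
  try { store.put("user2", "travel.tenant1", "math", "/* overwrite */"); }
  catch (e) { denied = true; }
  return {
    t1: store.resolve("travel.tenant1", "math").owner,
    t2: store.resolve("travel.tenant2", "math").owner,
    shared: store.resolve("travel.tenant2", "strings").owner,
    denied,
  };
}
```

With the name alone as the key, the second `put` of `math` would have replaced the first, which is the behaviour the description reports.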

            People

              jeelan.poola Jeelan Poola
              ajay.bhullar Ajay Bhullar