Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Critical
Fix Version/s: 7.1.0
Affects Version/s: 7.1.0
Component/s: query
Labels:
None
Environment:
7.1.0-2193

Triage:
Untriaged
Story Points:
1
Is this a Regression?:
Unknown

Description

To repro:

create test bucket with 2 scopes: user1 and user2
create user1 with : Manage Scopes [test:user1] , Query Select [test:user1:*] , Manage Scope External Functions [test:user1] , Execute Scope External Functions [test:user1]
create user2 with: Manage Scopes [test:user2] , Query Select [test:user2:*] , Manage Scope External Functions [test:user2] , Execute Scope External Functions [test:user2]
create scope library math for user1: curl -k -X POST 'http://localhost:8093/evaluator/v1/libraries/math?bucket=test&scope=user1' -u user1:password -H 'content-type: application/json' -d 'function add(a,b) { return a + b; }'

create scope library math for user2: curl -k -X POST 'http://localhost:8093/evaluator/v1/libraries/math?bucket=test&scope=user2' -u user2:password -H 'content-type: application/json' -d 'function multiply(a,b) { return a * b; }'

As user1, you can create and execute add function from test:user1:math:

cbq> create or replace function default:test.user1.add(a,b) LANGUAGE JAVASCRIPT AS "add" AT "test:user1:math";

    "requestID": "e1b94116-f0db-4186-be97-dd8e37ff1f4b",

    "signature": null,

    "results": [

],

    "status": "success",

    "metrics": {

        "elapsedTime": "17.902291ms",

        "executionTime": "17.639032ms",

        "resultCount": 0,

        "resultSize": 0,

        "serviceLoad": 6

cbq> execute function default:test.user1.add(10,20);

    "requestID": "484c50ff-03fc-48b4-8c01-1225da5070f2",

    "signature": null,

    "results": [

],

You can also create/execute multiply function using test:user:math library which should not be allowed since user1 has access to test.user1 scope only

cbq> create or replace function default:test.user1.multiply(a,b) LANGUAGE JAVASCRIPT AS "multiply" AT "test:user2:math";

    "requestID": "2a5cc623-0b70-425b-822f-75588a9303a0",

    "signature": null,

    "results": [

],

    "status": "success",

    "metrics": {

        "elapsedTime": "7.306181ms",

        "executionTime": "7.143912ms",

        "resultCount": 0,

        "resultSize": 0,

        "serviceLoad": 6

cbq> execute function default:test.user1.multiply(10,20);

    "requestID": "bef7ea43-90d6-45f3-b3b0-364bf5124816",

    "signature": null,

    "results": [

],

    "status": "success",

Attachments

Issue Links

relates to

DOC-9806 Update Query Functions REST API

Resolved

MB-49127 query_manage_global_functions & query_manage_scope_functions privilege should be sufficient to create JS UDFs in evaluator embedded in Query service

Closed

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Pierre Regazzoni

Reporter:: Pierre Regazzoni

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 01/Feb/22 10:51 AM

Updated:: 09/Mar/22 12:32 PM

Resolved:: 07/Feb/22 9:38 AM

Gerrit Reviews

There are no open Gerrit changes

Show There are 2 closed Gerrit changes

Hide There are 2 closed Gerrit changes

MB-50735 : As per the discussion in the MB, don't allow absolute library names if query also passes a storage context: Gerrit Review:

MB-50735 restrict javascript library usage in function creation: Gerrit Review:

[UDF] scope user can create function using another user scope library

Details

Description

Attachments

Issue Links

Gerrit Reviews

Activity

People

Dates

Gerrit Reviews

PagerDuty