Description
MB-50708 describes what appears to be a privilege escalation in Query, in that a user with the Query Select role on a bucket is able to query document metadata for documents in that bucket. I was under the impression that this required the MetaRead privilege and Query Select doesn't grant that privilege. However, it turns out that most of the document metadata doesn't currently require MetaRead; Read alone is sufficient. Not all, though: expiration and some other metadata fields are available via the GET_META command, which does require MetaRead. However, it further turns out that these fields are available via virtual XATTRs such as the $document XATTR, and if a user is able to read this virtual XATTR, this information is available.
In any case, while discussing MB-50708, it became clear that we should review what meta information about documents should require what permissions. For instance, perhaps we should just define everything that is available via the $document virtual XATTR to just require the Read privilege on that document. We should also figure out what the XattrRead permission grants a user too. Once this is done, we should figure out what the implications of this are and to what extent we have privilege escalations in Query and ns_server, which routinely fetch documents out of memcached on behalf of users.
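The review asked for above can be modelled as a table of access paths and the privileges each one demands. This is an added example, not Couchbase code and not part of the original ticket. Only the GET_META/MetaRead pairing and the "expiration" field come from the description; the `other_meta` field name and the Read requirement on the virtual-XATTR path are assumptions made for the sketch.

```python
# Added model, not Couchbase code. Each access path is
# (name, privileges required, metadata fields returned).
# "other_meta" and the Read requirement on the virtual XATTR are assumptions.
PATHS_NOW = [
    ("GET_META", frozenset({"MetaRead"}), {"expiration"}),
    ("$document virtual XATTR", frozenset({"Read"}), {"expiration", "other_meta"}),
]

# The option floated in the ticket: whatever $document exposes needs only Read,
# so the command that returns the same field is aligned to Read as well.
PATHS_PROPOSED = [
    ("GET_META", frozenset({"Read"}), {"expiration"}),
    ("$document virtual XATTR", frozenset({"Read"}), {"expiration", "other_meta"}),
]


def reachable_fields(paths, held):
    """Fields a caller holding the `held` privileges can obtain over any path."""
    fields = set()
    for _name, required, exposed in paths:
        if required <= held:  # every required privilege is held
            fields |= exposed
    return fields


def disagreements(paths):
    """Map each field to {path: required privileges} when the paths differ.

    A field listed here has no single effective guard: satisfying any one
    of its paths is enough to read it.
    """
    by_field = {}
    for name, required, exposed in paths:
        for field in exposed:
            by_field.setdefault(field, {})[name] = required
    return {
        field: guards
        for field, guards in by_field.items()
        if len(set(guards.values())) > 1
    }


if __name__ == "__main__":
    caller = frozenset({"Read"})  # holds Read, lacks MetaRead
    print("reachable now:", sorted(reachable_fields(PATHS_NOW, caller)))
    for field, guards in sorted(disagreements(PATHS_NOW).items()):
        print(field, {name: sorted(req) for name, req in guards.items()})
    print("after proposal:", disagreements(PATHS_PROPOSED))
```

Extending the table with one row per command or service fetch path makes the same audit cover the Query and ns_server cases the description raises.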
Issue Links
- is parent task of
  - MB-50842 Observe should only require Read privilege for the document key (Closed)
  - MB-50843 Remove privilege for "user-level" XAttr read and write (Closed)
  - MB-50844 Observe_seqno should require Read privilege (Closed)
  - MB-50845 Get[q]WithMeta should require Read privilege (Closed)
  - MB-50848 GetAllVbSeqnos should test the Read privilege (Closed)
  - MB-50849 LastClosedCheckpoint should require Read privilege (Closed)
- relates to
  - MB-51655 [XDCR] Create replication fails for any src to 7.1.0 target with XDCR Inbound remote user (Closed)