  1. Couchbase Server
  2. MB-51110

Incorrect audit event logs are observed when a user with incorrect permission tries to execute a select query

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 7.1.0
    • 7.1.0
    • analytics
    • 7.1.0-2335

    Description

      Steps to reproduce -

      1. Have a 4 node cluster with 2 kv and 2 cbas nodes.
      2. Load buckets, scopes and collections on KV and load data into them.
      3. Create dataverses and datasets on cbas.
      4. Create a user with cluster_admin role.
      5. Try to execute a select query on cbas using the above user.

      In 7.1.0-2284, the following audit event was generated -

      {u'isAdHoc': True, u'clientContextId': u'null', u'description': u'A N1QL SELECT statement was executed', u'userAgent': u'Python-httplib2/$Rev: 259 $', u'remote': {u'ip': u'172.23.106.162', u'port': 33756}, u'local': {u'ip': u'172.23.105.231', u'port': 8095}, u'requestId': u'ea399661-0aaf-4862-afdf-4e1ad284510c', u'name': u'SELECT statement', u'statement': u'select count(*) from QzlDKMmd.JOQyC.XjhjIw82YCDbjth;', u'id': 36867, u'metrics': {u'resultCount': 0, u'processedObjects': 0, u'executionTime': 85183528, u'resultSize': 0, u'errorCount': 1, u'elapsedTime': 110751907}, u'errors': [{u'msg': u'User must have permission (cluster.collection[.:.:.].analytics!select)', u'code': 20001}], u'real_userid': {u'domain': u'local', u'user': u'test_user'}, u'status': u'errors', u'timestamp': u'2022-02-11T16:22:50.000419-08:00'}
      

      In 7.1.0-2335, the following audit event is generated -

      {"clientContextId":"null","description":"An UNRECOGNIZED N1QL statement was encountered","errors":[{"code":20001,"msg":"User must have permission (cluster.collection[.:.:.].analytics!select)"}],"id":36879,"isAdHoc":true,"local":{"ip":"10.112.205.102","port":8095},"metrics":{"elapsedTime":7283206,"errorCount":1,"executionTime":0,"processedObjects":0,"resultCount":0,"resultSize":0},"name":"UNRECOGNIZED statement","real_userid":{"domain":"local","user":"test_user"},"remote":{"ip":"10.112.205.1","port":59516},"requestId":"c668f326-71a1-49d0-9be5-f3a20b06eb73","statement":"select count(*) from `9M53I`.h.nKkC8osDhUY;","status":"errors","timestamp":"2022-02-21T02:23:25.000874-08:00","userAgent":"Python-httplib2/$Rev: 259 $"}


        Activity

          umang.agrawal Umang added a comment -

          The same is observed while trying to execute a DDL and a DML statement using a user who does not have the proper permission to execute those queries.

          For DDL statement -

          Expected -
          {u'isAdHoc': True, u'clientContextId': u'null', u'description': u'A N1QL CREATE DATASET statement was executed', u'userAgent': u'Python-httplib2/$Rev: 259 $', u'remote': {u'ip': u'172.23.106.162', u'port': 52202}, u'local': {u'ip': u'172.23.122.97', u'port': 8095}, u'requestId': u'4ddb9136-7f71-4a8c-8c15-d6dac7478f0a', u'name': u'CREATE DATASET statement', u'statement': u'create dataset iMx2fGcaCB5X.egvahrPdEuV.AmIq49e3aeNcbXg5WEKtCYDK0m on `agv03xpJnZu5zwf4xtkhO_wkL6qT54ac2yMG_QLxINpux4N2TgiPLcwWwdMkdcoY9IJH712m-49-456000`._default._default;', u'id': 36870, u'metrics': {u'resultCount': 0, u'processedObjects': 0, u'executionTime': 16260562, u'resultSize': 0, u'errorCount': 1, u'elapsedTime': 18796549}, u'errors': [{u'msg': u'User must have permission (cluster.collection[.:.:.].analytics!select)', u'code': 20001}], u'real_userid': {u'domain': u'local', u'user': u'test_user'}, u'status': u'errors', u'timestamp': u'2022-02-12T09:06:07.000941-08:00'}
           
          Actual-
          {"clientContextId":"null","description":"An UNRECOGNIZED N1QL statement was encountered","errors":[{"code":20001,"msg":"User must have permission (cluster.collection[.:.:.].analytics!select)"}],"id":36879,"isAdHoc":true,"local":{"ip":"10.112.205.102","port":8095},"metrics":{"elapsedTime":7820197,"errorCount":1,"executionTime":0,"processedObjects":0,"resultCount":0,"resultSize":0},"name":"UNRECOGNIZED statement","real_userid":{"domain":"local","user":"test_user"},"remote":{"ip":"10.112.205.1","port":61466},"requestId":"fe759364-340c-4bff-99ef-0b47ef974589","statement":"create dataset PoHNBe.Pa8.nE8FiEXPBxrX on `XPRbO-654`._default._default;","status":"errors","timestamp":"2022-02-21T03:05:11.000566-08:00","userAgent":"Python-httplib2/$Rev: 259 $"}
          {"description":"Session to the cluster has terminated","id":20493,"local":{"ip":"127.0.0.1","port":11209},"name":"session terminated","real_userid":{"domain":"local","user":"@ns_server"},"reason_for_termination":"Client closed connection","remote":{"ip":"127.0.0.1","port":57204},"timestamp":"2022-02-21T03:05:41.574444-08:00"}

          For DML -

          Expected -
          {u'isAdHoc': True, u'clientContextId': u'null', u'description': u'A N1QL DISCONNECT LINK statement was executed', u'userAgent': u'Python-httplib2/$Rev: 259 $', u'remote': {u'ip': u'172.23.106.162', u'port': 43892}, u'local': {u'ip': u'172.23.105.231', u'port': 8095}, u'requestId': u'd3c505d9-8bac-4f6d-beb7-fb86ba0a067d', u'name': u'DISCONNECT LINK statement', u'statement': u'disconnect link Default.Local;', u'id': 36878, u'metrics': {u'resultCount': 0, u'processedObjects': 0, u'executionTime': 212130621, u'resultSize': 0, u'errorCount': 1, u'elapsedTime': 330720366}, u'errors': [{u'msg': u'User must have permission (cluster.collection[.:.:.].analytics!select)', u'code': 20001}], u'real_userid': {u'domain': u'local', u'user': u'test_user'}, u'status': u'errors', u'timestamp': u'2022-02-11T16:30:52.000897-08:00'}
           
          Actual -
          {"clientContextId":"null","description":"An UNRECOGNIZED N1QL statement was encountered","errors":[{"code":20001,"msg":"User must have permission (cluster.collection[.:.:.].analytics!select)"}],"id":36879,"isAdHoc":true,"local":{"ip":"10.112.205.102","port":8095},"metrics":{"elapsedTime":74397060,"errorCount":1,"executionTime":0,"processedObjects":0,"resultCount":0,"resultSize":0},"name":"UNRECOGNIZED statement","real_userid":{"domain":"local","user":"test_user"},"remote":{"ip":"10.112.205.1","port":62806},"requestId":"af652802-169d-4501-b7d8-fdd102ddd4b6","statement":"disconnect link Default.Local;","status":"errors","timestamp":"2022-02-21T03:38:12.000554-08:00","userAgent":"Python-httplib2/$Rev: 259 $"}
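
An added example (not Couchbase code and not part of the ticket): since the same denied request is audited under a different name and id depending on the build, a log check keyed on error code 20001 and the statement text keeps working on both forms. The sample lines are constructed from the events above, and `load_event` and `denied_statements` are hypothetical helper names.

```python
import ast
import json

AUTHZ_ERROR_CODE = 20001                       # error code shown in the events on this page
UNRECOGNIZED_NAME = "UNRECOGNIZED statement"   # audit name emitted by build 7.1.0-2335

# Constructed sample lines modelled on the events above (trimmed; placeholder names).
SAMPLE_LINES = [
    # Python 2 dict repr, the form the 7.1.0-2284 event was pasted in
    "{u'id': 36867, u'name': u'SELECT statement', u'status': u'errors', "
    "u'statement': u'select count(*) from dv.sc.ds;', "
    "u'errors': [{u'msg': u'User must have permission (...)', u'code': 20001}], "
    "u'real_userid': {u'domain': u'local', u'user': u'test_user'}}",
    # JSON, the form the 7.1.0-2335 event was pasted in
    '{"id":36879,"name":"UNRECOGNIZED statement","status":"errors",'
    '"statement":"disconnect link Default.Local;",'
    '"errors":[{"code":20001,"msg":"User must have permission (...)"}],'
    '"real_userid":{"domain":"local","user":"test_user"}}',
    # Unrelated event with no statement or errors; must not be reported
    '{"id":20493,"name":"session terminated",'
    '"real_userid":{"domain":"local","user":"@ns_server"}}',
    "not an audit event",
]

def load_event(line):
    """Parse one event written as JSON or as a Python dict repr; None if neither."""
    try:
        event = json.loads(line)
    except ValueError:
        try:
            event = ast.literal_eval(line)     # literals only, never eval()
        except (ValueError, SyntaxError):
            return None
    return event if isinstance(event, dict) else None

def denied_statements(lines):
    """Return (user, leading keyword, audit name, mislabelled) per authorization failure."""
    findings = []
    for event in filter(None, map(load_event, lines)):
        codes = {err.get("code") for err in event.get("errors", [])}
        if AUTHZ_ERROR_CODE not in codes:
            continue
        words = event.get("statement", "").split()
        keyword = words[0].upper() if words else ""
        name = event.get("name", "")
        findings.append((event.get("real_userid", {}).get("user"), keyword,
                         name, name == UNRECOGNIZED_NAME))
    return findings
```

The `mislabelled` flag marks denied requests whose audit name is "UNRECOGNIZED statement", so the leading keyword is the only remaining hint of what was attempted.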


          build-team Couchbase Build Team added a comment -

          Build couchbase-server-7.1.0-2371 contains cbas-core commit 5698f5c with commit message:
          MB-51110: Delay request auth until request sent to CC

          umang.agrawal Umang added a comment -

          Verified with 7.1.0-2373


          People

            umang.agrawal Umang
            umang.agrawal Umang