Details
Critical Description
Steps to reproduce -
- Have a 4 node cluster with 2 kv and 2 cbas node.
- Load buckets, scopes and collections on KV and load data into them.
- Create dataverses and datasets on cbas.
- Create a user with cluster_admin role.
- Try to execute a select query on cbas using the above user.
In 7.1.0-2284, following audit event was generated -
{u'isAdHoc': True, u'clientContextId': u'null', u'description': u'A N1QL SELECT statement was executed', u'userAgent': u'Python-httplib2/$Rev: 259 $', u'remote': {u'ip': u'172.23.106.162', u'port': 33756}, u'local': {u'ip': u'172.23.105.231', u'port': 8095}, u'requestId': u'ea399661-0aaf-4862-afdf-4e1ad284510c', u'name': u'SELECT statement', u'statement': u'select count(*) from QzlDKMmd.JOQyC.XjhjIw82YCDbjth;', u'id': 36867, u'metrics': {u'resultCount': 0, u'processedObjects': 0, u'executionTime': 85183528, u'resultSize': 0, u'errorCount': 1, u'elapsedTime': 110751907}, u'errors': [{u'msg': u'User must have permission (cluster.collection[.:.:.].analytics!select)', u'code': 20001}], u'real_userid': {u'domain': u'local', u'user': u'test_user'}, u'status': u'errors', u'timestamp': u'2022-02-11T16:22:50.000419-08:00'}
|
In 7.1.0-2335, following audit event is generated -
{"clientContextId":"null","description":"An UNRECOGNIZED N1QL statement was encountered","errors":[{"code":20001,"msg":"User must have permission (cluster.collection[.:.:.].analytics!select)"}],"id":36879,"isAdHoc":true,"local":{"ip":"10.112.205.102","port":8095},"metrics":{"elapsedTime":7283206,"errorCount":1,"executionTime":0,"processedObjects":0,"resultCount":0,"resultSize":0},"name":"UNRECOGNIZED statement","real_userid":{"domain":"local","user":"test_user"},"remote":{"ip":"10.112.205.1","port":59516},"requestId":"c668f326-71a1-49d0-9be5-f3a20b06eb73","statement":"select count(*) from `9M53I`.h.nKkC8osDhUY;","status":"errors","timestamp":"2022-02-21T02:23:25.000874-08:00","userAgent":"Python-httplib2/$Rev: 259 $"}
|