  1. Couchbase Server
  2. MB-51222

RBAC: Permissions asymmetry data.docs.read vs data.docs.write


Details

    • Bug
    • Resolution: Fixed
    • Major
    • 7.1.0
    • 7.1.0
    • UI
    • None
    • Untriaged
    • 1
    • Unknown

    Description

      I've been testing various RBAC combinations in the UI, and I found the following situation.

      • I created a user with the Query Select role for travel-sample.inventory.*
      • When I check permissions for cluster.collection[travel-sample:.:.].data.docs!read, it is true, which makes total sense
      • I add the role Query Update for travel-sample.inventory.*.
      • Now cluster.collection[travel-sample:.:.].data.docs!upsert is true, which also makes sense.
      • I add the role Query Insert and Query Delete for travel-sample.inventory.*
      • Oddly, cluster.collection[travel-sample:.:.].data.docs!write remains false. That doesn't make sense.
      • In fact, I can add the Data Writer role for travel-sample.inventory.*, and still the permissions check returns false for cluster.collection[travel-sample:.:.].data.docs!write.

      If I log in as Administrator, data.docs!write is true, but it's not clear what role I can add to another user to enable data.docs!write.
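
The check described in the report can be scripted so the same asymmetry is caught after any role change. This is an added example, not part of the original report and not Couchbase's code; it assumes the `/pools/default/checkPermissions` REST endpoint, and the helper names and the sample response are constructed for illustration.

```python
import base64
import json
import re
from urllib import request

CHECK_PATH = "/pools/default/checkPermissions"  # assumed endpoint, not named in the report
PERM_RE = re.compile(r"^cluster\.collection\[([^:\]]+):([^:\]]+):([^:\]]+)\]\.([a-z_.]+)!([a-z_]+)$")

def perm(bucket, op, scope=".", coll=".", obj="data.docs"):
    """Build a permission string in the form quoted in the report."""
    return f"cluster.collection[{bucket}:{scope}:{coll}].{obj}!{op}"

def parse(p):
    """Split a permission string into (bucket, scope, collection, object) and operation."""
    m = PERM_RE.match(p)
    if m is None:
        raise ValueError(f"unrecognised permission string: {p!r}")
    return m.groups()[:4], m.group(5)

def check(base_url, user, password, perms):
    """Ask a live cluster which permissions the given user holds (not run here)."""
    req = request.Request(base_url + CHECK_PATH, data=",".join(perms).encode(), method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def asymmetry(result, granular=("insert", "upsert", "delete"), umbrella="write"):
    """Targets where every granular write op is granted but the umbrella op is denied."""
    by_target = {}
    for p, granted in result.items():
        target, op = parse(p)
        by_target.setdefault(target, {})[op] = granted
    return sorted(t for t, ops in by_target.items()
                  if all(ops.get(g) is True for g in granular) and ops.get(umbrella) is False)

OPS = ("read", "insert", "upsert", "delete", "write")
# Constructed response mirroring the report: read and upsert true, write false;
# insert and delete being true is an assumption, the report does not state them.
SAMPLE = {perm("travel-sample", op): op != "write" for op in OPS}

if __name__ == "__main__":
    for target in asymmetry(SAMPLE):
        print("granular writes granted but !write denied on", ":".join(target[:3]))
```

Against a real cluster, pass the dictionary returned by `check(...)` for the test user to `asymmetry()` in place of `SAMPLE`.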


          People

            eben Eben Haber