Description
When Security > Audit is enabled and DML commands (DELETE, UPDATE, INSERT) are run through N1QL as a user whose roles are assigned at scope or collection level, the following missing-privilege error is logged, because the permissions for that user are mismatched between KV and cbq-engine.
Whereas if the roles are at bucket level it works as expected.
For example:
- Audit is enabled and the group/user has the following roles: Query Update at bucket level, but Query Delete at scope > collection level.
- Running DML as that same user: UPDATE works just fine, whereas DELETE fails with the privilege error.
- From the memcached log:
2022-03-16T22:56:18.713198+00:00 INFO 87 RBAC [ {"ip":"127.0.0.1","port":41396} - {"ip":"127.0.0.1","port":11210} (System, <ud>@cbq-engine</ud>) ] missing privilege Delete for DELETE in bucket:[travel-sample] with context: [Stats,IdleConnection,SystemSettings] UUID:[3914a29a-fc06-4142-976b-b18b3e183e09]
2022-03-16T22:56:18.729824+00:00 INFO 100 RBAC [ {"ip":"127.0.0.1","port":42696} - {"ip":"127.0.0.1","port":11210} (System, <ud>@cbq-engine</ud>) ] missing privilege Delete for DELETE in bucket:[travel-sample] with context: [Stats,IdleConnection,SystemSettings] UUID:[ae73b7a7-1603-4bd3-32e2-d0cc6238df5a]
- From audit.log:
{"description":"Access to command is not allowed","effective_userid":{"domain":"local","user":"test_user_sc"},"id":20484,"local":{"ip":"127.0.0.1","port":11210},"name":"command access failure","packet":">100 Access to command is not allowed:\n>100 0x08 0x04 0x0d 0x0d\n>100 0x00 0x00 0x03 0x9b\n>100 0x00 0x00 0x00 0x1a\n>100 0x00 0x00 0x08 0xa4\n>100 0x00 0x00 0x00 0x00\n>100 0x00 0x00 0x00 0x00\n>100 0x4c 0x74 0x65 0x73\n>100 0x74 0x5f 0x75 0x73\n","real_userid":{"domain":"local","user":"@cbq-engine"},"remote":{"ip":"127.0.0.1","port":42696},"timestamp":"2022-03-16T22:56:18.729859Z"}
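To triage this kind of denial, the memcached RBAC line and the audit.log "command access failure" event need to be joined: the memcached line names the connection's authenticated user (@cbq-engine) and the privilege that was missing, while only the audit event reveals the effective (impersonated) user. The following script is an added example, not code from the bug report or from Couchbase; it assumes the line formats shown above (audit event id 20484 for "command access failure") and correlates the two sources by client remote port and timestamp. The sample input is constructed from the lines in this report.

```python
"""Correlate memcached RBAC 'missing privilege' lines with audit.log
'command access failure' events, so an operator can see which end user was
actually denied when a service (here @cbq-engine) impersonates that user."""
import json
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input, copied from the bug report (packet field shortened).
MEMCACHED_LOG = """\
2022-03-16T22:56:18.713198+00:00 INFO 87 RBAC [ {"ip":"127.0.0.1","port":41396} - {"ip":"127.0.0.1","port":11210} (System, <ud>@cbq-engine</ud>) ] missing privilege Delete for DELETE in bucket:[travel-sample] with context: [Stats,IdleConnection,SystemSettings] UUID:[3914a29a-fc06-4142-976b-b18b3e183e09]
2022-03-16T22:56:18.729824+00:00 INFO 100 RBAC [ {"ip":"127.0.0.1","port":42696} - {"ip":"127.0.0.1","port":11210} (System, <ud>@cbq-engine</ud>) ] missing privilege Delete for DELETE in bucket:[travel-sample] with context: [Stats,IdleConnection,SystemSettings] UUID:[ae73b7a7-1603-4bd3-32e2-d0cc6238df5a]
"""
AUDIT_LOG = """\
{"description":"Access to command is not allowed","effective_userid":{"domain":"local","user":"test_user_sc"},"id":20484,"local":{"ip":"127.0.0.1","port":11210},"name":"command access failure","packet":">100 Access to command is not allowed:\\n","real_userid":{"domain":"local","user":"@cbq-engine"},"remote":{"ip":"127.0.0.1","port":42696},"timestamp":"2022-03-16T22:56:18.729859Z"}
"""

# Assumed line shape, derived from the lines above (not an official grammar).
RBAC_DENIAL_RE = re.compile(
    r'^(?P<ts>\S+) INFO (?P<conn>\d+) RBAC \[ (?P<remote>\{[^}]*\}) - (?P<local>\{[^}]*\}) '
    r'\((?P<domain>[^,]+), <ud>(?P<user>[^<]+)</ud>\) \] missing privilege (?P<priv>\w+) '
    r'for (?P<op>\w+) in bucket:\[(?P<bucket>[^\]]*)\].*UUID:\[(?P<uuid>[0-9a-f-]+)\]'
)


@dataclass
class RbacDenial:
    ts: datetime
    conn_user: str      # authenticated user of the connection (the impersonating service)
    remote_port: int    # client-side port, the join key to the audit event
    privilege: str
    operation: str
    bucket: str
    uuid: str


def parse_ts(s: str) -> datetime:
    # audit.log uses a trailing 'Z'; memcached uses '+00:00'. Normalise both.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_rbac_denials(text: str) -> list:
    out = []
    for line in text.splitlines():
        m = RBAC_DENIAL_RE.match(line.strip())
        if not m:
            continue  # not a denial line; ignore
        out.append(RbacDenial(
            ts=parse_ts(m["ts"]),
            conn_user=m["user"],
            remote_port=int(json.loads(m["remote"])["port"]),
            privilege=m["priv"], operation=m["op"],
            bucket=m["bucket"], uuid=m["uuid"],
        ))
    return out


def parse_audit_events(text: str, event_id: int = 20484) -> list:
    """Keep only audit events with the given id (20484 = command access failure)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("id") == event_id:
            events.append(ev)
    return events


def correlate(denials, events, window_s: float = 1.0) -> list:
    """Join an audit 'command access failure' to the RBAC line from the same
    client connection (remote port) logged within window_s seconds of it."""
    findings = []
    for ev in events:
        ev_ts = parse_ts(ev["timestamp"])
        port = ev["remote"]["port"]
        for d in denials:
            if d.remote_port == port and abs((ev_ts - d.ts).total_seconds()) <= window_s:
                eff = ev["effective_userid"]["user"]
                real = ev["real_userid"]["user"]
                findings.append({
                    "effective_user": eff,
                    "real_user": real,
                    "impersonated": eff != real,   # service acting on behalf of a user
                    "privilege": d.privilege,
                    "operation": d.operation,
                    "bucket": d.bucket,
                    "uuid": d.uuid,
                })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_rbac_denials(MEMCACHED_LOG), parse_audit_events(AUDIT_LOG)):
        print(f)
```

On the sample above only the second memcached line (remote port 42696) joins to the audit event, and the finding shows that test_user_sc, acting through @cbq-engine, was refused the Delete privilege on travel-sample. Widen the window only with care: the remote port is reused by later connections, so a large window can join unrelated events.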
Issue Links
- duplicates: MB-47904 impersonated user with role data_writer[test:_default:default] is not able to create document in default collection (Closed)