Details
- Bug
- Resolution: Fixed
- Major
- 7.1.0
- Untriaged
- 1
- Unknown
Description
If you create a user whose role is Query Select for a single scope or collection, e.g. [travel-sample:inventory:*] or [travel-sample:inventory:airline], such a user is not permitted to see or use the Document Viewer UI.
Currently, the Document Viewer UI relies on cluster.collection[].collections.read permission, which at present is only available with the Bucket -> Manage Scopes role. Without that permission, the client can't use the REST API for listing scopes and collections, which is needed to select a bucket, scope, and collection to retrieve Documents.
A workaround is possible using the query service. A user with scope or collection Query Select is allowed to retrieve a list of only the permitted scopes and collections using the 'select * from system:keyspaces' query. We should re-work the Document Viewer menu code to use N1QL to return the available scopes and collections. However, this code must be able to fall back to the REST API should the cluster not have any query service.
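The approach described above (query first, REST only when the cluster has no query service), sketched as an added example; this is not the query-ui code from the merged change. The helper names, the caller-supplied `runQuery`/`restGet` functions and the row shape of `system:keyspaces` are assumptions.

```javascript
// Added example. Row shape is an assumption based on Couchbase 7.x system:keyspaces
// output; helper names are hypothetical. SAMPLE_ROWS is constructed data: what a user
// with Query Select on travel-sample:inventory:airline might get back.
const SAMPLE_ROWS = [
  { keyspaces: { namespace: 'default', bucket: 'travel-sample', scope: 'inventory',
                 name: 'airline', path: 'default:travel-sample.inventory.airline' } },
];

// Fold query rows into { bucket: { scope: [collection, ...] } }.
// Null-prototype objects keep server-supplied names from touching Object.prototype.
function groupKeyspaces(rows) {
  const tree = Object.create(null);
  for (const row of rows) {
    const ks = row.keyspaces || row;
    if (!ks.bucket || !ks.scope) continue; // bucket-level row without scope: skipped here
    const scopes = (tree[ks.bucket] = tree[ks.bucket] || Object.create(null));
    (scopes[ks.scope] = scopes[ks.scope] || []).push(ks.name);
  }
  return tree;
}

// Build the same tree from the body of GET /pools/default/buckets/<bucket>/scopes.
function groupRestScopes(bucket, body) {
  const scopes = Object.create(null);
  for (const s of body.scopes || []) {
    scopes[s.name] = (s.collections || []).map((c) => c.name);
  }
  const tree = Object.create(null);
  tree[bucket] = scopes;
  return tree;
}

// Prefer the query service, so the menu shows only keyspaces the user may select from.
// Fall back to REST only when the cluster has no query service; a failed query
// is surfaced to the caller rather than retried over REST.
async function listKeyspaces({ hasQueryService, runQuery, restGet, buckets = [] }) {
  if (hasQueryService) {
    const rows = await runQuery('select * from system:keyspaces');
    return { source: 'query', tree: groupKeyspaces(rows) };
  }
  const tree = Object.create(null);
  for (const b of buckets) {
    const body = await restGet(`/pools/default/buckets/${encodeURIComponent(b)}/scopes`);
    Object.assign(tree, groupRestScopes(b, body));
  }
  return { source: 'rest', tree };
}
```

Both paths produce the same bucket/scope/collection tree, so the menu code does not need to know which source answered.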
Attachments
For Gerrit Dashboard: MB-51546

# | Subject | Branch | Project | Status | CR | V |
---|---|---|---|---|---|---|
177488,2 | MB-51546: use query to get scopes and collections | neo | query-ui | Status: MERGED | +2 | +1 |