Uploaded image for project: 'Couchbase Server'
  1. Couchbase Server
  2. MB-59797

User with data writer role is able to modify _system scope

    XMLWordPrintable

Details

    • Bug
    • Resolution: Duplicate
    • Critical
    • Trinity
    • Trinity
    • ns_server
    • Enterprise Edition 7.6.0 build 1813
    • Untriaged
    • Linux x86_64
    • 0
    • Unknown

    Description

      Issue

      As per my understanding only full admin users are allowed to manipulate _system scope. However, I am able to modify content of _system._query collection using Data writer role.
      Following change was made to allow only read access to _system scope for bucket_full_access rbac role - https://review.couchbase.org/c/ns_server/+/174907. I guess similar change must be done for Data writer role as well.

      Steps

      These are the steps which I used to repro this issue -

      1. Create an rbac user named abcd having following roles -

        Manage Scope Functions [*:*] , Data Writer [src_bucket:*:*] , Data Writer [metadata:*:*] , Data Reader [src_bucket:*:*] , Data Reader [metadata:*:*] , Data DCP Reader [src_bucket:*:*] , Data DCP Reader [metadata:*:*]
        

      2. Login as user abcd.
      3. Create an Eventing function which listens to changes at src_bucket._default._default collection and writes data to src_bucket._system._query collection.
      4. Load some data to src_bucket._default._default collection.

      Observation

      Write operations to _system scope succeed even though user has non full admin access.

      Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

        Activity

          People

            sujay.gad Sujay Gad
            sujay.gad Sujay Gad
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There are no open Gerrit changes

                PagerDuty