Details
- Bug
- Resolution: Fixed
- Major
- None
- Untriaged
- 0
- Unknown
Description
I ran into this while working on MB-60611:
{data_dcp_reader, ?RBAC_COLLECTION_PARAMS,
 [{name, <<"Data DCP Reader">>},
  {folder, data},
  {desc, <<"Can initiate DCP streams for a given bucket, scope or "
           "collection. This user cannot access the web console and is "
           "intended only for application access. "
           "This user can read data.">>}],
 [{[{collection, ?RBAC_COLLECTION_PARAMS}, data, docs], [read]},
  {[{collection, ?RBAC_COLLECTION_PARAMS}, data, dcpstream], [read]},
  {[{collection, ?RBAC_COLLECTION_PARAMS}, data, sxattr], [read]},
  {[{collection, ?RBAC_COLLECTION_PARAMS}, data, system], [read]},
  {[{collection, ?RBAC_COLLECTION_PARAMS}, collections], [read]},
  {[{bucket, bucket_name}, data, dcp], [read]},
  {[{bucket, bucket_name}, data, system], [read]},
  {[{bucket, bucket_name}, settings], [read]},
  {[admin, memcached, idle], [write]},
  {[pools], [read]}]},
|
If I replace data, [docs|dcpstream|sxattr|system] read with just data, [read] (because all the collection privileges are present), and similarly at the bucket level replace data, [dcp|system] read with just data, [read]...
I think the data, [read] memcached privilege is inherited in memcached_permissions.erl and replaced, although these map to a different set of privileges at the bucket/collection level (DcpProducer, SystemCollectionLookup at the bucket level and DcpStream, SXattrRead, Docs, SystemCollectionLookup at the collection level).
For now, I'm spelling them all out instead of collapsing them to data, [read] at the bucket and collection levels.
I looked through menelaus_roles to check if this problem exists for any current roles; it doesn't.