Details
-
Bug
-
Resolution: Fixed
-
Critical
-
7.6.0
-
Untriaged
-
0
-
No
Description
1. Create a user with these privileges:
Manage Scopes [*:*] , XDCR Inbound [*] , Query Update [*:*:*] , Query Select [*:*:*] , Query Manage Index [*:*:*] , Manage Scope Functions [*:*] , Manage Scope External Functions [*:*] , Query Insert [*:*:*] , Query Delete [*:*:*] , Search Admin [*] , Data Writer [*:*:*] , Analytics Manager [*] , Manage Global Functions , Manage Global External Functions
|
2. Use cbq (or from UI) and run:
../install/bin/cbq -u np -p asdasd -e "http://localhost:9499"
|
Connected to : http://localhost:9499/. Type Ctrl-D or \QUIT to exit.
|
Path to history file for the shell : /Users/neelimapremsankar/.cbq_history
cbq> UPDATE `travel-sample`.`_system`.`_query` USE KEYS "cbo::00000000::_default._default" SET docCount = 1530 RETURNING docCount;
|
{
|
"requestID": "ff1d1620-b157-4a31-938f-224826585d97",
|
"signature": {
|
"docCount": "json"
|
},
|
"results": [
|
{
|
"docCount": 1530
|
}
|
],
|
"status": "success",
|
"metrics": {
|
"elapsedTime": "5.681ms",
|
"executionTime": "5.558333ms",
|
"resultCount": 1,
|
"resultSize": 32,
|
"serviceLoad": 2,
|
"mutationCount": 1
|
}
|
}
|
The write to the system collection succeeds.
Note that the memcached.rbac permissions for the user doesn't contain SystemCollectionMutation.
"np": {
|
"buckets": {
|
"travel-sample": {
|
"privileges": [
|
"Delete",
|
"Insert",
|
"MetaWrite",
|
"RangeScan",
|
"Read",
|
"SimpleStats",
|
"SystemCollectionLookup",
|
"SystemXattrRead",
|
"SystemXattrWrite",
|
"Upsert"
|
]
|
}
|
},
|
"privileges": [
|
"SystemSettings"
|
],
|
"domain": "local"
|
}
|
Note: Using SDK to go straight to memcached doesn't work.
Upsert CAS:
|
AuthenticationException(<ec=6, category=couchbase.common, message=authentication_failure (6). Possible reasons: incorrect authentication configuration, bucket doesn't exist or bucket may be hibernated., context=KeyValueErrorContext:{'retry_attempts': 0, 'key': 'airline_8091', 'bucket_name': 'travel-sample', 'scope_name': '_system', 'collection_name': '_query', 'opaque': 11, 'status_code': 36, 'error_map_info': {'code': 36, 'name': 'EACCESS', 'description': 'Not authorized for command', 'attributes': {7}}, 'extended_error_info': {'reference': '34c03dd0-f882-4be6-88d4-84743bc14d8c', 'context': "Authorization failure: can't execute SET operation without the SystemCollectionMutation privilege"}}, C Source=/Users/couchbase/jenkins/workspace/python/sdk/python-packaging-pipeline/py-client/src/kv_ops.cxx:651>) |
|
Similarly using UI to modify document in _system scope doesn't work. However, using the query workbench on the UI with the similar query as above with cbq works.
I suspect it is an on-behalf of issue.