Uploaded image for project: 'Couchbase Server'
  1. Couchbase Server
  2. MB-61397

Investigate menelaus_roles to memcached_permissions



    • Bug
    • Resolution: Not a Bug
    • Major
    • Morpheus
    • 7.6.1
    • ns_server
    • None
    • Untriaged
    • 0
    • Unknown


      To translate a set of compiled roles' permissions to memcached_privileges, we:

      • Iterate over each bucket, scope, collection and [] and use them as a collection param.
      • For each collection param, we check whether any of the memcached privileges are allowed (using menelaus_roles:is_allowed)

      In doing so:

      • We assume each collection param can be iterated over independent of the other
      • [] translates to collection [any, any, any]

      It appears that in the set of permissions for each role:

      • we rely on ordering to determine the first object match and the list of allowed permissions
      • we usually designate [] at the end, it looks like a catch-all for objects that do not match any previously listed object pattern

      Given the above, is it possible to: specify a smaller subset of a previously mentioned collection param using either [] or

      {collection, [bucket, scope, collection]}

      i.e. is it possible to specify permissions for a proper subset of previous object patterns using [] (or a particular sequence of {collection, ...})? If so, it isn't sufficient to iterate over each collection param independently. It would be a correctness issue.

      For optimization purposes, do we need to consider ordering? Currently, we use lists:usort which may not translate to the smallest set of memcached privileges.


        No reviews matched the request. Check your Options in the drop-down menu of this sections header.



            neelima.premsankar Neelima Premsankar
            neelima.premsankar Neelima Premsankar
            0 Vote for this issue
            2 Start watching this issue



              Gerrit Reviews

                There are no open Gerrit changes