Details
-
Bug
-
Resolution: Fixed
-
Major
-
7.6.0
-
Untriaged
-
0
-
Unknown
Description
When a SAML user attempts to use the documents page in the UI, with privileges only provided by a SAML group, the request makes it to memcached, but then memcached doesn't receive the group's privileges via memcached_auth_server, ns_memcached to crash.:
[ns_server:debug,2024-06-25T11:08:13.913+01:00,n_10@127.0.0.1:<0.2286.0>:menelaus_roles:build_compiled_roles:1209]Compile roles for user {"<ud>testuser2</ud>",external}
|
[ns_server:warn,2024-06-25T11:08:13.915+01:00,n_10@127.0.0.1:<0.1866.0>:ns_memcached:worker_loop:249]Call {get_keys,[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15],
|
[{collection_uid,0},
|
{include_docs,false},
|
{inclusive_end,true},
|
{limit,1000},
|
{start_key,undefined},
|
{end_key,undefined}],
|
{"testuser2",external}} (return value {error,closed}) compromised connection for bucket "test". Reconnecting.[error_logger:error,2024-06-25T11:08:13.916+01:00,n_10@127.0.0.1:<0.1866.0>:ale_error_logger_h
|
andler:do_log:99]
|
=========================CRASH REPORT=========================
|
crasher:
|
initial call: erlang:apply/2
|
pid: <0.1866.0>
|
registered_name: []
|
exception error: {compromised_reply,{error,closed}}
|
in function ns_memcached:worker_loop/3 (/Users/petersearby/Dev/server/master/ns_server/
|
apps/ns_server/src/ns_memcached.erl, line 253)
|
ancestors: ['ns_memcached-test',<0.1838.0>,'single_bucket_kv_sup-test',
|
ns_bucket_sup,ns_bucket_worker_sup,ns_server_sup,
|
ns_server_nodes_sup,<0.291.0>,ns_server_cluster_sup,
|
root_sup,<0.156.0>]
|
message_queue_len: 0
|
messages: []
|
links: [<0.1839.0>]
|
dictionary: [{last_call,
|
{get_keys,
|
[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15],
|
[{collection_uid,0},
|
{include_docs,false},
|
{inclusive_end,true},
|
{limit,1000},
|
{start_key,undefined},
|
{end_key,undefined}],
|
{"testuser2",external}}},
|
{sockname,{{127,0,0,1},49322}}]
|
trap_exit: false
|
status: running
|
heap_size: 6772
|
stack_size: 28
|
reductions: 47245
|
neighbours:
|
A related "missing privilege" log message is also found in the memcached.log, for example:
2024-06-25T11:09:12.468403+01:00 WARNING 59 RBAC [ {"ip":"127.0.0.1","port":49967} - {"ip":"127.0.0.1","port":11959} (System, @ns_server) ] missing privilege: {"UUID":"5b0f36a8-c3d0-4dbb-a67f-542cfc158840","bucket":"test","collection":"0x0","command":"GET_KEYS","context":"[Stats,NodeSupervisor,Administrator,Audit,IdleConnection,BucketThrottleManagement,Unthrottled,Unmetered,Impersonate,SystemSettings]","euid":{"context":"[none]","domain":"external","user":"<ud>testuser2</ud>"},"privilege":"Read","scope":"0x0"}
|
For easy reproduction, see this addition to the relevant cluster test: https://review.couchbase.org/c/ns_server/+/211782
The only workaround for accessing the docs page of the UI is to not use SAML, or to explicitly create an entry for the external user, with the required privilege (Data Reader for example).
Attachments
Issue Links
| For Gerrit Dashboard: MB-62465 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 212113,2 | MB-62465: Refactor capi_crud to use maps | trinity | ns_server | Status: NEW | 0 | 0 |
| 212114,2 | MB-62465:WIP: fix for saml group privilege issue | trinity | ns_server | Status: NEW | 0 | 0 |
| 211782,8 | MB-62465: Test memcached access to /docs | master | ns_server | Status: MERGED | +2 | +1 |
| 213067,5 | MB-62465: Internal connections checks access with cbauth... | trinity | kv_engine | Status: MERGED | +2 | +1 |
| 214036,1 | Merge remote-tracking branch 'couchbase/trinity' into cypher | cypher | kv_engine | Status: MERGED | +2 | +1 |
| 214038,2 | Merge remote-tracking branch 'couchbase/cypher' into trunk | master | kv_engine | Status: MERGED | +2 | +1 |