  1. Couchbase Server
  2. MB-62622

DELETE on system:tasks_cache can be executed by user without correct role


Details

    • Untriaged
    • 0
    • Unknown

    Description

      DELETE on system:tasks_cache can be performed by a user without the correct RBAC role.

      This means that any user can cancel any scheduled/running task.

      For example, active ADVISOR sessions can be cancelled by any user.

       

      Steps to repro:

      1. Create a user without any roles assigned to it.

      2. As the created user, run the statement below:

       

      DELETE FROM system:tasks_cache;
      

      The statement executes successfully, which is incorrect. The user should have the query_system_catalog role to perform the DELETE statement.
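
      The following added example, which is not part of the original issue or of Couchbase's code, flags DELETE statements against system:tasks_cache issued by users who lack the query_system_catalog role, for reviewing query records on affected clusters. The record layout, user names and role map are constructed for illustration, and treating query_system_catalog as the only sufficient role is an assumption.

```python
import re

# Role the issue says should be required for this statement.
# Assumption: no other role is treated as sufficient; extend as needed.
REQUIRED_ROLE = "query_system_catalog"

# Strip /* ... */ and -- comments so they cannot split the keywords.
_COMMENTS = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)
# DELETE FROM system:tasks_cache, any case/spacing, optional backticks.
_DELETE_TASKS_CACHE = re.compile(
    r"\bdelete\s+from\s+`?system`?\s*:\s*`?tasks_cache`?(?!\w)", re.I)


def targets_tasks_cache(statement):
    """True if the statement is a DELETE against system:tasks_cache."""
    return bool(_DELETE_TASKS_CACHE.search(_COMMENTS.sub(" ", statement)))


def find_unauthorized_deletes(records, roles_by_user):
    """Return records where a user lacking REQUIRED_ROLE ran the DELETE."""
    flagged = []
    for rec in records:
        roles = roles_by_user.get(rec["user"], set())  # unknown user: no roles
        if targets_tasks_cache(rec["statement"]) and REQUIRED_ROLE not in roles:
            flagged.append(rec)
    return flagged


# Constructed sample data (hypothetical users, times and record fields).
SAMPLE_ROLES = {"alice": {"query_system_catalog"}, "noroles": set()}
SAMPLE_RECORDS = [
    {"time": "t1", "user": "noroles",
     "statement": "DELETE FROM system:tasks_cache;"},
    {"time": "t2", "user": "alice",
     "statement": "DELETE FROM system:tasks_cache;"},
    {"time": "t3", "user": "noroles",
     "statement": "select * from system:tasks_cache"},
    {"time": "t4", "user": "ghost",
     "statement": "delete /* x */ from `system`:`tasks_cache`"},
    {"time": "t5", "user": "noroles",  # constructed look-alike keyspace name
     "statement": "DELETE FROM system:tasks_cache_copy"},
]

if __name__ == "__main__":
    for rec in find_unauthorized_deletes(SAMPLE_RECORDS, SAMPLE_ROLES):
        print(rec["time"], rec["user"], rec["statement"])
```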

          People

            pierre.regazzoni Pierre Regazzoni
            dhanya.gowrish Dhanya Gowrish