Details
Bug
Resolution: Not a Bug
Major
7.6.0
Untriaged
0
No
Description
Ran into this while reproducing MB-62604.
I created a SAML user whose credentials live on Okta - meaning the user doesn't exist in Couchbase.
Using SSO, I logged in as this user. Since we haven't addressed MB-62604, I expect all UI requests to the various services to fail.
UI requests are forwarded to services using the cb-on-behalf-of header.
All cbauth and Impersonate requests should be specifying the user in the cb-on-behalf-of header - whose accesses will all fail. (They fail because none of the cbauth/Impersonate calls account for anything but username and domain, and the user doesn't exist in Couchbase. We have to fix this to pass around authentication context for SAML/JWT in cbauth/Impersonate.) Until MB-62604 is fixed, I expect no permissions to be found for the cb-on-behalf-of user from ns_server.
Indexes:
When I attempt to drop an index that is displayed in Indexes or open it in Workbench, it does fail - which is expected.
checkPermissions for the cb-on-behalf-of user will be empty.
It looks like a bug that Indexes are displayed in the first place.
Also, I don't see any checkPermission call using the cb-on-behalf-of user for:
@index or @projector
I'm not sure if the two are related.