Details
- Bug
- Resolution: Unresolved
- Major
- None
- 7.6.0
- None
- None
- Untriaged
- 0
- Unknown
Description
For external users (even when groups/roles are defined in Couchbase), if the groups/roles are modified in Couchbase, there's a 10-minute delay in propagating them to memcached.
memcached sends ns_server a list of active external users every 10 minutes at which point we push the rbac record info for each of the specified users.
In the 10 minutes, if roles/groups are revoked for a user, we may continue to honor authorizations in an existing memcached connection for the user. Authorizations via cbauth are not cached and hit ns_server each time. Similarly, additions of groups/roles are reflected in cbauth sooner than they are in memcached.
We may want to propagate changes in known external users' rbac records (if groups/roles associated with them change in ns_server) - or establish this is expected behavior. The behavior is different across memcached and other components.
In MB-62465, we realized that for Impersonate checks, other services do perform authorization checks via cbauth over and above the authorization checks in memcached - for Impersonate commands. The behavior is different in at least this respect.
If the authorization check for Impersonate is done via ns_server, we pick up updated roles sooner and revoke privileges, whereas memcached has rbac records that can be stale by 10 minutes. This could result in weird behavior where Impersonate via another component (other than memcached) has different privileges from those on a memcached connection.
We probably need to at least understand/document what the expected behavior is.
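A simplified model of the two authorization paths described in this ticket, added here as an illustration and not Couchbase code: one path asks the authority on every check (as cbauth does), the other holds records that change only on a 10-minute push (as memcached does). All class, user and role names are hypothetical, and fetching the record once at connect time is an assumption.

```python
REFRESH_INTERVAL_S = 600  # the 10-minute interval described in the ticket

class Authority:
    """Stand-in for ns_server: the authoritative user -> roles mapping."""
    def __init__(self):
        self._roles = {}
    def set_roles(self, user, roles):
        self._roles[user] = frozenset(roles)
    def roles(self, user):
        return self._roles.get(user, frozenset())

class UncachedPath:
    """cbauth-like path: every check asks the authority."""
    def __init__(self, authority):
        self.authority = authority
    def allowed(self, user, role, now):
        return role in self.authority.roles(user)

class CachedPath:
    """memcached-like path: records change only on the periodic push."""
    def __init__(self, authority, start, interval=REFRESH_INTERVAL_S):
        self.authority, self.interval = authority, interval
        self.next_push = start + interval
        self.records = {}
    def connect(self, user):
        # Assumption: the record is fetched once when the user authenticates.
        self.records[user] = self.authority.roles(user)
    def allowed(self, user, role, now):
        while now >= self.next_push:  # apply any push that has come due
            for u in self.records:
                self.records[u] = self.authority.roles(u)
            self.next_push += self.interval
        return role in self.records.get(user, frozenset())

def divergence(revoke_at, horizon=1200, step=60):
    """Sample times (seconds) at which the two paths give different answers."""
    auth = Authority()
    auth.set_roles("ext_user", {"role_x"})  # constructed user and role
    cached, uncached = CachedPath(auth, start=0), UncachedPath(auth)
    cached.connect("ext_user")
    differing = []
    for now in range(0, horizon + 1, step):
        if now == revoke_at:
            auth.set_roles("ext_user", set())  # revoked at the authority
        a = cached.allowed("ext_user", "role_x", now)
        if a != uncached.allowed("ext_user", "role_x", now):
            differing.append(now)
    return differing

if __name__ == "__main__":
    print(divergence(revoke_at=120))
```

The length of the disagreement window depends on where the revocation falls relative to the next push, up to the full interval.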
Issue Links
- relates to
  - MB-62465 External saml users do not receive group roles from memcached_auth_server (Resolved)