Details
- Bug
- Resolution: Fixed
- Major
- 7.6.4
- Untriaged
- 0
- No
- Analytics Sprint 48
Description
For MB-62604, ns_server cannot determine the full set of privileges available to a SAML user using just the username and domain (if the user resides on an external IDP but not in CB).
To fix it, cbauth AuthWebCreds populates additional context in Creds.
cb-on-behalf-of requests contain the username and domain.
To maintain backward compatibility, I'm not touching the existing cb-on-behalf-of header and/or Creds.User() functions.
I'm adding a cb-on-behalf-extras header which is extensible and contains kv pairs separated by a ';'.
For now, only context is populated (context:...).
cbauth AuthWebCreds caches context in Creds.
Creds.IsAllowed() will automatically pass the context to ns_server.
ns_server uses Username, Domain and context (if any) to determine the privileges.
cbas doesn't use cbauth endpoints directly.
It appears that cbas extracts the user from the cb-on-behalf-of header and then calls _cbauth to determine the username and domain.
_cbauth endpoint:
[ns_server:debug,2024-08-19T12:13:42.866-07:00,n_0@127.0.0.1:<0.2286.0>:menelaus_cbauth:handle_cbauth_post:540]AuthnRes:{authn_res,tmp,undefined,undefined,{"neelima.premsankar@couchbase.com",external},[],[],undefined}
Then that user is supplied to checkPermission and the ns_server cbauth checkPermission endpoint is called:
127.0.0.1 - @cbas [19/Aug/2024:10:28:13 -0700] "GET /_cbauth/checkPermission?user=neelima.premsankar%40couchbase.com&domain=external&permission=cluster.collection%5B.%3A.%3A.%5D.analytics%21select HTTP/1.1" 401 0 - "couchbase-analytics/7.6.3" 0
This request is missing "context:", so it won't work as is. The context must be parsed from cb-on-behalf-extras:
https://review.couchbase.org/c/cbauth/+/214565/1/cbauth.go#223
If such a request is forwarded to other services, please ensure that these headers are preserved (if cb-on-behalf-of is populated, then cb-on-behalf-extras should also be forwarded). I think this is already the case.
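The header handling described above, as an added Go example that is not cbauth's or cbas's own code: it parses the cb-on-behalf-extras value into key/value pairs and pulls out the context, and it copies both on-behalf-of headers together when a request is forwarded. The "key:value" grammar for each ';'-separated pair, the header-name constants, the treatment of cb-on-behalf-of as an opaque value, and the sample values are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Header names as used in the issue text. The value format of
// cb-on-behalf-of is not specified here, so it is treated as opaque.
const (
	onBehalfOfHeader     = "cb-on-behalf-of"
	onBehalfExtrasHeader = "cb-on-behalf-extras"
)

// ParseOnBehalfExtras splits a cb-on-behalf-extras value into key/value pairs.
// Assumed grammar: pairs separated by ';', each pair "key:value". Only the
// first ':' separates key from value, so a context value may itself contain
// ':'. Empty segments (for example a trailing ';') are ignored; a segment
// without a key or a duplicate key is rejected rather than silently dropped.
func ParseOnBehalfExtras(raw string) (map[string]string, error) {
	extras := make(map[string]string)
	for _, seg := range strings.Split(raw, ";") {
		seg = strings.TrimSpace(seg)
		if seg == "" {
			continue
		}
		key, val, ok := strings.Cut(seg, ":")
		if !ok || key == "" {
			return nil, fmt.Errorf("malformed %s segment %q", onBehalfExtrasHeader, seg)
		}
		if _, dup := extras[key]; dup {
			return nil, fmt.Errorf("duplicate key %q in %s", key, onBehalfExtrasHeader)
		}
		extras[key] = val
	}
	return extras, nil
}

// OnBehalfContext returns the "context" value carried by the request headers,
// or "" when the extras header is absent or carries no context.
func OnBehalfContext(h http.Header) (string, error) {
	raw := h.Get(onBehalfExtrasHeader)
	if raw == "" {
		return "", nil
	}
	extras, err := ParseOnBehalfExtras(raw)
	if err != nil {
		return "", err
	}
	return extras["context"], nil
}

// ForwardOnBehalfHeaders copies the on-behalf-of headers from an inbound
// request to an outbound one. The extras header only has meaning alongside
// cb-on-behalf-of, so extras without a user is an error, not something to
// forward. When the user is present, any extras are forwarded with it so the
// context is not lost on the next hop.
func ForwardOnBehalfHeaders(in, out http.Header) error {
	user := in.Get(onBehalfOfHeader)
	extras := in.Get(onBehalfExtrasHeader)
	if user == "" {
		if extras != "" {
			return errors.New(onBehalfExtrasHeader + " present without " + onBehalfOfHeader)
		}
		return nil
	}
	out.Set(onBehalfOfHeader, user)
	if extras != "" {
		out.Set(onBehalfExtrasHeader, extras)
	}
	return nil
}

func main() {
	// Constructed sample request headers; the values are placeholders.
	in := http.Header{}
	in.Set(onBehalfOfHeader, "opaque-user-and-domain-value")
	in.Set(onBehalfExtrasHeader, "context:sample-saml-context")

	ctx, err := OnBehalfContext(in)
	fmt.Println("context:", ctx, "err:", err)

	out := http.Header{}
	fmt.Println("forward err:", ForwardOnBehalfHeaders(in, out))
	fmt.Println("forwarded extras:", out.Get(onBehalfExtrasHeader))
}
```

The forwarding helper is the check the last paragraph asks for: a hop that copies cb-on-behalf-of but drops cb-on-behalf-extras would reproduce the missing-context failure seen in the checkPermission call above, so both headers are copied in one place.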
Attachments
For Gerrit Dashboard: MB-63214

# | Subject | Branch | Project | Status | CR | V
---|---|---|---|---|---|---
214647,6 | MB-63214: include context if present on permission check | trinity | cbas-core | MERGED | +2 | +1
215079,15 | MB-62604, MB-63208, MB-63214: Add SAML test cases | master | ns_server | MERGED | +2 | +1
215143,3 | MB-63214: ensure user context is propagated on (de)serialization if present | trinity | cbas-core | MERGED | +2 | +1