[CB DP 5.0.0-MarchDB] Invalid username/password when post to query service in CB 5.0.0-2194 Enterprise Edition (build-2194)

query
n1ql

#1

Before CB DP 5.0.0-MarchDB, I can create prepared REST by

curl -v http://127.0.0.1:8093/query/service --data-urlencode 'statement=PREPARE queryCount FROM SELECT count(*) AS count FROM default; '

but in CB DP 5.0.0-MarchDB I got the following error

    "results": [
    ],
    "errors": [
        {
            "code": 13011,
            "msg": "Invalid username/password."
        }
    ],
    "status": "stopped",

and when I add username/password of CB administrator by

curl -v http://Administrator:password@127.0.0.1:8093/query/service --data-urlencode 'statement=PREPARE queryCount FROM SELECT count(*) AS count FROM default; '

it works.
but If I Request with authentication - request parameter by

curl -v http://127.0.0.1:8093/query/service --data-urlencode 'statement=PREPARE queryCount FROM SELECT count(*) AS count FROM default &creds=[{"user": "local:Administrator", "pass":"password"}"] '

or

curl -v http://127.0.0.1:8093/query/service --data-urlencode 'statement=PREPARE queryCount FROM SELECT count(*) AS count FROM default &creds=[{"user": "Administrator", "pass":"password"}"] '

it will return the same error

    "results": [
    ],
    "errors": [
        {
            "code": 13011,
            "msg": "Invalid username/password."
        }
    ],
    "status": "stopped",

#2

@matthew.groves As blog show that CB DP has new RDBC feature, but how about when I want to create PREPARE statement with user1,and execute this PREPARE with user2 ?
I add Query Select on default or add Query System Catalog on default,even on Query Manage Index on default to the new user,and when I query with the new user by

curl -v http://queryuser:password@127.0.0.1:8093/query/service --data-urlencode 'statement=PREPARE queryCount FROM SELECT count(*) AS count FROM default; '

I got the following error

    "results": [
    ],
    "errors": [
        {
            "code": 10000,
            "msg": "User does not belong to a specified role. Keyspace default"
        }
    ],
    "status": "stopped",

#3

Hi @atom_yang,

I don’t have a lot of information for you, because this is definitely a work in progress still. This is why I limited my blog post to the scope of FTS and didn’t go into any N1QL stuff.

I’m tagging @don and @geraldss who might have some more information for you.

My question for you is: how would you expect it to work? Since this is a work in progress, it’s your chance to provide feedback on what you think should work and what you think shouldn’t work.


#4

may be we need new roles on PREPARE statement and new roles on PREPARED statement for selected bucket.because this is different from Query Select. so,
user with PREPARE role on selected bucket can create PREPARE REST API,
and user with PREPARED role on selected bucket can execute PREPARE REST API.

And we can post credentials by request parameter,like

curl -v http://localhost:8093/query/service \
      -d 'statement=SELECT t.text FROM tweets t 
      JOIN users u KEY t.uid LIMIT 1
      &creds=[{"user": "local:tweets", "pass":"pAss1"}]'


#5

Hello atom_yang,

First of all, thank you for trying out our developer builds and for your feedback!

So that we can understand the scenario well :

  1. Can you describe what users you created in Couchbase? IF you login as a full administrator into the web console, you can now create users under the security tab.
  2. What are the roles given to each of these users?
  3. We have not yet completed the upgrade code, and developer builds typically require a fresh install. Did you do a fresh install of Couchbase , or upgrade a particular instance?

Thanks,
Don Pinto, Couchbase Server PM Team

CC: @johan_larson


#6

Would be good to get @marcog’s take on this. He and I have discussed this at a high level before, and arguably if the prepare always maps to the same plan for that node, then it should not matter when executed. Of course, any access permissions must be honored.


#7

I created user named “queryuser” by click Security/Add User;

I add Query Select on default/Query System Catalog on default/Query Manage Index on default to “queryuser” user

I do a freash install of Couchbase on my MAC by

 rm -rf ~/Library/Application\ Support/Couchbase
 rm -rf ~/Library/Application\ Support/Membase

and then unzip file to the Applications folder.


#8

Yes, it looks like we are applying credentials at prepare time, while this should be postponed to execution.
And, as @atom_yang indicates, there probably is scope to have a prepare role.
Let me investigate a bit more…


#9

I will investigate more thoroughly later today, but the way prepared statements are supposed to work is that you need the same permissions to prepare a statement and to execute a prepared statement as you would to run the underlying statement directly.


#10

I have been doing a bit of code digging, and indeed, as @johan_larson says, in order to prepare, you need to have enough privileges to actually execute the request.
This said, I can’t get a select to prepare unless the user preparing it has admin privileges (I get 10000 as @atom_yang does).
Maybe @johan_larson can shed some light.


#11

do you mean that I need I full admin privileges to create PREPARE statement,
and I need prepare role to execute this PREPARE?
if so, I think It will be ok.


#12

The intended behaviour is that you need select privileges on the keyspace both on the prepare and the execute.
However right now it seems unless you have admin privileges, neither the prepare nor the select go through.


#13

The developer builds are still “in-the-work” snapshots, so expect more fixes to come in as we integrate and stabilize RBAC.

@atom_yang, we appreciate your feedback and trying out the developer builds as we are churning them out

Thanks,
Don


#14

For create a PREPARE REST API, I need select privileges on the keyspace both on the prepare and the execute.
And for execute the PREPARE REST API,I need select privileges on the keyspace the execute.
Am I right?


#15

@johan_larson kindly points out that you need the data reader role on default as well query select on default.
After you grant those to both users, it all works.


#16

with the role Query Select[default] and Data Reader[default], I can create prepared Queries And execute the prepared.

I think it is better if CB can provide different role to create prepared Queries And execute the prepared for security reason.