Riak security permission not inherited correctly. #469

Open
lukebakken opened this Issue Jan 12, 2014 · 14 comments

Contributor

lukebakken commented Jan 12, 2014

Testing 2.0.0pre10.

Expected: retrieving default bucket type properties as lbakken user should work since lbakken is in the admin role, and riak_core.get_bucket_type permission has been granted to admin role.

Observed: the lbakken user is denied permission; however, the admin user (once given a password) can retrieve the data.

# riak-admin security add-user admin
# riak-admin security add-user lbakken 'password=Pass@word1' 'roles=admin'
# riak-admin security add-source admin 127.0.0.1/32 password
# riak-admin security grant riak_core.get_bucket_type ON ANY TO admin
# riak-admin security print-users
+----------+---------------+----------------------------------------+------------------------------+
| username |     roles     |                password                |           options            |
+----------+---------------+----------------------------------------+------------------------------+
| lbakken  |     admin     |0463dba5e0793529363e91a8c985eea7946f4934|              []              |
|  admin   |               |                                        |              []              |
+----------+---------------+----------------------------------------+------------------------------+

# riak-admin security print-sources
+--------------------+------------+----------+----------+
|       users        |    cidr    |  source  | options  |
+--------------------+------------+----------+----------+
|       admin        |127.0.0.1/32| password |    []    |
+--------------------+------------+----------+----------+

# riak-admin security print-user admin

Inherited permissions

+--------------------+----------+----------+----------------------------------------+
|        role        |   type   |  bucket  |                 grants                 |
+--------------------+----------+----------+----------------------------------------+

Applied permissions

+----------+----------+----------------------------------------+
|   type   |  bucket  |                 grants                 |
+----------+----------+----------------------------------------+
|    *     |    *     |       riak_core.get_bucket_type        |
+----------+----------+----------------------------------------+

# riak-admin security print-user lbakken

Inherited permissions

+--------------------+----------+----------+----------------------------------------+
|        role        |   type   |  bucket  |                 grants                 |
+--------------------+----------+----------+----------------------------------------+
|       admin        |    *     |    *     |       riak_core.get_bucket_type        |
+--------------------+----------+----------+----------------------------------------+

Applied permissions

+----------+----------+----------------------------------------+
|   type   |  bucket  |                 grants                 |
+----------+----------+----------------------------------------+
|    *     |    *     |       riak_core.get_bucket_type        |
+----------+----------+----------------------------------------+

# curl -k -u 'lbakken:Pass@word1' 'https://localhost:8443/types/default/props'
<html><head><title>401 Unauthorized</title></head><body><h1>Unauthorized</h1>Unauthorized<p><hr><address>mochiweb+webmachine web server</address></body></html>

# riak-admin security alter-user admin 'password=Pass@word2'

# curl -k -u 'admin:Pass@word2' 'https://localhost:8443/types/default/props'

{"props":{"allow_mult":true,"basic_quorum":false,"big_vclock":50,"chash_keyfun":{"mod":"riak_core_util","fun":"chash_std_keyfun"},"dw":"quorum","last_write_wins":false,"linkfun":{"mod":"riak_kv_wm_link_walker","fun":"mapreduce_linkfun"},"n_val":3,"notfound_ok":true,"old_vclock":86400,"postcommit":[],"pr":0,"precommit":[],"pw":0,"r":"quorum","rw":"quorum","small_vclock":50,"w":"quorum","young_vclock":20}}
Contributor

lukebakken commented Jan 12, 2014

Additional steps taken to try to grant this permission to the lbakken user result in a stacktrace:

# riak-admin security grant riak_core.get_bucket_type ON ANY TO lbakken

# curl -k -u 'lbakken:Pass@word1' 'https://localhost:8443/types/default/props'
<html><head><title>401 Unauthorized</title></head><body><h1>Unauthorized</h1>Unauthorized<p><hr><address>mochiweb+webmachine web server</address></body></html>

# riak-admin security del-user admin

# curl -k -u 'lbakken:Pass@word1' 'https://localhost:8443/types/default/props'
<html><head><title>500 Internal Server Error</title></head><body><h1>Internal Server Error</h1>The server encountered an error while processing this request:<br><pre>{error,function_clause,
       [{riak_core_security,'-authenticate/3-fun-0-',
                            [{{<<"admin">>,{{127,0,0,1},32}},['$deleted']},[]],
                            [{file,"src/riak_core_security.erl"},{line,231}]},
        {riak_core_metadata,fold_it,3,
                            [{file,"src/riak_core_metadata.erl"},{line,130}]},
        {riak_core_security,authenticate,3,
                            [{file,"src/riak_core_security.erl"},{line,231}]},
        {riak_api_web_security,is_authorized,1,
                               [{file,"src/riak_api_web_security.erl"},
                                {line,21}]},
        {riak_kv_wm_bucket_type,is_authorized,2,
                                [{file,"src/riak_kv_wm_bucket_type.erl"},
                                 {line,108}]},
        {webmachine_resource,resource_call,3,
                             [{file,"src/webmachine_resource.erl"},
                              {line,186}]},
        {webmachine_resource,do,3,
                             [{file,"src/webmachine_resource.erl"},
                              {line,142}]},
        {webmachine_decision_core,resource_call,1,
                                  [{file,"src/webmachine_decision_core.erl"},
                                   {line,48}]}]}</pre><P><HR><ADDRESS>mochiweb+webmachine web server</ADDRESS></body></html>
Contributor

lukebakken commented Jan 12, 2014

OK, it appears that sources are not inherited, as this command fixes the initial issue:

riak-admin security add-source lbakken 127.0.0.1/32 password

I'm not sure if roles should also cause sources to be inherited.

Contributor

Vagabond commented Jan 15, 2014

I don't think sources should be inherited, authentication is separate from authorization.

Contributor

lukebakken commented Jan 15, 2014

Doesn't the current behavior require many add-source commands to be run to set up sources for a set of users that are all in the same role? You could use add-source all but that may be too permissive.

Contributor

Vagabond commented Jan 15, 2014

The stacktrace should be fixed, however.

Contributor

Vagabond commented Jan 15, 2014

I guess my concern is that it becomes a lot less clear what source a user is using to log in if we allow sources to be inherited. It also opens up the issue of figuring out which source should be used, in the case where multiple ones are found that match the user.

Contributor

lukebakken commented Jan 15, 2014

OK, great, we'll get this documented ... paging @lucperkins

I can test the stacktrace fix whenever it's available.

Thanks!

Contributor

Vagabond commented Jan 15, 2014

By the way, what version of Riak threw that stacktrace, was it something recent?

Contributor

lukebakken commented Jan 15, 2014

2.0.0pre10

Vagabond referenced this issue in basho/riak_core Jan 15, 2014

Merged

Handle tombstones when accumulating sources #506

Contributor

Vagabond commented Jan 15, 2014

Fix for the stack trace is linked to this issue.

Contributor

lukebakken commented Jan 16, 2014

Authentication records in pg_hba.conf for postgres do allow specifying users or roles. I only mention this here because PG authentication/authorization was used as a model for Riak's.

http://www.postgresql.org/docs/9.3/static/auth-pg-hba-conf.html

Specifies which database user name(s) this record matches. The value all specifies that it matches all users. Otherwise, this is either the name of a specific database user, or a group name preceded by +. (Recall that there is no real distinction between users and groups in PostgreSQL; a + mark really means "match any of the roles that are directly or indirectly members of this role", while a name without a + mark matches only that specific role.)

Contributor

Vagabond commented Jan 16, 2014

Good point. I would be OK with implementing the + syntax. My main concern was it being implicit.
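
To make the authentication/authorization split discussed above concrete, here is a small Python model written for this note (not Riak's code): sources are matched per (user, CIDR) and decide whether a login is accepted at all, while grants are resolved through roles and decide what the user may do. The `+role` source match from the pg_hba suggestion and the tombstone skip from the linked riak_core fix are modelled as assumptions; the user, role, grant and source tables reproduce the ones printed earlier in the thread.

```python
# Constructed model of Riak 2.0 security resolution (not Riak's own code):
# sources answer "may this user log in from here?" and grants answer
# "may this user do X?"; roles feed only the second question.
import ipaddress

DELETED = "$deleted"  # tombstone that del-user leaves in cluster metadata
USERS = {"admin": [], "lbakken": ["admin"]}            # user -> direct roles
GRANTS = {"admin": {("*", "*"): {"riak_core.get_bucket_type"}}}
SOURCES = {("admin", "127.0.0.1/32"): ["password"]}   # (who, cidr) -> value

def roles_of(user):
    """Roles held directly or indirectly (what pg_hba's '+name' means)."""
    seen, todo = set(), list(USERS.get(user, []))
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(USERS.get(r, []))
    return seen

def authenticate(user, ip, sources, handle_tombstones=True):
    """Source kind matching (user, ip), or None -> HTTP 401. Without
    tombstone handling the fold, like the pre-fix Erlang in the trace,
    reaches a clause that only expects live values (the 500 above)."""
    addr = ipaddress.ip_address(ip)
    for (who, cidr), value in sources.items():
        if value == [DELETED]:
            if handle_tombstones:
                continue
            raise TypeError("function_clause on %r" % ((who, cidr),))
        if addr not in ipaddress.ip_network(cidr):
            continue
        # 'all', the exact user, or (hypothetical '+role' syntax) a held role
        if who in ("all", user) or (who.startswith("+") and who[1:] in roles_of(user)):
            return value[0]
    return None

def authorized(user, perm, btype="*", bucket="*"):
    """Grants are inherited through roles; sources are not."""
    for p in [user, *roles_of(user)]:
        for (t, b), perms in GRANTS.get(p, {}).items():
            if t in ("*", btype) and b in ("*", bucket) and perm in perms:
                return True
    return False

def request(user, ip, perm, sources):
    """Order seen in the trace: is_authorized authenticates first (401)
    and only then checks the grant (403)."""
    if authenticate(user, ip, sources) is None:
        return 401
    return 200 if authorized(user, perm) else 403
```

With the thread's tables, `request("lbakken", "127.0.0.1", "riak_core.get_bucket_type", SOURCES)` returns 401 even though `authorized("lbakken", ...)` is true; adding a source for lbakken (or a `+admin` source) turns it into 200.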

Contributor

Vagabond commented Jan 16, 2014

But it will not make 2.0.

Contributor

jaredmorrow commented Mar 24, 2014

@Vagabond milestone added for 2.0.1

jaredmorrow added this to the 2.0.1 milestone Mar 24, 2014
