Riak security permission not inherited correctly. #469

Closed
lukebakken opened this issue Jan 12, 2014 · 14 comments

@lukebakken

Testing 2.0.0pre10.

Expected: retrieving default bucket type properties as lbakken user should work since lbakken is in the admin role, and riak_core.get_bucket_type permission has been granted to admin role.

Observed: lbakken user is denied permission; however, the admin user (once given a password) can retrieve the data.

```text
# riak-admin security add-user admin
# riak-admin security add-user lbakken 'password=Pass@word1' 'roles=admin'
# riak-admin security add-source admin 127.0.0.1/32 password
# riak-admin security grant riak_core.get_bucket_type ON ANY TO admin
# riak-admin security print-users
+----------+---------------+----------------------------------------+------------------------------+
| username |     roles     |                password                |           options            |
+----------+---------------+----------------------------------------+------------------------------+
| lbakken  |     admin     |0463dba5e0793529363e91a8c985eea7946f4934|              []              |
|  admin   |               |                                        |              []              |
+----------+---------------+----------------------------------------+------------------------------+

# riak-admin security print-sources
+--------------------+------------+----------+----------+
|       users        |    cidr    |  source  | options  |
+--------------------+------------+----------+----------+
|       admin        |127.0.0.1/32| password |    []    |
+--------------------+------------+----------+----------+

# riak-admin security print-user admin

Inherited permissions

+--------------------+----------+----------+----------------------------------------+
|        role        |   type   |  bucket  |                 grants                 |
+--------------------+----------+----------+----------------------------------------+

Applied permissions

+----------+----------+----------------------------------------+
|   type   |  bucket  |                 grants                 |
+----------+----------+----------------------------------------+
|    *     |    *     |       riak_core.get_bucket_type        |
+----------+----------+----------------------------------------+

# riak-admin security print-user lbakken

Inherited permissions

+--------------------+----------+----------+----------------------------------------+
|        role        |   type   |  bucket  |                 grants                 |
+--------------------+----------+----------+----------------------------------------+
|       admin        |    *     |    *     |       riak_core.get_bucket_type        |
+--------------------+----------+----------+----------------------------------------+

Applied permissions

+----------+----------+----------------------------------------+
|   type   |  bucket  |                 grants                 |
+----------+----------+----------------------------------------+
|    *     |    *     |       riak_core.get_bucket_type        |
+----------+----------+----------------------------------------+

# curl -k -u 'lbakken:Pass@word1' 'https://localhost:8443/types/default/props'
<html><head><title>401 Unauthorized</title></head><body><h1>Unauthorized</h1>Unauthorized<p><hr><address>mochiweb+webmachine web server</address></body></html>

# riak-admin security alter-user admin 'password=Pass@word2'

# curl -k -u 'admin:Pass@word2' 'https://localhost:8443/types/default/props'

{"props":{"allow_mult":true,"basic_quorum":false,"big_vclock":50,"chash_keyfun":{"mod":"riak_core_util","fun":"chash_std_keyfun"},"dw":"quorum","last_write_wins":false,"linkfun":{"mod":"riak_kv_wm_link_walker","fun":"mapreduce_linkfun"},"n_val":3,"notfound_ok":true,"old_vclock":86400,"postcommit":[],"pr":0,"precommit":[],"pw":0,"r":"quorum","rw":"quorum","small_vclock":50,"w":"quorum","young_vclock":20}}
```

@lukebakken

Additional steps taken to try to grant this permission to the lbakken user result in a stacktrace:

```text
# riak-admin security grant riak_core.get_bucket_type ON ANY TO lbakken

# curl -k -u 'lbakken:Pass@word1' 'https://localhost:8443/types/default/props'
<html><head><title>401 Unauthorized</title></head><body><h1>Unauthorized</h1>Unauthorized<p><hr><address>mochiweb+webmachine web server</address></body></html>

# riak-admin security del-user admin

# curl -k -u 'lbakken:Pass@word1' 'https://localhost:8443/types/default/props'
<html><head><title>500 Internal Server Error</title></head><body><h1>Internal Server Error</h1>The server encountered an error while processing this request:<br><pre>{error,function_clause,
       [{riak_core_security,'-authenticate/3-fun-0-',
                            [{{<<"admin">>,{{127,0,0,1},32}},['$deleted']},[]],
                            [{file,"src/riak_core_security.erl"},{line,231}]},
        {riak_core_metadata,fold_it,3,
                            [{file,"src/riak_core_metadata.erl"},{line,130}]},
        {riak_core_security,authenticate,3,
                            [{file,"src/riak_core_security.erl"},{line,231}]},
        {riak_api_web_security,is_authorized,1,
                               [{file,"src/riak_api_web_security.erl"},
                                {line,21}]},
        {riak_kv_wm_bucket_type,is_authorized,2,
                                [{file,"src/riak_kv_wm_bucket_type.erl"},
                                 {line,108}]},
        {webmachine_resource,resource_call,3,
                             [{file,"src/webmachine_resource.erl"},
                              {line,186}]},
        {webmachine_resource,do,3,
                             [{file,"src/webmachine_resource.erl"},
                              {line,142}]},
        {webmachine_decision_core,resource_call,1,
                                  [{file,"src/webmachine_decision_core.erl"},
                                   {line,48}]}]}</pre><P><HR><ADDRESS>mochiweb+webmachine web server</ADDRESS></body></html>
```

@lukebakken

OK, it appears that sources are not inherited, as this command fixes the initial issue:

```text
riak-admin security add-source lbakken 127.0.0.1/32 password
```

I'm not sure if roles should also cause sources to be inherited.

@Vagabond

I don't think sources should be inherited; authentication is separate from authorization.

@lukebakken

Doesn't the current behavior require many add-source commands to be run to set up sources for a set of users that are all in the same role? You could use add-source all but that may be too permissive.

@Vagabond

The stacktrace should be fixed, however.

@Vagabond

I guess my concern is that it becomes a lot less clear what source a user is using to log in if we allow sources to be inherited. It also opens up the issue of figuring out which source should be used, in the case where multiple ones are found that match the user.

@lukebakken

OK great we'll get this documented ... paging @lucperkins

I can test the stacktrace fix whenever it's available.

Thanks!

@Vagabond

By the way, what version of Riak threw that stacktrace, was it something recent?

@lukebakken

2.0.0pre10

@Vagabond

Fix for the stack trace is linked to this issue.

@lukebakken

Authentication records in pg_hba.conf for postgres do allow specifying users or roles. I only mention this here because PG authentication/authorization was used as a model for Riak's.

http://www.postgresql.org/docs/9.3/static/auth-pg-hba-conf.html

> Specifies which database user name(s) this record matches. The value all specifies that it matches all users. Otherwise, this is either the name of a specific database user, or a group name preceded by +. (Recall that there is no real distinction between users and groups in PostgreSQL; a + mark really means "match any of the roles that are directly or indirectly members of this role", while a name without a + mark matches only that specific role.)
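The two behaviours discussed in this thread, grants inherited through roles but sources (authentication records) matched per user, and the opt-in `+role` source syntax borrowed from pg_hba.conf, are easy to confuse, so here is a small model of them. This is an added illustration written for this page; it is not Riak's code, and the `SecurityStore` class, its `request` method, the `"+role"` source principal and the 401/403 status mapping are assumptions of the example rather than Riak's behaviour. It replays the `riak-admin` steps from the first comment, shows why `lbakken` gets a 401 even though the grant is inherited, and shows the `+admin` source record only taking effect when role-based source matching is explicitly enabled.

```python
# Toy model of the split between authentication sources and role-inherited
# grants described in the thread. Added illustration only; not Riak's code.
# SecurityStore, request(), the "+role" source syntax and the status codes
# are assumptions of this example.
import ipaddress
from dataclasses import dataclass, field

PERM = "riak_core.get_bucket_type"  # the permission from the issue


@dataclass
class SecurityStore:
    users: dict = field(default_factory=dict)    # user -> set of roles
    roles: dict = field(default_factory=dict)    # role -> set of parent roles
    sources: list = field(default_factory=list)  # (principal, network, method)
    grants: dict = field(default_factory=dict)   # principal -> set of perms

    def add_user(self, name, roles=()):
        self.users[name] = set(roles)

    def add_role(self, name, roles=()):
        self.roles[name] = set(roles)

    def add_source(self, principal, cidr, method):
        self.sources.append((principal, ipaddress.ip_network(cidr), method))

    def del_user(self, name):
        # Remove the user's own source records too, so authentication never
        # folds over a dangling record for a user that no longer exists.
        self.users.pop(name, None)
        self.sources = [s for s in self.sources if s[0] != name]

    def grant(self, perm, principal):
        self.grants.setdefault(principal, set()).add(perm)

    def roles_of(self, user):
        """Transitive closure of role membership (direct and indirect)."""
        seen, todo = set(), list(self.users.get(user, ()))
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.roles.get(r, ()))
        return seen

    def find_source(self, user, addr, role_sources=False):
        """Auth method for this user/address, or None if no record matches."""
        ip = ipaddress.ip_address(addr)
        roles = self.roles_of(user)
        for principal, net, method in reversed(self.sources):
            if ip not in net:
                continue
            if principal in ("all", user):      # per-user or 'all' record
                return method
            # pg_hba-style '+role' record: explicit opt-in, never implicit
            if role_sources and principal.startswith("+") and principal[1:] in roles:
                return method
        return None

    def permissions_of(self, user):
        """Grants made to the user plus grants inherited via roles."""
        perms = set(self.grants.get(user, ()))
        for r in self.roles_of(user):
            perms |= self.grants.get(r, set())
        return perms

    def request(self, user, addr, perm, role_sources=False):
        """HTTP-style outcome: 401 no source, 403 no grant, 200 allowed."""
        if user not in self.users or self.find_source(user, addr, role_sources) is None:
            return 401
        if perm not in self.permissions_of(user):
            return 403
        return 200


def reproduce_issue():
    """Replay the riak-admin steps from the report; return status per step."""
    s = SecurityStore()
    s.add_user("admin")
    s.add_user("lbakken", roles=["admin"])
    s.add_source("admin", "127.0.0.1/32", "password")
    s.grant(PERM, "admin")
    before = s.request("lbakken", "127.0.0.1", PERM)  # 401: grant inherited, source not
    admin_ok = s.request("admin", "127.0.0.1", PERM)  # 200
    s.add_source("lbakken", "127.0.0.1/32", "password")  # the fix from the thread
    after = s.request("lbakken", "127.0.0.1", PERM)   # 200
    return before, admin_ok, after


def role_source_variant():
    """The proposed '+role' source record, off by default and opt-in."""
    s = SecurityStore()
    s.add_user("admin")
    s.add_user("lbakken", roles=["admin"])
    s.add_source("+admin", "127.0.0.1/32", "password")
    s.grant(PERM, "admin")
    return (s.request("lbakken", "127.0.0.1", PERM),                     # 401
            s.request("lbakken", "127.0.0.1", PERM, role_sources=True),  # 200
            s.request("lbakken", "10.0.0.5", PERM, role_sources=True))   # 401: CIDR miss
```

The separation is deliberate: `find_source` never consults role membership unless `role_sources=True`, which mirrors the concern raised above that implicit inheritance makes it unclear which record a user authenticated with, while the explicit `+admin` spelling keeps the operator's intent visible in `print-sources`.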

@Vagabond

Good point. I would be OK with implementing the + syntax. My main concern was it being implicit.

@Vagabond

But it will not make 2.0.

@jaredmorrow

@Vagabond milestone added for 2.0.1

@jaredmorrow jaredmorrow added this to the 2.0.1 milestone Mar 24, 2014
@lukebakken lukebakken closed this as not planned Won't fix, can't repro, duplicate, stale Feb 23, 2023