Inherited permissions showing up as applied permissions #505

Closed
lucperkins opened this Issue Jan 13, 2014 · 4 comments

I ran the following sequence of commands:

riak-admin security add-user riakuser
riak-admin security grant riak_kv.get ON ANY shopping_list TO riakuser
riak-admin security add-user admin
riak-admin security grant riak_kv.get,riak_kv.put,riak_kv.delete ON ANY TO admin
riak-admin security alter-user riakuser roles=admin

The expected behavior is that no permissions inherited from admin should show up under Applied Permissions. However, running riak-admin security print-user riakuser produces the following output:

Inherited permissions

+--------------------+----------+----------+----------------------------------------+
|        role        |   type   |  bucket  |                 grants                 |
+--------------------+----------+----------+----------------------------------------+
|       admin        |    *     |    *     |      riak_kv.get, riak_kv.delete,      |
|                    |          |          |              riak_kv.put               |
+--------------------+----------+----------+----------------------------------------+

Applied permissions

+----------+-------------+----------------------------------------+
|   type   |   bucket    |                 grants                 |
+----------+-------------+----------------------------------------+
|    *     |      *      |      riak_kv.get, riak_kv.delete,      |
|          |             |              riak_kv.put               |
|   ANY    |shopping_list|              riak_kv.get               |
+----------+-------------+----------------------------------------+

AFAIK, only the riak_kv.get permission on bucket shopping_list should show up under Applied permissions, as the get, put, and delete could only have been inherited.

If I remove the admin role from riakuser, then running print-user riakuser results in precisely what one should expect:

Inherited permissions

+--------------------+----------+----------+----------------------------------------+
|        role        |   type   |  bucket  |                 grants                 |
+--------------------+----------+----------+----------------------------------------+

Applied permissions

+----------+-------------+----------------------------------------+
|   type   |   bucket    |                 grants                 |
+----------+-------------+----------------------------------------+
|   ANY    |shopping_list|              riak_kv.get               |
+----------+-------------+----------------------------------------+

BTW, this behavior has been confirmed on pre9 and pre10.

jrwest added this to the 2.0-RC milestone Mar 24, 2014

jrwest commented Mar 24, 2014

Found issue in complete feature. Marked milestone 2.0-RC.

macintux commented May 23, 2014

All but certain this is no longer an issue; I reworked the grant printing mechanism (now print-grants) to display 3 separate tables. @lucperkins if you have time to check this again, I'd appreciate it.

macintux commented May 26, 2014

Yes, this problem is resolved, although it does highlight a misconception about the grant syntax.

Inherited permissions (user/riakuser)

+--------------------+----------+----------+----------------------------------------+
|       group        |   type   |  bucket  |                 grants                 |
+--------------------+----------+----------+----------------------------------------+
|       admin        |    *     |    *     |      riak_kv.get, riak_kv.delete,      |
|                    |          |          |              riak_kv.put               |
+--------------------+----------+----------+----------------------------------------+

Dedicated permissions (user/riakuser)

+----------+-------------+----------------------------------------+
|   type   |   bucket    |                 grants                 |
+----------+-------------+----------------------------------------+
|   any    |shopping_list|              riak_kv.get               |
+----------+-------------+----------------------------------------+

Cumulative permissions (user/riakuser)

+----------+-------------+----------------------------------------+
|   type   |   bucket    |                 grants                 |
+----------+-------------+----------------------------------------+
|    *     |      *      |      riak_kv.get, riak_kv.delete,      |
|          |             |              riak_kv.put               |
|   any    |shopping_list|              riak_kv.get               |
+----------+-------------+----------------------------------------+

Need to update the riak-admin usage statement to make it clear that one can grant on any or to <type> <bucket>, but not any <bucket>.

macintux closed this May 26, 2014
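The closing comment makes two points that are easy to miss when reading the tables: the fix was to split what a user holds directly ("dedicated") from what reaches it through a group ("inherited"), with "cumulative" being what is actually enforced; and the reporter's `ON ANY shopping_list` is not "bucket shopping_list in every type", because the grant target is either the single token `ANY` or a literal `<type> <bucket>` pair. The script below is an added model written for this page, not Riak's own code (riak_core_security is Erlang): it replays the issue's command sequence, computes the three tables, and runs the authorization check that follows from them. It assumes that a two-token target is taken literally, so `ANY shopping_list` names a bucket type called `ANY`, and it uses `default` as the bucket-type name for the corrected grant; both are assumptions of the model, not facts the issue states.

```python
"""Model of how riak-admin security grants resolve into the three tables shown
by `riak-admin security print-grants`. Added illustration for this page, not
Riak code. Assumptions: a one-token target ANY is the wildcard; a two-token
target is taken literally as <type> <bucket>; 'default' is a bucket-type name."""

WILDCARD = ("*", "*")   # printed by riak-admin as type=* bucket=*


class SecurityModel:
    def __init__(self):
        self.members = {}   # user -> set of groups (roles) it belongs to
        self.grants = {}    # (role, target) -> set of permissions

    def add_user(self, name):
        self.members.setdefault(name, set())

    def alter_user(self, name, groups):
        # mirrors `riak-admin security alter-user <user> groups=<g1,g2>`
        self.members[name] = set(groups)

    @staticmethod
    def parse_target(target):
        tokens = target.split()
        if len(tokens) == 1 and tokens[0].lower() == "any":
            return WILDCARD
        if len(tokens) == 2:
            # Taken literally (assumption): "ANY shopping_list" => type "ANY".
            return (tokens[0], tokens[1])
        raise ValueError("grant target must be ANY or '<type> <bucket>': %r" % target)

    def grant(self, perms, target, role):
        key = (role, self.parse_target(target))
        self.grants.setdefault(key, set()).update(perms)

    def dedicated(self, user):
        """Grants made directly to the user, keyed by target."""
        return {t: set(p) for (r, t), p in self.grants.items() if r == user}

    def inherited(self, user):
        """Grants reaching the user through group membership, keyed by (group, target)."""
        out = {}
        for (role, target), perms in self.grants.items():
            if role in self.members.get(user, ()):
                out.setdefault((role, target), set()).update(perms)
        return out

    def cumulative(self, user):
        """What is actually enforced: dedicated plus inherited, merged per target."""
        out = self.dedicated(user)
        for (_, target), perms in self.inherited(user).items():
            out.setdefault(target, set()).update(perms)
        return out

    def permitted(self, user, perm, btype, bucket):
        """Authorization check: the wildcard target or an exact (type, bucket) match."""
        cum = self.cumulative(user)
        return perm in cum.get(WILDCARD, set()) or perm in cum.get((btype, bucket), set())


def render(table):
    """Render a {target: perms} mapping as one row per target, like print-grants."""
    rows = ["| %-8s | %-14s | %s |" % (t[0], t[1], ", ".join(sorted(p)))
            for t, p in sorted(table.items())]
    return "\n".join(rows)


def issue_scenario():
    """The exact command sequence from the issue report, replayed in the model."""
    m = SecurityModel()
    m.add_user("riakuser")
    m.grant({"riak_kv.get"}, "ANY shopping_list", "riakuser")
    m.add_user("admin")
    m.grant({"riak_kv.get", "riak_kv.put", "riak_kv.delete"}, "ANY", "admin")
    m.alter_user("riakuser", ["admin"])
    return m


if __name__ == "__main__":
    m = issue_scenario()
    for title, table in (("Dedicated", m.dedicated("riakuser")),
                         ("Cumulative", m.cumulative("riakuser"))):
        print(title + " permissions (user/riakuser)\n" + render(table) + "\n")
    # Drop the group: the only remaining grant is on the literal type "ANY",
    # so a get on default/shopping_list is refused.
    m.alter_user("riakuser", [])
    print("get on default/shopping_list without admin:",
          m.permitted("riakuser", "riak_kv.get", "default", "shopping_list"))
```

The practical check this suggests: after granting, read the cumulative table rather than the dedicated one, since that is what a request is evaluated against, and confirm that the type column shows the bucket type you meant rather than a literal `ANY`.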