From f08e7f8697457b529d71cbe1e8bc95ba9644cbad Mon Sep 17 00:00:00 2001
From: Abhijeeth Nuthan
Date: Thu, 15 Oct 2020 16:59:44 -0700
Subject: [PATCH] MB-41765: Change permissions for managing collection per scope

Creating/deleting collection in scope only require following permission, "cluster.collection[::*].collections!write".

Change-Id: Icd6c8164a76631f9dd0e6eb8d6e33ee4653f7c25
Reviewed-on: http://review.couchbase.org/c/ns_server/+/138324
Tested-by: Abhijeeth Nuthan
Well-Formed: Build Bot
Reviewed-by: Artem Stemkovski
---
 src/menelaus_web.erl | 4 ++--
 src/menelaus_web_rbac.erl | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/menelaus_web.erl b/src/menelaus_web.erl
index d90afb33e..d8effd142 100644
--- a/src/menelaus_web.erl
+++ b/src/menelaus_web.erl
@@ -774,7 +774,7 @@ get_action(Req, {AppRoot, IsSSL, Plugins}, Path, PathTokens) ->
 fun menelaus_web_collections:handle_ensure_manifest/3,
 [Id, ManifestId]};
 ["pools", "default", "buckets", Id, "collections", Scope] ->
- {{[{bucket, Id}, collections], write},
+ {{[{collection, [Id, Scope, all]}, collections], write},
 fun menelaus_web_collections:handle_post_collection/3,
 [Id, Scope]};
 ["pools", "default", "buckets", Id, "collections"] ->
@@ -862,7 +862,7 @@ get_action(Req, {AppRoot, IsSSL, Plugins}, Path, PathTokens) ->
 [Id, Name]};
 ["pools", "default", "buckets", Id, "collections", Scope, Name] ->
- {{[{bucket, Id}, collections], write},
+ {{[{collection, [Id, Scope, all]}, collections], write},
 fun menelaus_web_collections:handle_delete_collection/4,
 [Id, Scope, Name]};
 ["pools", "default", "buckets", Id, "docs", DocId] ->
diff --git a/src/menelaus_web_rbac.erl b/src/menelaus_web_rbac.erl
index 7122a8b63..8df6ed63d 100644
--- a/src/menelaus_web_rbac.erl
+++ b/src/menelaus_web_rbac.erl
@@ -1320,6 +1320,8 @@ handle_check_permission_for_cbauth(Req) ->
 menelaus_util:reply_text(Req, "", 401)
 end.

+vertex_param_to_list(all) ->
+ "*";
 vertex_param_to_list(any) ->
 ".";
 vertex_param_to_list(Param) ->
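Review bot: Both changed routes in get_action (the POST on `.../collections/Scope` in the -774 hunk and the DELETE on `.../collections/Scope/Name` in the -862 hunk) now build the authorization object from the `Scope` path segment, and nothing beside either line explains why the collection position is `all` rather than the collection being acted on. On the delete route `Name` plays no part in the check, so, if `all` is the wildcard that the commit message's `[::*]` suggests, a grant limited to one collection would not be enough to drop it, while a scope-wide grant covers every collection in that scope; that looks intended but should be written down next to the tuple, e.g. `%% authorized at scope level: collections!write over every collection in Scope`. Because the required privilege moves from the bucket down to the scope, the change would be safer with a test showing that a principal holding the permission on one scope is refused on a sibling scope of the same bucket. get_action begins and ends outside both hunks, so whether `Scope` is validated before the permission is evaluated cannot be confirmed from here.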
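Review bot: With `all` rendered as `"*"` in vertex_param_to_list, the wildcard's textual form is the same string the catch-all `vertex_param_to_list(Param)` clause would presumably return for a literal name `"*"` (and likewise `"."` for `any`), and the hunk carries no comment saying which atom means what. The catch-all clause's body lies outside the hunk, so this is inferred rather than shown. If bucket, scope and collection names are already restricted so that neither string can be a real name, a one-line comment would settle it, for example `%% 'all' -> "*", 'any' -> "."; neither string is a legal name`. A `-spec` naming the accepted atoms would also make the contract explicit for the next caller.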