ACL read-only user permissions reject queries using query functions and variables #5687

Closed
danielmai opened this issue Jun 18, 2020 · 3 comments
Labels
area/enterprise/acl Related to Access Control Lists status/accepted We accept to investigate/work on it.

Comments

@danielmai
Contributor

danielmai commented Jun 18, 2020

What version of Dgraph are you using?

v20.03.3

Have you tried reproducing the issue with the latest release?

Yes

What is the hardware spec (RAM, OS)?

Ubuntu Linux (Docker)

Steps to reproduce the issue (command/config used to run Dgraph).

  1. Run Dgraph cluster with ACLs enabled.
  2. Log in as groot and set the following mutation:
    {"name": "Dgraph", "dgraph.type": "TypeName"}
    
  3. Create a type called `TypeName` that has the `name` predicate.
  4. Create an ACL group with read-only permissions to predicates.
  5. Create a user and add it to the read-only group created in #2 (i.e., it's not a guardian user).

type function

Query: Run a query using the type() function:

{ 
  q(func: type(TypeName))
}

Alpha logs show access denied for predicates "":

I0618 22:30:58.799588      16 access_ee.go:727] ACL-LOG Authorizing user "rouser" with groups "rogroup" on predicates "" for "Read", allowed:false

expand function

Query: Run a query using expand(_all_):

{ 
  q(func: has(name)) {
    expand(_all_)
  }
}

Alpha logs show access denied for predicates ",expand":

I0618 22:31:20.622734      16 access_ee.go:727] ACL-LOG Authorizing user "rouser" with groups "rogroup" on predicates ",expand" for "Read", allowed:false

val function and variables

Query: Run a query using val(v) and see an access denied log in Alpha:

{
  q1(func: has(name)) {
    v as name
  }
  
  q2(func: eq(val(v), "Dgraph")) {
    val(v)
  }
}

Expected response:

{
  "data": {
    "q1": [
      {
        "name": "Dgraph"
      }
    ],
    "q2": [
      {
        "val(n)": "Dgraph"
      }
    ]
  }
}

Actual response (q2 doesn't show up):

{
  "data": {
    "q1": [
      {
        "name": "Dgraph"
      }
    ]
  }
}

Alpha logs show access denied for predicates "name,v,val":

I0618 22:43:16.186675      16 access_ee.go:727] ACL-LOG Authorizing user "rouser" with groups "rogroup" on predicates "name,v,val" for "Read", allowed:false

uid function

Query: Run a query using the uid() function:

{
  q(func: uid(0x5)) {
    uid
    name
  }
}

Query returned expected results:

{
  "data": {
    "q": [
      {
        "uid": "0x5",
        "name": "Dgraph"
      }
    ]
  }
}

But, Alpha logs show access denied for predicates "".

I0618 22:52:28.803228      16 access_ee.go:727] ACL-LOG Authorizing user "rouser" with groups "rogroup" on predicates "" for "Read", allowed:false

Expected behaviour and actual result.

These queries from a read-only user should return back the expected data.

It looks like ACL rules are looking at built-in functions and variable names as part of the rule set for ACLs.

@danielmai danielmai added status/accepted We accept to investigate/work on it. area/enterprise/acl Related to Access Control Lists labels Jun 18, 2020
@danielmai danielmai changed the title ACL permissions reject queries using query functions and variables ACL read-only user permissions reject queries using query functions and variables Jun 18, 2020
@all-seeing-code
Contributor

Identifying different related issues below:

Set-up for repro:

Schema:

name: string @index(hash).
class: string @index(exact, trigram) .
type TypeName {
    name: string
    class: string
}

Data:

<1> <name> "Anurag" .
<1> <class> "first" .
<1> <dgraph.type> "TypeName" .

<2> <name> "Brad" .
<2> <class> "second" .
<2> <dgraph.type> "TypeName" .

Log in as a non-groot user that has read-only permission for the name predicate.

Queries and observations:

Query 1

{ 
  q(func: type(TypeName)){
    name
    class
  }
}

Result

"q": [
      {
        "name": "Anurag"
      },
      {
        "name": "Brad"
      }
    ]

Observations: The result is as expected. But Alpha has the following erroneous log message: ACL-LOG Authorizing user "basic" with groups "Base" on predicates ",name,class" for "Read", allowed:false

Query 2

{
  q(func: has(name)) {
    expand(_all_)
  }
}

Result

"q": []

Observations: The result is as expected since the user doesn't have access to the class predicate. Do we want to support the expand query such that it expands to only those predicates to which the user has access? Alpha log message: ACL-LOG Authorizing user "basic" with groups "Base" on predicates "name,expand" for "Read", allowed:false

Query 3

{
  q1(func: has(name)) {
    v as name
  }
  
  q2(func: eq(val(v), "Anurag")) {
    val(v)
  }
}

Result

"q1": [
      {
        "name": "Anurag"
      },
      {
        "name": "Brad"
      }
    ]

Observations: Alpha log message: ACL-LOG Authorizing user "basic" with groups "Base" on predicates "name,v,val" for "Read", allowed:false

The result should also include results from q2.

Query 4

None

Without any query, alpha periodically logs:

ACL-LOG Authorizing user "basic" with groups "Base" on predicates "" for "Read", allowed:false

This leads to confusion as reported.

@all-seeing-code
Contributor

I have a PR: #5733 that fixes expand(_all_) query. See Query 2 above. I feel the fix for Query 3 should be a separate PR. I am still working on that one.

@all-seeing-code
Contributor

The second PR: #5945 fixes val(variable) query. See Query 3 above. This has also been merged.
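
A triage helper for the ACL-LOG lines quoted in this thread, as an added example that is not part of the original issue and is not Dgraph code: it separates denials caused only by non-predicate tokens (the empty string, `expand`, `val`, a query variable such as `v`) from denials that name a real predicate the user cannot read. The function name `Triage`, the `schema` and `granted` sets, and the last sample log line are assumptions made for the example; the operator supplies the schema and grants because the log carries neither.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// aclLog matches the ACL-LOG line format quoted in this issue.
var aclLog = regexp.MustCompile(`ACL-LOG Authorizing user "([^"]*)" with groups "([^"]*)" on predicates "([^"]*)" for "([^"]*)", allowed:(true|false)`)

// Triage classifies one Alpha log line. schema holds the predicates that exist;
// granted holds the predicates the user's groups may read (both are assumptions).
func Triage(line string, schema, granted map[string]bool) (verdict string, nonPreds, ungranted []string) {
	m := aclLog.FindStringSubmatch(line)
	if m == nil {
		return "not-acl-log", nil, nil
	}
	if m[5] == "true" {
		return "allowed", nil, nil
	}
	for _, tok := range strings.Split(m[3], ",") {
		switch {
		case !schema[tok]: // "", expand, val, or a query variable such as v
			nonPreds = append(nonPreds, tok)
		case !granted[tok]: // a real predicate the user may not read
			ungranted = append(ungranted, tok)
		}
	}
	if len(ungranted) > 0 {
		return "genuine-denial", nonPreds, ungranted
	}
	return "spurious-denial", nonPreds, ungranted
}

func main() {
	schema := map[string]bool{"name": true, "class": true}
	granted := map[string]bool{"name": true}
	lines := []string{ // first three are quoted from the issue; the last is constructed
		`I0618 22:30:58.799588      16 access_ee.go:727] ACL-LOG Authorizing user "rouser" with groups "rogroup" on predicates "" for "Read", allowed:false`,
		`I0618 22:31:20.622734      16 access_ee.go:727] ACL-LOG Authorizing user "rouser" with groups "rogroup" on predicates ",expand" for "Read", allowed:false`,
		`I0618 22:43:16.186675      16 access_ee.go:727] ACL-LOG Authorizing user "rouser" with groups "rogroup" on predicates "name,v,val" for "Read", allowed:false`,
		`ACL-LOG Authorizing user "rouser" with groups "rogroup" on predicates "name,class" for "Read", allowed:false`,
	}
	for _, l := range lines {
		v, np, ug := Triage(l, schema, granted)
		fmt.Printf("%-16s non-predicates=%q ungranted=%q\n", v, np, ug)
	}
}
```

A `spurious-denial` verdict means every schema predicate in the line was readable by the user, so the `allowed:false` came from function or variable names being checked as predicates, which is the behaviour this issue reports.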
