[ https://issues.apache.org/jira/browse/COUCHDB-2990?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15262550#comment-15262550 ]

Jan Lehnardt commented on COUCHDB-2990:
---------------------------------------

After some debugging and IRC-ing with rnewson:

Disabling cassim ([cassim] enable = false) and deleting /_metadata before 
running this makes it all work as expected. E.g. core code is fine. When having 
cassim enabled, the doc for the _security object looks as expected. So 
something is off between cassim and how we validate admins.

While digging through this, I found that the code that enforces the _security 
settings for db admins uses the `security` field in the #db record. But I 
haven’t found any trace in the database opening code where the _security object 
is loaded from cassim.

The question then is:

1. Is the code enforcing _security wrong, and should it query cassim instead of 
looking into the #db record?
2. Or should the database opening code query cassim when opening the database?

cc [~chewbranca]

> admins not honored in _security
> -------------------------------
>
>                 Key: COUCHDB-2990
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2990
>             Project: CouchDB
>          Issue Type: Bug
>          Components: BigCouch
>            Reporter: Sebastian Rothbucher
>            Priority: Blocker
>              Labels: needs-pr
>
> Setting a user as admin (by name) and invoking a command (giving credentials 
> via Basic Auth) comes back saying the user is not a DB admin. 
> Certainly a minor thing for 2.1+, but one to keep in mind; steps to reproduce 
> (sorry for the C&P error earlier):
> {noformat}
> [root@localhost couchdb]# curl -X PUT 'http://localhost:15984/play'
> {"ok":true}
> [root@localhost couchdb]# curl -X PUT 'http://localhost:15984/_users/org.couchdb.user:jerry' -d '{"_id":"org.couchdb.user:jerry","name":"jerry","password":"mouse","type":"user","roles":[]}'
> {"ok":true,"id":"org.couchdb.user:jerry","rev":"1-f97ddcb58c67b47084168f5945217d10"}
> [root@localhost couchdb]# curl -X PUT 'http://localhost:15984/play/_security' -d '{"admins": {"names": ["jerry"]}}'
> {"ok":true,"id":"db/play/_security.1461053645","rev":"2-dfe4d0fbab9b154d2100a95cefa66a92"}
> [root@localhost couchdb]# curl -X PUT 'http://localhost:15984/play/test' -d '{}' -u jerry:mouseee
> {"error":"unauthorized","reason":"Name or password is incorrect."}
> [root@localhost couchdb]# curl -X PUT 'http://localhost:15984/play/test' -d '{}' -u jerry:mouse
> {"ok":true,"id":"test","rev":"1-967a00dff5e02add41819138abb3284d"}
> [root@localhost couchdb]# curl -X PUT 'http://localhost:15984/play/_design/test' -d '{}' -u jerry:mouse
> {"error":"forbidden","reason":"You are not a db or server admin."}
> {noformat}
