and when I add username/password of CB administrator by
curl -v http://Administrator:password@127.0.0.1:8093/query/service --data-urlencode 'statement=PREPARE queryCount FROM SELECT count(*) AS count FROM default; '
@matthew.groves As the blog shows, CB DP has a new RBAC feature, but how about when I want to create a PREPARE statement with user1, and execute this PREPARE with user2?
I add Query Select on default, or add Query System Catalog on default, even Query Manage Index on default, to the new user, and when I query with the new user by
curl -v http://queryuser:password@127.0.0.1:8093/query/service --data-urlencode 'statement=PREPARE queryCount FROM SELECT count(*) AS count FROM default; '
I got the following error
"results": [
],
"errors": [
{
"code": 10000,
"msg": "User does not belong to a specified role. Keyspace default"
}
],
"status": "stopped",
I don’t have a lot of information for you, because this is definitely a work in progress still. This is why I limited my blog post to the scope of FTS and didn’t go into any N1QL stuff.
I’m tagging @don and @geraldss who might have some more information for you.
My question for you is: how would you expect it to work? Since this is a work in progress, it’s your chance to provide feedback on what you think should work and what you think shouldn’t work.
Maybe we need new roles on the PREPARE statement and new roles on the PREPARED statement for the selected bucket, because this is different from Query Select. So,
a user with the PREPARE role on the selected bucket can create the PREPARE REST API,
and a user with the PREPARED role on the selected bucket can execute the PREPARE REST API.
And we can post credentials by request parameter, like
curl -v http://localhost:8093/query/service \
-d 'statement=SELECT t.text FROM tweets t
JOIN users u KEY t.uid LIMIT 1
&creds=[{"user": "local:tweets", "pass":"pAss1"}]'
First of all, thank you for trying out our developer builds and for your feedback!
So that we can understand the scenario well :
Can you describe what users you created in Couchbase? If you log in as a full administrator into the web console, you can now create users under the security tab.
What are the roles given to each of these users?
We have not yet completed the upgrade code, and developer builds typically require a fresh install. Did you do a fresh install of Couchbase, or upgrade a particular instance?
Would be good to get @marcog’s take on this. He and I have discussed this at a high level before, and arguably if the prepare always maps to the same plan for that node, then it should not matter when executed. Of course, any access permissions must be honored.
Yes, it looks like we are applying credentials at prepare time, while this should be postponed to execution.
And, as @atom_yang indicates, there probably is scope to have a prepare role.
Let me investigate a bit more…
I will investigate more thoroughly later today, but the way prepared statements are supposed to work is that you need the same permissions to prepare a statement and to execute a prepared statement as you would to run the underlying statement directly.
I have been doing a bit of code digging, and indeed, as @johan_larson says, in order to prepare, you need to have enough privileges to actually execute the request.
This said, I can’t get a select to prepare unless the user preparing it has admin privileges (I get 10000 as @atom_yang does).
Maybe @johan_larson can shed some light.
Do you mean that I need full admin privileges to create a PREPARE statement,
and I need the prepare role to execute this PREPARE?
If so, I think it will be OK.
The intended behaviour is that you need select privileges on the keyspace both on the prepare and the execute.
However right now it seems unless you have admin privileges, neither the prepare nor the select go through.
To create a PREPARE REST API, I need select privileges on the keyspace both on the prepare and the execute.
And to execute the PREPARE REST API, I need select privileges on the keyspace on the execute.
Am I right?
@johan_larson kindly points out that you need the data reader role on default as well as query select on default.
After you grant those to both users, it all works.
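
The resolution reached in this thread, as an added example that is not from any poster or from Couchbase: grant data reader and query select on default to two users, prepare as one, execute as the other, and check each response for the 10000 role error. The user names, passwords and the RBAC REST endpoint on port 8091 (as in Couchbase Server 5.0) are assumptions and may differ in the developer build discussed here.

```shell
#!/usr/bin/env bash
# Added example. Host, user names and passwords are assumed; adjust to your cluster.
HOST=127.0.0.1
ADMIN=Administrator:password   # full administrator, as in the thread's first curl call
BUCKET=default

# Roles the thread ends up requiring on the bucket for BOTH users.
roles_for() { printf 'data_reader[%s],query_select[%s]' "$1" "$1"; }

# Create or update a user with those roles.
# Assumed endpoint: the RBAC REST API of Couchbase Server 5.0.
grant_roles() {  # $1=user  $2=password
  curl -s -u "$ADMIN" -X PUT "http://$HOST:8091/settings/rbac/users/local/$1" \
    -d "password=$2" --data-urlencode "roles=$(roles_for "$BUCKET")"
}

# Run one N1QL statement with a given user's credentials.
n1ql_as() {  # $1=user:password  $2=statement
  curl -s -u "$1" "http://$HOST:8093/query/service" --data-urlencode "statement=$2"
}

# Succeeds when a query response carries the role error (code 10000) seen in the thread.
has_role_error() {
  printf '%s' "$1" | tr -d ' \n' | grep -q '"code":10000[,}]'
}

main() {
  grant_roles user1 password1
  grant_roles user2 password2
  # Prepared statements are held per query node, so both calls go to the same HOST.
  resp=$(n1ql_as user1:password1 'PREPARE queryCount FROM SELECT count(*) AS count FROM default')
  if has_role_error "$resp"; then echo "user1 cannot prepare: $resp" >&2; return 1; fi
  resp=$(n1ql_as user2:password2 'EXECUTE queryCount')
  if has_role_error "$resp"; then echo "user2 cannot execute: $resp" >&2; return 1; fi
  printf '%s\n' "$resp"
}

# Only touch the cluster when invoked as: ./script.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Dropping either role from either user and re-running shows which step is rejected, which is a quick way to confirm that the privilege check applies at both prepare and execute time.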