adrienverge opened a new issue #3356:
URL: https://github.com/apache/couchdb/issues/3356


Hello, I think this is a bug, although I'm not 100% sure. I haven't found any similar issues.

Problem: changes to user roles (to allow her to access a database) are not taken into account immediately, so this user gets a `HTTP 403 Forbidden` error when accessing the database. Waiting a few seconds solves the problem.

To reproduce (on the latest version, CouchDB 3.1.1):
1. As admin, create a user without roles:
   ```
   (admin) PUT /_users/org.couchdb.user:user
   ```
2. Perform any request as this user (this is important):
   ```
   (user) GET /
   ```
3. As admin, create a database and protect it with a role:
   ```
   (admin) PUT /base
   (admin) PUT /base/_security
           {"members": {"roles": ["allowed_to_access_base"]}}
   ```
4. As admin, update user to give the `allowed_to_access_base` role:
   ```
   (admin) GET /_users/org.couchdb.user:user
   (admin) PUT /_users/org.couchdb.user:user
           {…, "roles": ["allowed_to_access_base"], …}
   ```
5. As user, request the base (`HEAD`, `GET`...):
   ```
   (user) GET /base
   ```
   Result: sometimes response is a `HTTP 200`, sometimes it's a `HTTP 403`.
   Expected behavior: always get a `HTTP 200`.
   
I've [attached a Python script](https://github.com/apache/couchdb/files/5894838/bug_reproduction.py.txt) to reproduce automatically. On my computer, the bug happens:
- ~ 70 times out of 100 attempts, on a 1-node cluster
- ~ 30 times out of 100 attempts, on a 3-node cluster

The bug disappears:
- If we wait for a little while between steps 4 and 5.
- If step 2 is skipped.
- If the user is created (step 1) with `allowed_to_access_base` role already.
   
At first, I thought it was an inconsistency problem between nodes in a cluster. But the bug happens even when doing all HTTP calls on the same node, and also on a single-node cluster.

Do you know where it could come from?
I'd be happy to dig further if you have an idea.
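The five reproduction steps above, as an added stand-alone harness that is not the reporter's attached script and not CouchDB project code. It uses only the Python standard library and assumes a CouchDB node at `http://127.0.0.1:5984` with the placeholder admin credentials `admin`/`adminpass` and an existing `_users` database; each attempt uses a fresh user and database name so no cleanup is needed. The network calls are confined to `attempt()` and `main()`; the document builders and the tally are pure functions so they can be checked without a server.

```python
"""Repeat steps 1-5 from the report and tally how often step 5 returns 403.

Added example, not the reporter's script. Assumptions: local CouchDB at COUCH,
placeholder admin credentials, and an existing /_users database.
"""
import base64
import json
import sys
import urllib.error
import urllib.request

COUCH = "http://127.0.0.1:5984"   # assumption: single local node
ADMIN = ("admin", "adminpass")     # assumption: placeholder admin credentials
USER_PASSWORD = "userpass"         # assumption: placeholder password for test users
ROLE = "allowed_to_access_base"    # role name from the report


def basic_auth(creds):
    """Build a Basic Authorization header from a (name, password) pair."""
    token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
    return {"Authorization": "Basic " + token}


def request(method, path, creds, body=None):
    """Send one request; return (status, parsed JSON or None). HTTP errors are
    returned as a status code rather than raised, since 403 is the signal here."""
    headers = basic_auth(creds)
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(COUCH + path, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as exc:
        return exc.code, None


def user_doc(name, password, roles):
    """Step 1: the document shape CouchDB expects in /_users."""
    return {"_id": f"org.couchdb.user:{name}", "name": name, "password": password,
            "roles": list(roles), "type": "user"}


def security_doc(role):
    """Step 3: security object restricting members to holders of `role`."""
    return {"members": {"roles": [role]}}


def with_role(doc, role):
    """Step 4: copy of a fetched user doc (keeping _rev) with `role` added once."""
    updated = dict(doc)
    roles = list(doc.get("roles", []))
    if role not in roles:
        roles.append(role)
    updated["roles"] = roles
    return updated


def summarize(statuses):
    """Tally step-5 outcomes; the report expects every attempt to be 200."""
    ok = sum(1 for s in statuses if s == 200)
    forbidden = sum(1 for s in statuses if s == 403)
    return {"attempts": len(statuses), "ok": ok, "forbidden": forbidden,
            "other": len(statuses) - ok - forbidden}


def attempt(i):
    """One run of steps 1-5 with unique names; returns the status of GET /base{i}."""
    name, db = f"user{i}", f"base{i}"
    user = (name, USER_PASSWORD)
    request("PUT", f"/_users/org.couchdb.user:{name}", ADMIN,
            user_doc(name, USER_PASSWORD, []))                    # step 1
    request("GET", "/", user)                                     # step 2 (important)
    request("PUT", f"/{db}", ADMIN)                               # step 3
    request("PUT", f"/{db}/_security", ADMIN, security_doc(ROLE))
    status, doc = request("GET", f"/_users/org.couchdb.user:{name}", ADMIN)  # step 4
    if status != 200:
        return status
    request("PUT", f"/_users/org.couchdb.user:{name}", ADMIN, with_role(doc, ROLE))
    status, _ = request("GET", f"/{db}", user)                    # step 5
    return status


def main(n=100):
    statuses = [attempt(i) for i in range(n)]
    print(json.dumps(summarize(statuses)))


if __name__ == "__main__":
    main(int(sys.argv[1]) if len(sys.argv) > 1 else 100)
```

Run it as `python3 repro.py 100` against a test node; a non-zero `forbidden` count reproduces the report, and the same harness can be used to confirm a fix by checking that `forbidden` stays at zero.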
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
