You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@couchdb.apache.org by ja...@apache.org on 2020/01/04 12:59:00 UTC

[couchdb] branch feat/readonly-metrics-role created (now 6a4e7b0)

This is an automated email from the ASF dual-hosted git repository.

jan pushed a change to branch feat/readonly-metrics-role
in repository https://gitbox.apache.org/repos/asf/couchdb.git.


      at 6a4e7b0  feat: add read-only _metrics role for _stats and _system endpoints

This branch includes the following new commits:

     new 6a4e7b0  feat: add read-only _metrics role for _stats and _system endpoints

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.

[couchdb] 01/01: feat: add read-only _metrics role for _stats and _system endpoints

Posted by ja...@apache.org.

This is an automated email from the ASF dual-hosted git repository.

jan pushed a commit to branch feat/readonly-metrics-role
in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit 6a4e7b0bfd693ae8de379f21a23887f88459eec1
Author: Jan Lehnardt <ja...@apache.org>
AuthorDate: Sat Jan 4 13:58:15 2020 +0100

    feat: add read-only _metrics role for _stats and _system endpoints
    
    Closes #1567
---
 src/chttpd/src/chttpd_auth_request.erl   | 14 ++++++++++++++
 src/couch/include/couch_js_functions.hrl | 12 +++++++-----
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/src/chttpd/src/chttpd_auth_request.erl b/src/chttpd/src/chttpd_auth_request.erl
index 96dbf98..fa47f5b 100644
--- a/src/chttpd/src/chttpd_auth_request.erl
+++ b/src/chttpd/src/chttpd_auth_request.erl
@@ -99,6 +99,10 @@ server_authorization_check(#httpd{path_parts=[<<"_dbs_info">>]}=Req) ->
 server_authorization_check(#httpd{method=Method, path_parts=[<<"_utils">>|_]}=Req)
   when Method =:= 'HEAD' orelse Method =:= 'GET' ->
     Req;
+server_authorization_check(#httpd{path_parts=[<<"_node">>,_ , <<"_stats">>|_]}=Req) ->
+    require_metrics(Req);
+server_authorization_check(#httpd{path_parts=[<<"_node">>,_ , <<"_system">>|_]}=Req) ->
+    require_metrics(Req);
 server_authorization_check(#httpd{path_parts=[<<"_", _/binary>>|_]}=Req) ->
     require_admin(Req).
 
@@ -106,6 +110,16 @@ db_authorization_check(#httpd{path_parts=[DbName|_],user_ctx=Ctx}=Req) ->
     {_} = fabric:get_security(DbName, [{user_ctx, Ctx}]),
     Req.
 
+
+require_metrics(#httpd{user_ctx=#user_ctx{roles=UserRoles}}=Req) ->
+    IsAdmin = lists:member(<<"_admin">>, UserRoles),
+    IsMetrics = lists:member(<<"_metrics">>, UserRoles),
+    case {IsAdmin, IsMetrics} of
+        {true, _} -> Req;
+        {_, true} -> Req;
+        _ -> throw({unauthorized, <<"You are not a server admin or read-only metrics user">>})
+    end.
+
 require_admin(Req) ->
     ok = couch_httpd:verify_is_server_admin(Req),
     Req.
diff --git a/src/couch/include/couch_js_functions.hrl b/src/couch/include/couch_js_functions.hrl
index d969416..994382b 100644
--- a/src/couch/include/couch_js_functions.hrl
+++ b/src/couch/include/couch_js_functions.hrl
@@ -136,11 +136,13 @@
 
         // no system roles in users db
         for (var i = 0; i < newDoc.roles.length; i++) {
-            if (newDoc.roles[i][0] === '_') {
-                throw({
-                    forbidden:
-                    'No system roles (starting with underscore) in users db.'
-                });
+            if (newDoc.roles[i] !== '_metrics') {
+              if (newDoc.roles[i][0] === '_') {
+                  throw({
+                      forbidden:
+                      'No system roles (starting with underscore) in users db.'
+                  });
+              }
             }
         }