author | Jan Lehnardt <jan@apache.org> | 2020-01-06 12:43:35 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-01-06 12:43:35 +0100 |
commit | 3e574519474662ddbc475e79c9c7f2f8a8fb4e25 (patch) | |
tree | aebf91846215bb76b083efdc74d2c53a64ea4567 | |
parent | a59540132c14b3801234c8212718b3cf15f9bb44 (diff) | |
download | couchdb-3e574519474662ddbc475e79c9c7f2f8a8fb4e25.tar.gz |
feat: add read-only _metrics role for _stats and _system endpoints (#2392)
Closes #1567
-rw-r--r-- | src/chttpd/src/chttpd_auth_request.erl | 14 | ||||
-rw-r--r-- | src/couch/include/couch_js_functions.hrl | 12 |
2 files changed, 21 insertions, 5 deletions
diff --git a/src/chttpd/src/chttpd_auth_request.erl b/src/chttpd/src/chttpd_auth_request.erl index 96dbf980c..fa47f5bfa 100644 --- a/src/chttpd/src/chttpd_auth_request.erl +++ b/src/chttpd/src/chttpd_auth_request.erl @@ -99,6 +99,10 @@ server_authorization_check(#httpd{path_parts=[<<"_dbs_info">>]}=Req) -> server_authorization_check(#httpd{method=Method, path_parts=[<<"_utils">>|_]}=Req) when Method =:= 'HEAD' orelse Method =:= 'GET' -> Req; +server_authorization_check(#httpd{path_parts=[<<"_node">>,_ , <<"_stats">>|_]}=Req) -> + require_metrics(Req); +server_authorization_check(#httpd{path_parts=[<<"_node">>,_ , <<"_system">>|_]}=Req) -> + require_metrics(Req); server_authorization_check(#httpd{path_parts=[<<"_", _/binary>>|_]}=Req) -> require_admin(Req). @@ -106,6 +110,16 @@ db_authorization_check(#httpd{path_parts=[DbName|_],user_ctx=Ctx}=Req) -> {_} = fabric:get_security(DbName, [{user_ctx, Ctx}]), Req. + +require_metrics(#httpd{user_ctx=#user_ctx{roles=UserRoles}}=Req) -> + IsAdmin = lists:member(<<"_admin">>, UserRoles), + IsMetrics = lists:member(<<"_metrics">>, UserRoles), + case {IsAdmin, IsMetrics} of + {true, _} -> Req; + {_, true} -> Req; + _ -> throw({unauthorized, <<"You are not a server admin or read-only metrics user">>}) + end. + require_admin(Req) -> ok = couch_httpd:verify_is_server_admin(Req), Req. diff --git a/src/couch/include/couch_js_functions.hrl b/src/couch/include/couch_js_functions.hrl index d969416d6..994382b8b 100644 --- a/src/couch/include/couch_js_functions.hrl +++ b/src/couch/include/couch_js_functions.hrl @@ -136,11 +136,13 @@ // no system roles in users db for (var i = 0; i < newDoc.roles.length; i++) { - if (newDoc.roles[i][0] === '_') { - throw({ - forbidden: - 'No system roles (starting with underscore) in users db.' - }); + if (newDoc.roles[i] !== '_metrics') { + if (newDoc.roles[i][0] === '_') { + throw({ + forbidden: + 'No system roles (starting with underscore) in users db.' + }); + } } } |
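Review bot: The two new `_node/<name>/_stats` and `_node/<name>/_system` clauses match every HTTP method, so the read-only promise of the `_metrics` role rests entirely on the handlers behind these paths, which this diff does not show. The `_utils` clause directly above already pins the method. Adding `method=Method` to the record pattern and the guard `when Method =:= 'HEAD' orelse Method =:= 'GET'` would make any other verb fall through to the `require_admin/1` catch-all. Clause order is what grants the exemption, so a comment such as `%% must stay ahead of the generic <<"_", _/binary>> clause` would protect it from a later reordering.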
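Review bot: `require_metrics/1` re-implements the admin test with `lists:member(<<"_admin">>, UserRoles)`, while `require_admin/1` just below delegates to `couch_httpd:verify_is_server_admin/1`, so the two notions of "server admin" can drift apart if the helper ever changes. Testing only the new role and delegating the rest keeps one source of truth: `case lists:member(<<"_metrics">>, UserRoles) of true -> Req; false -> require_admin(Req) end`. The rejection message would then be whatever the helper produces rather than the text added here. The function also has no comment or `-spec`; a line such as `%% Allow server admins and holders of the _metrics role; anything else is rejected as unauthorized.` would state the contract.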
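Review bot: The context comment `// no system roles in users db` is no longer true once `_metrics` is exempted, and nothing in the new lines says why this one underscore role may be stored in a user document. I would reword it to `// no system roles in users db, except the read-only _metrics role` and flatten the nested test to `if (newDoc.roles[i] !== '_metrics' && newDoc.roles[i][0] === '_') {`. The enclosing validation function starts and ends outside the hunk, so whether a non-admin can add `_metrics` to their own document depends on role-editing checks that are not visible here. That dependency is worth confirming and mentioning in the comment, because this role now gates the `_stats` and `_system` endpoints.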