basho / riak_cs

Riak CS is simple, available cloud storage built on Riak.
http://docs.basho.com/riakcs/latest/
Apache License 2.0

Even non-admin user can disable other user [JIRA: RCS-336] #639

Open bluesalt opened 11 years ago

bluesalt commented 11 years ago

I have created two users: admin, which is the administrator account, and jeff, which is a non-admin account.

s3curl --id admin -- -H "Accept: application/json"  http://localhost:8080/riak-cs/users # return user list
s3curl --id jeff -- -H "Accept: application/json"  http://localhost:8080/riak-cs/users # 403 access denied

Yes, that is the result I expected. But consider the following commands (SRUCMM8RH9MFUNZKLTZ4 is another non-admin user's key ID):

s3curl --id admin -- -X PUT -H "Content-Type: application/json"  -H "Accept: application/json" -d '{"status" : "enabled"}' http://localhost:8080/riak-cs/user/SRUCMM8RH9MFUNZKLTZ4 # 200 returned
s3curl --id jeff -- -X PUT -H "Content-Type: application/json"  -H "Accept: application/json" -d '{"status" : "disabled"}' http://localhost:8080/riak-cs/user/SRUCMM8RH9MFUNZKLTZ4 # 200 returned

Both return a 200 status code. Why can a non-admin user disable/enable another account?

kellymclaughlin commented 11 years ago

Sounds like a bug to me. We'll investigate and let you know more.

kellymclaughlin commented 11 years ago

I tested this out and I am not able to reproduce any unexpected behavior here. Is it the case that SRUCMM8RH9MFUNZKLTZ4 is the key_id for the jeff user? User accounts are allowed to disable their own accounts and admin users may disable any account, but other normal users cannot disable other user accounts.

kuenishi commented 11 years ago

Sorry, I deleted my wrong comment. Silly me :'(

bluesalt commented 11 years ago

I am sure that SRUCMM8RH9MFUNZKLTZ4 is not the key_id for jeff. Anyway, I will investigate more and let you know. I doubt it is caused by s3curl.

reiddraper commented 11 years ago

I have also not been able to reproduce this issue. That being said I've been testing the release/1.4 branch, not 1.3.1.

bluesalt commented 11 years ago

I guess I found the reason. It is because I allow creating users anonymously: I have set {anonymous_user_creation, true} in /etc/riak-cs/app.conf. Maybe this is not a bug. But I have found another strange behavior when creating users anonymously is allowed: a non-admin user can PUT other users but fails to GET other users.

s3curl.pl --id jeff -- -X PUT -H "Content-Type: application/json"  -H "Accept: application/json" -d '{"status" : "enabled"}' http://localhost:8080/riak-cs/user/8UDZCKH2WX4H4AWNYK-1   # 200 returned
s3curl.pl --id jeff -- -X GET -H  "Accept: application/json" http://localhost:8080/riak-cs/user/8UDZCKH2WX4H4AWNYK-1   # 403 returned

Maybe this is not a bug, since creating users anonymously is usually not allowed in practice. But this is kind of confusing. BTW, I installed riak-cs on Ubuntu 12.04 from the deb http://apt.basho.com precise main repo, and the version is 1.3.1-1.

kellymclaughlin commented 11 years ago

Hmm, it could still be a bug. anonymous_user_creation should just be for creation. I bet there are some corner cases there so we can leave this open until we do a little more investigation. Thanks for taking the time to dig in more on it!
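To make the suspected corner case concrete, here is an added model of the user-resource authorization decision, written for this page and not taken from riak_cs. It encodes the policy the maintainers describe (an admin may act on any user, a user may act on itself, nobody else may) next to a hypothetical variant in which enabling anonymous_user_creation also waives the check for PUT on an existing user, which would produce exactly what the reporter saw: PUT on another user returns 200 while GET on the same user still returns 403. The principals, the `allowed_*` function names and the key IDs other than the one quoted in the thread are all assumptions made for the example.

```python
"""Hypothetical model of the riak-cs /riak-cs/user authorization check.

Not riak_cs code: it only illustrates the difference between a policy in
which anonymous_user_creation applies to creation alone and one in which
the same switch also waives the check for PUT (update) requests.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class User:
    key_id: str
    is_admin: bool = False


# Constructed principals mirroring the thread. Only SRUCMM8RH9MFUNZKLTZ4 is
# taken from the issue; the other key IDs are invented for this example.
ADMIN = User("ADMINKEYID0000000000", is_admin=True)
JEFF = User("JEFFKEYID00000000000")
OTHER = User("SRUCMM8RH9MFUNZKLTZ4")
ANONYMOUS: Optional[User] = None

Policy = Callable[[str, Optional[str], Optional[User], bool], bool]


def allowed_intended(method: str, target: Optional[str],
                     caller: Optional[User], anonymous_user_creation: bool) -> bool:
    """Policy as described by the maintainers: the anonymous-creation switch
    only permits unauthenticated POST to the collection (user creation)."""
    if target is None:  # /riak-cs/users: list (GET) or create (POST)
        if method == "POST":
            return caller is not None or anonymous_user_creation
        return caller is not None and caller.is_admin
    if caller is None:  # /riak-cs/user/<key_id> always needs a caller
        return False
    return caller.is_admin or caller.key_id == target


def allowed_buggy(method: str, target: Optional[str],
                  caller: Optional[User], anonymous_user_creation: bool) -> bool:
    """Hypothetical variant: the switch waives authorization for any
    PUT/POST, so it also covers updates of other users' accounts."""
    if anonymous_user_creation and method in ("POST", "PUT"):
        return True
    return allowed_intended(method, target, caller, anonymous_user_creation)


# (scenario name, method, target key_id or None, caller)
SCENARIOS = [
    ("admin lists users", "GET", None, ADMIN),
    ("jeff lists users", "GET", None, JEFF),
    ("admin enables other", "PUT", OTHER.key_id, ADMIN),
    ("jeff disables other", "PUT", OTHER.key_id, JEFF),
    ("jeff reads other", "GET", OTHER.key_id, JEFF),
    ("jeff disables self", "PUT", JEFF.key_id, JEFF),
    ("anonymous creates user", "POST", None, ANONYMOUS),
    ("anonymous disables other", "PUT", OTHER.key_id, ANONYMOUS),
]


def reproduce(policy: Policy, anonymous_user_creation: bool) -> Dict[str, int]:
    """Map each scenario to the HTTP status the policy would yield."""
    return {
        name: 200 if policy(method, target, caller, anonymous_user_creation) else 403
        for name, method, target, caller in SCENARIOS
    }


def differing_scenarios(anonymous_user_creation: bool) -> set:
    """Scenarios where the intended and buggy policies disagree."""
    intended = reproduce(allowed_intended, anonymous_user_creation)
    buggy = reproduce(allowed_buggy, anonymous_user_creation)
    return {name for name in intended if intended[name] != buggy[name]}


if __name__ == "__main__":
    for flag in (False, True):
        print(f"anonymous_user_creation = {flag}")
        for name, code in reproduce(allowed_buggy, flag).items():
            print(f"  {name:26s} -> {code}")
        print(f"  differs from intended policy: {sorted(differing_scenarios(flag))}")
```

With the switch off, both policies agree with what the maintainers could (not) reproduce; with it on, only the two PUT-on-another-user cases differ, which is the shape of bug that is easy to miss when a configuration flag meant for one endpoint is evaluated per HTTP method rather than per resource.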

shino commented 10 years ago

There is another question from a user. Just a quick look at the code, but the lines around https://github.com/basho/riak_cs/blob/3576c2c0683e3267718e1f5a395ef40c564880dd/src/riak_cs_wm_user.erl#L69 seem odd.

shino commented 8 years ago

Label "bug" is added, but it's better to confirm reproducibility at the latest version.

Not directly related to this issue, but separating the admin listener and the S3 service listener is generally a good idea.