Open bluesalt opened 11 years ago
Sounds like a bug to me. We'll investigate and let you know more.
I tested this out and I am not able to reproduce any unexpected behavior here. Is it the case that SRUCMM8RH9MFUNZKLTZ4 is the key_id for the jeff user? User accounts are allowed to disable their own accounts and admin users may disable any account, but other normal users cannot disable other user accounts.
Sorry, I deleted my wrong comment. Silly me :'(
I am sure that SRUCMM8RH9MFUNZKLTZ4 is not the key_id for jeff. Anyway, I will investigate more and let you know. I doubt it is caused by the s3curl.
I have also not been able to reproduce this issue. That being said, I've been testing the release/1.4 branch, not 1.3.1.
I guess I found the reason. That is because I allow creating users anonymously. I have set {anonymous_user_creation, true}, in /etc/riak-cs/app.conf. Maybe this is not a bug. But I have found another strange behavior when creating users anonymously is allowed: a non-admin user can PUT other users but fails to GET other users.

```
s3curl.pl --id jeff -- -X PUT -H "Content-Type: application/json" -H "Accept: application/json" -d '{"status" : "enabled"}' http://localhost:8080/riak-cs/user/8UDZCKH2WX4H4AWNYK-1 # 200 returned
s3curl.pl --id jeff -- -X GET -H "Accept: application/json" http://localhost:8080/riak-cs/user/8UDZCKH2WX4H4AWNYK-1 # 403 returned
```

Maybe this is not a bug since creating users anonymously is usually not allowed in practice. But this is kind of confusing. BTW, I installed riak-cs on Ubuntu 12.04 from the deb http://apt.basho.com precise main repo. And the version is 1.3.1-1.
Hmm, it could still be a bug. anonymous_user_creation should just be for creation. I bet there are some corner cases there so we can leave this open until we do a little more investigation. Thanks for taking the time to dig in more on it!
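An added example, not code from this issue or from Riak CS: a small Python model of the policy the comment above expects (anonymous_user_creation opens only user creation, never reads or updates of existing users), with a regression check for the reported GET/PUT mismatch. The key_ids and the admin/jeff/other names are constructed stand-ins for the accounts in the report.

```python
# Added example, not Riak CS code: a model of the access policy the thread
# expects for the user admin resource, used as a regression check. Key_ids
# below are constructed; JEFF_KEY_ID stands in for the non-admin user "jeff"
# and OTHER_KEY_ID for the second non-admin user (SRUCMM8RH9MFUNZKLTZ4).
from itertools import product
from typing import Optional

ADMIN_KEY_ID = "ADMINKEYID0000000000"   # constructed admin key_id
JEFF_KEY_ID = "JEFFKEYID00000000000"    # constructed non-admin key_id
OTHER_KEY_ID = "OTHERKEYID0000000000"   # constructed second non-admin key_id


def user_resource_status(method: str, caller: Optional[str], target: Optional[str],
                         anonymous_user_creation: bool) -> int:
    """Return the HTTP status the user resource should answer with.

    caller: key_id that signed the request, or None if the request is unsigned.
    target: key_id in the URL for GET/PUT on an existing user, or None when the
            request creates a new user (the only case the flag should influence).
    method: carried so the check below can compare GET and PUT on one target;
            the decision itself does not depend on it.
    """
    if target is None:
        # Creating a user: allowed for the admin, or for anyone when the flag is on.
        return 200 if (caller == ADMIN_KEY_ID or anonymous_user_creation) else 403
    if caller is None:
        return 403                      # unsigned requests never touch existing users
    if caller == ADMIN_KEY_ID or caller == target:
        return 200                      # admin may manage anyone; users manage themselves
    return 403                          # a non-admin user may neither GET nor PUT others


def flag_only_affects_creation() -> bool:
    """Regression check for the behaviour reported in the thread: with the flag
    on or off, a non-admin user must get 403 for both GET and PUT on another
    user's record, so enabling/disabling someone else is never possible."""
    for flag, method in product((False, True), ("GET", "PUT")):
        if user_resource_status(method, JEFF_KEY_ID, OTHER_KEY_ID, flag) != 403:
            return False
    return True


if __name__ == "__main__":
    print("anonymous_user_creation only affects creation:", flag_only_affects_creation())
```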
There is another question from a user. Just a quick look at the code, but the lines around https://github.com/basho/riak_cs/blob/3576c2c0683e3267718e1f5a395ef40c564880dd/src/riak_cs_wm_user.erl#L69 seem odd.
Label "bug" is added, but it's better to confirm reproducibility at the latest version.
Not directly related to this issue, but separating the admin listener and the S3 service listener is a good idea, generally.
I have created two users, admin, which is the administrator account, and jeff, which is a non-admin account. Yes, that is the result I have expected. But the following commands:

SRUCMM8RH9MFUNZKLTZ4 is another non-admin user's key id. Both have 200 status code returned. Why can a non-admin user disable/enable another account?