bitnine-oss / agensgraph

AgensGraph, a transactional graph database based on PostgreSQL
http://www.agensgraph.org

Readonly user deletes the records #624

Open ns-berumalu opened 10 months ago

ns-berumalu commented 10 months ago

Hi Team, we have a readonly user "xy_read_only" with a granted readonly role which has all SELECT permissions on objects. But this user is still able to delete records. Could you please check if there are any mistakes in the grants.

agensgraph version : agens (AgensGraph) 2.12

Below are privileges given.

CREATE ROLE readonly;
ALTER ROLE readonly LOGIN;
GRANT readonly TO "xy_read_only";

GRANT USAGE ON SCHEMA xyz TO readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA xyz TO readonly;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA xyz TO readonly;

Assign permissions to read all new tables created in the future:

ALTER DEFAULT PRIVILEGES IN SCHEMA xyz GRANT SELECT ON SEQUENCES TO group readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA xyz GRANT SELECT ON TABLES TO group readonly;
ALTER DEFAULT PRIVILEGES for user abc GRANT SELECT ON TABLES TO group readonly;

Connected to the db with the xy_read_only user:

prod=> set graph_path=xyz;
SET
prod=> MATCH (n{'property':'132'}) WHERE NOT EXISTS ((n)-[*1]-()) return n limit 1;
 n
application[222]{"property": "132", "ID": "xx"}
(1 row)

prod=> MATCH (n{'property':'132'}) WHERE NOT EXISTS ((n)-[1]-()) delete n;
UPDATE 15
prod=> MATCH (n{'property':'132'}) WHERE NOT EXISTS ((n)-[1]-()) return n limit 1;
 n
(0 rows)

As you can see, a read-only user is able to delete. Could you please check ASAP as it is a prod environment.
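A check a DBA can run (as a superuser or the schema owner) to see what the grants above actually give the login role on the graph's label tables, and whether anything other than the ACLs could let it delete. This is an added example, not code from the original report or from AgensGraph; it assumes the graph xyz selected by graph_path is stored in the schema xyz and that its labels are ordinary tables there, and it relies only on standard PostgreSQL catalog functions.

```sql
-- Added check, not part of the original issue. Run as a superuser or schema owner.
-- Assumption: graph xyz lives in schema xyz and its labels are tables in it.

-- 1. Role attributes that bypass GRANT checks entirely (superuser, RLS bypass)
--    and whether the login inherits the privileges of roles it is a member of.
SELECT rolname, rolsuper, rolbypassrls, rolinherit
FROM   pg_roles
WHERE  rolname IN ('xy_read_only', 'readonly');

-- 2. Every role xy_read_only is a member of. Ownership or DELETE held by any
--    of these is effective for the login when rolinherit is true.
SELECT r.rolname AS member_of
FROM   pg_auth_members m
JOIN   pg_roles r ON r.oid = m.roleid
JOIN   pg_roles u ON u.oid = m.member
WHERE  u.rolname = 'xy_read_only';

-- 3. Per label table: owner and the effective privileges of the login role
--    (has_table_privilege accounts for inherited role membership and PUBLIC).
SELECT c.relname                                            AS label_table,
       pg_get_userbyid(c.relowner)                          AS owner,
       has_table_privilege('xy_read_only', c.oid, 'SELECT') AS can_select,
       has_table_privilege('xy_read_only', c.oid, 'UPDATE') AS can_update,
       has_table_privilege('xy_read_only', c.oid, 'DELETE') AS can_delete
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'xyz'
  AND  c.relkind IN ('r', 'p')
ORDER  BY c.relname;

-- 4. Explicit ACL entries on those tables that grant more than SELECT.
--    aclexplode reads pg_class.relacl directly, so unlike information_schema
--    views it is not filtered by the roles enabled in the current session.
SELECT c.relname AS label_table,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee) END AS grantee,
       a.privilege_type
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN LATERAL aclexplode(c.relacl) a
WHERE  n.nspname = 'xyz'
  AND  c.relkind IN ('r', 'p')
  AND  a.privilege_type <> 'SELECT'
ORDER  BY c.relname, grantee, a.privilege_type;
```

If can_delete is false for every label table and the login is neither a superuser nor (directly or by inheritance) an owner, the delete in the report is not explained by the ACLs and the permission check in the graph DML path itself needs to be examined.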

ns-berumalu commented 10 months ago

Hi Team, any update on this issue?

yjy44 commented 10 months ago

Sorry, too late. Maybe some auth logic is mismatching. So we'll find why readonly isn't applied.

And I have a question: is there some reason why you use 2.12 instead of 2.13?

ns-berumalu commented 10 months ago

Hi @yjy44, we have not yet migrated to 2.13. Could you please prioritise this ticket?

seo-kw commented 10 months ago

Thanks for the report. Currently, we are resolving this issue.

ns-berumalu commented 10 months ago

Hi @seo-kw, when can we expect a solution for this bug?

seo-kw commented 10 months ago

> Hi @seo-kw, when can we expect a solution for this bug?

Ohh.. Currently, I'm doing it personally, so I'm not sure about the date.

Also, the only thing I can do currently is just a PR, because I don't have any permission to push or anything.

Maybe it needs to be merged by those who have permission.

Sorry about the bad news...!

ns-berumalu commented 10 months ago

Hi @seo-kw, any update on this? Did you test this scenario?

ns-berumalu commented 9 months ago

Hi @seo-kw, any update on this issue?

ns-berumalu commented 8 months ago

Hi @seo-kw, did you get a chance to look at this?

ns-berumalu commented 6 months ago

Hi @seo-kw, any update on this?

ns-berumalu commented 2 months ago

Hi @seo-kw, any update on this?