Customers can delete `guardians` group and lose access

joaquin · August 21, 2020, 8:15pm

Report a Dgraph Bug

Customers can delete guardians group and lose ability to create groups/users after logging out. There’s no discernable way to gain administrative access back, even for the groot account.

What version of Dgraph are you using?

v20.03.4

Have you tried reproducing the issue with the latest release?

Yes. v20.07.0

What is the hardware spec (RAM, OS)?

Ubuntu as from Docker Image: ubuntu:latest

Steps to reproduce the issue (command/config used to run Dgraph).

DGRAPH_VERSION=v20.03.4 docker-compose up -d (see below)
login: groot , create alice , Add alice to guardians group , Log out
login alice , delete guardians group , Log out
login: groot, create guardians group

version: "3.5"
services:
  zero1:
    image: dgraph/dgraph:$DGRAPH_VERSION
    container_name: zero1
    working_dir: /data/zero1
    ports:
      - 5080:5080
      - 6080:6080
    command: dgraph zero --my=zero1:5080 --replicas 1 --idx 1

  alpha1:
    image: dgraph/dgraph:$DGRAPH_VERSION
    container_name: alpha1
    working_dir: /data/alpha1
    volumes:
      - type: bind
        # acl/hmac-secret: 1234567890123456789012345678901
        source: ./acl/hmac-secret
        target: /dgraph-acl/hmac-secret
        read_only: true
    ports:
      - 8080:8080
      - 9080:9080
    command: dgraph alpha --my=alpha1:7080 --lru_mb=1024 --zero=zero1:5080 --acl_secret_file /dgraph-acl/hmac-secret --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.20.0.0/12

  ratel:
    image: dgraph/dgraph:$DGRAPH_VERSION
    ports:
      - 8000:8000
    command: dgraph-ratel
    container_name: ratel

For another version:

docker-compose stop && docker-compose rm
DGRAPH_VERSION=v20.07.0 docker-compose up -d

Expected behavior and actual result.

The Expected Behavior is that (1) there will always be an administrative account that always has such privileges, superuser account, and that (2) with a super user account, an administrative group, e.g. guardians, can be created after logout, so that other users can get privileges, and (3) related to this, superuser account can never be deleted (only renamed).

The Actual Results is that users no longer have an account that can create users or groups. They will get this message:

Could not create group: t: mutation addGroup failed because Dgraph execution failed because rpc error: code = PermissionDenied desc = unauthorized to mutate following predicates: dgraph.xid dgraph.type

Notes

If the customer did not log out, they can re-create guardians. After logging out, they cannot recreate guardians.

joaquin · August 25, 2020, 1:21am

@LGalatin I had a discussion with @dmai regarding this: similar to the password reset process, the Guardians account could be restored. So this could be resolved in documentation, which I could add. It would be interesting to get feedback/input from engineering, considering the customer perspective.

The groot account could be deleted, and there’s no notion of a superuser account, or user privileges. These are only set in groups, which is awkward. But that’s a deeper question, different scope.

rajas · October 22, 2020, 4:56pm

Fixed in Fix(ACL) : Disallow deleting of groot user and guardians group by vmrajas · Pull Request #6580 · dgraph-io/dgraph · GitHub

Topic		Replies	Views
ACL bug - The groot user is gone Dgraph dgraph , status:accepted , kind:bug , area:commercial:acl	1	797	September 5, 2020
Authentication issue with groot after dgraph live import Dgraph	0	579	January 25, 2022
Guardians of the Galaxy only has permission Dgraph Cloud	3	604	October 22, 2021
Dgraph ACL error with username "groot" Dgraph kind:bug	5	2294	August 5, 2020
Deleted node appears after alpha restart Dgraph kind:bug	0	525	November 21, 2021