Customers can delete `guardians` group and lose access


Report a Dgraph Bug

Customers can delete guardians group and lose ability to create groups/users after logging out. There’s no discernable way to gain administrative access back, even for the groot account.

What version of Dgraph are you using?

v20.03.4

Have you tried reproducing the issue with the latest release?

Yes. v20.07.0

What is the hardware spec (RAM, OS)?

  • Ubuntu as from Docker Image: ubuntu:latest

Steps to reproduce the issue (command/config used to run Dgraph).

  1. DGRAPH_VERSION=v20.03.4 docker-compose up -d (see below)
  2. login: groot, create alice, add alice to guardians group, log out
  3. login: alice, delete guardians group, log out
  4. login: groot, create guardians group

```yaml
version: "3.5"
services:
  zero1:
    image: dgraph/dgraph:$DGRAPH_VERSION
    container_name: zero1
    working_dir: /data/zero1
    ports:
      - 5080:5080
      - 6080:6080
    command: dgraph zero --my=zero1:5080 --replicas 1 --idx 1

  alpha1:
    image: dgraph/dgraph:$DGRAPH_VERSION
    container_name: alpha1
    working_dir: /data/alpha1
    volumes:
      - type: bind
        # acl/hmac-secret: 1234567890123456789012345678901
        source: ./acl/hmac-secret
        target: /dgraph-acl/hmac-secret
        read_only: true
    ports:
      - 8080:8080
      - 9080:9080
    command: dgraph alpha --my=alpha1:7080 --lru_mb=1024 --zero=zero1:5080 --acl_secret_file /dgraph-acl/hmac-secret --whitelist 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.20.0.0/12

  ratel:
    image: dgraph/dgraph:$DGRAPH_VERSION
    ports:
      - 8000:8000
    command: dgraph-ratel
    container_name: ratel
```

For another version:

```sh
docker-compose stop && docker-compose rm
DGRAPH_VERSION=v20.07.0 docker-compose up -d
```

Expected behavior and actual result.

The Expected Behavior is that (1) there will always be an administrative account that always has such privileges, superuser account, and that (2) with a super user account, an administrative group, e.g. guardians, can be created after logout, so that other users can get privileges, and (3) related to this, superuser account can never be deleted (only renamed).

The Actual Result is that users no longer have an account that can create users or groups. They will get this message:

Could not create group: t: mutation addGroup failed because Dgraph execution failed because rpc error: code = PermissionDenied desc = unauthorized to mutate following predicates: dgraph.xid dgraph.type

Notes

If the customer did not log out, they can re-create guardians. After logging out, they cannot recreate guardians.

@LGalatin I had a discussion with @dmai regarding this: similar to the password reset process, the Guardians account could be restored. So this could be resolved in documentation, which I could add. It would be interesting to get feedback/input from engineering, considering the customer perspective.

The groot account could be deleted, and there’s no notion of a superuser account, or user privileges. These are only set in groups, which is awkward. But that’s a deeper question, different scope.

Fixed in Pull Request #6580 (dgraph-io/dgraph), "Fix(ACL) : Disallow deleting of groot user and guardians group" by vmrajas.
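
A toy model of the lockout described in this thread, added here as an illustration; it is not code from Dgraph or from the linked pull request. It assumes administrative rights come only from guardians membership and are fixed at login, which matches the report's note about logging out; `ACL`, `Session`, `SetGuardians` and `Reproduce` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
)

// Toy model (assumption, not Dgraph code): admin rights come only from
// guardians membership, evaluated at login and kept for the whole session.
type ACL struct {
	guardians map[string]bool // nil once the group has been deleted
	protect   bool            // refuse to delete the guardians group
}

type Session struct{ guardian bool }
var ErrDenied = errors.New("PermissionDenied")
var ErrProtected = errors.New("guardians group cannot be deleted")

func (a *ACL) Login(user string) Session { return Session{a.guardians[user]} }

// SetGuardians replaces the group (nil deletes it); guardians-only operation.
func (a *ACL) SetGuardians(s Session, members map[string]bool) error {
	switch {
	case !s.guardian:
		return ErrDenied
	case members == nil && a.protect:
		return ErrProtected
	}
	a.guardians = members
	return nil
}

// Reproduce replays the report: alice deletes guardians, groot recreates it.
func Reproduce(protect, relogin bool) (del, recreate error) {
	a := &ACL{guardians: map[string]bool{"groot": true}, protect: protect}
	groot := a.Login("groot")
	a.SetGuardians(groot, map[string]bool{"groot": true, "alice": true})
	del = a.SetGuardians(a.Login("alice"), nil)
	if relogin {
		groot = a.Login("groot")
	}
	return del, a.SetGuardians(groot, map[string]bool{"groot": true})
}

func main() {
	fmt.Println(Reproduce(false, true))  // unguarded: delete succeeds, groot is locked out
	fmt.Println(Reproduce(false, false)) // same session: groot can still recreate the group
	fmt.Println(Reproduce(true, true))   // guarded: delete is refused, nothing is lost
}
```

The first case is the reported lockout, the second is the "did not log out" note, and the third is the expected behavior once deletion of the group is disallowed.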