diff --git a/modules/ROOT/content-nav.adoc b/modules/ROOT/content-nav.adoc index dc2854a3..78b62e58 100644 --- a/modules/ROOT/content-nav.adoc +++ b/modules/ROOT/content-nav.adoc @@ -160,6 +160,8 @@ **** xref:errors/gql-errors/22NBD.adoc[] **** xref:errors/gql-errors/22NBE.adoc[] **** xref:errors/gql-errors/22NBF.adoc[] +**** xref:errors/gql-errors/22ND1.adoc[] +**** xref:errors/gql-errors/22ND2.adoc[] *** xref:errors/gql-errors/index.adoc#invalid-transaction-state[Invalid transaction state] **** xref:errors/gql-errors/25G02.adoc[] **** xref:errors/gql-errors/25N01.adoc[] diff --git a/modules/ROOT/pages/errors/gql-errors/22ND1.adoc b/modules/ROOT/pages/errors/gql-errors/22ND1.adoc new file mode 100644 index 00000000..f1f00fd7 --- /dev/null +++ b/modules/ROOT/pages/errors/gql-errors/22ND1.adoc @@ -0,0 +1,60 @@ += 22ND1 + +== Status description +error: data exception - operation not allowed for roles that are granted to an `AUTH RULE`. Invalid input: `'{ <> }'` is not allowed for roles that are granted to an `AUTH RULE`. + +== Explanation + +If an auth rule fails to evaluate, for example, because it depends on a claim that the user's auth token does not contain, Neo4j will default to not assigning that role to the user. + +When a role contains denied privileges, not assigning the role actually removes the denies, which means the user ends up with more privileges than they should. +To avoid this, roles cannot have both `DENY` privileges and be granted to an auth rule. + +This exception is thrown when attempting to `DENY` a privilege from a role that is already used by an auth rule. + +[[example-scenario-22nd1]] +== Example scenario + +Given that a role is used by an auth rule: +[source, cypher] +---- +CYPHER 25 GRANT ROLE role TO AUTH RULE authrule +---- + +When attempting to deny privileges from the role: +[source, cypher] +---- +DENY MATCH {*} ON GRAPH secret-db NODES * TO otherrole, role +---- + +The following error will be thrown: +[source] +---- +error: data exception - operation not allowed for roles that are granted to an AUTH RULE. Invalid input: 'DENY MATCH {*} ON GRAPH secret-db NODES * TO role' is not allowed for roles that are granted to an AUTH RULE. +---- + +[NOTE] +==== +The error message contains a subset of the original query that caused the issue. +Since `otherrole` is not granted to an auth rule, it is not included. +==== + +== Possible solutions + +Consider if it is possible to implement the security model without using denied privileges. + +For example, you can replace the generic grant from the <> with the following more fine-grained alternative: +[source, cypher] +---- +GRANT MATCH {*} ON GRAPH public-db, documentation-db NODES * TO role, otherrole +---- + + +If a `DENY` is required, it must be set to a role that is directly assigned to users without using auth rules, to guarantee that it will always be applied. + +ifndef::backend-pdf[] +[discrete.glossary] +== Glossary + +include::partial$glossary.adoc[] +endif::[] diff --git a/modules/ROOT/pages/errors/gql-errors/22ND2.adoc b/modules/ROOT/pages/errors/gql-errors/22ND2.adoc new file mode 100644 index 00000000..7a51cf43 --- /dev/null +++ b/modules/ROOT/pages/errors/gql-errors/22ND2.adoc @@ -0,0 +1,60 @@ += 22ND2 + +== Status description +error: data exception - operation not allowed for roles with `DENY` privileges. Invalid input: `'{ <> }'` is not allowed for roles with `DENY` privileges. + +== Explanation + +If an auth rule fails to evaluate, for example, because it depends on a claim that the user's auth token does not contain, Neo4j will default to not assigning that role to the user. + + +When a role contains denied privileges, not assigning the role actually removes the denies, which means the user ends up with more privileges than they should. +To avoid this, roles cannot have both `DENY` privileges and be granted to an auth rule. + +This exception is thrown when attempting to grant a role to an auth rule when the role has denied privileges. + +[[example-scenario-22nd2]] +== Example scenario + +Given that a role has denied privileges: +[source, cypher] +---- +DENY MATCH {*} ON GRAPH secret-db NODES * TO role +---- + +When attempting to assign the role to an auth rule: +[source, cypher] +---- +CYPHER 25 GRANT ROLE otherrole, role TO AUTH RULE authrule +---- + +The following error will be thrown: +[source] +---- +error: data exception - operation not allowed for roles with DENY privileges. Invalid input: 'CYPHER 25 GRANT ROLE role TO AUTH RULE authrule' is not allowed for roles with `DENY` privileges. +---- + +[NOTE] +==== +The error message contains a subset of the original query that caused the issue. +Since `otherrole` does not have denied privileges, it is not included. +==== + +== Possible solutions + +Consider whether it is possible to implement the security model without using denied privileges, for example, by revoking granted privileges or reducing the scope of the grant statements. + +For example, you can replace the generic grant from the <> with the following more fine-grained alternative: +[source, cypher] +---- +GRANT MATCH {*} ON GRAPH public-db, documentation-db NODES * TO role, otherrole +---- + +If a `DENY` is required, it must be set to a role that is directly assigned to users without using auth rules, to guarantee that it will always be applied. + +ifndef::backend-pdf[] +[discrete.glossary] +== Glossary + +include::partial$glossary.adoc[] +endif::[] diff --git a/modules/ROOT/pages/errors/gql-errors/index.adoc b/modules/ROOT/pages/errors/gql-errors/index.adoc index 6b82c856..827bced7 100644 --- a/modules/ROOT/pages/errors/gql-errors/index.adoc +++ b/modules/ROOT/pages/errors/gql-errors/index.adoc @@ -644,6 +644,14 @@ Status description:: error: data exception - invalid vector dimensions. Invalid Status description:: error: data exception - property value too big. Property value of type `{ <> }` is too big (more than `{ <> }` bytes): `{ <> }` +=== xref:errors/gql-errors/22ND1.adoc[22ND1] + +Status description:: error: data exception - operation not allowed for roles that are granted to an `AUTH RULE`. Invalid input: `'{ <> }'` is not allowed for roles that are granted to an `AUTH RULE`. + +=== xref:errors/gql-errors/22ND2.adoc[22ND2] + +Status description:: error: data exception - operation not allowed for roles with `DENY` privileges. Invalid input: `'{ <> }'` is not allowed for roles with `DENY` privileges. + [[invalid-transaction-state]] == Invalid transaction state @@ -1059,7 +1067,7 @@ Status description:: error: syntax error or access rule violation - missing LOOK === xref:errors/gql-errors/42I62.adoc[42I62] -Status description:: error: syntax error or access rule violation - unsupported distance metric. Unknown distance metric: `{ <> }`. +Status description:: error: syntax error or access rule violation - unsupported distance metric. Unknown distance metric: `{ <> }`. === xref:errors/gql-errors/42I63.adoc[42I63]