Add 22ND1 and 22ND2 #412
Open: l-heemann wants to merge 9 commits into neo4j:dev from l-heemann:cops-301-update-to-notification-cannot-deny-with-auth-rule (base: dev)
+131 −1
9 commits:
60e62c6 Add 22ND1 and 22ND2 (l-heemann)
8b6b463 Fix copy-paste error (l-heemann)
b0b661f Remove changelog updates (l-heemann)
f569c20 Update sub-condition as it must be unique (l-heemann)
c45d64e Remove version labels (l-heemann)
c2273f6 regenerate the index file (renetapopova)
145e7ec Apply suggestions from code review (l-heemann)
33b2e67 Refer to existing examples instead of repeating them (l-heemann)
9bc78bb fix the anchors and regenerate the index file (renetapopova)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| = 22ND1 | ||
|
|
||
| == Status description | ||
| error: data exception - operation not allowed for roles that are granted to an `AUTH RULE`. Invalid input: `'{ <<query>> }'` is not allowed for roles that are granted to an `AUTH RULE`. | ||
|
|
||
| == Explanation | ||
|
|
||
| If an auth rule fails to evaluate, for example, because it depends on a claim that the user's auth token does not contain, Neo4j will default to not assigning that role to the user. | ||
|
|
||
| When a role contains denied privileges, not assigning the role actually removes the denies, which means the user ends up with more privileges than they should. | ||
| To avoid this, roles cannot have both `DENY` privileges and be granted to an auth rule. | ||
|
|
||
| This exception is thrown when attempting to `DENY` a privilege from a role that is already used by an auth rule. | ||
|
|
||
| [[example-scenario-22nd1]] | ||
| == Example scenario | ||
|
|
||
| Given that a role is used by an auth rule: | ||
| [source, cypher] | ||
| ---- | ||
| CYPHER 25 GRANT ROLE role TO AUTH RULE authrule | ||
| ---- | ||
|
|
||
| When attempting to deny privileges from the role: | ||
| [source, cypher] | ||
| ---- | ||
| DENY MATCH {*} ON GRAPH secret-db NODES * TO otherrole, role | ||
| ---- | ||
|
|
||
| The following error will be thrown: | ||
| [source] | ||
| ---- | ||
| error: data exception - operation not allowed for roles that are granted to an AUTH RULE. Invalid input: 'DENY MATCH {*} ON GRAPH secret-db NODES * TO role' is not allowed for roles that are granted to an AUTH RULE. | ||
| ---- | ||
|
|
||
| [NOTE] | ||
| ==== | ||
| The error message contains a subset of the original query that caused the issue. | ||
| Since `otherrole` is not granted to an auth rule, it is not included. | ||
| ==== | ||
|
|
||
| == Possible solutions | ||
|
|
||
| Consider if it is possible to implement the security model without using denied privileges. | ||
renetapopova marked this conversation as resolved.
|
||
|
|
||
| For example, you can replace the generic grant from the <<example-scenario-22nd1, Example scenario>> with the following more fine-grained alternative: | ||
| [source, cypher] | ||
| ---- | ||
| GRANT MATCH {*} ON GRAPH public-db, documentation-db NODES * TO role, otherrole | ||
| ---- | ||
|
|
||
|
|
||
| If a `DENY` is required, it must be set to a role that is directly assigned to users without using auth rules, to guarantee that it will always be applied. | ||
|
|
||
| ifndef::backend-pdf[] | ||
| [discrete.glossary] | ||
| == Glossary | ||
|
|
||
| include::partial$glossary.adoc[] | ||
| endif::[] | ||
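Review bot: The "Possible solutions" sentence `For example, you can replace the generic grant from the <<example-scenario-22nd1, Example scenario>>` refers to a grant that the example scenario never shows; the scenario only contains `CYPHER 25 GRANT ROLE role TO AUTH RULE authrule` and `DENY MATCH {*} ON GRAPH secret-db NODES * TO otherrole, role`. Add the broad grant being replaced to the scenario, for instance `GRANT MATCH {*} ON GRAPH * NODES * TO role, otherrole`, so the reader can see why narrowing it to `public-db, documentation-db` makes the `DENY` on `secret-db` unnecessary and the role safe to hand to an auth rule. Two smaller points: the status description wraps `AUTH RULE` in backticks while the example output under "The following error will be thrown" shows it unformatted, so one of the two misrepresents what the server prints; and "Consider if it is possible to implement the security model without using denied privileges." is phrased differently from the same sentence in 22ND2, which also carries the useful hint about revoking grants or reducing their scope, so align the two files.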
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| = 22ND2 | ||
|
|
||
| == Status description | ||
| error: data exception - operation not allowed for roles with `DENY` privileges. Invalid input: `'{ <<query>> }'` is not allowed for roles with `DENY` privileges. | ||
|
|
||
| == Explanation | ||
l-heemann marked this conversation as resolved.
|
||
|
|
||
| If an auth rule fails to evaluate, for example, because it depends on a claim that the user's auth token does not contain, Neo4j will default to not assigning that role to the user. | ||
|
|
||
|
|
||
| When a role contains denied privileges, not assigning the role actually removes the denies, which means the user ends up with more privileges than they should. | ||
| To avoid this, roles cannot have both `DENY` privileges and be granted to an auth rule. | ||
|
|
||
| This exception is thrown when attempting to grant a role to an auth rule when the role has denied privileges. | ||
|
|
||
l-heemann marked this conversation as resolved.
|
||
| [[example-scenario-22nd2]] | ||
| == Example scenario | ||
|
|
||
| Given that a role has denied privileges: | ||
l-heemann marked this conversation as resolved.
|
||
| [source, cypher] | ||
| ---- | ||
| DENY MATCH {*} ON GRAPH secret-db NODES * TO role | ||
| ---- | ||
|
|
||
| When attempting to assign the role to an auth rule: | ||
| [source, cypher] | ||
| ---- | ||
| CYPHER 25 GRANT ROLE otherrole, role TO AUTH RULE authrule | ||
| ---- | ||
|
|
||
| The following error will be thrown: | ||
| [source] | ||
| ---- | ||
| error: data exception - operation not allowed for roles with DENY privileges. Invalid input: 'CYPHER 25 GRANT ROLE role TO AUTH RULE authrule' is not allowed for roles with `DENY` privileges. | ||
| ---- | ||
|
|
||
| [NOTE] | ||
| ==== | ||
| The error message contains a subset of the original query that caused the issue. | ||
| Since `otherrole` does not have denied privileges, it is not included. | ||
| ==== | ||
|
|
||
| == Possible solutions | ||
|
|
||
| Consider whether it is possible to implement the security model without using denied privileges, for example, by revoking granted privileges or reducing the scope of the grant statements. | ||
|
|
||
| For example, you can replace the generic grant from the <<example-scenario-22nd2, Example scenario>> with the following more fine-grained alternative: | ||
| [source, cypher] | ||
| ---- | ||
| GRANT MATCH {*} ON GRAPH public-db, documentation-db NODES * TO role, otherrole | ||
| ---- | ||
|
|
||
| If a `DENY` is required, it must be set to a role that is directly assigned to users without using auth rules, to guarantee that it will always be applied. | ||
|
|
||
| ifndef::backend-pdf[] | ||
| [discrete.glossary] | ||
| == Glossary | ||
|
|
||
| include::partial$glossary.adoc[] | ||
| endif::[] | ||
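Review bot: Same gap as in 22ND1: the solution sentence `For example, you can replace the generic grant from the <<example-scenario-22nd2, Example scenario>>` points at a grant the scenario does not contain (it shows only `DENY MATCH {*} ON GRAPH secret-db NODES * TO role` and `CYPHER 25 GRANT ROLE otherrole, role TO AUTH RULE authrule`), so add the broad grant that is being narrowed before the `DENY`. Also, in the example error output the first `DENY` is unformatted while the second one is wrapped in backticks; raw server output does not carry AsciiDoc markup, so drop the backticks there for consistency with the 22ND1 example output. Finally, the explanation paragraph and the two solution paragraphs are duplicated verbatim from 22ND1; given the commit "Refer to existing examples instead of repeating them", consider pulling the shared text into a partial and including it from both files so the two cannot drift apart.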