I am using Couchbase Enterprise 5.5.0 and Java SDK 2.7.4. I created a user my_app_user with the following privileges:
- Application Access
- Data Reader
- Query Select
- Query Manage Index
But while executing the following query I am getting error.
Query:
Select __meta.id from #CURRENT_BUCKET# where meta().id like 'abc-%'
(__meta.id is a node in our documents)
Response:
{"msg":"User does not have credentials to run SELECT queries on the MY_BKT bucket. Add role query_select on MY_BKT to allow the query to run.","code":13014}
Documentation is not very clear. For example:
- Application Access is no more applicable to 5.5, but it tells (web console tooltip) that it gives Data Reader and Data Writer privileges. The tooltip should be more elaborate.
- query_select only gets execute permission. If I want to read data, I need at least query_manage_index. Why? And, if so, then why the error message asks me to give query_select privilege.
- In newer version of Couchbase (5.0+), bucket_all_access is a replacement of Application Access, but in the doc, it does not tell whether a user with this role can have access to Web Console or not. To me it looks very broad - at least sounds broader than Application Access.
I feel it’s a bug. Can someone help me here to understand what privileges to set up?
This query should work with just QUERY SELECT permission on the bucket you are accessing.
I have tried to reproduce this using the current codebase, and I am seeing an unexpected result.
curl http://localhost:8093/query/service -d "statement=select __meta.id from mybucket where meta().id like \"abc-%\"" -u Administrator:password
Produces this result:
{ "requestID": "04fec7f7-cd50-47cf-bcb9-3aabfc5081e1", "errors": [{"code":1050,"msg":"No statement or prepared value"}], "status": "fatal", "metrics": {"elapsedTime": "88.878µs","executionTime": "35.299µs","resultCount": 0,"resultSize": 0,"errorCount": 1} }
The problem seems to be with the string in the LIKE clause. If I remove the percent sign, things work correctly, whether I try to use Administrator or another user I created with just QUERY SELECT permission.
OK, looks like I was running into a problem with CURL, not the server. With the current codebase, I see the code run correctly:
curl http://localhost:8093/query/service -H "Content-Type: application/json" -d '{"statement" :"select __meta.id from mybucket where meta().id like \"abc-%\""}' -u my_bucket_select:password
This is where user my_bucket_select has only role Query Select [mybucket].
If you are not able to run the query using the same sort of permissions, check whether the Query Select role is of the right type (i.e. on the right bucket).
If you are still having trouble, it would be useful to provide us with the result of the query select * from system:user_info run as Administrator.
Hello Johan, Unfortunately I cannot give entire information (because of organization restrictions), however, please find below the user_info for the user I created.
"user_info": {
    "domain": "local",
    "id": "my_app_user",
    "name": "App User",
    "password_change_date": "2019-04-25T16:48:46.000Z",
    "roles": [
        {
            "bucket_name": "MY_BKT",
            "role": "update"
        },
        {
            "bucket_name": "MY_BKT",
            "role": "select"
        },
        {
            "bucket_name": "MY_BKT",
            "role": "query_manage_index"
        },
        {
            "bucket_name": "MY_BKT",
            "role": "insert"
        },
        {
            "bucket_name": "MY_BKT",
            "role": "delete"
        },
        {
            "bucket_name": "MY_BKT",
            "role": "data_writer"
        },
        {
            "bucket_name": "MY_BKT",
            "role": "data_reader"
        },
        {
            "bucket_name": "MY_BKT",
            "role": "data_dcp_reader"
        },
        {
            "bucket_name": "MY_BKT",
            "role": "bucket_full_access"
        },
        {
            "bucket_name": "MY_BKT",
            "role": "bucket_admin"
        }
    ]
}
I have been experimenting by adding a lot of privileges, but no luck till now.
One thing to notice is, in the web console, I have selected Query Select, but here I cannot see it in the JSON response (check the attached screenshot). Is this a bug in Web Console?
@johan_larson Do you have any suggestion for this issue? Should I raise a bug?
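Added example, not part of any post in this thread and not Couchbase code: a small Python check that takes the 13014 error body and the system:user_info role list quoted above, extracts the role and bucket the error asks for, and reports whether that exact role name is present. The function names are hypothetical; the inputs are copied from the posts.

```python
import json
import re

# Error body copied from the question above.
ERROR_BODY = ('{"msg":"User does not have credentials to run SELECT queries on '
              'the MY_BKT bucket. Add role query_select on MY_BKT to allow the '
              'query to run.","code":13014}')

# Role names copied from the user_info output posted above, all on MY_BKT.
ROLES = ["update", "select", "query_manage_index", "insert", "delete",
         "data_writer", "data_reader", "data_dcp_reader",
         "bucket_full_access", "bucket_admin"]
USER_INFO = {"id": "my_app_user",
             "roles": [{"bucket_name": "MY_BKT", "role": r} for r in ROLES]}


def required_grant(error_body):
    """Return (role, bucket) named in an 'Add role R on B to allow' message."""
    msg = json.loads(error_body).get("msg", "")
    m = re.search(r"Add role (\S+) on (\S+) to allow", msg)
    return (m.group(1), m.group(2)) if m else None


def granted_roles(user_info, bucket):
    """Roles scoped to exactly this bucket; roles without bucket_name are skipped."""
    return sorted(r["role"] for r in user_info.get("roles", [])
                  if r.get("bucket_name") == bucket)


def diagnose(error_body, user_info):
    """Compare what the error asks for with what user_info actually lists."""
    need = required_grant(error_body)
    if need is None:
        return None
    role, bucket = need
    have = granted_roles(user_info, bucket)
    # Similar names are flagged for a human to look at. Whether "select" is
    # treated as query_select by the server is not established in this thread.
    near = [r for r in have if r != role and (r in role or role in r)]
    return {"required": role, "bucket": bucket,
            "granted": role in have, "near_matches": near}


if __name__ == "__main__":
    print(json.dumps(diagnose(ERROR_BODY, USER_INFO), indent=2))
```

On the data posted here it reports that `query_select` is not listed for MY_BKT and that the closest listed name is `select`, which is the mismatch described in the last post.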