Reputation: 11
I'm trying to implement the behaviour described in this CosmosDB document with the additional ResourcePartitionKey restrictions on the User Permissions to constrain a resource token to only accessing documents that belong to the specified partition key, however I can't make it work.
With the SQL REST API, I receive no errors with the POST to create the UserPermission object with the resourcepartitionkey keypair, and both the initial returned object as well as subsequent GETs also show the "resourcepartitionkey" present when fetching the resource token.
Using the resource token against the appropriate collection specified in the permission, I can list all documents in the collection. When using an "x-ms-documentdb-partitionkey" header, I can target any partition key I like. Without the "x-ms-documentdb-partitionkey" header, it simply returns the whole collection.
The collection is brand new, Unlimited, 1000 RUs, with a partition key of '/rpk'. A post-creation query of the collection shows the partition key configured as follows:
"partitionKey": {
"paths": [
"\/rpk"
],
"kind": "Hash"
}
Below is the User Permission returned during creation showing the "resourcepartitionkey" present
{
"resource": "dbs/dbName/colls/collectionName/",
"id": "read-collection",
"resourcepartitionkey": "rpk1",
"permissionMode": "read",
"_rid": "lH9FACGGKwAhslfihB0pAA==",
"_self": "dbs\/lH9FAA==\/users\/lH9FACGGKwA=\/permissions\/lH9FACGGKwAhslfihB0pAA==\/",
"_etag": "\"0000ba07-0000-0000-0000-5b7418770000\"",
"_ts": 1534335095,
"_token": "type=resource&ver=1&sig=<resource token signature>"
}
The following is the request for documents using the resource token above. I would expect this to fail due to the missing "x-ms-documentdb-partitionkey" header against a partitioned collection, but it both succeeds and proceeds to return records from all partition keys in the collection (only 2 in my test dataset):
GET https://accountname.documents.azure.com/dbs/dbName/colls/collectionName/docs HTTP/1.1
authorization: type%3dresource%26ver%3d1%26sig<resource token signature>
x-ms-version: 2017-02-22
x-ms-max-item-count: -1
x-ms-date: Wed, 15 Aug 2018 12:11:35 GMT
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-AU) WindowsPowerShell/5.1.17134.165
Content-Type: application/json
Host: accountname.documents.azure.com
Response Body from request above showing documents from the partition keys rpk1 and rpk2 even though the user permission is configured to rpk1.
{
"_rid": "lH9FAKbDh4c=",
"Documents": [
{
"id": "blue",
"rpk": "rpk1",
"_rid": "lH9FAKbDh4cCAAAAAAAAAA==",
"_self": "dbs\/lH9FAA==\/colls\/lH9FAKbDh4c=\/docs\/lH9FAKbDh4cCAAAAAAAAAA==\/",
"_etag": "\"ec012ca1-0000-0000-0000-5b73ab440000\"",
"_attachments": "attachments\/",
"_ts": 1534307140
},
{
"id": "red",
"rpk": "rpk2",
"_rid": "lH9FAKbDh4cDAAAAAAAAAA==",
"_self": "dbs\/lH9FAA==\/colls\/lH9FAKbDh4c=\/docs\/lH9FAKbDh4cDAAAAAAAAAA==\/",
"_etag": "\"ec012da1-0000-0000-0000-5b73ab580000\"",
"_attachments": "attachments\/",
"_ts": 1534307160
}
],
"_count": 2
}
I'm assuming I've missed something obvious, or using an incorrect value for 'resourcepartitionkey' in the UserPermission but I can't determine what. Any thoughts greatly appreciated.
Upvotes: 0
Views: 162
Reputation: 11
After many more hours of trial and error, I have finally resolved my issue, which was caused during the POST creation of the user permission.
Firstly, whilst the creation of the user permission will validate the name "resourcePartitionKey", it does not check case sensitivity. With the incorrect case, the returned UserPermission object has the value present but does not provide any security controls (dangerous situation #1).
Secondly, the input value is not validated for being of type array. Once again it is accepted and returned to you in the user permission object, but again provides no security control (dangerous situation #2).
A full working example is below, where the permission ID is "read-collection" and the resourcePartitionKey is configured to 'rpk1'. This finally exhibits the expected behaviour of requiring "x-ms-documentdb-partitionkey" on the request and only returns values from the specified partition key.
POST https://accountname.documents.azure.com/dbs/dbName/users/userName/permissions HTTP/1.1
authorization: type%3dmaster%26ver%3d1.0%26sig<signature>
x-ms-version: 2017-02-22
x-ms-date: Thu, 16 Aug 2018 04:09:44 GMT
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-AU) WindowsPowerShell/5.1.17134.165
Content-Type: application/json
Host: accountname.documents.azure.com
Content-Length: 215
{
"resource": "dbs/dbName/colls/collectionName/",
"id": "read-collection",
"resourcePartitionKey": [
"rpk1"
],
"permissionMode": "read"
}
If someone knows where to log a DCR or bug for the CosmosDB SQL REST API, please let me know, as without proper validation during resource permission creation, resource tokens may be distributed to low-trust clients that can gain unexpected full access to collection data.
Upvotes: 1
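The following is an added example, not code from the question or the answer above. It turns the two pitfalls the answer reports (a wrong-case "resourcePartitionKey" name, or a value that is not a JSON array, both echoed back by the service but not enforced) into a client-side check that runs before the permission is POSTed, builds the exact body shown in the answer, signs the request with the master key following the documented Cosmos DB REST authorization scheme (HMAC-SHA256 over verb, resource type, resource link and date, keyed with the base64-decoded master key), and checks the echoed permission before its _token is handed to a client. Account, database, user and collection names and the master key are placeholders; the request is built but not sent.

```python
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Exact spelling the service enforces. A different case ("resourcepartitionkey")
# is echoed back in the created permission but gives no partition scoping.
PK_FIELD = "resourcePartitionKey"


class PermissionValidationError(ValueError):
    """Raised for a permission body the service would accept but not enforce."""


def validate_permission_body(body):
    """Return body unchanged if its partition-key restriction will be enforced.

    Rejects a wrong-case key name, a missing key, and a value that is not a
    non-empty JSON array of scalar partition key values (a bare string such as
    "rpk1" is echoed back by the service but does not restrict the token)."""
    if not isinstance(body, dict):
        raise PermissionValidationError("permission body must be a JSON object")
    wrong_case = [k for k in body if k.lower() == PK_FIELD.lower() and k != PK_FIELD]
    if wrong_case:
        raise PermissionValidationError(f"{wrong_case} must be spelled exactly {PK_FIELD!r}")
    if PK_FIELD not in body:
        raise PermissionValidationError(f"{PK_FIELD} missing: token would cover the whole collection")
    value = body[PK_FIELD]
    if (not isinstance(value, list) or not value
            or not all(isinstance(v, (str, int, float, bool)) for v in value)):
        raise PermissionValidationError(
            f"{PK_FIELD} must be a non-empty JSON array of scalar values, got {value!r}")
    if body.get("permissionMode") not in ("read", "all"):
        raise PermissionValidationError("permissionMode must be 'read' or 'all'")
    return body


def build_permission_body(resource_link, permission_id, partition_keys, mode="read"):
    """Build and validate the body for POST dbs/{db}/users/{user}/permissions."""
    if isinstance(partition_keys, str):
        partition_keys = [partition_keys]  # never let a bare string reach the service
    body = {"resource": resource_link, "id": permission_id,
            PK_FIELD: list(partition_keys), "permissionMode": mode}
    return validate_permission_body(body)


def master_key_auth_header(verb, resource_type, resource_link, x_ms_date, master_key_b64):
    """Cosmos DB REST master-key authorization header value.

    sig = base64(HMAC-SHA256(base64decode(key),
          lower(verb) LF lower(resourceType) LF resourceLink LF lower(date) LF LF))
    and the whole "type=master&ver=1.0&sig=..." string is URL-encoded."""
    payload = f"{verb.lower()}\n{resource_type.lower()}\n{resource_link}\n{x_ms_date.lower()}\n\n"
    key = base64.b64decode(master_key_b64)
    sig = base64.b64encode(hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()).decode()
    return urllib.parse.quote(f"type=master&ver=1.0&sig={sig}", safe="")


def create_permission_request(account, db, user, body, master_key_b64):
    """Signed urllib Request that creates the permission (built, not sent here)."""
    validate_permission_body(body)
    x_ms_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    link = f"dbs/{db}/users/{user}"  # resource link signed for resource type "permissions"
    headers = {
        "authorization": master_key_auth_header("POST", "permissions", link, x_ms_date, master_key_b64),
        "x-ms-version": "2017-02-22",
        "x-ms-date": x_ms_date,
        "Content-Type": "application/json",
    }
    url = f"https://{account}.documents.azure.com/{link}/permissions"
    return urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")


def check_created_permission(created, expected_keys):
    """The service echoes whatever key and value were sent, so confirm the created
    permission carries the exact field name and list before distributing _token."""
    return isinstance(created.get(PK_FIELD), list) and created[PK_FIELD] == list(expected_keys)


if __name__ == "__main__":
    body = build_permission_body("dbs/dbName/colls/collectionName/", "read-collection", ["rpk1"])
    print(json.dumps(body, indent=2))
    for bad in ({"resource": body["resource"], "id": "p", "resourcepartitionkey": ["rpk1"], "permissionMode": "read"},
                {"resource": body["resource"], "id": "p", PK_FIELD: "rpk1", "permissionMode": "read"}):
        try:
            validate_permission_body(bad)
        except PermissionValidationError as err:
            print("rejected:", err)
    # Constructed placeholder master key (64 zero bytes, base64) so the request builds offline.
    req = create_permission_request("accountname", "dbName", "userName", body,
                                    base64.b64encode(b"\0" * 64).decode())
    print(req.full_url, req.get_header("Authorization")[:40] + "...")
```

The validator deliberately treats a missing or empty array the same as a wrong one: a permission without an enforced "resourcePartitionKey" is exactly the whole-collection token the question describes. The check on the echoed permission matters because, as the answer notes, the service returns the wrong-case key or the bare string unchanged, so the presence of a value in the response is not evidence that the restriction is in force.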