ING-1368: unknown permission errors

gateway/dapiimpl/server_v1/dataapi_subdoc.go

@@ -250,7 +250,7 @@ func (s *DataApiServer) MutateInDocument(
 		} else if errors.Is(err, memdx.ErrUnknownScopeName) {
 			return nil, s.errorHandler.NewScopeMissingStatus(err, in.BucketName, in.ScopeName).Err()
 		} else if errors.Is(err, memdx.ErrAccessError) {
-			return nil, s.errorHandler.NewCollectionNoReadAccessStatus(err, in.BucketName, in.ScopeName, in.CollectionName).Err()
+			return nil, s.errorHandler.NewCollectionNoWriteAccessStatus(err, in.BucketName, in.ScopeName, in.CollectionName).Err()
 		} else if errors.Is(err, memdx.ErrValueTooLarge) {
 			if in.Body.StoreSemantic != nil && *in.Body.StoreSemantic == dataapiv1.StoreSemanticInsert {
 				return nil, s.errorHandler.NewValueTooLargeStatus(err, in.BucketName, in.ScopeName, in.CollectionName, in.DocumentKey, false).Err()

gateway/dataimpl/server_v1/bucketadminserver.go

@@ -46,6 +46,10 @@ func (s *BucketAdminServer) ListBuckets(
 		OnBehalfOf: oboInfo,
 	})
 	if err != nil {
+		if errors.Is(err, cbmgmtx.ErrAccessDenied) {
+			return nil, s.errorHandler.NewBucketAccessDeniedStatus(err, "").Err()
+		}
+
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
 

gateway/dataimpl/server_v1/collectionadminserver.go

@@ -60,7 +60,10 @@ func (s *CollectionAdminServer) ListCollections(
 	if err != nil {
 		if errors.Is(err, cbmgmtx.ErrBucketNotFound) {
 			return nil, s.errorHandler.NewBucketMissingStatus(err, in.BucketName).Err()
+		} else if errors.Is(err, cbmgmtx.ErrAccessDenied) {
+			return nil, s.errorHandler.NewCollectionAccessDeniedStatus(err, "").Err()
 		}
+
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
 
@@ -117,7 +120,10 @@ func (s *CollectionAdminServer) CreateScope(
 			return nil, s.errorHandler.NewBucketMissingStatus(err, in.BucketName).Err()
 		} else if errors.Is(err, cbmgmtx.ErrScopeExists) {
 			return nil, s.errorHandler.NewScopeExistsStatus(err, in.BucketName, in.ScopeName).Err()
+		} else if errors.Is(err, cbmgmtx.ErrAccessDenied) {
+			return nil, s.errorHandler.NewScopeAccessDeniedStatus(err, in.ScopeName).Err()
 		}
+
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
 
@@ -157,7 +163,10 @@ func (s *CollectionAdminServer) DeleteScope(
 			return nil, s.errorHandler.NewBucketMissingStatus(err, in.BucketName).Err()
 		} else if errors.Is(err, cbmgmtx.ErrScopeNotFound) {
 			return nil, s.errorHandler.NewScopeMissingStatus(err, in.BucketName, in.ScopeName).Err()
+		} else if errors.Is(err, cbmgmtx.ErrAccessDenied) {
+			return nil, s.errorHandler.NewScopeAccessDeniedStatus(err, in.ScopeName).Err()
 		}
+
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
 
@@ -221,6 +230,8 @@ func (s *CollectionAdminServer) CreateCollection(
 			return nil, s.errorHandler.NewCollectionExistsStatus(err, in.BucketName, in.ScopeName, in.CollectionName).Err()
 		} else if errors.Is(err, cbmgmtx.ErrScopeNotFound) {
 			return nil, s.errorHandler.NewScopeMissingStatus(err, in.BucketName, in.ScopeName).Err()
+		} else if errors.Is(err, cbmgmtx.ErrAccessDenied) {
+			return nil, s.errorHandler.NewCollectionAccessDeniedStatus(err, in.CollectionName).Err()
 		}
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
@@ -264,7 +275,10 @@ func (s *CollectionAdminServer) DeleteCollection(
 			return nil, s.errorHandler.NewCollectionMissingStatus(err, in.BucketName, in.ScopeName, in.CollectionName).Err()
 		} else if errors.Is(err, cbmgmtx.ErrScopeNotFound) {
 			return nil, s.errorHandler.NewScopeMissingStatus(err, in.BucketName, in.ScopeName).Err()
+		} else if errors.Is(err, cbmgmtx.ErrAccessDenied) {
+			return nil, s.errorHandler.NewCollectionAccessDeniedStatus(err, in.CollectionName).Err()
 		}
+
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
 
@@ -330,6 +344,8 @@ func (s *CollectionAdminServer) UpdateCollection(
 			return nil, s.errorHandler.NewScopeMissingStatus(err, in.BucketName, in.ScopeName).Err()
 		} else if errors.Is(err, cbmgmtx.ErrServerInvalidArg) {
 			return nil, s.errorHandler.NewCollectionInvalidArgStatus(err, "", in.BucketName, in.ScopeName, in.CollectionName).Err()
+		} else if errors.Is(err, cbmgmtx.ErrAccessDenied) {
+			return nil, s.errorHandler.NewCollectionAccessDeniedStatus(err, in.CollectionName).Err()
 		}
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}

gateway/dataimpl/server_v1/errorhandler.go

@@ -737,6 +737,32 @@ func (e ErrorHandler) NewCollectionNoWriteAccessStatus(baseErr error, bucketName
 	return st
 }
 
+func (e ErrorHandler) NewScopeAccessDeniedStatus(baseErr error, scopeName string) *status.Status {
+	msg := "No permissions to perform scope management operation."
+	st := status.New(codes.PermissionDenied, msg)
+
+	st = e.tryAttachStatusDetails(
+		st, &epb.ResourceInfo{
+			ResourceType: "scope",
+			ResourceName: scopeName,
+			Description:  "",
+		})
+	return st
+}
+
+func (e ErrorHandler) NewCollectionAccessDeniedStatus(baseErr error, collectionName string) *status.Status {
+	msg := "No permissions to perform collection management operation."
+	st := status.New(codes.PermissionDenied, msg)
+
+	st = e.tryAttachStatusDetails(
+		st, &epb.ResourceInfo{
+			ResourceType: "collection",
+			ResourceName: collectionName,
+			Description:  "",
+		})
+	return st
+}
+
 func (e ErrorHandler) NewSdDocTooDeepStatus(baseErr error, bucketName, scopeName, collectionName, docId string) *status.Status {
 	st := status.New(codes.FailedPrecondition,
 		fmt.Sprintf("Document '%s' JSON was too deep to parse in '%s/%s/%s'.",

gateway/dataimpl/server_v1/kvserver.go

@@ -1391,7 +1391,15 @@ func (s *KvServer) GetAllReplicas(in *kv_v1.GetAllReplicasRequest, out kv_v1.KvS
 		}
 	}
 
-	return replicaError
+	if replicaError != nil {
+		if errors.Is(replicaError, memdx.ErrAccessError) {
+			return s.errorHandler.NewCollectionNoReadAccessStatus(replicaError, in.BucketName, in.ScopeName, in.CollectionName).Err()
+		}
+
+		return s.errorHandler.NewGenericStatus(replicaError).Err()
+	}
+
+	return nil
 }
 
 func (s *KvServer) checkKey(key string) *status.Status {

gateway/dataimpl/server_v1/queryadminserver.go

@@ -140,6 +140,15 @@ func (s *QueryIndexAdminServer) GetAllIndexes(
 		OnBehalfOf:     oboInfo,
 	})
 	if err != nil {
+		if errors.Is(err, cbqueryx.ErrAuthenticationFailure) {
+			return nil, s.errorHandler.NewQueryIndexAuthenticationFailureStatus(
+				err,
+				in.GetBucketName(),
+				in.GetScopeName(),
+				in.GetCollectionName(),
+			).Err()
+		}
+
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
 
@@ -269,6 +278,15 @@ func (s *QueryIndexAdminServer) CreatePrimaryIndex(
 				msg).Err()
 		}
 
+		if errors.Is(err, cbqueryx.ErrAuthenticationFailure) {
+			return nil, s.errorHandler.NewQueryIndexAuthenticationFailureStatus(
+				err,
+				in.BucketName,
+				in.GetScopeName(),
+				in.GetCollectionName(),
+			).Err()
+		}
+
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
 
@@ -363,6 +381,15 @@ func (s *QueryIndexAdminServer) CreateIndex(
 				msg).Err()
 		}
 
+		if errors.Is(err, cbqueryx.ErrAuthenticationFailure) {
+			return nil, s.errorHandler.NewQueryIndexAuthenticationFailureStatus(
+				err,
+				in.BucketName,
+				in.GetScopeName(),
+				in.GetCollectionName(),
+			).Err()
+		}
+
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
 
@@ -436,6 +463,15 @@ func (s *QueryIndexAdminServer) DropPrimaryIndex(
 					rErr.CollectionName).Err()
 			}
 		}
+
+		if errors.Is(err, cbqueryx.ErrAuthenticationFailure) {
+			return nil, s.errorHandler.NewQueryIndexAuthenticationFailureStatus(
+				err,
+				in.GetBucketName(),
+				in.GetScopeName(),
+				in.GetCollectionName()).Err()
+		}
+
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
 
@@ -509,6 +545,15 @@ func (s *QueryIndexAdminServer) DropIndex(
 					rErr.CollectionName).Err()
 			}
 		}
+
+		if errors.Is(err, cbqueryx.ErrAuthenticationFailure) {
+			return nil, s.errorHandler.NewQueryIndexAuthenticationFailureStatus(
+				err,
+				in.GetBucketName(),
+				in.GetScopeName(),
+				in.GetCollectionName()).Err()
+		}
+
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
 
@@ -550,6 +595,26 @@ func (s *QueryIndexAdminServer) BuildDeferredIndexes(
 		OnBehalfOf:     oboInfo,
 	})
 	if err != nil {
+		var rErr *cbqueryx.ResourceError
+		if errors.As(err, &rErr) {
+			if errors.Is(rErr.Cause, cbqueryx.ErrAuthenticationFailure) {
+				return nil, s.errorHandler.NewQueryIndexAuthenticationFailureStatus(
+					err,
+					rErr.BucketName,
+					rErr.ScopeName,
+					rErr.CollectionName).Err()
+			}
+		}
+
+		if errors.Is(err, cbqueryx.ErrAuthenticationFailure) {
+			return nil, s.errorHandler.NewQueryIndexAuthenticationFailureStatus(
+				err,
+				in.BucketName,
+				in.GetScopeName(),
+				in.GetCollectionName(),
+			).Err()
+		}
+
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
 

gateway/dataimpl/server_v1/searchserver.go

@@ -197,6 +197,8 @@ func (s *SearchServer) SearchQuery(in *search_v1.SearchQueryRequest, out search_
 	if err != nil {
 		if errors.Is(err, cbsearchx.ErrIndexNotFound) {
 			return s.errorHandler.NewSearchIndexMissingStatus(err, in.IndexName).Err()
+		} else if errors.Is(err, cbsearchx.ErrAuthenticationFailure) {
+			return s.errorHandler.NewQueryNoAccessStatus(err).Err()
 		}
 		return s.errorHandler.NewGenericStatus(err).Err()
 	}

gateway/test/bucket_mgmt_test.go

@@ -47,6 +47,13 @@ func (s *GatewayOpsTestSuite) RunCommonBucketMgmtErrorCases(
 		})
 		assertRpcStatus(s.T(), err, codes.PermissionDenied)
 	})
+	s.Run("NoPermissions", func() {
+		_, err := fn(&commonBucketMgmtErrorTestData{
+			BucketName: uuid.NewString()[:6],
+			Creds:      s.getNoPermissionRpcCreds(),
+		})
+		assertRpcStatus(s.T(), err, codes.PermissionDenied)
+	})
 }
 
 func (s *GatewayOpsTestSuite) TestCreateBucket() {