  1. Couchbase C client library libcouchbase
  2. CCBC-885

HTTP/View requests with blank bucket password do not work after upgrading to 5.0

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.8.3
    • Fix Version/s: 2.8.4
    • Component/s: library
    • Labels:
      None

      Description

      Steps to Reproduce

      1. Set up a Couchbase 4.6.3 1-node cluster using Vagrant
      2. Enable the beer-sample
      3. Execute the view via CURL (This is the same http request that python uses)

        curl "http://10.111.163.101:8092/beer-sample/_design/beer/_view/brewery_beers?connection_timeout=60000&inclusive_end=true&limit=6&skip=0&stale=false"
        

      4. Look at the bucket map via CURL (SDKs fall back to this end point)

        curl "http://10.111.163.101:8091/pools/default/buckets/beer-sample"
        

      5. Add a 5.0.0 node to the cluster
      6. Execute the view via CURL against the 5.0.0 node (This is the same http request that python uses)

        curl "http://10.111.163.102:8092/beer-sample/_design/beer/_view/brewery_beers?connection_timeout=60000&inclusive_end=true&limit=6&skip=0&stale=false"
        

      7. Look at the bucket map via CURL against the 5.0.0 node (SDKs fall back to this end point)

        curl "http://10.111.163.102:8091/pools/default/buckets/beer-sample"
        

      8. Remove the 4.6.3 node
      9. Execute the view curl again; this time it fails with a 401 error.

        curl "http://10.111.163.102:8092/beer-sample/_design/beer/_view/brewery_beers?connection_timeout=60000&inclusive_end=true&limit=6&skip=0&stale=false"
        

      10. Execute the vbucket curl again; this time it fails with a 401 error.

        curl "http://10.111.163.102:8091/pools/default/buckets/beer-sample"
        

      Problem
      Breaking API change: when there was a passwordless bucket, those endpoints were accessible without authentication. The python SDK does not set authentication on view requests.

      Expectation
      For the old SDK to work during an upgrade to 5.0.0


            Activity

            avsej Sergey Avseyev added a comment -

            Just to clarify, old server will work well when we send Authorization header with username and empty password, right?

            dfinlay Dave Finlay added a comment -

            Yes, I verified that on my build prior to upgrading.

            avsej Sergey Avseyev added a comment -

            I mean old server versions prior to 4.6.3, because it seems like libcouchbase always skipped Authentication header when password is empty.

            avsej Sergey Avseyev added a comment -

            Fixed in http://review.couchbase.org/c/86844/

            dfinlay Dave Finlay added a comment -

            Ah, I didn't verify that. Looking at the code, I think it should work fine. If there's no password, access is always granted and if the password is empty then supplying "bucket-name:" in the authorization header will match.

            But would be better if Artem Stemkovski commented on this.

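The header the comments above talk about, as an added example (this is not libcouchbase code and not the change in the linked Gerrit review): it builds the HTTP Basic `Authorization` header for a bucket with an empty password under two policies, one that omits the header when the password is empty and one that sends `bucket-name:` whenever a username is set. The function and enum names are hypothetical; `beer-sample` is the bucket from the report.

```c
#include <stdio.h>
#include <string.h>
/* RFC 4648 base64 of src[0..n); returns chars written, or 0 if dst is too small. */
static size_t b64_encode(const unsigned char *src, size_t n, char *dst, size_t cap)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i, o = 0;
    if (cap < 4 * ((n + 2) / 3) + 1) return 0;
    for (i = 0; i < n; i += 3) {
        unsigned long v = (unsigned long)src[i] << 16;
        if (i + 1 < n) v |= (unsigned long)src[i + 1] << 8;
        if (i + 2 < n) v |= src[i + 2];
        dst[o++] = tbl[(v >> 18) & 63];
        dst[o++] = tbl[(v >> 12) & 63];
        dst[o++] = (i + 1 < n) ? tbl[(v >> 6) & 63] : '=';
        dst[o++] = (i + 2 < n) ? tbl[v & 63] : '=';
    }
    dst[o] = '\0';
    return o;
}

/* Hypothetical policies: the first models the client behaviour described in the thread. */
enum auth_policy { SKIP_IF_EMPTY_PASSWORD, SEND_IF_USERNAME };

/* Writes "Authorization: Basic <b64(user:pass)>\r\n" to out; returns its length, or 0 if none. */
size_t build_auth_header(enum auth_policy p, const char *user, const char *pass,
                         char *out, size_t cap)
{
    char cred[256], enc[352];
    int n;
    if (!user || !*user) return 0;            /* nothing to authenticate as */
    if (!pass) pass = "";
    if (p == SKIP_IF_EMPTY_PASSWORD && !*pass) return 0;
    n = snprintf(cred, sizeof cred, "%s:%s", user, pass);  /* "bucket-name:" when empty */
    if (n < 0 || (size_t)n >= sizeof cred) return 0;
    if (!b64_encode((const unsigned char *)cred, (size_t)n, enc, sizeof enc)) return 0;
    n = snprintf(out, cap, "Authorization: Basic %s\r\n", enc);
    return (n < 0 || (size_t)n >= cap) ? 0 : (size_t)n;
}

int main(void)
{
    char h[512];  /* "beer-sample" is the bucket from the report */
    size_t n = build_auth_header(SKIP_IF_EMPTY_PASSWORD, "beer-sample", "", h, sizeof h);
    printf("skip-if-empty:    %s", n ? h : "(no header)\r\n");
    n = build_auth_header(SEND_IF_USERNAME, "beer-sample", "", h, sizeof h);
    printf("send-if-username: %s", n ? h : "(no header)\r\n");
}
```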

              People

              • Assignee:
                avsej Sergey Avseyev
                Reporter:
                pvarley Patrick Varley