Authorization doesn't work for query service when using certificates

Description

CB build 5.5.0-1899

Tested via Java SDK version 2.5.5

 

Setup and configuration steps:

cd SSLCA  (attached)
mkdir /opt/couchbase/var/lib/couchbase/inbox/
cp chain.pem /opt/couchbase/var/lib/couchbase/inbox/chain.pem
cp nodedir/pkey.key /opt/couchbase/var/lib/couchbase/inbox/pkey.key
curl -X POST --data-binary "@./rootdir/ca.pem" http://Administrator:password@localhost:8091/controller/uploadClusterCA
curl -X POST http://Administrator:password@localhost:8091/node/controller/reloadCertificate
curl -X POST -u Administrator:password -d@config.json http://localhost:8091/settings/clientCertAuth

 

Test code:

import com.couchbase.client.java.Bucket;
import com.couchbase.client.java.Cluster;
import com.couchbase.client.java.CouchbaseCluster;
import com.couchbase.client.java.env.CouchbaseEnvironment;
import com.couchbase.client.java.env.DefaultCouchbaseEnvironment;
import com.couchbase.client.java.query.N1qlQuery;
import com.couchbase.client.java.query.N1qlQueryResult;

public class CertAuthTest {
    public static void main(String[] args) {
        // TLS with client-certificate authentication; no username/password is supplied.
        DefaultCouchbaseEnvironment.Builder builder = DefaultCouchbaseEnvironment
                .builder()
                .sslEnabled(true)
                .sslKeystoreFile("/tmp/ssl/SSLCA/client.keystore")
                .sslKeystorePassword("storepass")
                .certAuthEnabled(true);

        CouchbaseEnvironment env = builder.build();

        Cluster cluster = CouchbaseCluster.create(env, "172.23.99.211");
        Bucket bucket = cluster.openBucket("bucket-1");

        // KV fetch over the certificate-authenticated connection
        System.out.println(bucket.get("1").toString());

        // N1QL query over the same connection
        N1qlQueryResult res = bucket.query(N1qlQuery.simple("select * from `bucket-1` use keys [\"1\"]"));
        System.out.print(res.errors().toString());

        cluster.disconnect();
        env.shutdown();
    }
}

 

Test output:

KV operation:
JsonDocument{id='1', cas=1518658728579956736, expiry=0, content={"field":"value"}, mutationToken=null}

Query operation:
[{"msg":"User does not have credentials to run SELECT queries on the bucket-1 bucket. Add role query_select on bucket-1 to allow the query to run.","code":13014}]

 

Since the KV fetch works fine, I assume it's not a configuration issue.
Although when I tried to test the query service via the REST call mentioned in the PRD, I got an error as well.

curl --cacert ./rootdir/ca.pem --cert-type PEM --cert ./chain.pem --key-type PEM --key ./nodedir/pkey.key https://172.23.99.211:18093/query/service -d "statement=select 1"

curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

 

And because it fails via REST as well I'm posting this issue under MB project.

Components

Affects versions

Fix versions

Environment

OS: CentOS 7 CPU: E5-2680 v3 (48 vCPU) Memory: 256 GB Disk: Samsung PM863

Link to Log File, atop/blg, CBCollectInfo, Core dump

None

Release Notes Description

None

Attachments

2
  • 15 Feb 2018, 02:04 AM
  • 15 Feb 2018, 02:03 AM

Activity


Ritam Sharma March 1, 2018 at 6:28 PM

Bulk closing Duplicate, Won't fix defects.

Isha Kandaswamy February 15, 2018 at 7:21 AM
Edited

Essentially, once we authenticate the connection, we try to authorize the request using the Auth header. Because there are no credentials being passed, the Authorization fails, and you get an error saying the user doesn't have access to query.

There is a bug to track this: https://couchbasecloud.atlassian.net/browse/MB-27531. The changes to support X509 has exposed this. Since this isn't related to X509, I shall close this bug and track it on the other issue.
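The mechanism in the comment above, as an added example that is not Couchbase code: the TLS layer has already verified the client certificate, but the request handler still has to decide who is asking. A handler that derives the principal only from the HTTP Authorization header denies a certificate-authenticated request that carries no header, which is the 13014 error the reporter saw; one way to close the gap is to fall back to the identity established by the verified certificate. The role table, the peer certificate, the user names and the certificate-to-user mapping rule are constructed assumptions (the page does not show config.json).

```python
"""
Model of the authorization gap: authentication on the TLS connection,
authorization from the HTTP Authorization header only. Hypothetical code,
not Couchbase's; all names and data below are constructed.
"""
import base64
from typing import Optional

# Constructed role table: user name -> set of (role, bucket).
ROLES = {
    "app-user": {("data_reader", "bucket-1"), ("query_select", "bucket-1")},
}

# Constructed peer certificate in the shape ssl.SSLSocket.getpeercert()
# returns after a successful mutual-TLS handshake (only the fields used here).
PEER_CERT = {
    "subject": ((("commonName", "app-user"),),),
    "subjectAltName": (("email", "app-user@example.com"),),
}


def user_from_cert(peercert: Optional[dict], path: str = "subject.cn",
                   prefix: str = "", delimiter: str = "") -> Optional[str]:
    """Map a verified client certificate to a user name: take the field at
    `path`, strip `prefix`, cut at `delimiter`. The rule is an assumption."""
    if not peercert:
        return None
    if path == "subject.cn":
        value = next((v for rdn in peercert.get("subject", ())
                      for k, v in rdn if k == "commonName"), None)
    elif path == "san.email":
        value = next((v for k, v in peercert.get("subjectAltName", ())
                      if k == "email"), None)
    else:
        return None
    if value is None or not value.startswith(prefix):
        return None
    value = value[len(prefix):]
    if delimiter:
        value = value.split(delimiter, 1)[0]
    return value or None


def user_from_auth_header(headers: dict) -> Optional[str]:
    """HTTP Basic credentials -> user name (password checking elided)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, _password = decoded.partition(":")
    return user or None


def deny(bucket: str) -> dict:
    # Same shape and code as the error the reporter observed.
    return {"code": 13014,
            "msg": f"User does not have credentials to run SELECT queries on the "
                   f"{bucket} bucket. Add role query_select on {bucket} to allow "
                   f"the query to run."}


def has_role(user: Optional[str], role: str, bucket: str) -> bool:
    return user is not None and (role, bucket) in ROLES.get(user, set())


def authorize_select_buggy(headers: dict, peercert: Optional[dict], bucket: str) -> dict:
    """Authorization looks only at the Authorization header; the identity
    proven by the client certificate (peercert) is never consulted."""
    user = user_from_auth_header(headers)
    if not has_role(user, "query_select", bucket):
        return deny(bucket)
    return {"user": user, "allowed": True}


def authorize_select_fixed(headers: dict, peercert: Optional[dict], bucket: str) -> dict:
    """Hypothetical fix: with no header credentials, use the principal
    established by the verified client certificate."""
    user = user_from_auth_header(headers) or user_from_cert(peercert)
    if not has_role(user, "query_select", bucket):
        return deny(bucket)
    return {"user": user, "allowed": True}


if __name__ == "__main__":
    # Certificate-authenticated request with no Authorization header,
    # the situation the comment describes.
    print(authorize_select_buggy({}, PEER_CERT, "bucket-1"))
    print(authorize_select_fixed({}, PEER_CERT, "bucket-1"))
```

The point to check in any service that adds certificate authentication is that the identity the authorization layer consumes is the one the handshake actually verified; a header-only path silently reduces mutual TLS to transport encryption.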

Duplicate

Details

Assignee

Isha Kandaswamy(Deactivated)

Reporter

Is this a Regression?

Unknown

Triage

Untriaged

Priority


Created February 15, 2018 at 2:09 AM
Updated May 30, 2018 at 10:16 PM
Resolved May 23, 2018 at 10:25 PM