Details
-
Improvement
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
-
1
Description
Problem
When using the following the Administrator user the following error is produce:
Apr 17, 2018 10:55:06 AM com.couchbase.client.core.CouchbaseCore <init>
|
INFO: CouchbaseEnvironment: {sslEnabled=false, sslKeystoreFile='null', sslTruststoreFile='null', sslKeystorePassword=false, sslTruststorePassword=false, sslKeystore=null, sslTruststore=null, bootstrapHttpEnabled=true, bootstrapCarrierEnabled=true, bootstrapHttpDirectPort=8091, bootstrapHttpSslPort=18091, bootstrapCarrierDirectPort=11210, bootstrapCarrierSslPort=
|
11207, ioPoolSize=8, computationPoolSize=8, responseBufferSize=16384, requestBufferSize=16384, kvServiceEndpoints=1, viewServiceEndpoints=12, queryServiceEndpoints=12, searchServiceEndpoints=12, configPollInterval=2500, configPollFloorInterval=50, ioPool=NioEventLoopGroup, kvIoPool=null, viewIoPool=null, searchIoPool=null, queryIoPool=null, coreScheduler=CoreSch
|
eduler, memcachedHashingStrategy=DefaultMemcachedHashingStrategy, eventBus=DefaultEventBus, packageNameAndVersion=couchbase-java-client/2.5.7 (git: 2.5.6-7-g17b4f94, core: 1.5.6-3-gca2bb88), retryStrategy=BestEffort, maxRequestLifetime=75000, retryDelay=ExponentialDelay{growBy 1.0 MICROSECONDS, powers of 2; lower=100, upper=100000}, reconnectDelay=ExponentialDel
|
ay{growBy 1.0 MILLISECONDS, powers of 2; lower=32, upper=4096}, observeIntervalDelay=ExponentialDelay{growBy 1.0 MICROSECONDS, powers of 2; lower=10, upper=100000}, keepAliveInterval=30000, continuousKeepAliveEnabled=true, keepAliveErrorThreshold=4, keepAliveTimeout=2500, autoreleaseAfter=2000, bufferPoolingEnabled=true, tcpNodelayEnabled=true, mutationTokensEna
|
bled=false, socketConnectTimeout=1000, callbacksOnIoPool=false, disconnectTimeout=25000, requestBufferWaitStrategy=com.couchbase.client.core.env.DefaultCoreEnvironment$2@4157f54e, certAuthEnabled=false, coreSendHook=null, forceSaslPlain=false, queryTimeout=75000, viewTimeout=75000, searchTimeout=75000, analyticsTimeout=75000, kvTimeout=2500, connectTimeout=5000,
|
dnsSrvEnabled=false}
|
Authenticating as administrator
|
Opening the bucket test
|
Apr 17, 2018 10:55:07 AM com.couchbase.client.core.endpoint.AbstractGenericHandler exceptionCaught
|
WARNING: [localhost/127.0.0.1:11210][KeyValueEndpoint]: Caught unknown exception: the input string is not according to the spec
|
java.lang.IllegalArgumentException: the input string is not according to the spec
|
at com.couchbase.client.core.security.sasl.ShaSaslClient.decodeAttributes(ShaSaslClient.java:353)
|
at com.couchbase.client.core.security.sasl.ShaSaslClient.evaluateChallenge(ShaSaslClient.java:119)
|
at com.couchbase.client.core.endpoint.kv.KeyValueAuthHandler.handleAuthResponse(KeyValueAuthHandler.java:244)
|
at com.couchbase.client.core.endpoint.kv.KeyValueAuthHandler.channelRead0(KeyValueAuthHandler.java:178)
|
at com.couchbase.client.core.endpoint.kv.KeyValueAuthHandler.channelRead0(KeyValueAuthHandler.java:53)
|
at com.couchbase.client.deps.io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
|
at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
|
at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
|
at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:335)
|
at com.couchbase.client.deps.io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102)
|
at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
|
at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
|
at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:335)
|
at com.couchbase.client.deps.io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireChannelRead(CombinedChannelDuplexHandler.java:438)
|
at com.couchbase.client.deps.io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:312)
|
at com.couchbase.client.deps.io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:286)
|
at com.couchbase.client.deps.io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:253)
|
at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
|
at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
|
at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:335)
|
at com.couchbase.client.deps.io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286)
|
at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
|
at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
|
at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:335)
|
at com.couchbase.client.deps.io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1302)
|
at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
|
at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
|
at com.couchbase.client.deps.io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
|
at com.couchbase.client.deps.io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:135)
|
at com.couchbase.client.deps.io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:646)
|
at com.couchbase.client.deps.io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:581)
|
at com.couchbase.client.deps.io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498)
|
at com.couchbase.client.deps.io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:460)
|
at com.couchbase.client.deps.io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:131)
|
at com.couchbase.client.deps.io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
|
at java.lang.Thread.run(Thread.java:745)
|
The warning:
WARNING: [localhost/127.0.0.1:11210][KeyValueEndpoint]: Caught unknown exception: the input string is not according to the spec
|
Step to reproduce
- Setup local Couchbase 5.0.0
- Run the following script:
import com.couchbase.client.core.message.kv.subdoc.multi.Lookup;
import com.couchbase.client.java.Bucket;
import com.couchbase.client.java.Cluster;
import com.couchbase.client.java.CouchbaseCluster;
import com.couchbase.client.java.subdoc.*;
public class GetTTL
{public static void main(String [] args)
{Cluster cluster = CouchbaseCluster.create("localhost");
System.out.println("Authenticating as administrator");
cluster.authenticate("Administrator", "password");
// Open the test bucket.
System.out.println("Opening the bucket test");
Bucket test = cluster.openBucket("test");
}}
If I change Administrator to another user it works fine.
Expectation
Depending if the expectation is that the Administrator should not be used from the SDK (which personally I think Administrator should not have access from the SDK) then the error message should explain this. If the SDK is incorrectly "blocking" the Administrator user then this should be changed.
Notes
A few examples use the Administrator user, these might need updating:
Attachments
Issue Links
- relates to
-
MB-29289 SASL-AUTH SCRAM-SHA512 fails just for the Administrator user
-
- Closed
-
Gerrit Reviews
| For Gerrit Dashboard: JVMCBC-528 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 92844,3 | JVMCBC-528: Provide more information during sasl failure. | master | couchbase-jvm-core | Status: MERGED | +2 | +1 |
Activity
Forcing Java to use PLAIN, works around the problem:
CouchbaseEnvironment env = DefaultCouchbaseEnvironment.builder().forceSaslPlain(true).build(); |
Cluster cluster = CouchbaseCluster.create(env, "localhost"); |
The questions are:
- Why does the Server fail SCRAM-SHA512 with the "Administrator" user and not the "test" user
- Should the server be returning the exception error to the client: {{"error":{"context":"An exception occurred","ref":"2aa6d411-b5b8-4eb8-7141-30bb8083cbe7"}}. The client is not expected to handle JSON in this case.
Both questions for a MB.
Just ran into this hitting a production environment, but not our production active workflow. Only 1 of our many clusters has this issue occurring. Switching to PLAIN instead resolved the problem. Any security implications with using PLAIN?
Using a debug, with the help of Michael Nitschinger a break point was placed on ShaSaslClient.java#L353. The string variable was returning:
{"error":{"context":"An exception occurred","ref":"2aa6d411-b5b8-4eb8-7141-30bb8083cbe7"}}From the memcached log the following is printed:
2018-04-17T15:42:25.664194+01:00 NOTICE 47: HELO [{"a":"couchbase-java-client/2.5.7 (git: 2.5.6-7-g17b4f94, core: 1.5.6-3-gca2bb88) (Mac OS X/10.13.4 x86_64; Java HotSpot(TM) 64-Bit Server VM 1.8.0_92-b14)","i":"2B291CEDFD320B27/FFFFFFFF809C4A4E"}] TCP NODELAY, XATTR, Select Bucket, XERROR [ 127.0.0.1:50183 - 127.0.0.1:11210 (not authenticated) ]2018-04-17T15:42:25.827595+01:00 WARNING 47: StartSaslAuthTask::execute(): UUID:[2aa6d411-b5b8-4eb8-7141-30bb8083cbe7] An exception occurred: cb::cbsasl::User::getPassword: requested mechanism not availablecbc works using the details above
$ cbc-subdoc -U couchbase://localhost/test -u Administrator -P passwordsubdoc> get -x $document.value_bytes PerryPerry CAS=0x15263eecd53900000. Size=2, RC=0x00 Success (Not an error)701. Size=70, RC=0x00 Success (Not an error){"click": "to edit", "with JSON": "there are no reserved field names"}subdoc>cbc is using PLAIN, where Java is using SCRAM-SHA512, so not fair to compair.