Uploaded image for project: 'Couchbase Server'
  1. Couchbase Server
  2. MB-16654

cbbackup "error: SASL auth failed"

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 3.1.0
    • 3.0.1
    • tools
    • Security Level: Public
    • Untriaged
    • Unknown

    Description

      We're running into a problem where backups are failing under the following circumstances:

      • Server is on Couchbase 3.0.1 community edition
      • The bucket being backed up is either using SASL auth with an empty password OR it is using a dedicated port without any authentication
      • The environment variable $CB_REST_PASSWORD is set to some non-empty value

      How to reproduce:
      1. Create a bucket and give it a dedicated port
      2. Setup some convenience variables (these handy for using couchbase-cli)

      export CB_REST_USERNAME=Administrator
      		 
      export CB_REST_PASSWORD=<password>

      3. Attempt to take a backup:

      cbbackup http://localhost:8091 /var/tmp/backups -b <bucket> -u $CB_REST_USERNAME -p $CB_REST_PASSWORD

      The error given is:

      error: SASL auth failed: <hostname>:11210, user: <user>

      It is possible to successfully get a backup by using a different environment variable name for the password. Continuing the earlier command sequence this will workaround the problem:

      export FOO=$CB_REST_PASSWORD
      		 
      unset CB_REST_PASSWORD
      		 
      cbbackup http://localhost:8091 /var/tmp/backups -b <bucket> -u $CB_REST_USERNAME -p $FOO

      I have dug through pump_dcp.py and determined that what's going on here is that the code is actually attempting to use the value of $CB_REST_PASSWORD as a SASL auth password which clearly makes no sense. Here is that code (lines 442-443):

      github link:
      https://github.com/couchbase/couchbase-cli/blob/master/pump_dcp.py#L442

                  sasl_user = str(self.source_bucket.get("name", pump.get_username(self.opts.username)))
      		 
                  sasl_pswd = str(self.source_bucket.get("saslPassword", pump.get_password(self.opts.password)))

      pump.get_username() and pump.get_password() are the functions that are pulling the rest username/password from the $CB_REST_* environment variables as a fallback when the value passed in is empty. This is always the wrong thing to do here since we're trying to get the username/password for the bucket instead.

      I propose the following instead:

                  sasl_user = str(self.source_bucket.get("name", self.opts.username))
      		 
                  sasl_pswd = str(self.source_bucket.get("saslPassword", self.opts.password))

      Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

        Activity

          People

            mikew Mike Wiederhold [X] (Inactive)
            bweir bweir
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There are no open Gerrit changes

                PagerDuty