Couchbase Server / MB-26589

Support x.509 client cert auth in query


        Activity

          isha Isha Kandaswamy (Inactive) added a comment -

          For Setup use -
          https://docs.google.com/document/d/1sC_He6DZdiZBw63jIvOdwqD_2uGAkELzSA1BqxGuNCA/edit#
          https://developer.couchbase.com/documentation/server/current/security/security-x509certsintro.html

          Test -
          curl --cacert ./root/ca.pem --cert-type PEM --cert ./client/client/chain.pem --key-type PEM --key ./client/client/client.key https://localhost:18093/query/service -d "statement=select 1"

          build-team Couchbase Build Team added a comment -

          Build couchbase-server-5.5.0-1889 contains query commit b062b560fc85349e9940e66220b740734a100b4e with commit message:
          MB-26589, MB-27525 : Support X509 client authentication for query and use RegisterTLSRefreshCallback API in query
          https://github.com/couchbase/query/commit/b062b560fc85349e9940e66220b740734a100b4e

          ritam.sharma Ritam Sharma added a comment -

          RBAC fails with client cert - Build - Enterprise Edition 5.5.0 build 1898

          Client_conf.json

          {"state" : "enable","prefixes" : [{ "path" : "subject.cn", "prefix" : "www.cb-", "delimiter" : "." }]}

          Client config:

          [ req ]
          default_bits       = 1024
          distinguished_name = req_distinguished_name
          req_extensions     = req_ext
          prompt             = no

          [ req_distinguished_name ]
          countryName         = UA
          stateOrProvinceName = California
          localityName        = Mountain View
          organizationName    = My Company
          commonName          = www.cb-cbadminbucket.com

          [ req_ext ]
          subjectAltName = @alt_names

          [alt_names]
          DNS.1 = us.travel-agent1.com
          URI.1 = www.travel-agent2.com

          a) Created a user cbadminbucket on Couchbase server, as an admin

          2018-02-15 11:28:57,936 - root - INFO - **** add 'admin' role to 'cbadminbucket' user ****

          b) Created server and client cert. SSL handshake is successful but fails on authorization.

          ('{\n"requestID": "baefa052-a0b5-4cc8-b315-3810eec530f8",\n"signature": null,\n"results": [\n],\n"errors": [{"code":13014,"msg":"User does not have credentials to run index operations. Add role query_manage_index on default to allow the query to run."}],\n"status": "stopped",\n"metrics": {"elapsedTime": "37.14568ms","executionTime": "37.11862ms","resultCount": 0,"resultSize": 0,"errorCount": 1}

          Logged in to the UI as the same user; the user is able to create an index.
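          When the TLS handshake succeeds but authorization fails, it helps to confirm which user name the certificate resolves to. The following is an added example, not Couchbase's own code and not part of the comment above: it applies the quoted Client_conf.json to a certificate common name. It assumes the prefix is stripped and the name ends at the first delimiter character; `MapUser`, `Prefix`, `ClientConf` and `pageConf` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Prefix mirrors one entry of "prefixes" in the Client_conf.json quoted above.
type Prefix struct {
	Path      string `json:"path"`
	Prefix    string `json:"prefix"`
	Delimiter string `json:"delimiter"`
}

type ClientConf struct {
	State    string   `json:"state"`
	Prefixes []Prefix `json:"prefixes"`
}

// Settings copied from the issue comment.
const pageConf = `{"state":"enable","prefixes":[{"path":"subject.cn","prefix":"www.cb-","delimiter":"."}]}`

// MapUser returns the user name that common name cn maps to under confJSON.
// Only the "subject.cn" path and the "enable" state from the page are handled.
func MapUser(confJSON, cn string) (string, error) {
	var conf ClientConf
	if err := json.Unmarshal([]byte(confJSON), &conf); err != nil {
		return "", fmt.Errorf("bad client cert config: %w", err)
	}
	if conf.State != "enable" {
		return "", errors.New("state is not \"enable\"; outside this sketch")
	}
	for _, p := range conf.Prefixes { // entries are tried in order
		if p.Path != "subject.cn" || !strings.HasPrefix(cn, p.Prefix) {
			continue
		}
		user := strings.TrimPrefix(cn, p.Prefix)
		// Assumption: each character of Delimiter ends the user name.
		if i := strings.IndexAny(user, p.Delimiter); i >= 0 {
			user = user[:i]
		}
		if user == "" {
			return "", errors.New("empty user name after prefix and delimiter")
		}
		return user, nil
	}
	return "", errors.New("no prefix entry matches this common name")
}

func main() { fmt.Println(MapUser(pageConf, "www.cb-cbadminbucket.com")) }
```

          With the commonName from the quoted OpenSSL config, this yields `cbadminbucket`, the user that was given the admin role in step a).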

          isha Isha Kandaswamy (Inactive) added a comment -

          Ritam Sharma : There is a bug to track this: MB-27531. Since this isn't related to X509, is it ok if we close this and track it on that bug?

          ritam.sharma Ritam Sharma added a comment -

          Isha Kandaswamy - Thanks. Yes, we can close the issue and work on the other defect. I will put my current testing details on that defect.

          People

            ritam.sharma Ritam Sharma
            djp Don Pinto [X] (Inactive)