Details
-
Bug
-
Status: Closed
-
Critical
-
Resolution: Fixed
-
5.5.0
Attachments
Issue Links
- blocks
-
MB-21991 AuthN : Client-Server Certificate Authentication
-
- Resolved
-
Activity
Build couchbase-server-5.5.0-1889 contains query commit b062b560fc85349e9940e66220b740734a100b4e with commit message:
MB-26589, MB-27525 : Support X509 client authentication for query and use RegisterTLSRefreshCallback API in query
https://github.com/couchbase/query/commit/b062b560fc85349e9940e66220b740734a100b4e
Rbac Fails with client cert - Build - Enterprise Edition 5.5.0 build 1898
Client_conf.json
{"state" : "enable","prefixes" : [\{ "path" : "subject.cn", "prefix" : "www.cb-", "delimiter" : "." }]}
Client config:
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = UA
stateOrProvinceName = California
localityName = Mountain View
organizationName = My Company
commonName = www.cb-cbadminbucket.com
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = us.travel-agent1.com
URI.1 = www.travel-agent2.com
a) Created a user cbadminbucket on Couchbase server, as an admin
2018-02-15 11:28:57,936 - root - INFO - **** add 'admin' role to 'cbadminbucket' user ****
b) Create server and client cert. SSL handshake is successful but fails on authorization.
('{\n"requestID": "baefa052-a0b5-4cc8-b315-3810eec530f8",\n"signature": null,\n"results": [\n],\n"errors": [\{"code":13014,"msg":"User does not have credentials to run index operations. Add role query_manage_index on default to allow the query to run."}],\n"status": "stopped",\n"metrics": {"elapsedTime": "37.14568ms","executionTime": "37.11862ms","resultCount": 0,"resultSize": 0,"errorCount": 1}
Login to UI via the same user, user is able to create index.
Ritam Sharma : There is a bug to track this. MB-27531 Since this isn't related to X509, is it ok if we close this and track it on that bug ?
Isha Kandaswamy - Thanks. Yes we can close the issue and work on other defect. I will put my current testing details on that defect.
For Setup use -
https://docs.google.com/document/d/1sC_He6DZdiZBw63jIvOdwqD_2uGAkELzSA1BqxGuNCA/edit#
https://developer.couchbase.com/documentation/server/current/security/security-x509certsintro.html
Test -
curl --cacert ./root/ca.pem --cert-type PEM --cert ./client/client/chain.pem --key-type PEM --key ./client/client/client.key https://localhost:18093/query/service -d "statement=select 1"