  1. Couchbase Server
  2. MB-28150

Authorization doesn't work for query service when using certificates


Details

    • Bug
    • Resolution: Duplicate
    • Major
    • 5.5.0
    • 5.5.0
    • query
    • OS: CentOS 7
      CPU: E5-2680 v3 (48 vCPU)
      Memory: 256 GB
      Disk: Samsung PM863
    • Untriaged
    • Unknown

    Description

      CB build 5.5.0-1899

      Tested via Java SDK version 2.5.5

       

      Setup and configuration steps:

      cd SSLCA  (attached)
      mkdir /opt/couchbase/var/lib/couchbase/inbox/
      cp chain.pem /opt/couchbase/var/lib/couchbase/inbox/chain.pem
      cp nodedir/pkey.key /opt/couchbase/var/lib/couchbase/inbox/pkey.key
      curl -X POST --data-binary "@./rootdir/ca.pem" http://Administrator:password@localhost:8091/controller/uploadClusterCA
      curl -X POST http://Administrator:password@localhost:8091/node/controller/reloadCertificate
      curl -X POST -u Administrator:password -d@config.json http://localhost:8091/settings/clientCertAuth

       

      Test code:

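      import com.couchbase.client.java.Bucket;
      import com.couchbase.client.java.Cluster;
      import com.couchbase.client.java.CouchbaseCluster;
      import com.couchbase.client.java.env.CouchbaseEnvironment;
      import com.couchbase.client.java.env.DefaultCouchbaseEnvironment;
      import com.couchbase.client.java.query.N1qlQuery;
      import com.couchbase.client.java.query.N1qlQueryResult;

      public class CertAuthQueryTest {
          public static void main(String[] args) {
              // TLS with client-certificate authentication; no username/password is supplied
              DefaultCouchbaseEnvironment.Builder builder = DefaultCouchbaseEnvironment
                  .builder()
                  .sslEnabled(true)
                  .sslKeystoreFile("/tmp/ssl/SSLCA/client.keystore")
                  .sslKeystorePassword("storepass")
                  .certAuthEnabled(true);

              CouchbaseEnvironment env = builder.build();

              // KV operation: fetch document "1" over the certificate-authenticated connection
              Cluster cluster = CouchbaseCluster.create(env, "172.23.99.211");
              Bucket bucket = cluster.openBucket("bucket-1");
              System.out.println(bucket.get("1").toString());

              // Query operation: read the same document through the query service
              N1qlQueryResult res = bucket.query(N1qlQuery.simple("select * from `bucket-1` use keys [\"1\"]"));
              System.out.print(res.errors().toString());
          }
      }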

       

      Test output:

      KV operation:
      JsonDocument{id='1', cas=1518658728579956736, expiry=0, content={"field":"value"}, mutationToken=null}

      Query operation:
      [{"msg":"User does not have credentials to run SELECT queries on the bucket-1 bucket. Add role query_select on bucket-1 to allow the query to run.","code":13014}]

       

      Since KV fetch works fine I assume it's not a configuration issue.
      Although when I tried to test the query service via the REST call mentioned in the PRD I got an error as well.

      curl --cacert ./rootdir/ca.pem --cert-type PEM --cert ./chain.pem --key-type PEM --key ./nodedir/pkey.key https://172.23.99.211:18093/query/service -d "statement=select 1"

      curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

       

      And because it fails via REST as well I'm posting this issue under MB project.
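
The curl error 51 quoted above is reported by the client's TLS name check, which compares the address in the URL with the names in the server certificate. As an added example (not part of the original report), this script runs that comparison with `openssl x509 -checkhost` / `-checkip` on a constructed self-signed certificate; the name `node1.example.test` and the helper function names are assumptions.

```shell
#!/bin/sh
# Added diagnostic example; not part of the original report.
# Checks whether a PEM certificate is valid for the host or IP a client dials.

# cert_covers PEM HOST -> exit 0 if the certificate matches HOST, 1 otherwise.
cert_covers() {
    pem=$1 host=$2
    case $host in
        *[!0-9.]*|'') flag=-checkhost ;;   # contains non-digit/dot characters: DNS name
        *)            flag=-checkip ;;     # dotted IPv4 literal (IPv6 not handled here)
    esac
    # openssl prints "... does match certificate" or "... does NOT match certificate";
    # its exit status does not reflect the result, so match on the text.
    openssl x509 -in "$pem" -noout "$flag" "$host" 2>/dev/null \
        | grep -q 'does match certificate'
}

# make_sample_cert DIR -> writes DIR/node.pem, a constructed self-signed
# certificate whose only SAN is DNS:node1.example.test (hypothetical name).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=node1.example.test' \
        -addext 'subjectAltName=DNS:node1.example.test' \
        -keyout "$1/node.key" -out "$1/node.pem" 2>/dev/null
}

# Demo: the same certificate passes when dialled by name and fails by IP address.
demo() {
    dir=$(mktemp -d) || return 1
    make_sample_cert "$dir" || { rm -rf "$dir"; return 1; }
    for target in node1.example.test 172.23.99.211; do
        if cert_covers "$dir/node.pem" "$target"; then
            echo "$target: covered by certificate"
        else
            echo "$target: NOT covered (a verifying client will refuse the connection)"
        fi
    done
    rm -rf "$dir"
}
demo
```

Pointing `cert_covers` at the node's `chain.pem` with the address the client dials runs the same check on the real certificate; openssl reads the first certificate in the file.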

      Attachments

        1. cbcollect.zip
          23.00 MB
        2. SSLCA.zip
          13 kB


            People

              isha Isha Kandaswamy (Inactive)
              oleksandr.gyryk Alex Gyryk (Inactive)