Authorization doesn't work for query service when using certificates
Environment
OS: CentOS 7
CPU: E5-2680 v3 (48 vCPU)
Memory: 256 GB
Disk: Samsung PM863
Attachments
2
- 15 Feb 2018, 02:04 AM
- 15 Feb 2018, 02:03 AM
Activity
Ritam Sharma March 1, 2018 at 6:28 PM
Bulk closing Duplicate, Won't fix defects.
Isha Kandaswamy February 15, 2018 at 7:21 AM (Edited)
Essentially, once we authenticate the connection, we try to authorize the request using the Auth header. Because there are no credentials being passed, the authorization fails, and you get an error saying the user doesn't have access to query.
There is a bug to track this: https://couchbasecloud.atlassian.net/browse/MB-27531#icft=MB-27531. The changes to support X509 have exposed this. Since this isn't related to X509, I shall close this bug and track it on the other issue.
Duplicate
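A simplified model of the behaviour described in the comment above, added here as an example; it is not Couchbase's query service code. The user `alex`, the password, the role table, the host `query.example` and the use of the certificate's subject CN as the user name are assumptions.

```go
package main

import (
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net/http"
)

// Constructed sample data: one user holding query_select on bucket-1.
var passwords = map[string]string{"alex": "constructed-password"}
var grants = map[string]map[string]bool{"alex": {"query_select[bucket-1]": true}}

// resolveUser picks the identity to authorize. With certFirst=false it models the
// reported behaviour (Authorization header only); with certFirst=true the verified
// peer certificate's subject CN (an assumption of this sketch) takes precedence.
func resolveUser(r *http.Request, peer *x509.Certificate, certFirst bool) string {
	if certFirst && peer != nil && peer.Subject.CommonName != "" {
		return peer.Subject.CommonName
	}
	u, p, _ := r.BasicAuth()
	if want, ok := passwords[u]; ok && subtle.ConstantTimeCompare([]byte(want), []byte(p)) == 1 {
		return u
	}
	return "" // no header, unknown user or wrong password
}

// authorizeSelect checks the query_select role on bucket for the resolved user.
func authorizeSelect(r *http.Request, peer *x509.Certificate, bucket string, certFirst bool) error {
	if u := resolveUser(r, peer, certFirst); !grants[u]["query_select["+bucket+"]"] {
		return fmt.Errorf("user %q lacks query_select on %s", u, bucket)
	}
	return nil
}

// demo runs both variants on a constructed certificate-only request: no Authorization
// header, and a certificate standing in for one the TLS layer already chain-verified.
func demo() (headerErr, certErr error) {
	r, _ := http.NewRequest("POST", "https://query.example:18093/query/service", nil)
	peer := &x509.Certificate{Subject: pkix.Name{CommonName: "alex"}}
	return authorizeSelect(r, peer, "bucket-1", false), authorizeSelect(r, peer, "bucket-1", true)
}

func main() { fmt.Println(demo()) }
```

The header-only variant resolves an empty user for a certificate-only client, so the role check fails even though the TLS handshake succeeded, which matches the symptom in the report.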
Details
Assignee
Reporter
Alex Gyryk
Is this a Regression?
Unknown
Triage
Untriaged
Priority
Major
Created February 15, 2018 at 2:09 AM
Updated May 30, 2018 at 10:16 PM
Resolved May 23, 2018 at 10:25 PM
CB build 5.5.0-1899
Tested via Java SDK version 2.5.5
Setup and configuration steps:
cd SSLCA (attached)
mkdir /opt/couchbase/var/lib/couchbase/inbox/
cp chain.pem /opt/couchbase/var/lib/couchbase/inbox/chain.pem
cp nodedir/pkey.key /opt/couchbase/var/lib/couchbase/inbox/pkey.key
curl -X POST --data-binary "@./rootdir/ca.pem" http://Administrator:password@localhost:8091/controller/uploadClusterCA
curl -X POST http://Administrator:password@localhost:8091/node/controller/reloadCertificate
curl -X POST -u Administrator:password -d@config.json http://localhost:8091/settings/clientCertAuth
Test code:
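import com.couchbase.client.java.Bucket;
import com.couchbase.client.java.Cluster;
import com.couchbase.client.java.CouchbaseCluster;
import com.couchbase.client.java.env.CouchbaseEnvironment;
import com.couchbase.client.java.env.DefaultCouchbaseEnvironment;
import com.couchbase.client.java.query.N1qlQuery;
import com.couchbase.client.java.query.N1qlQueryResult;

public class CertAuthQueryTest { // class name added so the snippet compiles
    public static void main(String[] args) {
        // TLS with client-certificate authentication; no username/password is supplied.
        DefaultCouchbaseEnvironment.Builder builder = DefaultCouchbaseEnvironment
                .builder()
                .sslEnabled(true)
                .sslKeystoreFile("/tmp/ssl/SSLCA/client.keystore")
                .sslKeystorePassword("storepass")
                .certAuthEnabled(true);
        CouchbaseEnvironment env = builder.build();
        Cluster cluster = CouchbaseCluster.create(env, "172.23.99.211");
        Bucket bucket = cluster.openBucket("bucket-1");
        // KV fetch by document ID.
        System.out.println(bucket.get("1").toString());
        // N1QL query against the same bucket, using the same environment.
        N1qlQueryResult res = bucket.query(N1qlQuery.simple("select * from `bucket-1` use keys [\"1\"]"));
        System.out.print(res.errors().toString());
    }
}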
Test output:
KV operation:
JsonDocument{id='1', cas=1518658728579956736, expiry=0, content={"field":"value"}, mutationToken=null}
Query operation:
[{"msg":"User does not have credentials to run SELECT queries on the bucket-1 bucket. Add role query_select on bucket-1 to allow the query to run.","code":13014}]
Since KV fetch works fine, I assume it's not a configuration issue.
Although when I tried to test the query service via the REST call mentioned in the PRD, I got an error as well.
curl --cacert ./rootdir/ca.pem --cert-type PEM --cert ./chain.pem --key-type PEM --key ./nodedir/pkey.key https://172.23.99.211:18093/query/service -d "statement=select 1"
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
And because it fails via REST as well I'm posting this issue under MB project.