Description
CB build 5.5.0-1899
Tested via Java SDK version 2.5.5
Setup and configuration steps:
cd SSLCA (attached)
mkdir /opt/couchbase/var/lib/couchbase/inbox/
cp chain.pem /opt/couchbase/var/lib/couchbase/inbox/chain.pem
cp nodedir/pkey.key /opt/couchbase/var/lib/couchbase/inbox/pkey.key
curl -X POST --data-binary "@./rootdir/ca.pem" http://Administrator:password@localhost:8091/controller/uploadClusterCA
curl -X POST http://Administrator:password@localhost:8091/node/controller/reloadCertificate
curl -X POST -u Administrator:password -d@config.json http://localhost:8091/settings/clientCertAuth
Test code:
public static void main(String[] args) {
    DefaultCouchbaseEnvironment.Builder builder = DefaultCouchbaseEnvironment
        .builder()
        .sslEnabled(true)
        .sslKeystoreFile("/tmp/ssl/SSLCA/client.keystore")
        .sslKeystorePassword("storepass")
        .certAuthEnabled(true);
    CouchbaseEnvironment env = builder.build();
    Cluster cluster = CouchbaseCluster.create(env, "172.23.99.211");
    Bucket bucket = cluster.openBucket("bucket-1");
    System.out.println(bucket.get("1").toString());
    N1qlQueryResult res = bucket.query(N1qlQuery.simple("select * from `bucket-1` use keys [\"1\"]"));
    System.out.print(res.errors().toString());
}
Test output:
KV operation:
JsonDocument{id='1', cas=1518658728579956736, expiry=0, content={"field":"value"}, mutationToken=null}
Query operation:
[{"msg":"User does not have credentials to run SELECT queries on the bucket-1 bucket. Add role query_select on bucket-1 to allow the query to run.","code":13014}]
Since KV fetch works fine, I assume it's not a configuration issue.
Although when I tried to test the query service via the REST call mentioned in the PRD, I got an error as well.
curl --cacert ./rootdir/ca.pem --cert-type PEM --cert ./chain.pem --key-type PEM --key ./nodedir/pkey.key https://172.23.99.211:18093/query/service -d "statement=select 1"
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
And because it fails via REST as well I'm posting this issue under MB project.
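The curl error (51) above reports that the requested name does not match the server's certificate. The following diagnostic is an added example, not part of the original report: it checks whether a PEM certificate covers the DNS name or IPv4 address a client connects to. It assumes OpenSSL 1.1.1 or later; the function names, subject names and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the report): does a PEM certificate cover the
# DNS name or IPv4 address a client connects to? Names below are constructed.

# cert_covers CERT TARGET -> prints "match" or "mismatch"
cert_covers() {
    case $2 in
        *[!0-9.]*) flag=-checkhost ;;  # anything but digits and dots: DNS name
        *)         flag=-checkip ;;    # IPv4 literal: only an IP SAN can match
    esac
    # openssl prints "... does match certificate" or "... does NOT match certificate"
    if openssl x509 -in "$1" -noout "$flag" "$2" | grep -q 'does match'; then
        echo match
    else
        echo mismatch
    fi
}

# make_demo_cert DIR SAN -> writes DIR/cert.pem, a throwaway self-signed cert
# (-addext needs OpenSSL 1.1.1 or later)
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=node1.example.test" -addext "subjectAltName=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_demo_cert "$dir" "DNS:node1.example.test"
    echo "DNS-only cert, by name: $(cert_covers "$dir/cert.pem" node1.example.test)"
    echo "DNS-only cert, by IP:   $(cert_covers "$dir/cert.pem" 192.0.2.10)"
    make_demo_cert "$dir" "DNS:node1.example.test,IP:192.0.2.10"
    echo "DNS+IP cert, by IP:     $(cert_covers "$dir/cert.pem" 192.0.2.10)"
    rm -rf "$dir"
}
demo
```

For the setup in this report the equivalent call would be `cert_covers ./chain.pem 172.23.99.211`, assuming the node certificate is the first certificate in chain.pem.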
Issue Links
- relates to MB-27531 Don't mandate the presence of auth-headers in query REST APIs (Closed)