
SASL-AUTH SCRAM-SHA512 fails just for the Administrator user


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: User Error
    • 5.0.0
    • memcached
    • MacOS 10.13.4 BETA
    • Untriaged
    • Unknown

    Description

      Background
      This is a follow-on from JVMCBC-528.

      Problem

      When trying to authenticate as the "Administrator" user using SCRAM-SHA512, the following error is reported in memcached.log:

      2018-04-17T15:42:25.664194+01:00 NOTICE 47: HELO [{"a":"couchbase-java-client/2.5.7 (git: 2.5.6-7-g17b4f94, core: 1.5.6-3-gca2bb88) (Mac OS X/10.13.4 x86_64; Java HotSpot(TM) 64-Bit Server VM 1.8.0_92-b14)","i":"2B291CEDFD320B27/FFFFFFFF809C4A4E"}] TCP NODELAY, XATTR, Select Bucket, XERROR [ 127.0.0.1:50183 - 127.0.0.1:11210 (not authenticated) ]
      2018-04-17T15:42:25.827595+01:00 WARNING 47: StartSaslAuthTask::execute(): UUID:[2aa6d411-b5b8-4eb8-7141-30bb8083cbe7] An exception occurred: cb::cbsasl::User::getPassword: requested mechanism not available
      

      This error message is also passed back to the client in the following format

      {"error":{"context":"An exception occurred","ref":"2aa6d411-b5b8-4eb8-7141-30bb8083cbe7"}}
      

      When any of the other users are used, it authenticates successfully.

      Steps to reproduce

      • Couchbase 5.0.0 on MacOS
      • Java SDK 2.5.7
      1. Setup a single bucket
      2. Run the following code:

        import com.couchbase.client.java.Bucket;
        import com.couchbase.client.java.Cluster;
        import com.couchbase.client.java.CouchbaseCluster;

        public class GetTTL
        {
            public static void main(String [] args)
            {
                // Connect to the local node; the stored credentials are used
                // when the bucket connection is opened.
                Cluster cluster = CouchbaseCluster.create("localhost");

                // Authenticate with the cluster-level Administrator credentials.
                System.out.println("Authenticating as administrator");
                cluster.authenticate("Administrator", "password");

                // Open the test bucket; this is where the SASL failure surfaces.
                System.out.println("Opening the bucket test");
                Bucket test = cluster.openBucket("test");

                // Release the bucket and cluster resources so the JVM exits cleanly.
                test.close();
                cluster.disconnect();
            }
        }
        

      Request

      • What is the cause of the failure?
      • Should the Server be passing the exception error back to the client?
        • If it should, is it in the correct format?


          Activity

            trond Trond Norbye added a comment - - edited

            Can you post the Administrator entry in isasl.pw? It should contain 

            {
              "users": [
                {
                  "n": "Administrator",
                  "plain": "something",
                  "sha512": {
                    "h": "something",
                    "s": "something",
                    "i": 4000
                  },
                  "sha256": {
                    "h": "something",
                    "s": "something",
                    "i": 4000
                  },
                  "sha1": {
                    "h": "something",
                    "s": "something",
                    "i": 4000
                  }
                }
              ]
            }

            If you upgraded your server from "an old version" of Couchbase (prior to SCRAM support), ns_server only had the hashed password for Administrator and couldn't generate the "sha" entries in there. You can try to reset the Administrator password to have ns_server regenerate the entry for Administrator.
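As an added diagnostic (not code from the Couchbase project or from anyone in this thread), the following Python parses an isasl.pw-style users document in the shape Trond describes, reports which SASL mechanisms each record can actually serve, and flags records that only carry a "plain" entry, which is the pre-SCRAM upgrade case behind this report. The sample document, the user names other than Administrator and the placeholder hash and salt values are constructed for the example.

```python
import json

# Mechanism name -> key in the isasl.pw user record (keys as shown in the thread).
MECH_KEYS = {"SCRAM-SHA512": "sha512", "SCRAM-SHA256": "sha256",
             "SCRAM-SHA1": "sha1", "PLAIN": "plain"}

# Constructed sample in the shape Trond's comment describes; hash and salt
# values are placeholders, not real credentials. "Administrator" mirrors the
# pre-SCRAM upgrade case from the report (only a "plain" entry present).
SAMPLE_ISASL_PW = json.dumps({"users": [
    {"n": "Administrator", "plain": "PLACEHOLDER-HASH"},
    {"n": "appuser", "plain": "PLACEHOLDER-HASH",
     "sha512": {"h": "PLACEHOLDER", "s": "PLACEHOLDER", "i": 4000},
     "sha256": {"h": "PLACEHOLDER", "s": "PLACEHOLDER", "i": 4000},
     "sha1": {"h": "PLACEHOLDER", "s": "PLACEHOLDER", "i": 4000}},
    # constructed malformed record: salt and iteration count are missing
    {"n": "broken", "sha256": {"h": "PLACEHOLDER"}},
]})

def entry_ok(key, entry):
    """PLAIN needs a string; a SCRAM record needs hash, salt and a positive
    iteration count, otherwise the server cannot run that mechanism."""
    if key == "plain":
        return isinstance(entry, str)
    return (isinstance(entry, dict) and isinstance(entry.get("h"), str)
            and isinstance(entry.get("s"), str)
            and isinstance(entry.get("i"), int) and entry["i"] > 0)

def supported_mechanisms(user):
    """Set of SASL mechanisms this user record can actually serve."""
    return {m for m, k in MECH_KEYS.items() if entry_ok(k, user.get(k))}

def audit_users(isasl_pw_text):
    """Map user name -> supported mechanisms for every record in the file."""
    return {u["n"]: supported_mechanisms(u)
            for u in json.loads(isasl_pw_text)["users"]}

def pre_scram_users(isasl_pw_text):
    """Users that only serve PLAIN: the 'requested mechanism not available'
    case in this report; a password reset regenerates their SCRAM entries."""
    return sorted(n for n, m in audit_users(isasl_pw_text).items()
                  if m == {"PLAIN"})

def select_mechanism(client_preference, user):
    """First mechanism in the client's preference order the record serves,
    or None when, as for Administrator above, nothing the client offers fits."""
    available = supported_mechanisms(user)
    return next((m for m in client_preference if m in available), None)
```

Running pre_scram_users over a real isasl.pw before enforcing SCRAM-only clients shows which accounts still need a password reset.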


            If you upgraded your server from "an old version" of Couchbase (prior to SCRAM support), ns_server only had the hashed password for Administrator and couldn't generate the "sha" entries in there. You can try to reset the Administrator password to have ns_server regenerate the entry for Administrator.

            That is indeed the case:

            {
              "users": [
                {
                  "n": "Administrator",
                  "plain": "B6BglU/DhHs/eYA8DI0jEo7sMHDrNaqD2U7x9eyWW7eWyfir"
                },
            

            On point two, should that message have been passed back to the client? Is too much information being given away (leaking information)?

            drigby Dave Rigby added a comment -

            On point two, should that message have been passed back to the client? Is too much information being given away (leaking information)?

            I don't think the following is any security leak, at worst it's a bit noisy / verbose:

            {"error":{"context":"An exception occurred","ref":"2aa6d411-b5b8-4eb8-7141-30bb8083cbe7"}}
            

            As such I don't consider this something we need to fix for Vulcan. I'm resolving this as "User Error" based on the fact the failing login is expected behaviour for pre-SCRAM upgrades. Patrick Varley If you feel we should clean up the error message then please raise a new MB.


            I don't think the following is any security leak, at worst it's a bit noisy / verbose:

            Dave Rigby Will all exceptions in this code path get thrown back to the client?

            drigby Dave Rigby added a comment -

            Uncaught ones will be at present.

            pvarley Patrick Varley added a comment - - edited

            Any risk of those ones leaking information that is sensitive? If so I will open a new MB, if not we can close this.

            drigby Dave Rigby added a comment - - edited

            So I checked the code - any unhandled exception simply sets the status code to CBSASL_FAIL; and then sets the context to the fixed string "An exception occurred":

            http://src.couchbase.org/source/xref/trunk/kv_engine/daemon/sasl_tasks.cc#60

            So there's no danger of additional detail leaking.


            People

              pvarley Patrick Varley
              pvarley Patrick Varley