  1. Couchbase Server
  2. MB-4345

ns_server should use unique memcached admin/password for each cluster instance

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.8.1
    • Fix Version/s: 3.0
    • Component/s: ns_server
    • Security Level: Public
    • Labels:
    • Sprint:
      02/Sep/2013 - 20/Sep/2013

      Description

      Steps to reproduce:

      1- Create a cluster with 3 nodes
      2- Shut down membase on one of the nodes
      3- Create a new cluster with 3 nodes and reuse the public IP of one of the nodes
      4- Now you will see that ns_server from the old cluster is trying to reset the vbuckets on the new cluster

      ns_server should use the otpCookie authentication when running _set_vbucket_state command against memcached (alk: see my comment below)


        Activity

        alkondratenko Aleksey Kondratenko (Inactive) added a comment -

        we cannot use otp cookie authentication against memcached.

        Previously it was discussed that we should generate unique admin user and/or password for memcached.

        Looks like it's time.

        ingenthr Matt Ingenthron added a comment -

        I think it should just be a unique cluster ID and configuration clock. We probably already have one? This would just be an additional credential required when trying to do vbucket type managing operations.

        (sorry for the delayed reply)

        alkondratenko Aleksey Kondratenko (Inactive) added a comment -

        Current cbcollect_info hardcodes this.

        I think we'll need to rewrite collect info in erlang to fix this and other issues where config is either not consulted at all or is consulted somewhat kludgy.

        alkondratenko Aleksey Kondratenko (Inactive) added a comment -

        Discussed it with Aliaksey. There's a related issue of replicating from an unrelated cluster (if a node was uninstalled/reinstalled without removing it from the cluster). This is happening because ebucketmigrator is using the bucket password to auth against both source and destination nodes. We may have a ticket for that as well.

        alkondratenko Aleksey Kondratenko (Inactive) added a comment -

        Merged to master (3.0). Backportable to 2.2.1 if there's interest, which I assume might be the case given the security aspect of this.
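
The reproduction steps in the description and the fix direction from the comments (a unique memcached admin password per cluster), replayed as an added Python illustration; this is not ns_server or memcached code. The classes, the placeholder shared password and the 192.0.2.10 address are constructed for the example.

```python
import hmac
import secrets

# Constructed placeholder for an admin password that is identical on every install.
SHARED_ADMIN_PASSWORD = "same-on-every-install"
REUSED_IP = "192.0.2.10"  # constructed address (documentation range)


class MemcachedNode:
    """Toy data node: accepts set_vbucket_state only after an admin password check."""

    def __init__(self, admin_password):
        self._admin_password = admin_password
        self.vbucket_state = {}

    def set_vbucket_state(self, password, vbucket, state):
        # Constant-time comparison so the check does not leak the secret via timing.
        if not hmac.compare_digest(password.encode(), self._admin_password.encode()):
            return False
        self.vbucket_state[vbucket] = state
        return True


class Cluster:
    """Toy cluster manager holding the admin credential it uses for its own nodes."""

    def __init__(self, per_cluster_secret):
        # Hardened mode: a fresh random secret is generated when the cluster is created.
        self.admin_password = (
            secrets.token_hex(32) if per_cluster_secret else SHARED_ADMIN_PASSWORD
        )

    def add_node(self):
        # A node joining this cluster is provisioned with this cluster's credential.
        return MemcachedNode(self.admin_password)


def replay_ticket(per_cluster_secret):
    """Return (stale command accepted?, final state of vbucket 0 on the reused IP)."""
    old = Cluster(per_cluster_secret)
    old.add_node()                      # steps 1-2: node at REUSED_IP joins, then is shut down
    new = Cluster(per_cluster_secret)
    reused = new.add_node()             # step 3: REUSED_IP now belongs to the new cluster
    reused.set_vbucket_state(new.admin_password, 0, "active")
    # Step 4: the old manager still targets REUSED_IP and presents its own credential.
    accepted = reused.set_vbucket_state(old.admin_password, 0, "dead")
    return accepted, reused.vbucket_state[0]
```

With the shared password the stale manager's command is accepted and the vbucket state changes; with a per-cluster secret it is rejected and the new cluster's state is left intact.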


          People

          • Assignee:
            andreibaranouski Andrei Baranouski
            Reporter:
            farshid Farshid Ghods (Inactive)