  1. Couchbase Server
  2. MB-47567

[Enforce-TLS]: Support cbepctl & cbstats usage over memcached ssl port


Details

    • Improvement
    • Resolution: Unresolved
    • Major
    • Morpheus
    • 7.0.1
    • couchbase-bucket
    • None
    • Centos 7 64 bit; CB EE 7.0.1
    • 1

    Description

      Issue
      Currently, cbstats & cbepctl don't support connecting to memcached over an ssl port. It fails like this, for example:

      /opt/couchbase/bin/cbstats -u Administrator -p password -b default localhost:11207 timings

       
      Traceback (most recent call last):
        File "/opt/couchbase/lib/python/cbstats", line 1010, in <module>
          main()
        File "/opt/couchbase/lib/python/cbstats", line 1007, in main
          c.execute()
        File "/opt/couchbase/lib/python/clitool.py", line 83, in execute
          f[0](mc, *args[2:], **opts.__dict__)
        File "/opt/couchbase/lib/python/cbstats", line 49, in g
          f(*args, **kwargs)
        File "/opt/couchbase/lib/python/cli_auth_utils.py", line 79, in g
          mc.sasl_auth_plain(username, password)
        File "/opt/couchbase/lib/python/mc_bin_client.py", line 488, in sasl_auth_plain
          return self.sasl_auth_start('PLAIN', '\0'.join([foruser, user, password]))
        File "/opt/couchbase/lib/python/mc_bin_client.py", line 484, in sasl_auth_start
          return self._doCmd(memcacheConstants.CMD_SASL_AUTH, mech, data)
        File "/opt/couchbase/lib/python/mc_bin_client.py", line 303, in _doCmd
          return self._handleSingleResponse(opaque)
        File "/opt/couchbase/lib/python/mc_bin_client.py", line 296, in _handleSingleResponse
          cmd, opaque, cas, keylen, extralen, data = self._handleKeyedResponse(myopaque)
        File "/opt/couchbase/lib/python/mc_bin_client.py", line 281, in _handleKeyedResponse
          cmd, errcode, opaque, cas, keylen, extralen, rv = self._recvMsg()
        File "/opt/couchbase/lib/python/mc_bin_client.py", line 250, in _recvMsg
          data = self._socketRecv(MIN_RECV_PACKET - len(response))
        File "/opt/couchbase/lib/python/mc_bin_client.py", line 244, in _socketRecv
          return self.s.recv(amount)
      ConnectionResetError: [Errno 104] Connection reset by peer
      

      Why supporting this could be useful
      1. With the enforce TLS feature, if n2n encryption is set at level "strict", then port 11210 (the non-ssl memcached port) would get blocked on non-loopback addresses. So this would mean some users will not be able to issue cbstats commands from outside the cluster.
      2. IIRC, encrypting data on the loopback address is a P2 feature as part of enforce TLS; so this would mean that at some point in time, port 11210 will be blocked even on localhost and hence cbstats won't work.
      3. Other commands like mcstat take an --ssl flag to support talking over the ssl memcached port, i.e. this works:

      /opt/couchbase/bin/mcstat --ssl --user=Administrator --password=password -b default -p 11207
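
An added example, not part of the issue and not Couchbase's cbstats or mc_bin_client code: a minimal Python client showing the change the issue asks for, wrapping the socket in verified TLS before sending the same SASL PLAIN request that appears in the traceback. The function names and the `use_tls` and `cafile` parameters are assumptions of this example; the 24-byte header is the standard memcached binary protocol layout.

```python
import socket
import ssl
import struct

# Memcached binary protocol: 24-byte header, request/response magic, SASL auth opcode.
HEADER = struct.Struct(">BBHBBHIIQ")
REQ_MAGIC, RES_MAGIC, CMD_SASL_AUTH = 0x80, 0x81, 0x21

def build_sasl_plain(user, password, opaque=0):
    """Encode SASL PLAIN: key is the mechanism, value is authzid\\0user\\0password."""
    mech = b"PLAIN"
    data = b"\0".join([b"", user.encode(), password.encode()])
    head = HEADER.pack(REQ_MAGIC, CMD_SASL_AUTH, len(mech), 0, 0, 0,
                       len(mech) + len(data), opaque, 0)
    return head + mech + data

def parse_response_header(raw):
    """Return (opcode, status, body_len, opaque); reject non-memcached bytes."""
    magic, opcode, _, _, _, status, body_len, opaque, _ = HEADER.unpack(raw)
    if magic != RES_MAGIC:
        raise ValueError("unexpected magic 0x%02x (TLS/plaintext mismatch?)" % magic)
    return opcode, status, body_len, opaque

def connect(host, port, use_tls=False, cafile=None):
    """Open the connection; with use_tls, verify the server chain and hostname."""
    sock = socket.create_connection((host, port), timeout=10)
    if not use_tls:
        return sock  # plaintext: the mode that the ssl port resets in the traceback
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx.wrap_socket(sock, server_hostname=host)

def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def sasl_auth_plain(sock, user, password):
    """Authenticate over an already-connected (ideally TLS-wrapped) socket."""
    sock.sendall(build_sasl_plain(user, password, opaque=1))
    _, status, body_len, _ = parse_response_header(recv_exact(sock, HEADER.size))
    recv_exact(sock, body_len)  # drain the response body
    return status == 0
```

With `use_tls=True` the credentials only leave the client after the certificate chain and hostname have been verified, so `cafile` should point at the cluster's CA certificate rather than verification being disabled.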


            People

              owend Daniel Owen
              sumedh.basarkod Sumedh Basarkod (Inactive)