Details
- Bug
- Resolution: Fixed
- Critical
- 7.0.2, 7.1.0
- None
- Triaged
- Centos 64-bit
- 1
- No
- KV-Engine Sprint 2021 August
Description
Build - 7.0.1 - 5962
STEPS
- Create and deploy eventing handler.
- Push docs to src bucket, mutations are processed.
- Enforce tls.
- Push some more docs to src bucket.
Mutations are getting processed which is unexpected behaviour.
EXPECTED BEHAVIOUR
Try pushing some new documents to the source bucket. Expectation: The eventing handler will not be able to process those mutations, as memcached has now restricted its plain text connections to localhost if enforce TLS has been enabled.
(As per specification document mentioned below)
SPECIFICATION - https://docs.google.com/document/d/1mm9xHvWsBeL0n3CpWmzOquttf71ogjImywNHNE9zVTk/
From Abhishek Jindal
Hi Sujay, this is a KV issue. The problem here is that we / any DCP consumer or application expects KV to shut down all non-TLS client connections to the non-TLS port. However, in this case, from netstat I see KV still has these connections open. Please feel free to open up a bug and assign it to KV.
Because, if we think like this - Say you have an application / CB SDK running outside the cluster running on non-TLS. Now we switch over from enforce TLS.
We won't expect that application to automatically close out the connection and initiate on TLS. The user should face a disruption in service due to the Data node closing out the non-TLS connections.
The same is true of eventing (thinking of it as an application consuming from KV).
Hence, we expect KV to close all ESTABLISHED connections hence preventing any further mutations from being streamed.
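One way to check a data node for the condition reported here, as an added example (not Couchbase code and not part of the ticket): it scans `netstat -tn` style output for ESTABLISHED connections on the plaintext data port whose peer is not loopback. Port 11210 as the non-TLS data port is an assumption, and the sample output is constructed.

```python
import ipaddress

PLAINTEXT_KV_PORT = 11210  # assumption: default non-TLS data port

# Constructed sample of `netstat -tn` output on a data node (not from the ticket).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:11210         127.0.0.1:48122         ESTABLISHED
tcp        0      0 10.0.0.11:11210         10.0.0.12:51544         ESTABLISHED
tcp        0      0 10.0.0.11:11207         10.0.0.12:51990         ESTABLISHED
tcp        0      0 10.0.0.11:11210         10.0.0.40:40210         TIME_WAIT
tcp6       0      0 ::1:11210               ::1:39004               ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.11:11210  ::ffff:10.0.0.13:42318  ESTABLISHED
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 literals survive."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def is_loopback(host):
    """Treat IPv4-mapped IPv6 (::ffff:127.0.0.1) like its IPv4 form."""
    addr = ipaddress.ip_address(host)
    mapped = getattr(addr, "ipv4_mapped", None)
    return (mapped or addr).is_loopback

def lingering_plaintext_peers(netstat_text, port=PLAINTEXT_KV_PORT):
    """Return (peer_ip, peer_port) for each established non-loopback
    connection to the plaintext port; expected empty once TLS is enforced."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header or non-TCP line
        if fields[5] != "ESTABLISHED":
            continue  # LISTEN, TIME_WAIT etc. are not live streams
        try:
            _, local_port = split_endpoint(fields[3])
            peer_host, peer_port = split_endpoint(fields[4])
            if local_port == port and not is_loopback(peer_host):
                findings.append((peer_host, peer_port))
        except ValueError:
            continue  # unparseable address or port
    return findings

if __name__ == "__main__":
    for host, peer_port in lingering_plaintext_peers(SAMPLE_NETSTAT):
        print(f"plaintext connection still established from {host}:{peer_port}")
```

Run after enabling enforce TLS, any result means an existing plaintext client can still stream mutations.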
Issue Links
- backports to: MB-50078 [BP 6.6.5] Enforce TLS: Established plaintext connections are not closed when plaintext listening socket is closed (Closed)