Uploaded image for project: 'Couchbase Server'
  1. Couchbase Server
  2. MB-48318

[Mix Mode Cluster]bucket-name/sasl-password auth doesn't work

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.0.2
    • Fix Version/s: Neo
    • Component/s: ns_server, query
    • Labels:
    • Environment:
      Tested on Mixed mode cluster with 7.0.2 build 6635 and 6.6.4 build 9904

      Description

      Loaded travel-sample bucket and executed query: "Select * from `travel-sample`limit 20;"

      And error observed as :"msg": "Primary index def_primary not online.",

      Where on Index page , travel-sample indexes are on created state not on ready state.

      When checked in logs, error observed as:

      Loading sample bucket travel-sample failed. Samples loader exited with status 1. Loader's output was: 2021/09/03 02:25:05 Creating `travel-sample` bucket 2021/09/03 02:25:26 Bucket `travel-sample` created 2021/09/03 02:25:27 Reading index definitions from travel-sample/design_docs/indexes.json 2021/09/03 02:25:43 ERRO: [13014] User does not have credentials to run index operations. Add role query_manage_index on default:travel-sample to allow the query to run. – docloader.(*jsonSampleImporter).Queries() at sample_importer.go:210 2021/09/03 02:25:47 ERRO: [13014] User does not have credentials to run index operations. Add role query_manage_index on default:travel-sample to allow the query to run. – docloader.(*jsonSampleImporter).Queries() at sample_importer.go:210 2021/09/03 02:25:47 ERRO: [13014] User does not have credentials to run index operations. Add role query_manage_index on default:travel-sample to allow the query to run. – docloader.(*jsonSampleImporter).Queries() at sample_importer.go:210 2021/09/03 02:25:47 ERRO: [13014] User does not have credentials to run index operations. Add role query_manage_index on default:travel-sample to allow the query to run. – docloader.(*jsonSampleImporter).Queries() at sample_importer.go:210 2021/09/03 02:25:47 ERRO: [13014] User does not have credentials to run index operations. Add role query_manage_index on default:travel-sample to allow the query to run. – docloader.(*jsonSampleImporter).Queries() at sample_importer.go:210 2021/09/03 02:25:47 ERRO: [5000] GSI index def_city not found. – docloader.(*jsonSampleImporter).Queries() at sample_importer.go:210 2021/09/03 02:25:47 Loading data into the travel-sample bucket Errors occurred during the index creation phase. See logs for details. 2021/09/03 02:29:07 Loaded 31591 items into the travel-sample bucket

       

       

       

        Attachments

          Issue Links

          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

            Activity

            Hide
            steve.watanabe Steve Watanabe added a comment - - edited

            It was this change that broke the bucket authentication http://review.couchbase.org/c/ns_server/+/155065. With a proposed fix on a mixed 6.x and 7.x cluster the checkPermissions works on both nodes

            $ curl -s -u travel-sample:1383eed528df9da6b19a19048c446925 http://127.0.0.1:9000/pools/default/checkPermissions -d 'cluster.bucket[travel-sample].n1ql.index.!write'
            {"cluster.bucket[travel-sample].n1ql.index.!write":true}
             
            $ curl -s -u travel-sample:1383eed528df9da6b19a19048c446925 http://127.0.0.1:9001/pools/default/checkPermissions -d 'cluster.bucket[travel-sample].n1ql.index.!write'
            {"cluster.bucket[travel-sample].n1ql.index.!write":true}
            

            and creating the indexes from each node works

            $ curl -u travel-sample:1383eed528df9da6b19a19048c446925 http://127.0.0.1:9498/query/service -d 'statement=CREATE PRIMARY INDEX def_primary on `travel-sample` USING GSI WITH {"defer_build":true}'
            {
            "requestID": "fad28665-e6b0-4274-af95-3b40358bc17a",
            "signature": null,
            "results": [
            ],
            "status": "success",
            "metrics": {"elapsedTime": "209.537853ms","executionTime": "209.499171ms","resultCount": 0,"resultSize": 0,"serviceLoad": 2}
            }
            

            Drop the def_primary index using the UI and then

            $ curl -u travel-sample:1383eed528df9da6b19a19048c446925 http://127.0.0.1:9499/query/service -d 'statement=CREATE PRIMARY INDEX def_primary on `travel-sample` USING GSI WITH {"defer_build":true}'
            {
            "requestID": "0c3f88ef-ff0d-42af-b09d-cb7cbdd610d9",
            "signature": null,
            "results": [
            ],
            "status": "success",
            "metrics": {"elapsedTime": "785.437588ms","executionTime": "785.387024ms","resultCount": 0,"resultSize": 0}
            }
            

            One thing...I'm unable to delete the def_primary index from the UI on the 7.x node logged in as Administrator and see this

            Show
            steve.watanabe Steve Watanabe added a comment - - edited It was this change that broke the bucket authentication http://review.couchbase.org/c/ns_server/+/155065 . With a proposed fix on a mixed 6.x and 7.x cluster the checkPermissions works on both nodes $ curl -s -u travel-sample:1383eed528df9da6b19a19048c446925 http://127.0.0.1:9000/pools/default/checkPermissions -d 'cluster.bucket[travel-sample].n1ql.index.!write' {"cluster.bucket[travel-sample].n1ql.index.!write":true}   $ curl -s -u travel-sample:1383eed528df9da6b19a19048c446925 http://127.0.0.1:9001/pools/default/checkPermissions -d 'cluster.bucket[travel-sample].n1ql.index.!write' {"cluster.bucket[travel-sample].n1ql.index.!write":true} and creating the indexes from each node works $ curl -u travel-sample:1383eed528df9da6b19a19048c446925 http://127.0.0.1:9498/query/service -d 'statement=CREATE PRIMARY INDEX def_primary on `travel-sample` USING GSI WITH {"defer_build":true}' { "requestID": "fad28665-e6b0-4274-af95-3b40358bc17a", "signature": null, "results": [ ], "status": "success", "metrics": {"elapsedTime": "209.537853ms","executionTime": "209.499171ms","resultCount": 0,"resultSize": 0,"serviceLoad": 2} } Drop the def_primary index using the UI and then $ curl -u travel-sample:1383eed528df9da6b19a19048c446925 http://127.0.0.1:9499/query/service -d 'statement=CREATE PRIMARY INDEX def_primary on `travel-sample` USING GSI WITH {"defer_build":true}' { "requestID": "0c3f88ef-ff0d-42af-b09d-cb7cbdd610d9", "signature": null, "results": [ ], "status": "success", "metrics": {"elapsedTime": "785.437588ms","executionTime": "785.387024ms","resultCount": 0,"resultSize": 0} } One thing...I'm unable to delete the def_primary index from the UI on the 7.x node logged in as Administrator and see this
            Hide
            steve.watanabe Steve Watanabe added a comment -

            James Lee Is the observed inability to drop the index from the 7.x node a known issue? I'm guessing it's a separate issue from that tracked via this ticket.

            Show
            steve.watanabe Steve Watanabe added a comment - James Lee Is the observed inability to drop the index from the 7.x node a known issue? I'm guessing it's a separate issue from that tracked via this ticket.
            Hide
            james.lee James Lee added a comment -

            Steve Watanabe other that you highlighting it above, I'd not heard of this issue before; it sounds like a separate issue.

            Show
            james.lee James Lee added a comment - Steve Watanabe other that you highlighting it above, I'd not heard of this issue before; it sounds like a separate issue.
            Hide
            steve.watanabe Steve Watanabe added a comment -

            Recipe to test fix

            • configure 6.x node with kv, index
            • load travel-sample bucket
            • add/rebalance in a 7.1 node which as the fix for this ticket with kv, index
            • get the bucket password

              {ok,[{uuid,<<"1bd43395cac8461b9be67e969075acd2">>},
                   {auth_type,sasl},
                   {replica_index,true},
              <snip>
                   {sasl_password,"8686fb3be3d6f0c3982510f9ff53c2fb"},
              

            • Issue a curl command using the bucket-name/sasl-password against the 7.1 node. It will succeed and return results.

              $ curl -u travel-sample:8686fb3be3d6f0c3982510f9ff53c2fb localhost:9001/pools/default
              

            • From the 7.1 UI, rebalance out/remove the 6.x node
            • Issue the same curl command as above and it will now fail with 401 Unauthorized

            Once the cluster compat mode is bumped to 7.0 (which occurs when all nodes in the cluster are upgraded to 7.0 or later), the bucket-name/sasl-password authentication is no longer allowed.

            Show
            steve.watanabe Steve Watanabe added a comment - Recipe to test fix configure 6.x node with kv, index load travel-sample bucket add/rebalance in a 7.1 node which as the fix for this ticket with kv, index get the bucket password {ok,[{uuid,<<"1bd43395cac8461b9be67e969075acd2">>}, {auth_type,sasl}, {replica_index,true}, <snip> {sasl_password,"8686fb3be3d6f0c3982510f9ff53c2fb"}, Issue a curl command using the bucket-name/sasl-password against the 7.1 node. It will succeed and return results. $ curl -u travel-sample:8686fb3be3d6f0c3982510f9ff53c2fb localhost:9001/pools/default From the 7.1 UI, rebalance out/remove the 6.x node Issue the same curl command as above and it will now fail with 401 Unauthorized Once the cluster compat mode is bumped to 7.0 (which occurs when all nodes in the cluster are upgraded to 7.0 or later), the bucket-name/sasl-password authentication is no longer allowed.
            Hide
            build-team Couchbase Build Team added a comment -

            Build couchbase-server-7.1.0-1296 contains ns_server commit 239cb91 with commit message:
            MB-48318 Bucket authentication for mixed versions

            Show
            build-team Couchbase Build Team added a comment - Build couchbase-server-7.1.0-1296 contains ns_server commit 239cb91 with commit message: MB-48318 Bucket authentication for mixed versions

              People

              Assignee:
              steve.watanabe Steve Watanabe
              Reporter:
              deepika.verma Deepika Verma
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Gerrit Reviews

                  There are no open Gerrit changes

                    PagerDuty