  1. Couchbase Server
  2. MB-50078

[BP 6.6.5] Enforce TLS: Established plaintext connections are not closed when plaintext listening socket is closed

Details

    Description

      Build - 7.0.1 - 5962

      STEPS

      1. Create and deploy eventing handler.
      2. Push docs to src bucket, mutations are processed.
      3. Enforce TLS.
      4. Push some more docs to src bucket.
        Mutations are getting processed which is unexpected behaviour.

      EXPECTED BEHAVIOUR
      Try pushing some new documents to the source bucket. Expectation: The eventing handler will not be able to process those mutations, as memcached has now restricted its plaintext connections to localhost if enforce TLS has been enabled.
      (As per specification document mentioned below)

      SPECIFICATION - https://docs.google.com/document/d/1mm9xHvWsBeL0n3CpWmzOquttf71ogjImywNHNE9zVTk/

      From Abhishek Jindal

      Hi Sujay, this is a KV issue. The problem here is that we / any DCP consumer or application expect KV to shut down all non-TLS client connections to the non-TLS port. However, in this case, from netstat I see KV still has these connections open. Please feel free to open up a bug and assign it to KV.
      Because, if we think of it like this: say you have an application / CB SDK running outside the cluster on non-TLS. Now we switch over from enforce TLS.
      We won't expect that application to automatically close out the connection and initiate on TLS. The user should face a disruption in service due to the Data node closing out the non-TLS connections.
      The same is true for eventing (thinking of it as an application consuming from KV).
      Hence, we expect KV to close all ESTABLISHED connections, hence preventing any further mutations from being streamed.
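
      The netstat check described above can be scripted. The following is an added example, not part of the original ticket or of Couchbase's code: it scans netstat-style output taken on a Data node and reports ESTABLISHED connections on the plaintext KV port whose peer is not loopback. The port number 11210, the function names and the sample lines are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of `netstat -tn` output from a Data node; all
# addresses and ports below are illustrative, not taken from the ticket.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:11210          10.0.0.9:51544          ESTABLISHED
tcp        0      0 127.0.0.1:11210         127.0.0.1:40112         ESTABLISHED
tcp        0      0 10.0.0.5:11207          10.0.0.9:51990          ESTABLISHED
tcp        0      0 10.0.0.5:11210          10.0.0.7:38822          TIME_WAIT
tcp6       0      0 ::1:11210               ::1:40200               ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:11210   ::ffff:10.0.0.8:45010   ESTABLISHED
"""


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 hosts stay intact."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and IPv4-mapped loopback addresses."""
    addr = ipaddress.ip_address(host)
    mapped = getattr(addr, "ipv4_mapped", None)  # only set on IPv6 addresses
    return (mapped or addr).is_loopback


def lingering_plaintext(netstat_text, plaintext_port=11210):
    """Return (local, peer) pairs that should not survive TLS enforcement.

    plaintext_port defaults to 11210, assumed here to be the non-TLS KV port.
    """
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header or unrelated line
        local, peer, state = fields[3], fields[4], fields[5]
        if state != "ESTABLISHED":
            continue
        _, local_port = split_endpoint(local)
        peer_host, _ = split_endpoint(peer)
        if local_port == plaintext_port and not is_loopback(peer_host):
            findings.append((local, peer))
    return findings


if __name__ == "__main__":
    for local, peer in lingering_plaintext(SAMPLE_NETSTAT):
        print(f"plaintext connection still open: {peer} -> {local}")
```

      Run after step 3 of the reproduction, an empty result matches the expected behaviour; any reported pair is a plaintext client connection that was not closed.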

       


          Activity

            ritam.sharma Ritam Sharma added a comment - Daniel Owen - Is there an ETA available for this ticket?

            build-team Couchbase Build Team added a comment - Build couchbase-server-6.6.5-10068 contains kv_engine commit c7ce4bf with commit message: MB-50078: BP of MB-47707 - Enforce TLS
            sujay.gad Sujay Gad added a comment -

            Verified on 6.6.5-10070

            build-team Couchbase Build Team added a comment - Build couchbase-server-7.1.0-2020 contains kv_engine commit c7ce4bf with commit message: MB-50078: BP of MB-47707 - Enforce TLS

            build-team Couchbase Build Team added a comment - Build couchbase-server-7.0.4-7208 contains kv_engine commit c7ce4bf with commit message: MB-50078: BP of MB-47707 - Enforce TLS

            People

              sujay.gad Sujay Gad
              sujay.gad Sujay Gad