Description
The cbstats command accepts a "-a" argument to list stats for all buckets. It requires that you use _admin _admin for the bucketname and password, like this:
cbstats -a cluster-host:11210 all _admin _admin
This works now, regardless of whether cluster-host is localhost or some remote host. This seems to be a security bug, since sasl_auth for the bucket is ignored.
There's no secure replacement for this, though. One option would be to accept _admin _admin if the connection comes from localhost, but reject it otherwise. This would be more secure, but would make it harder to aggregate stats from multiple nodes.
Another option would be to have cbstats accept the Administrator user/pass, ask the REST API for auth info for the different buckets, and then use that info for sasl auth to memcached.
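The first option above (accept _admin only when the connection comes from localhost) depends on a loopback check that also handles IPv6 and IPv4-mapped peers on a dual-stack listener. The following is an added sketch, not code from memcached or Couchbase; the function names are hypothetical and the password check is not modelled.

```c
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical helper: true only for a loopback peer. In a server, pass the
 * address returned by getpeername() on the accepted socket, never a value
 * supplied by the client. */
bool peer_is_loopback(const struct sockaddr *sa)
{
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)sa;
        return (ntohl(in4->sin_addr.s_addr) >> 24) == 127;   /* 127.0.0.0/8 */
    }
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
        if (IN6_IS_ADDR_LOOPBACK(&in6->sin6_addr))            /* ::1 */
            return true;
        /* Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d, so the
         * embedded IPv4 address has to be checked as well. */
        if (IN6_IS_ADDR_V4MAPPED(&in6->sin6_addr))
            return in6->sin6_addr.s6_addr[12] == 127;
    }
    return false;   /* unknown address family: reject */
}

/* Hypothetical policy: the _admin identity is honoured only from loopback.
 * Any other user returns false here and takes the normal per-bucket SASL path. */
bool admin_login_allowed(const char *user, const struct sockaddr *peer)
{
    if (strcmp(user, "_admin") != 0)
        return false;
    return peer_is_loopback(peer);
}

/* Convenience wrapper for trying the policy with textual addresses
 * (constructed sample input, not a real connection). */
bool admin_allowed_from(const char *user, const char *ip)
{
    struct sockaddr_storage ss;
    memset(&ss, 0, sizeof ss);
    if (inet_pton(AF_INET, ip, &((struct sockaddr_in *)&ss)->sin_addr) == 1)
        ss.ss_family = AF_INET;
    else if (inet_pton(AF_INET6, ip, &((struct sockaddr_in6 *)&ss)->sin6_addr) == 1)
        ss.ss_family = AF_INET6;
    else
        return false;   /* unparsable address: reject */
    return admin_login_allowed(user, (const struct sockaddr *)&ss);
}
```

With this policy, aggregating stats from multiple nodes still needs real credentials for remote connections, which is the trade-off noted above.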