Description
What's the issue?
In 7.1.0 we introduced the ability to authenticate with the cluster using client certificate authentication (mTLS).
As part of this change, users could now supply either a username/password pair or mTLS-related flags (e.g. client cert/key).
Given that these flags are all used when we create a REST client, the natural home for this validation was our rest_initialiser decorator (source).
We missed the case where it's valid to not supply any credentials at all; this results in the false positive where flag validation kicks in, requiring the user to supply a username/password when it's not necessary.
What's the fix?
- We should add a condition to the initializer that allows certain sub-commands to not have any authentication flags provided.
- We should verify that we haven't made any new assumptions that at least one of these authentication methods will be provided.
- We should go through the supported commands and make sure that - where required - authentication flags are made optional.
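A minimal sketch of the validation the fix describes, added here as an illustration and not taken from couchbase-cli: the names `CREDENTIALS_OPTIONAL`, `validate_credentials` and `rest_initialiser_sketch` are hypothetical, and the `--client-cert`/`--client-key` flag names are assumed. Omitting every credential flag is accepted only for allowlisted sub-commands; everything else fails closed.

```python
import argparse
from functools import wraps

# Hypothetical allowlist: sub-commands that may run before any credentials exist.
CREDENTIALS_OPTIONAL = {"node-init"}

class CredentialError(ValueError):
    """Raised when the supplied authentication flags are inconsistent."""

def validate_credentials(opts, subcommand):
    """Return 'password', 'mtls' or 'none' for a valid flag combination."""
    password_flags = (opts.username, opts.password)
    mtls_flags = (opts.client_cert, opts.client_key)
    has_password, has_mtls = any(password_flags), any(mtls_flags)
    if has_password and has_mtls:
        raise CredentialError("use username/password or a client certificate, not both")
    if has_password:
        if not all(password_flags):
            raise CredentialError("--username and --password must be supplied together")
        return "password"
    if has_mtls:
        if not all(mtls_flags):
            raise CredentialError("--client-cert and --client-key must be supplied together")
        return "mtls"
    # Nothing supplied: valid only for allowlisted sub-commands, rejected otherwise.
    if subcommand in CREDENTIALS_OPTIONAL:
        return "none"
    raise CredentialError(f"{subcommand} requires username/password or a client certificate")

def rest_initialiser_sketch(subcommand):
    """Decorator that validates flags before the wrapped command builds a REST client."""
    def decorator(func):
        @wraps(func)
        def wrapper(opts):
            return func(opts, validate_credentials(opts, subcommand))
        return wrapper
    return decorator

@rest_initialiser_sketch("node-init")
def node_init(opts, auth_mode):
    return f"node-init using auth mode: {auth_mode}"

def parse(argv):
    """Parse only the authentication flags (constructed stand-in for the real CLI parser)."""
    parser = argparse.ArgumentParser()
    for flag in ("--username", "--password", "--client-cert", "--client-key"):
        parser.add_argument(flag)
    return parser.parse_args(argv)
```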
Is there a workaround?
Prior to the cluster being initialized, you can use placeholders for the username/password.
$ couchbase-cli node-init -c 172.20.1.1:8091 --node-init-data-path /opt/couchbase/var/lib/couchbase/data --node-init-index-path /opt/couchbase/var/lib/couchbase/data --node-init-eventing-path /opt/couchbase/var/lib/couchbase/data --node-init-analytics-path /opt/couchbase/var/lib/couchbase/data --node-init-hostname 127.0.0.1 --ipv4 --username asdf --password asdf
WARNING: Could not import cb_version, setting VERSION to 0.0.0-0000-community
SUCCESS: Node initialized
After the cluster has been initialized, the actual username/password must be supplied.
$ couchbase-cli node-init -c 172.20.1.1:8091 --node-init-data-path /opt/couchbase/var/lib/couchbase/data --node-init-index-path /opt/couchbase/var/lib/couchbase/data --node-init-eventing-path /opt/couchbase/var/lib/couchbase/data --node-init-analytics-path /opt/couchbase/var/lib/couchbase/data --node-init-hostname 127.0.0.1 --ipv4 --username Administrator --password asdasd
WARNING: Could not import cb_version, setting VERSION to 0.0.0-0000-community
SUCCESS: Node initialized
Affected sub-commands
- node-init