Details
- Bug
- Resolution: Fixed
- Major
- Morpheus, 7.0.6, 7.1.7, 7.2.6, 7.6.4
- Untriaged
- 0
- Unknown
Description
When a username is extracted from a client certificate, we don't check that the user exists. We need to add this check before stopping the matching process.
In other words, the current algorithm is:
1. We start from the first tuple in the list: (path, prefix, delimiter).
2. If we can extract the username from the certificate using that tuple, the authentication is successful and we return the extracted username.
3. If this is the last tuple, authentication has failed, stop.
4. Switch to the next tuple, and go to step 2.
We should modify it in the following way:
1. We start from the first tuple in the list: (path, prefix, delimiter).
2. If we can extract the username from the certificate using that tuple and that local user exists in couchbase-server, the authentication is successful and we return the extracted username.
3. If this is the last tuple, authentication has failed, stop.
4. Switch to the next tuple, and go to step 2.
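The two loops described above, side by side, as an added Python example (not ns_server code). The dict-based certificate model, the function names, the `user_exists` callback and the way prefix and delimiter are applied are assumptions of this example; the sample data is constructed.

```python
# Added illustration; not ns_server code. The certificate is modelled as a
# dict mapping a path (e.g. "san.email") to the values found at that path.

def extract(cert, path, prefix, delimiter):
    """Return the username this tuple yields from cert, or None."""
    for value in cert.get(path, []):
        if not value.startswith(prefix):
            continue
        rest = value[len(prefix):]
        # Assumption: the username ends at the first delimiter character.
        cut = min((i for i, ch in enumerate(rest) if ch in delimiter),
                  default=len(rest))
        if rest[:cut]:
            return rest[:cut]
    return None


def authenticate_current(cert, tuples):
    """Current algorithm: the first successful extraction stops matching."""
    for path, prefix, delimiter in tuples:
        user = extract(cert, path, prefix, delimiter)
        if user is not None:
            return user
    return None  # last tuple reached, authentication failed


def authenticate_proposed(cert, tuples, user_exists):
    """Proposed algorithm: a tuple matches only if the user exists locally."""
    for path, prefix, delimiter in tuples:
        user = extract(cert, path, prefix, delimiter)
        if user is not None and user_exists(user):
            return user
    return None  # last tuple reached, authentication failed


# Constructed sample data: the CN names a machine, the SAN e-mail names a user.
TUPLES = [("subject.cn", "", ""), ("san.email", "", "@")]
CERT = {"subject.cn": ["db-client-01"], "san.email": ["alice@example.com"]}
LOCAL_USERS = {"alice"}

if __name__ == "__main__":
    print("current :", authenticate_current(CERT, TUPLES))
    print("proposed:", authenticate_proposed(CERT, TUPLES, LOCAL_USERS.__contains__))
```

With this data the current loop stops at the first tuple and returns a name that has no local account, while the proposed loop moves on to the second tuple and returns the existing user.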
Issue Links
- causes: MB-63001 Client certificate authentication for cluster admin failing in 7.2.6/7.6.3 (Closed)
- is cloned by: MB-62945 [client certificate auth] Only mark the tuple a match if it contains an existing user (Resolved)
- relates to: MB-62945 [client certificate auth] Only mark the tuple a match if it contains an existing user (Resolved)
For Gerrit Dashboard: MB-62413

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 213324,4 | MB-62413: Only match cert user if exists locally | neo | ns_server | MERGED | +2 | +1 |
| 213388,2 | MB-62413: Merge branch 'couchbase/neo' into trinity | trinity | ns_server | ABANDONED | +2 | -1 |
| 213395,2 | MB-62413: fix test by mocking menelaus_users | neo | ns_server | MERGED | +2 | +1 |
| 213398,1 | MB-62413: Merge branch 'couchbase/neo' into trinity | trinity | ns_server | MERGED | +2 | +1 |
| 213434,1 | Merge branch 'couchbase/trinity' into cypher | cypher | ns_server | MERGED | +2 | +1 |
| 213435,1 | Merge branch 'couchbase/cypher' into master | master | ns_server | MERGED | +2 | +1 |
| 214263,2 | MB-62413: Merge branch 'couchbase/neo' into trinity | trinity | ns_server | ABANDONED | +2 | +1 |
| 214271,1 | MB-62413: fix cluster-tests client_certs | trinity | ns_server | ABANDONED | 0 | 0 |
| 214281,3 | MB-62413: [cluster_tests] Fix client cert ui login tests | trinity | ns_server | MERGED | +2 | +1 |
| 214315,1 | MB-62413: Merge trinity into cypher | cypher | ns_server | ABANDONED | 0 | 0 |
| 214321,2 | MB-62413: Merge branch 'cypher' into trinity | trinity | ns_server | ABANDONED | +2 | +1 |
| 214323,1 | MB-62413: Merge branch 'couchbase/neo' into trinity | trinity | ns_server | MERGED | +2 | +1 |
| 214328,2 | MB-62413: Merge branch 'couchbase/trinity' into cypher | cypher | ns_server | MERGED | +2 | +1 |
| 214338,2 | MB-62413: Merge branch 'cypher' into master | master | ns_server | MERGED | +2 | +1 |