Couchbase Server / MB-63336

Client certificates are not working for node-2-node encryption


Details

    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • Morpheus
    • memcached
    • None
    • Untriaged
    • 0
    • Unknown

    Description

      The cluster has been configured to require a client certificate for authentication. The context is that the conflict logging feature in XDCR needs to write to designated buckets called conflict buckets. So a single node needs to connect to all KV nodes in an encrypted manner.

      The client certs which are passed as CLI arguments to goxdcr are used to authenticate with memcached nodes. As I understand, these certs are meant for node-2-node encryption, which has a SAN with the internal user. Following is the cert info at the path $SRC/ns_server/data/n_1/config/certs/client_chain.pem:

      openssl x509 -in /Users/sudeepjathar/cb/clog/ns_server/data/n_1/config/certs/client_chain.pem -text
       
      ...
                  X509v3 Subject Alternative Name:
                      email:internal@internal.couchbase.com
      ...

      When used, this results in an authorization issue (select_bucket failed - No access), as shown below (from the memcached log):

      2024-08-28T15:52:04.137417+01:00 INFO 4: Client {"ip":"127.0.0.1","port":60100} using cipher 'TLS_AES_256_GCM_SHA384' authenticated as '@internal' via X.509 certificate
      2024-08-28T15:52:04.137937+01:00 INFO 4: select_bucket failed - No access. {"cid":"127.0.0.1:60100/0","connection":"[ {"ip":"127.0.0.1","port":60100} - {"ip":"127.0.0.1","port":11994} (System, @internal) ]","bucket":"B1"}
      2024-08-28T15:52:04.138159+01:00 WARNING 4 - Client [ {"ip":"127.0.0.1","port":60100} - {"ip":"127.0.0.1","port":11994} (System, @internal) ] not aware of extended error code (no access). Disconnecting

      In this case, cbauth's user/password was not used, as the understanding is that it is not needed when using client certs.

      So the questions are:

      1. When using client certs, do we still need to use cbauth's creds? I can confirm that client certs + cbauth's creds work.
      2. If not, then shouldn't the internal user '@internal' have appropriate permissions?
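A log check for the symptom described above, added here as an example and not part of the ticket or of Couchbase's own code: it correlates memcached's X.509 authentication line with a later select_bucket denial on the same client address, so an operator can see which certificate-derived principal is being refused and for which bucket. The sample log is constructed from the three lines quoted in the description; the log format is assumed to be exactly what those lines show.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample, copied from the shape of the memcached log lines in this ticket.
const sampleLog = `2024-08-28T15:52:04.137417+01:00 INFO 4: Client {"ip":"127.0.0.1","port":60100} using cipher 'TLS_AES_256_GCM_SHA384' authenticated as '@internal' via X.509 certificate
2024-08-28T15:52:04.137937+01:00 INFO 4: select_bucket failed - No access. {"cid":"127.0.0.1:60100/0","connection":"[ {"ip":"127.0.0.1","port":60100} - {"ip":"127.0.0.1","port":11994} (System, @internal) ]","bucket":"B1"}
2024-08-28T15:52:04.138159+01:00 WARNING 4 - Client [ {"ip":"127.0.0.1","port":60100} - {"ip":"127.0.0.1","port":11994} (System, @internal) ] not aware of extended error code (no access). Disconnecting`

// Finding records a connection that authenticated with a client certificate
// but was then denied select_bucket.
type Finding struct {
	Client, Principal, Bucket string
}

var (
	// "Client {ip,port} ... authenticated as '<principal>' via X.509 certificate"
	authRe = regexp.MustCompile(`Client \{"ip":"([^"]+)","port":(\d+)\} .*authenticated as '([^']+)' via X\.509 certificate`)
	// "select_bucket failed - No access. {"cid":"<ip:port>/<n>", ... "bucket":"<name>"}"
	denyRe = regexp.MustCompile(`select_bucket failed - No access\. \{"cid":"([^/"]+)/\d+".*"bucket":"([^"]+)"\}`)
)

// CertAuthDenials walks the log in order, remembers which principal each
// client address authenticated as via X.509, and reports every later
// select_bucket denial for that same address.
func CertAuthDenials(log string) []Finding {
	principals := map[string]string{} // client "ip:port" -> authenticated principal
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		if m := authRe.FindStringSubmatch(line); m != nil {
			principals[m[1]+":"+m[2]] = m[3]
			continue
		}
		if m := denyRe.FindStringSubmatch(line); m != nil {
			if p, ok := principals[m[1]]; ok {
				out = append(out, Finding{Client: m[1], Principal: p, Bucket: m[2]})
			}
		}
	}
	return out
}

func main() {
	for _, f := range CertAuthDenials(sampleLog) {
		fmt.Printf("%s authenticated by certificate as %q but has no access to bucket %q\n", f.Client, f.Principal, f.Bucket)
	}
}
```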

      People

        sudeep.jathar Sudeep Jathar