Uploaded image for project: 'Couchbase Server'
  1. Couchbase Server
  2. MB-9928

XDCR-SSL : uni-xdcr - if remote cluster's certificate changes, existing replication(s) simply stops + no clarity on how to trace the source clusters for certificate updation

    XMLWordPrintable

Details

    • Bug
    • Resolution: Duplicate
    • Critical
    • 3.0
    • 2.5.0
    • ns_server
    • Security Level: Public
    • None
    • all platforms

    Description

      Scenario
      -------------

      Let's assume uni-xdcr for:
      cluster A -----> cluster E
      cluster B -----> cluster E
      cluster C -----> cluster E

      Now we add cluster D -->cluster E. While doing so, the inbound xdcr for E info is not available on GUI(not sure if we have REST API call). If the user regenerates the cluster certificate for E, all replications from A,B,C will fail/stop with the not-so-useful replication errors :[Vb Rep] Error replicating vbucket <nnn>. Please see logs for details.
      In this case,
      1. cluster admins of A,B,C will have no clue why replication suddenly stopped - no indication even in xdcr log.
      2. user who regenerated E's certificate will not know which other cluster(s) to update(with E's new certificate).

      The above is an exaggerated version of my test scenario, a simple A->B. B's certificate changes, replication simply stops as detailed above. Attaching screenshots.

      Expectation
      ----------------
      Although adding a meaningful error message would tell the admins of A,B,C that replication failed due to an external error, I'm more concerned about the case where the user regenerating E's certificate, would not even know which other clusters to update with it. What's the recommended solution?

      Maybe add inbound xdcr info for a cluster on GUI/API/CLI as warning while trying to regenerate its certificate?

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MB-10041 there are no error/message on source cluster if ssl sertificate was regenerated on destination

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. MB-9941 Errors in XDCR need to be informative

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Task - A task that needs to be done. MB-9940 2.5 Release Note - XDCR-SSL : when updating certificate, need to update in both source and dest

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

              alkondratenko Aleksey Kondratenko (Inactive)
              apiravi Aruna Piravi (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes

                  PagerDuty