Details
-
Bug
-
Resolution: Fixed
-
Major
-
None
-
None
-
None
-
1
Description
Back in the days, before introducing certificate based authentication, users were able to do a "normal/standard/traditional" username/password over SSL authentication. This would be done with something like:
from couchbase.cluster import Cluster |
from couchbase.cluster import PasswordAuthenticator |
|
cluster = Cluster('couchbases://localhost?certpath=/home/vagrant/cbcert.pem') |
authenticator = PasswordAuthenticator('david', 'password') |
cluster.authenticate(authenticator)
|
cb = cluster.open_bucket('BUCKET_NAME') |
This is documented in https://docs.couchbase.com/python-sdk/current/managing-connections.html#ssl
But with the introduction of certificate based authentication, the Python SDK now (mistakenly) expects that when you pass “certpath”, that you need to use the CertAuthenticator. You would receive something like:
raise MixedAuthError(str(self.critical_complaints)) |
couchbase.cluster.MixedAuthError: <["clashing params: got authenticator type PasswordAuthenticator but parameters defaultdict(None, {'connstr': set(['certpath'])}) overlap on CertAuthenticator"]> |
But this should not happen because for certificate based (“passwordless”) authentication, you need two additional parameters “truststorepath” and “keypath” ... you also need to create the client certificates and set up the cluster to accept certificate based auth.
It seems that the Python SDK now does not allow you to do “traditional” username/password based auth over SSL.
The workaround is doing something like this:
from couchbase.bucket import Bucket |
connstr='couchbases://localhost/{}?certpath=/home/vagrant/cbcert.pem' |
credentials=dict(username='david',password='password') |
cb = Bucket(connstr.format('BUCKET_NAME'),**credentials) |
But I think it is worth looking into it and fixing.
I have only tested in 2.5.7, but this likely affect all versions since the implementation of certificate based authentication, likely since PYCBC-453