  1. Couchbase Python Client Library
  2. PYCBC-702

Python SDK mistakenly throwing MixedAuthError error, expecting certificate-based authentication, when trying to use username/password authentication over SSL


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 2.5.11
    • None
    • None
    • 1

    Description

      Back in the day, before certificate-based authentication was introduced, users were able to do "normal/standard/traditional" username/password authentication over SSL. This would be done with something like:

      from couchbase.cluster import Cluster
      from couchbase.cluster import PasswordAuthenticator
       
      cluster = Cluster('couchbases://localhost?certpath=/home/vagrant/cbcert.pem')
      authenticator = PasswordAuthenticator('david', 'password')
      cluster.authenticate(authenticator)
      cb = cluster.open_bucket('BUCKET_NAME')
      

      This is documented in https://docs.couchbase.com/python-sdk/current/managing-connections.html#ssl

      But with the introduction of certificate-based authentication, the Python SDK now (mistakenly) expects that when you pass “certpath”, you need to use the CertAuthenticator. You would receive something like:

      raise MixedAuthError(str(self.critical_complaints))
      couchbase.cluster.MixedAuthError: <["clashing params: got authenticator type PasswordAuthenticator but parameters defaultdict(None, {'connstr': set(['certpath'])}) overlap on CertAuthenticator"]>
      

      But this should not happen because for certificate based (“passwordless”) authentication, you need two additional parameters “truststorepath” and “keypath” ... you also need to create the client certificates and set up the cluster to accept certificate based auth.

      It seems that the Python SDK now does not allow you to do “traditional” username/password based auth over SSL.

      The workaround is doing something like this:

      from couchbase.bucket import Bucket
      connstr='couchbases://localhost/{}?certpath=/home/vagrant/cbcert.pem'
      credentials=dict(username='david',password='password')
      cb = Bucket(connstr.format('BUCKET_NAME'),**credentials)
      

      But I think it is worth looking into it and fixing.

      I have only tested in 2.5.7, but this likely affects all versions since the implementation of certificate-based authentication, likely since PYCBC-453.
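The distinction the report draws, between a `certpath` that only lets the client verify the server and the extra parameters that signal client-certificate auth, can be expressed as a connection-string check. This is an added example, not part of the original report and not the SDK's code or its fix; `check_auth`, `classify_connstr` and `AuthConfigError` are hypothetical names, and the rule that certificate auth needs both `truststorepath` and `keypath` is taken from the report's description.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption taken from the report: certpath alone only verifies the server;
# certificate ("passwordless") auth also needs truststorepath and keypath.
CLIENT_CERT_PARAMS = frozenset({"truststorepath", "keypath"})


class AuthConfigError(ValueError):
    """Hypothetical error for this example; not the SDK's MixedAuthError."""


def classify_connstr(connstr):
    """Return (uses_tls, has_certpath, client_cert_params_present)."""
    parts = urlsplit(connstr)
    names = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    return parts.scheme == "couchbases", "certpath" in names, names & CLIENT_CERT_PARAMS


def check_auth(connstr, auth_kind):
    """Check auth_kind ('password' or 'cert') against the connection string."""
    uses_tls, has_certpath, client = classify_connstr(connstr)
    if auth_kind == "password":
        # Only client-certificate parameters clash with a password;
        # certpath is just the trust anchor for the server's certificate.
        if client:
            raise AuthConfigError("password auth clashes with %s" % sorted(client))
        return "password-over-tls" if uses_tls else "password-plaintext"
    if auth_kind == "cert":
        missing = CLIENT_CERT_PARAMS - client
        if not uses_tls:
            raise AuthConfigError("certificate auth requires couchbases://")
        if not has_certpath or missing:
            need = sorted(missing | (set() if has_certpath else {"certpath"}))
            raise AuthConfigError("certificate auth is missing %s" % need)
        return "client-certificate"
    raise AuthConfigError("unknown auth kind %r" % auth_kind)


if __name__ == "__main__":
    # Constructed connection strings; only cbcert.pem appears in the report.
    base = "couchbases://localhost?certpath=/home/vagrant/cbcert.pem"
    print(check_auth(base, "password"))
    print(check_auth(base + "&truststorepath=/tmp/ts.pem&keypath=/tmp/k.key", "cert"))
```

The `password-plaintext` result is returned rather than rejected so that a deployment check can flag credentials sent over `couchbase://` separately from parameter clashes.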


        Activity

          david.saadeh David Saadeh (Inactive) created issue -
          Ellis.Breen Ellis Breen made changes -
          Field Original Value New Value
          Status New [ 10003 ] Open [ 1 ]
          Ellis.Breen Ellis Breen made changes -
          Fix Version/s 2.5.10 [ 16322 ]
          david.saadeh David Saadeh (Inactive) made changes -
          Description
          Ellis.Breen Ellis Breen made changes -
          Fix Version/s 2.5.11 [ 16643 ]
          Fix Version/s 2.5.10 [ 16322 ]
          Ellis.Breen Ellis Breen made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          Ellis.Breen Ellis Breen made changes -
          Resolution Fixed [ 1 ]
          Status In Progress [ 3 ] Resolved [ 5 ]
          brett19 Brett Lawson made changes -
          Story Points 1

          People

            Ellis.Breen Ellis Breen
            david.saadeh David Saadeh (Inactive)