MB-47905: Don't perform auth when client cert auth is used
... in dcp_proxy

+ make sure dcp streams are reestablished when client auth settings
change

Change-Id: Ibffc88785cf3f3291429db3a08b806db3aada2a9
Reviewed-on: https://review.couchbase.org/c/ns_server/+/173123
Well-Formed: Build Bot <build@couchbase.com>
Reviewed-by: Artem Stemkovski <artem@couchbase.com>
Tested-by: Timofey Barmin <timofey.barmin@couchbase.com>
timofey-barmin committed Apr 7, 2022
1 parent 067f101 commit 3573089
Showing 2 changed files with 11 additions and 3 deletions.
12 changes: 9 additions & 3 deletions src/dcp_proxy.erl
Expand Up @@ -251,9 +251,15 @@ connect(Type, ConnName, Node, Bucket, RepFeatures) ->
Password = ns_config:search_node_prop(Node, Cfg, memcached, admin_pass),

{ok, Sock} = connect_inner(Cfg, Node, RepFeatures),
ok = mc_client_binary:auth(Sock, {<<"PLAIN">>,
{list_to_binary(Username),
list_to_binary(Password)}}),

case proplists:get_bool(ssl, RepFeatures) andalso
proplists:get_bool(cert_auth, RepFeatures) andalso Node =/= node() of
true -> ok;
false ->
ok = mc_client_binary:auth(Sock, {<<"PLAIN">>,
{list_to_binary(Username),
list_to_binary(Password)}})
end,
ok = mc_client_binary:select_bucket(Sock, Bucket),

%% Negotiate XAttr and Snappy features if they are to be enabled.
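Review bot: The new `true -> ok` branch in connect/5 leaves the socket authenticated only by whatever connect_inner/3 negotiated, and nothing in the hunk explains why `Node =/= node()` is part of the condition or what replaces the PLAIN exchange. A short comment on the `case` would help, e.g. `%% Remote TLS connections are authenticated by the client certificate when cert auth is mandatory; all other connections still use PLAIN.` (the reason for the local-node exception is inferred here and should be stated by the author). Password is still read from ns_config at the top of the hunk even when this branch never uses it; moving the credential lookups into the `false` branch would keep the admin password out of the process on the certificate path. connect/5 starts and ends outside the hunk, so the Username lookup and the body of connect_inner/3 are not visible here.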
2 changes: 2 additions & 0 deletions src/dcp_sup.erl
Expand Up @@ -72,6 +72,7 @@ kill_replicator(Bucket, {ProducerNode, RepFeatures} = ChildId) ->
%% This could mean that the ongoing rebalance can fail and we are ok with that
%% as it can be restarted.
get_replication_features() ->
CertAuth = ns_ssl_services_setup:client_cert_auth_state() =:= "mandatory",
FeatureSet = [%% Unconditionally setting 'xattr' to true as xattr feature
%% must be negotiated by default in post-5.0 clusters.
{xattr, true},
Expand All @@ -85,6 +86,7 @@ get_replication_features() ->
%% versions are no longer supported.
{del_times, true},
{ssl, misc:should_cluster_data_be_encrypted()},
{cert_auth, CertAuth},
%% Unconditionally setting 'set_consumer_name' and
%% 'json' to true as features are negotiated starting
%% with the 6.5 release
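Review bot: `{cert_auth, CertAuth}` is the only entry in FeatureSet added without a comment, and it is the one with a security effect, since per the commit message it makes dcp_proxy skip password auth. Consider a comment such as `%% When client cert auth is mandatory the proxy relies on the TLS client certificate instead of PLAIN auth; a change here alters RepFeatures and so restarts the replicator.` (RepFeatures appears to be part of the child id, judging by kill_replicator/2 in the first hunk header). The comparison against the literal `"mandatory"` means any other value returned by client_cert_auth_state() selects password auth, which looks intended but is worth stating next to the assignment. The flag is also set independently of `ssl`, so toggling client cert auth would change RepFeatures even when cluster encryption is off and the proxy ignores it; `CertAuth = misc:should_cluster_data_be_encrypted() andalso ...` would avoid that if the restart is not wanted in that case. get_replication_features/0 continues past the second hunk.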
