[client certificate auth] Only mark the tuple a match if it contains an existing user

Description

When a username is extracted from a client certificate, we don't check that the user exists. We need to add this check before stopping the matching process.
In other words, the current algorithm is:

1. We start from the first tuple in the list: (path, prefix, delimiter).
2. If we can extract the username from the certificate using that tuple, the authentication is successful and we return the extracted username.
3. If this is the last tuple, authentication has failed, stop.
4. Switch to the next tuple, and go to step 2.

We should modify it in the following way:

1. We start from the first tuple in the list: (path, prefix, delimiter).
2. If we can extract the username from the certificate using that tuple and that local user exists in couchbase-server, the authentication is successful and we return the extracted username.
3. If this is the last tuple, authentication has failed, stop.
4. Switch to the next tuple, and go to step 2.
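
The two procedures side by side, as an added Python model that is not ns_server code. The certificate field names, the sample certificate, the user set and the extraction rule (strip the prefix, cut at the first delimiter character) are assumptions made for illustration.

```python
# Added illustration: simplified model of the tuple matching described above.
# CERT, TUPLES and LOCAL_USERS are constructed sample data, not ns_server code.

def extract(values, prefix, delimiters):
    """Return a candidate username from the certificate field values, or None."""
    for value in values:
        if not value.startswith(prefix):
            continue
        rest = value[len(prefix):]
        # Cut at the first delimiter character; keep everything if none occurs.
        cut = min((i for i, ch in enumerate(rest) if ch in delimiters),
                  default=len(rest))
        if rest[:cut]:
            return rest[:cut]
    return None

def match_current(cert, tuples):
    """Current algorithm: the first tuple that yields a username ends matching."""
    for path, prefix, delimiters in tuples:
        name = extract(cert.get(path, []), prefix, delimiters)
        if name is not None:
            return name  # returned even if no such local user exists
    return None

def match_proposed(cert, tuples, user_exists):
    """Proposed algorithm: a tuple matches only if the extracted user exists."""
    for path, prefix, delimiters in tuples:
        name = extract(cert.get(path, []), prefix, delimiters)
        if name is not None and user_exists(name):
            return name
    return None  # last tuple reached without an existing user

# Constructed certificate: the CN is a host name, the SAN e-mail names the user.
CERT = {"subject.cn": ["host-17.example.com"],
        "san.email": ["alice@example.com"]}
TUPLES = [("subject.cn", "", "."), ("san.email", "", "@")]
LOCAL_USERS = {"alice"}

if __name__ == "__main__":
    print("current: ", match_current(CERT, TUPLES))
    print("proposed:", match_proposed(CERT, TUPLES, LOCAL_USERS.__contains__))
```

With this sample data the current algorithm stops at the first tuple and returns a name that has no local user, while the proposed one moves on to the second tuple.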

Activity

CB robot February 25, 2025 at 2:17 AM

Build couchbase-columnar-1.2.0-1009 contains ns_server commit 07b30b9 with commit message:
MB-62413: Merge branch 'couchbase/trinity' into cypher

CB robot February 25, 2025 at 2:17 AM

Build couchbase-columnar-1.2.0-1009 contains ns_server commit 5d43793 with commit message:
MB-62413: Merge branch 'cypher' into master

Nirvair Bhinder January 7, 2025 at 8:10 PM

Please disregard my question below. I see that it was answered months ago by Timofey.

Nirvair Bhinder January 7, 2025 at 8:03 PM

Hi, I see very specific versions listed as affected here. Can you please confirm that this issue impacts only those?

Timofey Barmin December 9, 2024 at 7:14 PM

Sorry I am confused. Is that two options or one?

It is hard for me to phrase it in one sentence. If that’s a requirement, then I think your descriptions are good enough.

Here is my attempt:

When a username is extracted from a client certificate, the candidate username is checked for its existence in couchbase-server. If such a user doesn't exist, the algorithm now doesn't stop, but tries to extract another candidate username.

Feel free to take it and rephrase it the way you like.

Fixed
Details

Is this a Regression?

Unknown

Triage

Untriaged

Issue Impact

external

Created June 19, 2024 at 4:07 PM
Updated March 21, 2025 at 2:45 AM
Resolved August 9, 2024 at 9:55 PM