How does the Sync Gateway authenticate to Couchbase Server?


Pascal

Feb 23, 2015, 2:59:06 AM
to mobile-c...@googlegroups.com
I'm trying to create a Vagrant/Ansible setup that builds a box hosting Couchbase Server and the Sync Gateway. Getting the server installed, initialized and creating a bucket works just fine, thanks to the scripts available at https://github.com/couchbaselabs/ansible-couchbase-server. I can also install the sync gateway using apt. However, when starting the gateway with "./sync_gateway -url http://localhost:8091 -bucket mybucket" I get a 401 Unauthorized response. What I haven't been able to figure out from the docs is:

a) if it's correct that the sync gateway connects to the admin port (8091 by default) instead of the API port – the docs do not mention either but always use the default admin port
b) how the sync gateway authenticates with the server – there are no documented command line or config options for authentication

Any clues?

Jens Alfke

Feb 23, 2015, 11:23:31 AM
to mobile-c...@googlegroups.com
On Feb 22, 2015, at 11:59 PM, Pascal <phase.o...@gmail.com> wrote:

a) if it's correct that the sync gateway connects to the admin port (8091 by default) instead of the API port – the docs do not mention either but always use the default admin port

I’m not clear on the distinction between those ports. 8091 is the REST API that’s used to discover the cluster topology and find the API address/ports of the individual nodes.

b) how the sync gateway authenticates with the server – there are no documented command line or config options for authentication

There are optional “username” and “password” fields in the db config object.

—Jens

Pascal

Feb 27, 2015, 11:49:19 AM
to mobile-c...@googlegroups.com
Thanks Jens. I wanted to test that suggestion but sync-gateway (1.0.3) doesn't accept any config files:

$ /opt/couchbase-sync-gateway/bin/sync_gateway -url http://localhost:8091 -bucket eponyms couchbase-sync-gateway.json
16:43:21.989336 FATAL: Error reading config file couchbase-sync-gateway.json: json: cannot unmarshal array into Go value of type db.PrincipalConfig -- rest.ParseCommandLine() at config.go:294

$ /opt/couchbase-sync-gateway/bin/sync_gateway -url http://localhost:8091 -bucket eponyms
16:43:26.697926 ==== Couchbase Sync Gateway/1.0.3(81;fa9a6e7) ====
16:43:26.698367 Opening db /eponyms as bucket "eponyms", pool "default", server <http://localhost:8091>
16:43:26.698529 Opening Couchbase database eponyms on <http://localhost:8091>
16:43:26.703177 FATAL: Error opening database: 502 Unable to connect to server: HTTP error 401 Unauthorized getting "http://localhost:8091/pools":  -- rest.RunServer() at config.go:415

I stripped the config file down to the following, still no success:

$ cat couchbase-sync-gateway.json
{
  "interface": ":4984",
  "adminInterface": ":4985",
  "log": ["REST"],
  "databases": {
    "eponyms": {
      "server": "http://localhost:8091",
      "bucket": "eponyms",
      "users": {
        "GUEST": {"disabled": false},
        "admin_channels": ["public"]
      }
    }
  }
}

Any ideas what might be causing this? Seems to be valid JSON.

Thanks
Pascal

Jens Alfke

Feb 27, 2015, 1:04:35 PM
to mobile-c...@googlegroups.com

On Feb 27, 2015, at 8:49 AM, Pascal <phase.o...@gmail.com> wrote:

"users": {
"GUEST": {"disabled": false},
"admin_channels": ["public"]
}

That’s wrong — the “admin_channels” property needs to be inside the “GUEST”: { … } object. Instead you’ve got it as a separate user and its format is wrong for that.

—Jens

Pascal

Mar 2, 2015, 6:19:47 AM
to mobile-c...@googlegroups.com
Ah indeed, d'oh! Thanks a lot Jens!
Interestingly, it does NOT work when I specify username/password, but works if I don't specify anything and have sync-gateway and server running on the same machine. I guess I'm still not understanding how authentication between the two works.

In any case, I've created Ansible scripts to install and setup Sync Gateway on a Linux box, I'm using these together with the server roles provided by Couchbase. If anybody is interested, a first commit is here:

Thanks again!

Jens Alfke

Mar 2, 2015, 11:55:30 AM
to mobile-c...@googlegroups.com

On Mar 2, 2015, at 3:19 AM, Pascal <phase.o...@gmail.com> wrote:

Interestingly, it does NOT work when I specify username/password, but works if I don't specify anything and have sync-gateway and server running on the same machine. I guess I'm still not understanding how authentication between the two works.

Could you give more detail?

About “running on the same machine” — by default, for security reasons, the admin port (4985) is only accessible on the loopback interface, not over a network. This is done by giving it the address “127.0.0.1:4985”, since 127.0.0.1 is the loopback interface. If you want it network-accessible, change the address to e.g. just “:4985”. But only do this if the host running SG is on a secure network!

—Jens
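The two config mistakes discussed in this thread (the "admin_channels" list placed beside the "GUEST" user instead of inside it, and an admin interface bound to every address instead of 127.0.0.1:4985) can both be caught before starting the gateway. The following linter is an added example, not code from the thread or from Couchbase; the sample config is constructed and mirrors the one posted above.

```python
import ipaddress
import json

# Constructed sample reproducing both issues from the thread: "admin_channels"
# sits beside "GUEST" instead of inside it, and ":4985" binds every interface.
SAMPLE_CONFIG = """
{
  "interface": ":4984",
  "adminInterface": ":4985",
  "databases": {
    "eponyms": {
      "server": "http://localhost:8091",
      "bucket": "eponyms",
      "users": {
        "GUEST": {"disabled": false},
        "admin_channels": ["public"]
      }
    }
  }
}
"""

def admin_interface_is_loopback(addr):
    """True only if the admin listener binds to 127.0.0.1, ::1 or localhost."""
    host, _sep, _port = addr.rpartition(":")
    if not host:                      # ":4985" means all interfaces
        return False
    host = host.strip("[]")           # "[::1]:4985" -> "::1"
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def lint_config(text):
    """Return human-readable findings for a Sync Gateway JSON config."""
    cfg = json.loads(text)
    findings = []
    # The gateway's own default is 127.0.0.1:4985 when the key is absent.
    if not admin_interface_is_loopback(cfg.get("adminInterface", "127.0.0.1:4985")):
        findings.append("adminInterface is network-reachable; bind it to 127.0.0.1:4985")
    for db_name, db in cfg.get("databases", {}).items():
        for user, spec in db.get("users", {}).items():
            # Every entry under "users" must be a user object; a bare list here
            # is what produced "cannot unmarshal array into db.PrincipalConfig".
            if not isinstance(spec, dict):
                findings.append(f"{db_name}: user {user!r} is not an object; "
                                f"admin_channels belongs inside a user's object")
    return findings
```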

Pascal

Mar 2, 2015, 3:55:45 PM
to mobile-c...@googlegroups.com
On Monday, March 2, 2015 at 5:55:30 PM UTC+1, Jens Alfke wrote:

On Mar 2, 2015, at 3:19 AM, Pascal <phase.o...@gmail.com> wrote:

Interestingly, it does NOT work when I specify username/password, but works if I don't specify anything and have sync-gateway and server running on the same machine. I guess I'm still not understanding how authentication between the two works.

Could you give more detail?

I'm installing both server and sync gateway on the same machine, standard ports. I just realized that accessing localhost:8091 does NOT prompt to enter username/password, but accessing from my VM's host machine does. So that makes sense. Still, adding "username" and "password" to the sync gateway's configuration throws an error when starting sync gateway:

20:48:36.376695 Enabling logging: [REST]
20:48:36.377534 ==== Couchbase Sync Gateway/1.0.3(81;fa9a6e7) ====
20:48:36.377845 Opening db /mydb as bucket "mydb", pool "default", server <http://localhost:8091>
20:48:36.378092 Opening Couchbase database mydb on <http://localhost:8091> as user "admin"
20:48:36.440077 WARNING: Error from Incr in _reserveSequences(0): MCResponse status=0x20, opcode=SASL_AUTH, opaque=0, msg: Auth failure -- db.(*sequenceAllocator)._reserveSequences() at sequence_allocator.go:59
20:48:36.440498 FATAL: Error opening database: MCResponse status=0x20, opcode=SASL_AUTH, opaque=0, msg: Auth failure -- rest.RunServer() at config.go:415

Since it works without specifying username/password and since this is secure because it only works locally all is well and I'm satisfied. I just tried to understand how sync gateway would talk to a non-local Couchbase server. Is that not something people do?

About “running on the same machine” — by default, for security reasons, the admin port (4985) is only accessible on the loopback interface, not over a network. This is done by giving it the address “127.0.0.1:4985”, since 127.0.0.1 is the loopback interface. If you want it network-accessible, change the address to e.g. just “:4985”. But only do this if the host running SG is on a secure network!

Yes, thanks, I don't think I'll need that. I was confused about the server's admin access, not the gateway's.

Thanks a lot for your patience
Pascal

Pascal

Mar 2, 2015, 4:26:20 PM
to mobile-c...@googlegroups.com
Just found that Couchbase actually has a nice board with a lot of answers, thanks, I'll stop spamming the list. :)

Jens Alfke

Mar 2, 2015, 7:15:54 PM
to mobile-c...@googlegroups.com

On Mar 2, 2015, at 12:55 PM, Pascal <phase.o...@gmail.com> wrote:

Since it works without specifying username/password and since this is secure because it only works locally all is well and I'm satisfied. I just tried to understand how sync gateway would talk to a non-local Couchbase server. Is that not something people do?

In all but the smallest deployments, SG will be running on a different host from the server. (Especially since you’d be scaling up by running both systems on multiple hosts.)

The error you showed in the logs is an auth failure from Couchbase Server. ("opcode=SASL_AUTH … msg: Auth failure”.) So it looks like if you connect to a bucket on the same host you shouldn’t use its username/password. But I’m far from an expert on Couchbase Server security.

—Jens