SG Basic Auth Problem

[Todd Freese]

I need to make REST calls to Sync Gateway using Basic Auth and can not get it to work. Just trying to use curl for now.

Here is my curl:

curl -X GET -H "Authorization: Basic dG9kZGZyZWVzZTpjd2Zjd2Y=" -H "Content-Type: application/json" https://db.mydb.com:4984/mydb/7E28B6F9-0D49-4452-9E7F-8B8D5F2574E7

where dG9kZGZyZWVzZTpjd2Zjd2Y= is a base64 encode of username:password

The response I get is:

{"error":"Forbidden","reason":"forbidden"}

I know that the username and password are correctly defined in the SG.

Am I missing something here?

Todd

[Todd Freese]

I have also tried this with creating a session ID on the SG:

curl -X POST https://db.mydb.com:4985/mydb/_session -H "Content-Type:application/json" -d '{"name":"foo", "password":"bar"}'

Which returns: {"session_id":"09ff83fd94f814d100dee291ac2f5f268a9d764e","expires":"2015-10-16T13:54:48.553412097-04:00","cookie_name":"SyncGatewaySession"}

curl --cookie "SyncGatewaySession=09ff83fd94f814d100dee291ac2f5f268a9d764e" -X GET https://db.mydb.com:4984/mydb/7E28B6F9-0D49-4452-9E7F-8B8D5F2574E7

And I get {"error":"Forbidden","reason":"forbidden"}.

Todd

[Jens Alfke]

On Oct 15, 2015, at 10:47 AM, Todd Freese <to...@filmworkers.com> wrote:

curl -X GET -H "Authorization: Basic dG9kZGZyZWVzZTpjd2Zjd2Y=" -H "Content-Type: application/json" https://db.mydb.com:4984/mydb/7E28B6F9-0D49-4452-9E7F-8B8D5F2574E7

FYI: It's easier to use the --user and/or --password flags to curl; that way you don’t have to work out the base64 encoding.

Check the SG logs. If you got the authentication right, the username will show up in square brackets at the end of the “HTTP:” log line showing the request.

If it does, then the problem is that the user doesn’t have access to any of the channels that document is in. See the “Troubleshooting Channels” documentation for help.

—Jens

[ajres]

I tested basic auth against SG master

User was defined in the sync gateway.json

"users": {

    "GUEST": {"disabled": true, "admin_channels": []},

    "crashtest": {"disabled": false, "password":"crashtest", "admin_channels": ["*"]}

}

I tried using the base64 command on MAC OS X to encode 'crashtest:crashtest' but this gave an incompatible encoded string.

I then used this online encoder

Which gave 'Y3Jhc2h0ZXN0OmNyYXNodGVzdA=='

I used the following curl:

curl -X GET -H "Authorization: Basic Y3Jhc2h0ZXN0OmNyYXNodGVzdA==" http://localhost:4984/db/doc1

{"_id":"doc1","_rev":"1-cd809becc169215072fd567eebd8b8de","foo":"bar"}

Using an invalid encoded string should give the response:

{"error":"Unauthorized","reason":"Login required"}

You could validate this by using an invalid base64 encoded value.

Generally {"error":"Forbidden","reason":"forbidden"} indicates that your user does not have access to the requested document (via channel access)

[Jens Alfke]

On Oct 15, 2015, at 11:29 AM, ajres <an...@couchbase.com> wrote:

I tried using the base64 command on MAC OS X to encode 'crashtest:crashtest' but this gave an incompatible encoded string.

If you used ‘echo’ to send the string to the base64 tool, you probably forgot to use the -n flag to suppress the trailing newline. (So did I the first time I tried it just now…) With -n it outputs the correct value.

$  echo 'crashtest:crashtest' | base64
Y3Jhc2h0ZXN0OmNyYXNodGVzdAo=
$  echo -n 'crashtest:crashtest' | base64
Y3Jhc2h0ZXN0OmNyYXNodGVzdA==

—Jens

[Todd Freese]

It was the new line character in my base64.

Thanks!

Todd

[Todd Freese]

Hey Jens,

So my basic auth is working for normal things like GET docs.

However, when I try to do a GET against a sync gateway design doc view, it does not allow it. 

My REST call to 4984:

https://db.mydb.com/shotbotdb/_design/scenes_for_job/_view/scenes_for_job?startkey=[%22-9t43hswLaiNa3qymE7MU9U%22]&endkey=[%22-9t43hswLaiNa3qymE7MU9U{}%22]&stale=false

Here is the log from SG:

2015-10-15T17:02:13.900-04:00 HTTP:  #11803: GET /shotbotdb/_design/scenes_for_job/_view/scenes_for_job?startkey=[%22-9t43hswLaiNa3qymE7MU9U%22]&endkey=[%22-9t43hswLaiNa3qymE7MU9U{}%22]&stale=false  (as toddfreese)

2015-10-15T17:02:13.901-04:00 HTTP: JSON view "scenes_for_job"/"scenes_for_job" - opts map[endkey:[-9t43hswLaiNa3qymE7MU9U{}] stale:false startkey:[-9t43hswLaiNa3qymE7MU9U]]

2015-10-15T17:02:13.901-04:00 HTTP: #11803:     --> 403 forbidden  (0.7 ms)

As you can see, it looks like the auth part worked as it says "(as toddfreese)".

Do I need to do something different for SG design doc views?

Todd

[Jens Alfke]

On Oct 15, 2015, at 2:08 PM, Todd Freese <to...@filmworkers.com> wrote:

However, when I try to do a GET against a sync gateway design doc view, it does not allow it. 

What version of SG is this? The support for letting users query views was added in March (commit ec92040b) so it should be in 1.1.

—Jens

[Todd Freese]

Version 1.1. I'm using the official release. NOT build from source.

What's interesting is, if I send the exact same view query to the admin port, it works great. So I know my views are working correctly. Just not on the non-admin port of SG.

Todd

[Jens Alfke]

On Oct 15, 2015, at 2:30 PM, Todd Freese <to...@filmworkers.com> wrote:

Version 1.1. I'm using the official release. NOT build from source.

I did some more digging … it looks like this feature was disabled for the 1.1 release (#862) but re-enabled on the master branch, for inclusion in 1.2.

So if you did build from source, this feature would work…

—Jens

[Todd Freese]

I've built SG on Mac before with no problems.

However, this server is EC2 Red hat.

Is there any build instructions for building on Red Hat? I didn't see any in the repo's wiki.

Todd

[Jens Alfke]

> On Oct 15, 2015, at 3:21 PM, Todd Freese <to...@filmworkers.com> wrote:
>
> Is there any build instructions for building on Red Hat? I didn't see any in the repo's wiki.

Build steps should be identical, once you install Go.

—Jens

[Todd Freese]

Is there any docs on installing GCC for CGO on red hat?

I have go 1.4 installed, but when I try to run build.sh, I get the following:

./go.sh: line 5: go: command not found

./go.sh: line 6: bc: command not found

./go.sh: line 7: go: command not found

*** Go 1.3 or higher is required to build Sync Gateway; you have

Please visit http://golang.org/doc/install or use your package manager to upgrade.

I see that GCC for CGO is required and can't seem to find any info via googling.

Todd

[Jens Alfke]

You may have Go installed, but it doesn’t look like the ‘go’ command is in your shell’s search path. Or maybe it was installed since you started the shell, and you need to enter ‘rehash’ to re-search the path.

Try typing ‘go version’ and see what you get. According to the logs you posted, it’s not returning any output, i.e. the command failed.

—Jens

[Todd Freese]

So this is turning into a big project....  :-(

I got the GOROOT and GOPATH vars setup so go version shows the correct info.

But it is still failing. Basically, I am running Red Hat on EC2. So this is a very locked down env. build.sh is calling into go.sh which is calling bc and bc is not avail in my distro.

Do you guys do nightly builds or anything like that?

Todd

[Jens Alfke]

On Oct 16, 2015, at 7:49 AM, Todd Freese <to...@filmworkers.com> wrote:

Do you guys do nightly builds or anything like that?

Yup, let me find the URL …

…

… OK, it’s http://latestbuilds.hq.couchbase.com/couchbase-sync-gateway/0.0.0/0.0.0-466/

—Jens

[Todd Freese]

Awesome! Thanks so much for all the help.

Todd

[Todd Freese]

So the nightly build solved my problem accessing SG views.

FYI, I had to re-submit my view design docs to the SGs for this to work. Do these views get stored in the backing db? In my case it is couchbase. 

Todd

[Jens Alfke]

On Oct 16, 2015, at 11:56 AM, Todd Freese <to...@filmworkers.com> wrote:

FYI, I had to re-submit my view design docs to the SGs for this to work. Do these views get stored in the backing db? In my case it is couchbase. 

They’re stored in Couchbase Server, but they have to be added via SG because it needs to modify the map function (to add user access control.)

—Jens

[Todd Freese]

So they persist over restarts of SG? Thought it was strange that after updating SG build, that I needed to resend the views to SG.

T