wohali commented on issue #1781: Cluster Setup doesn't set consistent admin user
URL: https://github.com/apache/couchdb/issues/1781#issuecomment-445315292

@janl I'm afraid this is still a bug.

In this example, `couchdb1/` `couchdb2/` and `couchdb3/` are all full installs of CouchDB. Each has been modified to run at ports `{1|2|3}5984/{1|2|3}5986`. Each is running and unconfigured at the start of the test:

```
$ curl localhost:15984/_node/_local/_config/admins
{}
$ curl localhost:25984/_node/_local/_config/admins
{}
$ curl localhost:35984/_node/_local/_config/admins
{}
```

Our instructions then tell users [to set an initial admin username and password on each node independently](http://docs.couchdb.org/en/stable/setup/cluster.html#the-cluster-setup-api). In this example, I don't set a password on node 2, but I do on nodes 1 and 3:

```
$ curl -X POST -H "Content-Type: application/json" http://localhost:15984/_cluster_setup -d '{"action": "enable_cluster", "bind_address":"0.0.0.0", "username": "admin", "password":"password", "node_count":"3"}'
{"ok":true}
$ grep "admin =" couchdb1/etc/local.ini
admin = -pbkdf2-818168f1162fb7312621227520bae09a41ebe8d6,42c6f5d002106cbd8768419a34f6c1ef,10
$ curl -X POST -H "Content-Type: application/json" localhost:35984/_cluster_setup -d '{"action": "enable_cluster", "bind_address":"0.0.0.0", "port":"35984", "username": "admin", "password":"password", "node_count":"3"}'
{"ok":true}
$ grep "^admin =" couchdb3/etc/local.ini
admin = -pbkdf2-0fe0bc68ab3fdb12e790203fa21e668e31035d26,481f201c37df287ea3221bc6ccd44583,10
```

Note the different salts - at this point, this is expected.

Now I proceed to join the nodes into the cluster.
Node 2 goes as expected:

```
$ curl -X POST -H "Content-Type: application/json" http://admin:password@localhost:15984/_cluster_setup -d '{"action": "enable_cluster", "bind_address":"0.0.0.0", "username": "admin", "password":"password", "port": 25984, "node_count": "3", "remote_node": "127.0.0.1"}'
{"ok":true}
$ curl localhost:25984/_node/_local/_config/admins
{"error":"unauthorized","reason":"You are not a server admin."}
$ grep "^admin" couchdb2/etc/local.ini
admin = -pbkdf2-818168f1162fb7312621227520bae09a41ebe8d6,42c6f5d002106cbd8768419a34f6c1ef,10
```

But node 3 doesn't work:

```
$ curl -X POST -H "Content-Type: application/json" http://admin:password@localhost:15984/_cluster_setup -d '{"action": "enable_cluster", "bind_address":"0.0.0.0", "username": "admin", "password":"password", "port": 35984, "node_count": "3", "remote_node": "127.0.0.1"}'
{"ok":true}
$ curl localhost:35984/_node/_local/_config/admins
{"error":"unauthorized","reason":"You are not a server admin."}
$ grep "^admin" couchdb3/etc/local.ini
admin = -pbkdf2-0fe0bc68ab3fdb12e790203fa21e668e31035d26,481f201c37df287ea3221bc6ccd44583,10
```

Oops, I thought, I forgot to include the `remote_current_user/password` and it's incorrectly telling me that everything was fine. I mean, how could it possibly change anything without a valid admin/password for node 3?
Even specifying the value doesn't change the result:

```
$ curl -X POST -H "Content-Type: application/json" http://admin:password@localhost:15984/_cluster_setup -d '{"action": "enable_cluster", "bind_address":"0.0.0.0", "username": "admin", "password":"password", "port": 35984, "node_count": "3", "remote_node": "127.0.0.1", "remote_current_user": "admin", "remote_current_password": "password"}'
{"ok":true}
$ curl localhost:35984/_node/_local/_config/admins
{"error":"unauthorized","reason":"You are not a server admin."}
$ grep "^admin" couchdb3/etc/local.ini
admin = -pbkdf2-0fe0bc68ab3fdb12e790203fa21e668e31035d26,481f201c37df287ea3221bc6ccd44583,10
```

-----

OK, I thought, maybe I should start with random logins per node and then create a new, *different* admin user using the setup wizard.

Same initial config setup: 3 nodes, unconfigured.

```
$ curl localhost:15984/_node/_local/_config/admins
{}
$ curl localhost:25984/_node/_local/_config/admins
{}
$ curl localhost:35984/_node/_local/_config/admins
{}
```

Set up a unique admin user per node with the cluster setup API:

```
$ curl -X POST -H "Content-Type: application/json" http://localhost:15984/_cluster_setup -d '{"action": "enable_cluster", "bind_address":"0.0.0.0", "username": "admin1", "password":"password1", "node_count":"3"}'
{"ok":true}
$ curl -X POST -H "Content-Type: application/json" http://localhost:25984/_cluster_setup -d '{"action": "enable_cluster", "bind_address":"0.0.0.0", "username": "admin2", "password":"password2", "node_count":"3"}'
{"ok":true}
$ curl -X POST -H "Content-Type: application/json" http://localhost:35984/_cluster_setup -d '{"action": "enable_cluster", "bind_address":"0.0.0.0", "username": "admin3", "password":"password3", "node_count":"3"}'
{"ok":true}
$ grep ^admin couchdb1/etc/local.ini
admin1 = -pbkdf2-68f22a1cdaee4128066489da65ddf0bd5d3b7cf6,f398ebdfb8b31c3765dbe6e3e7b1c088,10
$ grep ^admin couchdb2/etc/local.ini
admin2 = -pbkdf2-fe9036152614bf8b68fc87ccf87742b073924bdf,048ef75cf6cf1c69c8eb3ed6f6a43d47,10
$ grep ^admin couchdb3/etc/local.ini
admin3 = -pbkdf2-a558c85a5a1b4597eb2017bfc3ef9aa848e706dc,5f9a033e7d85e8447eb5e37db8e87098,10
$
```

Now let's try and create a unified `admin1` user across all nodes:

```
$ curl -X POST -H "Content-Type: application/json" http://admin1:password1@localhost:15984/_cluster_setup -d '{"action": "enable_cluster", "bind_address":"0.0.0.0", "username": "admin1", "password":"password1", "port": 25984, "node_count": "3", "remote_node": "127.0.0.1", "remote_current_user": "admin2", "remote_current_password": "password2" }'
{"ok":true}
$ curl -X POST -H "Content-Type: application/json" http://admin1:password1@localhost:15984/_cluster_setup -d '{"action": "enable_cluster", "bind_address":"0.0.0.0", "username": "admin1", "password":"password1", "port": 35984, "node_count": "3", "remote_node": "127.0.0.1", "remote_current_user": "admin3", "remote_current_password": "password3" }'
{"ok":true}
$
$ grep ^admin couchdb1/etc/local.ini
admin1 = -pbkdf2-68f22a1cdaee4128066489da65ddf0bd5d3b7cf6,f398ebdfb8b31c3765dbe6e3e7b1c088,10
$ grep ^admin couchdb2/etc/local.ini
admin2 = -pbkdf2-fe9036152614bf8b68fc87ccf87742b073924bdf,048ef75cf6cf1c69c8eb3ed6f6a43d47,10
$ grep ^admin couchdb3/etc/local.ini
admin3 = -pbkdf2-a558c85a5a1b4597eb2017bfc3ef9aa848e706dc,5f9a033e7d85e8447eb5e37db8e87098,10
```

Something's broken - either our documentation is wrong, the code is wrong, or both.
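A consistency check for the symptom reported above, as an added example that is not part of the original comment or of CouchDB's own code: it parses the `[admins]` entries of each node's `local.ini` and reports users that are missing on some nodes or whose hash and salt differ between nodes. The function names and the sample file contents are assumptions; the hash values are the ones grep printed after the first join attempt in the comment.

```python
import re

# Hashed admin entry as shown by the grep output in the comment:
#   name = -pbkdf2-<derived key hex>,<salt hex>,<iterations>
ADMIN_RE = re.compile(
    r"^(?P<user>[^\s=;\[]+)\s*=\s*-pbkdf2-"
    r"(?P<key>[0-9a-f]+),(?P<salt>[0-9a-f]+),(?P<iters>\d+)$"
)

def parse_admins(ini_text):
    """Return {user: (key, salt, iterations)} from the [admins] section."""
    admins, in_admins = {}, False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_admins = (line == "[admins]")
            continue
        # Commented-out (;) and unhashed entries do not match and are skipped.
        m = ADMIN_RE.match(line) if in_admins else None
        if m:
            admins[m["user"]] = (m["key"], m["salt"], int(m["iters"]))
    return admins

def admin_drift(nodes):
    """nodes maps node name -> local.ini text. Empty result means consistent."""
    parsed = {name: parse_admins(text) for name, text in nodes.items()}
    findings = []
    for user in sorted(set().union(*parsed.values())):
        missing = sorted(n for n, p in parsed.items() if user not in p)
        if missing:
            findings.append(f"{user}: missing on {', '.join(missing)}")
        if len({p[user] for p in parsed.values() if user in p}) > 1:
            findings.append(f"{user}: hash/salt differs between nodes")
    return findings

# Constructed local.ini contents built from the grep output in the comment:
# nodes 1 and 2 carry the same entry, node 3 kept its own hash and salt.
N1 = "-pbkdf2-818168f1162fb7312621227520bae09a41ebe8d6,42c6f5d002106cbd8768419a34f6c1ef,10"
N3 = "-pbkdf2-0fe0bc68ab3fdb12e790203fa21e668e31035d26,481f201c37df287ea3221bc6ccd44583,10"
SAMPLE = {
    "couchdb1": f"[admins]\nadmin = {N1}\n",
    "couchdb2": f"[admins]\nadmin = {N1}\n",
    "couchdb3": f"[chttpd]\nport = 35984\n[admins]\n;admin = commented\nadmin = {N3}\n",
}

if __name__ == "__main__":
    for finding in admin_drift(SAMPLE) or ["admin entries are consistent"]:
        print(finding)
```
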
