Trouble creating a user

alon.schachter · May 8, 2018, 9:51am

Hi,

This line returns success=false with message=null and exception=null. So I have no idea what the problem is.

IResult result = clusterManager.UpsertUser(AuthenticationDomain.Local, "testUser", "test1!", null, new Role { Name = "bucket_sasl", BucketName = "*" });

I’m using .NET SDK 2.5.8.0 and Couchbase 5.1

MikeGoldsmith · May 8, 2018, 9:57am

Hi @alon.schachter

The SDK must be authenticated using a profile that has the “Full Administrator” role (Cluster administrator also works). Have you authenticated the SDK before trying to use the cluster manager and are you able to perform other actions, eg get / upsert documents?

alon.schachter · May 8, 2018, 10:01am

Yes I did.
I am able to create buckets.

MikeGoldsmith · May 8, 2018, 10:28am

It doesn’t look like the SDK doesn’t track the failure reason from the HTTPResponse - I’ve raised NCBC-1680 to correct that.

Your sample code looks fine but I don’t recognise the ‘bucket_sasl’ role name and when I try it locally, I get 400 (Bad Request) back from the server. Where did you get the role name / what are you trying to do?

alon.schachter · May 8, 2018, 10:39am

I’m trying to give the user Full Access to all buckets.

I got the role name here https://developer.couchbase.com/documentation/server/5.1/security/concepts-rba-for-apps.html

MikeGoldsmith · May 8, 2018, 11:06am

I think that name is incorrect, I’ll request a change to the documentation.

Please try bucket_admin as your role name.

alon.schachter · May 8, 2018, 11:25am

Doesn’t work…
It would have been best if you had an enum with all the role names. (assuming that’s my issue)

MikeGoldsmith · May 8, 2018, 11:39am

We decided against using an enum because it’s inflexible and creates a dependency for an SDK update to take advantage of new roles. I do agree the documentation could be clearer.

This is my test code, and works for me against server 5.1:

var cluster = new Cluster(new ClientConfiguration
{
    Servers = new List<Uri> {new Uri("http://10.112.175.101")}
});
cluster.Authenticate("Administrator", "password");
var clusterManager = cluster.CreateManager();
var result = clusterManager.UpsertUser(
    AuthenticationDomain.Local,
    "test_user",
    "secure123",
    null,
    new Role {Name = "bucket_admin", BucketName = "*"}
);

alon.schachter · May 8, 2018, 12:18pm

Doesn’t work for me.
Are you using my version of the SDK?

MikeGoldsmith · May 8, 2018, 12:33pm

I’m was using latest development branch for the SDK, but I’ve just wound down back to 2.5.8 tag and get the same result.

Here is complete .NET core console app that can create the user with the ‘bucket_admin’ role.

Please can you try to capture the HTTP request / response with something like Fiddler or Wireshark? When executing my example above, I see the following HTTP request / response:

Request:

PUT http://10.112.170.101:8091/settings/rbac/users/local/test_user HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: application/x-www-form-urlencoded
Authorization: Basic QWRtaW5pc3RyYXRvcjpwYXNzd29yZA==
Host: 10.112.170.101:8091
User-Agent: couchbase-net-sdk/2.5.8.0 (clr/.NET Core 4.6.26212.01) (os/Microsoft Windows 10.0.16299 )
Content-Length: 46

password=secure123&roles=bucket_admin%5B%2A%5D

Response:

HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Server: Couchbase Server
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Tue, 08 May 2018 12:31:18 GMT
Content-Type: application/json
Content-Length: 2
Cache-Control: no-cache,no-store,must-revalidate

""

alon.schachter · May 8, 2018, 1:11pm

Sorry, my mistake.
couchbase 5.0.1 build 5003

0000   45 00 00 ac 75 31 40 00 80 06 00 00 7f 00 00 01   E..¬u1@.........
0010   7f 00 00 01 1f 9b c7 97 2a e9 47 0b 25 37 fe 24   ......Ç.*éG.%7þ$
0020   50 18 1e 68 6a 1e 00 00 22 43 61 6e 6e 6f 74 20   P..hj..."Cannot 
0030   61 73 73 69 67 6e 20 72 6f 6c 65 73 20 74 6f 20   assign roles to 
0040   75 73 65 72 20 62 65 63 61 75 73 65 20 74 68 65   user because the
0050   20 66 6f 6c 6c 6f 77 69 6e 67 20 72 6f 6c 65 73    following roles
0060   20 61 72 65 20 75 6e 6b 6e 6f 77 6e 2c 20 6d 61    are unknown, ma
0070   6c 66 6f 72 6d 65 64 20 6f 72 20 72 6f 6c 65 20   lformed or role 
0080   70 61 72 61 6d 65 74 65 72 73 20 61 72 65 20 75   parameters are u
0090   6e 64 65 66 69 6e 65 64 3a 20 5b 62 75 63 6b 65   ndefined: [bucke
00a0   74 5f 61 64 6d 69 6e 5b 2a 5d 5d 22               t_admin[*]]"

MikeGoldsmith · May 8, 2018, 1:42pm

That’s the response, please could you provide the request too?

Also, I was able to run my console app against CB server 5.0.1 and it worked as expected. Is this a new cluster or was it upgraded from 4.x?

alon.schachter · May 8, 2018, 2:17pm

It’s a new cluster.
I noticed you are using .NET core SDK. Maybe that’s the difference

PUT /settings/rbac/users/local/test_user HTTP/1.1
Accept: application/x-www-form-urlencoded
User-Agent: couchbase-net-sdk/2.5.8.0 (clr/4.0.30319.42000) (os/Microsoft Windows NT 6.2.9200.0)
Authorization: Basic YWRtaW5pc3RyYXRvcjpjYW5jZWxjYTEh
Content-Type: application/x-www-form-urlencoded
Host: 127.0.0.1:8091
Content-Length: 46
Expect: 100-continue

HTTP/1.1 100 Continue

password=secure123&roles=bucket_admin%5B%2A%5DHTTP/1.1 400 Bad Request
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Server: Couchbase Server
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Tue, 08 May 2018 13:02:05 GMT
Content-Type: application/json
Content-Length: 132
Cache-Control: no-cache,no-store,must-revalidate

"Cannot assign roles to user because the following roles are unknown, malformed or role parameters are undefined: [bucket_admin[*]]"

MikeGoldsmith · May 8, 2018, 2:24pm

The only difference I can see between the two requests is the host where you’re using localhost and I’m using a VM. I’ll take a look to see if I can reproduce with localhost.

Our SDK supports both .NET framework and .NET core and actually uses the same code path for managing users - I will switch to full framework to rule it out though.

FYI - we maintain a vagrant repository for quick building / development - https://github.com/couchbaselabs/vagrants

alon.schachter · May 8, 2018, 3:36pm

Solved.

I wireshark’ed the couchbase admin UI when i was adding a user with full access there.
The role name is ‘bucket_full_access’

MikeGoldsmith · May 8, 2018, 3:40pm

I was just typing out I was unable to reproduce with localhost traffic.

I’m still uncertain why you have a different role name; ‘bucket_admin’ vs ‘bucket_full_access’. It’s good that you have solved your immediate issue but I think it may be a red-herring which may come back.

To be clear, the only change you made was to use the role name ‘bucket_full_access’?

alon.schachter · May 8, 2018, 3:41pm

correct.

maybe you are testing on an upgraded cluster and bucket_admin is a deprecated role?

MikeGoldsmith · May 8, 2018, 3:45pm

Ah, there are two roles:
bucket_full_access: Full access to bucket data
bucket_admin: Can manage all bucket features including XDCR start/stop

I’m using a freshly built 5.0.1 cluster to test with.

alon.schachter · May 8, 2018, 3:49pm

So the only question is why my server doesn’t have the bucket_admin role.

By the way, when I create a user on the UI, I only have 3 roles to select:
Admin, Bucket full access, Read only admin.

I don’t have all of the other roles that’s on your documentation

MikeGoldsmith · May 8, 2018, 3:57pm

Are you using the cluster administrator to log into the UI or a new RBAC user? Only the cluster administrator account can access everything, maybe some RBAC roles are blocked too.