Posted to user@couchdb.apache.org by Geoffrey Cox <re...@gmail.com> on 2017/05/14 01:43:57 UTC

Does CouchDB 2 sync user sessions across nodes?

Hi!

Anyone have any ideas on this? http://stackoverflow.com/q/43958527/2831606

Thanks!

Geoff

Re: Does CouchDB 2 sync user sessions across nodes?

Posted by Jan Lehnardt <ja...@apache.org>.
There is a bug in 2.0 _cluster_setup that doesn’t use the same salt on all nodes for the admin password. So if you used that to set up, your “sessions” will be “per node”, but that’s not by design. You can copy the local.ini config line for the admin from one node to all other nodes to address this issue.

Best
Jan
--

> On 14. May 2017, at 18:50, Robert Samuel Newson <rn...@apache.org> wrote:
> 
> A session cookie acquired on one node is recognised by any other node if you follow the instructions below (these are in the docs and _cluster_setup does this too). 
> 
> You need to ensure each node has the same secret in couch_httpd_auth. It's randomized at startup if not set, so set it to something (large, random) before starting couchdb.
> 
> For _admin_ users, you also need to ensure you set the same hashed version in the .ini file as the salt value is part of the cookie state (so that cookies are invalidated when passwords change).
> 
> Basically, anything in the .ini file needs synchronising between the nodes externally. By hand, but more likely using chef / puppet, etc.
> 
> Cloudant, for example, generates default.ini from a template which sets a cluster-wide couch_httpd_auth secret and the [admins] section.
> 
> B.
> 
>> On 14 May 2017, at 02:43, Geoffrey Cox <re...@gmail.com> wrote:
>> 
>> Hi!
>> 
>> Anyone have any ideas on this? http://stackoverflow.com/q/43958527/2831606
>> 
>> Thanks!
>> 
>> Geoff
> 

-- 
Professional Support for Apache CouchDB:
https://neighbourhood.ie/couchdb-support/


Re: Does CouchDB 2 sync user sessions across nodes?

Posted by Geoffrey Cox <re...@gmail.com>.
Nice. I just tried Jan's suggestion of using the exact same line (including
the pbkdf2 hash) in the [admins] section of local.ini on all my nodes and
disabled sticky load balancing in haproxy and the admin session now appears
to persist across all nodes!

I'm going to try to figure out a good way to automate this setup via
docker-compose and will then update my examples.

Thanks for the help!

On Sun, May 14, 2017 at 2:52 PM Robert Samuel Newson <rn...@apache.org>
wrote:

> As Jan says, and as my SO reply says, this is fixable.
>
> You absolutely do not need sticky load balancer routing for this (I can
> state definitely that Cloudant uses round-robin haproxy in their lb tier).
>
> Since the salt is the likely issue here and only applies to admins (as
> user hashes are in the distributed _users database), I recommend you not
> use admin credentials for regular database access, reserve those for the
> operations that require admin powers.
>
> B.
>
> > On 14 May 2017, at 18:55, Geoffrey Cox <re...@gmail.com> wrote:
> >
> > Thanks Robert, but in my testing, I found that you need to use cookie-based
> > routing, i.e. sticky sessions, in order for the session to persist when
> > you are using haproxy. This is even when you set the secret to be the same
> > on all nodes.
> >
> > My working solution with cookie-based routing can be found at
> > https://github.com/redgeoff/couchdb-docker/blob/production-multi-node/README.md#run-cluster-via-docker-compose-wip
> >
> > On Sun, May 14, 2017, 09:50 Robert Samuel Newson <rn...@apache.org> wrote:
> >
> >> A session cookie acquired on one node is recognised by any other node if
> >> you follow the instructions below (these are in the docs and _cluster_setup
> >> does this too).
> >>
> >> You need to ensure each node has the same secret in couch_httpd_auth. It's
> >> randomized at startup if not set, so set it to something (large, random)
> >> before starting couchdb.
> >>
> >> For _admin_ users, you also need to ensure you set the same hashed version
> >> in the .ini file as the salt value is part of the cookie state (so that
> >> cookies are invalidated when passwords change).
> >>
> >> Basically, anything in the .ini file needs synchronising between the nodes
> >> externally. By hand, but more likely using chef / puppet, etc.
> >>
> >> Cloudant, for example, generates default.ini from a template which sets a
> >> cluster-wide couch_httpd_auth secret and the [admins] section.
> >>
> >> B.
> >>
> >>> On 14 May 2017, at 02:43, Geoffrey Cox <re...@gmail.com> wrote:
> >>>
> >>> Hi!
> >>>
> >>> Anyone have any ideas on this? http://stackoverflow.com/q/43958527/2831606
> >>>
> >>> Thanks!
> >>>
> >>> Geoff
> >>
> >>
>
>

Re: Does CouchDB 2 sync user sessions across nodes?

Posted by Robert Samuel Newson <rn...@apache.org>.
As Jan says, and as my SO reply says, this is fixable.

You absolutely do not need sticky load balancer routing for this (I can state definitely that Cloudant uses round-robin haproxy in their lb tier).

Since the salt is the likely issue here and only applies to admins (as user hashes are in the distributed _users database), I recommend you not use admin credentials for regular database access, reserve those for the operations that require admin powers. 

B.

> On 14 May 2017, at 18:55, Geoffrey Cox <re...@gmail.com> wrote:
> 
> Thanks Robert, but in my testing, I found that you need to use cookie-based
> routing, i.e. sticky sessions, in order for the session to persist when
> you are using haproxy. This is even when you set the secret to be the same
> on all nodes.
> 
> My working solution with cookie-based routing can be found at
> https://github.com/redgeoff/couchdb-docker/blob/production-multi-node/README.md#run-cluster-via-docker-compose-wip
> 
> On Sun, May 14, 2017, 09:50 Robert Samuel Newson <rn...@apache.org> wrote:
> 
>> A session cookie acquired on one node is recognised by any other node if
>> you follow the instructions below (these are in the docs and _cluster_setup
>> does this too).
>> 
>> You need to ensure each node has the same secret in couch_httpd_auth. It's
>> randomized at startup if not set, so set it to something (large, random)
>> before starting couchdb.
>> 
>> For _admin_ users, you also need to ensure you set the same hashed version
>> in the .ini file as the salt value is part of the cookie state (so that
>> cookies are invalidated when passwords change).
>> 
>> Basically, anything in the .ini file needs synchronising between the nodes
>> externally. By hand, but more likely using chef / puppet, etc.
>> 
>> Cloudant, for example, generates default.ini from a template which sets a
>> cluster-wide couch_httpd_auth secret and the [admins] section.
>> 
>> B.
>> 
>>> On 14 May 2017, at 02:43, Geoffrey Cox <re...@gmail.com> wrote:
>>> 
>>> Hi!
>>> 
>>> Anyone have any ideas on this? http://stackoverflow.com/q/43958527/2831606
>>> 
>>> Thanks!
>>> 
>>> Geoff
>> 
>> 


Re: Does CouchDB 2 sync user sessions across nodes?

Posted by Geoffrey Cox <re...@gmail.com>.
Thanks Robert, but in my testing, I found that you need to use cookie-based
routing, i.e. sticky sessions, in order for the session to persist when
you are using haproxy. This is even when you set the secret to be the same
on all nodes.

My working solution with cookie-based routing can be found at
https://github.com/redgeoff/couchdb-docker/blob/production-multi-node/README.md#run-cluster-via-docker-compose-wip

On Sun, May 14, 2017, 09:50 Robert Samuel Newson <rn...@apache.org> wrote:

> A session cookie acquired on one node is recognised by any other node if
> you follow the instructions below (these are in the docs and _cluster_setup
> does this too).
>
> You need to ensure each node has the same secret in couch_httpd_auth. It's
> randomized at startup if not set, so set it to something (large, random)
> before starting couchdb.
>
> For _admin_ users, you also need to ensure you set the same hashed version
> in the .ini file as the salt value is part of the cookie state (so that
> cookies are invalidated when passwords change).
>
> Basically, anything in the .ini file needs synchronising between the nodes
> externally. By hand, but more likely using chef / puppet, etc.
>
> Cloudant, for example, generates default.ini from a template which sets a
> cluster-wide couch_httpd_auth secret and the [admins] section.
>
> B.
>
> > On 14 May 2017, at 02:43, Geoffrey Cox <re...@gmail.com> wrote:
> >
> > Hi!
> >
> > Anyone have any ideas on this? http://stackoverflow.com/q/43958527/2831606
> >
> > Thanks!
> >
> > Geoff
>
>

Re: Does CouchDB 2 sync user sessions across nodes?

Posted by Robert Samuel Newson <rn...@apache.org>.
A session cookie acquired on one node is recognised by any other node if you follow the instructions below (these are in the docs and _cluster_setup does this too). 

You need to ensure each node has the same secret in couch_httpd_auth. It's randomized at startup if not set, so set it to something (large, random) before starting couchdb.

For _admin_ users, you also need to ensure you set the same hashed version in the .ini file as the salt value is part of the cookie state (so that cookies are invalidated when passwords change).

Basically, anything in the .ini file needs synchronising between the nodes externally. By hand, but more likely using chef / puppet, etc.

Cloudant, for example, generates default.ini from a template which sets a cluster-wide couch_httpd_auth secret and the [admins] section.

B.

> On 14 May 2017, at 02:43, Geoffrey Cox <re...@gmail.com> wrote:
> 
> Hi!
> 
> Anyone have any ideas on this? http://stackoverflow.com/q/43958527/2831606
> 
> Thanks!
> 
> Geoff
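
Added example, not part of the thread and not CouchDB's own code: a check that compares the [couch_httpd_auth] secret and the [admins] salts across nodes' ini files, with a small model of why a salt mismatch makes a cookie minted on one node fail on another. The ini contents are constructed samples, the function names are hypothetical, and the cookie layout (HMAC-SHA1 keyed with secret + salt over "user:hex_timestamp") is an assumption used for illustration.

```python
import base64, configparser, hashlib, hmac
# Constructed local.ini contents for two nodes; every value is a made-up sample.
NODE_A = """
[couch_httpd_auth]
secret = 5f1c0b6a9d3e4f7a8b2c1d0e9f8a7b6c
[admins]
admin = -pbkdf2-aaaa1111,salt-from-node-a,10
"""
NODE_B = NODE_A.replace("aaaa1111,salt-from-node-a", "bbbb2222,salt-from-node-b")

def auth_settings(ini_text):
    """Return (secret, {admin: salt}) parsed from one node's ini text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # user names are case-sensitive
    cp.read_string(ini_text)
    secret = cp.get("couch_httpd_auth", "secret", fallback=None)
    salts = {}
    for user, value in cp.items("admins") if cp.has_section("admins") else []:
        parts = value.split(",")  # hashed form: -pbkdf2-<key>,<salt>,<iterations>
        salts[user] = parts[1] if value.startswith("-pbkdf2-") and len(parts) == 3 else None
    return secret, salts

def drift(nodes):
    """Name the settings that differ across {node: ini_text}, without printing values."""
    parsed = [auth_settings(text) for text in nodes.values()]
    secrets = {secret for secret, _ in parsed}
    problems = ["couch_httpd_auth secret"] if len(secrets) > 1 or None in secrets else []
    for user in sorted(set().union(*(salts for _, salts in parsed))):
        if len({salts.get(user) for _, salts in parsed}) > 1:
            problems.append(f"admin salt for {user}")
    return problems

def mac(user, hex_ts, secret, salt):
    # Assumed model: HMAC-SHA1 keyed with secret + salt over "user:hex_timestamp".
    return hmac.new((secret + salt).encode(), f"{user}:{hex_ts}".encode(), hashlib.sha1).digest()

def mint_cookie(user, secret, salt, timestamp):
    body = f"{user}:{timestamp:X}".encode() + b":" + mac(user, f"{timestamp:X}", secret, salt)
    return base64.urlsafe_b64encode(body).rstrip(b"=")

def accepts(cookie, secret, salt):
    """Would a node holding this secret and salt accept the cookie? Expiry is not modelled."""
    raw = base64.urlsafe_b64decode(cookie + b"=" * (-len(cookie) % 4))
    user, hex_ts, tag = raw.split(b":", 2)
    return hmac.compare_digest(tag, mac(user.decode(), hex_ts.decode(), secret, salt))

def cookie_crosses(ini_a, ini_b, user="admin"):  # mint on node A, present to node B
    (sec_a, salts_a), (sec_b, salts_b) = auth_settings(ini_a), auth_settings(ini_b)
    return accepts(mint_cookie(user, sec_a, salts_a[user], 0x59179B5D), sec_b, salts_b[user])
```

Running drift() over each node's rendered ini files before starting the cluster catches the per-node salt case described in the thread; it reports setting names only, so the secret and hashes stay out of logs.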