Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2022/10/21 12:41:19 UTC

[GitHub] [couchdb] janl opened a new issue, #4236: Unstable configuration when adding multiple admins at the same time

janl opened a new issue, #4236:
URL: https://github.com/apache/couchdb/issues/4236

   ## Description
   ​
   If you add multiple admin accounts in parallel, the configuration of couchdb may get into an "unstable" state where password hashes change continuously or, in some cases, passwords won't be hashed at all. After some time couchdb may get back into a stable state, but the amount of time seems to increase exponentially with the number of accounts added in parallel.
   ​
   ## Environment
   ​
   Tested on a single node instance and on a specific node of a cluster instance of couchdb using the latest official docker image (`3.2.2`).
   ​
   ## Steps to reproduce
   ​
   On a single node instance you can add multiple accounts in parallel using the following command:
   ​
   ```bash
   seq 1 20 | xargs -n1 -P20 -I {} curl -X PUT -u admin:admin http://localhost:5984/_node/_local/_config/admins/admin{} -d '"password{}"'
   ```
   ​
   If you want to try this on a cluster you should replace `_local` with a specific node name.
   ​
   CouchDB will start logging messages like the following very fast:
   ​
   ```
   [notice] 2022-10-20T13:06:56.868984Z nonode@nohost <0.103.0> -------- config: [admins] admin16 set to '****' for reason nil
   [notice] 2022-10-20T13:06:56.869598Z nonode@nohost <0.103.0> -------- config: [admins] admin16 set to '****' for reason nil
   [notice] 2022-10-20T13:06:56.870323Z nonode@nohost <0.103.0> -------- config: [admins] admin16 set to '****' for reason nil
   ```
   ​
   And if you check the admins using
   ​
   ```bash
   curl -X GET -u admin:admin http://localhost:5984/_node/_local/_config/admins
   ```
   ​
   or by displaying directly the configuration file
   ​
   ```bash
   cat /opt/couchdb/etc/local.d/docker.ini
   ```
   ​
   you will see that it will have some cleartext passwords and some hashes will change continuously between requests, for example:
   ​
   ```json
   {
     // omitted
     "admin5": "-pbkdf2-d23d834fc32321310c1d64eb98d08b190a1afe89,02211c4e01b0898347f61785cbf444fc,10",
     // omitted
     "admin19": "password19",
     // omitted
   }
   ```
   ​
   ```json
   {
     // omitted
     "admin5": "-pbkdf2-8e4518204b831cabc335f661fdee03906c20f01c,8cef6ad463898bf3303407f3fbf3f5c0,10",
     // omitted
     "admin19": "password19",
     //omitted
   }
   ```
   ​
   After enough time some of the cleartext passwords may be hashed.
   
   —
   
   The problem is here: https://github.com/apache/couchdb/blob/main/src/couch/src/couch_server.erl#L382-L385. Every time there is a config change, we spawn a process to do the password hashing.
   
   Those processes race in the above scenario.
   
   IIRC we did this knowing it can be a problem and assuming clients would throttle.
   
   Given erlang, making this a queue shouldn’t be so hard, maybe we can find a beginner-contributor volunteer? :)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
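
Added example, not part of the issue or of CouchDB's code: a Python check for the two symptoms reported above, admin entries left in cleartext and hashes that change between two reads of the `[admins]` section. It assumes the `-pbkdf2-` value format shown in the report; the function names are hypothetical and the `admin1` value is constructed sample data.

```python
import re

# Hash form shown in the report: -pbkdf2-<derived key>,<salt>,<iterations>
PBKDF2_RE = re.compile(r"-pbkdf2-[0-9a-f]+,[0-9a-f]+,\d+")


def classify(value):
    """Return 'hashed' for a well-formed -pbkdf2- entry, otherwise 'cleartext'."""
    return "hashed" if PBKDF2_RE.fullmatch(value) else "cleartext"


def audit_admins(first, second):
    """Compare two snapshots of the admins section taken a moment apart.

    Each snapshot is the parsed JSON object from GET .../_config/admins.
    Returns {admin name: finding}; admins with a stable hash are not listed.
    """
    findings = {}
    for name in sorted(set(first) | set(second)):
        before, after = first.get(name), second.get(name)
        if after is not None and classify(after) == "cleartext":
            findings[name] = "cleartext"      # password stored unhashed
        elif before is None:
            findings[name] = "appeared"       # admin added between reads
        elif after is None:
            findings[name] = "disappeared"    # admin removed between reads
        elif classify(before) == "hashed" and before != after:
            findings[name] = "rehashed"       # hash churn, as in the report
    return findings


# Constructed snapshots: admin5 and admin19 carry the values quoted in the
# report, admin1 is a made-up stable entry.
SNAP_A = {
    "admin1": "-pbkdf2-" + "ab" * 20 + "," + "cd" * 16 + ",10",
    "admin5": "-pbkdf2-d23d834fc32321310c1d64eb98d08b190a1afe89,02211c4e01b0898347f61785cbf444fc,10",
    "admin19": "password19",
}
SNAP_B = dict(
    SNAP_A,
    admin5="-pbkdf2-8e4518204b831cabc335f661fdee03906c20f01c,8cef6ad463898bf3303407f3fbf3f5c0,10",
)

if __name__ == "__main__":
    for name, finding in audit_admins(SNAP_A, SNAP_B).items():
        print(name, finding)
```

A "rehashed" finding also appears when an operator legitimately changes a password between the two reads, so it is only meaningful when no such change was made.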


[GitHub] [couchdb] big-r81 closed issue #4236: Unstable configuration when adding multiple admins at the same time

Posted by GitBox <gi...@apache.org>.
big-r81 closed issue #4236: Unstable configuration when adding multiple admins at the same time
URL: https://github.com/apache/couchdb/issues/4236

