Posted to user@couchdb.apache.org by Alexey Elfman <el...@gmail.com> on 2014/08/21 12:35:56 UTC

old-style (hashed) passwords for admin are broken in 1.6.0?

Hello.

I've been experiencing trouble after upgrading to 1.6.0.
After a short investigation, I realized that the trouble is with admin users
with a hashed password (not pbkdf) in the locals.ini file.

Users with a hashed password experience a 403 error accessing CouchDB 1.6.0
(all previous versions work fine). The error text isn't helpful:
"{"error":"forbidden","reason":"doc.type must be user"}"

So, my recommendation is to reset the password before the upgrade (it will then
be in pbkdf format).

This trouble (breaking change?) was not covered in the change log for 1.6.0,
so maybe my message will be helpful for somebody.

-- 
----------------
Best regards
Alexey Elfman
mailto:elf2001@gmail.com
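A way to see the two storage formats this thread is about, and to check a local.ini `[admins]` entry before an upgrade: the following is an added Python example, not code from this thread or from CouchDB itself. It assumes the 1.x on-disk layout `-hashed-<hex sha1(password ++ salt)>,<salt>` for the old scheme (the `crypto:sha(<<Password/binary, Salt/binary>>)` form that appears as a context line in James's patch further down the thread) and `-pbkdf2-<hex PBKDF2-HMAC-SHA1 key>,<salt>,<iterations>` with a 20-byte derived key for the new one; the function names, the sample salts and the sample password are constructed here, and the 10000-iteration default is taken from the `couch_httpd_auth`/`iterations` line in that same patch.

```python
import hashlib
import hmac
import secrets

# Prefixes and layouts are my reading of CouchDB 1.x local.ini (assumed here).
LEGACY_PREFIX = "-hashed-"
PBKDF2_PREFIX = "-pbkdf2-"
DEFAULT_ITERATIONS = 10000  # couch_httpd_auth.iterations default seen in the patch


def hash_legacy(password: str, salt: str) -> str:
    """Old-style admin hash: hex(sha1(password ++ salt)), i.e. the
    crypto:sha(<<Password/binary, Salt/binary>>) form in the thread's patch."""
    digest = hashlib.sha1(password.encode() + salt.encode()).hexdigest()
    return f"{LEGACY_PREFIX}{digest},{salt}"


def hash_pbkdf2(password: str, salt: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA1 admin hash with a 20-byte derived key (assumed 1.x layout)."""
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), iterations, dklen=20)
    return f"{PBKDF2_PREFIX}{dk.hex()},{salt},{iterations}"


def is_hashed_entry(stored: str) -> bool:
    """True for either hashed layout; False for a plaintext value that
    CouchDB has not yet rewritten."""
    return stored.startswith(LEGACY_PREFIX) or stored.startswith(PBKDF2_PREFIX)


def parse_admin_entry(stored: str) -> dict:
    """Split an [admins] value into its scheme and fields."""
    if stored.startswith(LEGACY_PREFIX):
        digest, salt = stored[len(LEGACY_PREFIX):].split(",")
        return {"scheme": "hashed", "digest": digest, "salt": salt}
    if stored.startswith(PBKDF2_PREFIX):
        digest, salt, iterations = stored[len(PBKDF2_PREFIX):].split(",")
        return {"scheme": "pbkdf2", "digest": digest, "salt": salt,
                "iterations": int(iterations)}
    raise ValueError("unrecognised or unhashed admin entry")


def verify_admin(stored: str, password: str) -> bool:
    """Check a candidate password against either stored format.
    A verifier that only understands the pbkdf2 layout would reject every
    legacy entry, which is the 403 Alexey reports after upgrading."""
    entry = parse_admin_entry(stored)
    if entry["scheme"] == "hashed":
        expected = hash_legacy(password, entry["salt"])
    else:
        expected = hash_pbkdf2(password, entry["salt"], entry["iterations"])
    # Constant-time comparison over the whole recomputed entry.
    return hmac.compare_digest(expected.encode(), stored.encode())


def migrate_to_pbkdf2(stored: str, password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Rewrite a legacy entry in the pbkdf2 layout once the password is known,
    i.e. the password reset Alexey recommends doing before the upgrade."""
    if not verify_admin(stored, password):
        raise ValueError("password does not match the stored entry")
    return hash_pbkdf2(password, secrets.token_hex(16), iterations)


# Constructed sample entries, as they would appear under [admins] in local.ini.
SAMPLE_PASSWORD = "correct horse"
LEGACY_ENTRY = hash_legacy(SAMPLE_PASSWORD, "a1b2c3d4")
PBKDF2_ENTRY = hash_pbkdf2(SAMPLE_PASSWORD, "e5f6a7b8", 1000)

if __name__ == "__main__":
    for entry in (LEGACY_ENTRY, PBKDF2_ENTRY):
        print(parse_admin_entry(entry)["scheme"], verify_admin(entry, SAMPLE_PASSWORD))
    print(parse_admin_entry(migrate_to_pbkdf2(LEGACY_ENTRY, SAMPLE_PASSWORD))["scheme"])
```

The check mirrors what a server has to do during the transition: recognise both prefixes and dispatch on them. Dropping the legacy branch turns every pre-1.6 admin into a 403, and `migrate_to_pbkdf2` is the reset step that avoids relying on the server's legacy path at all.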

Re: old-style (hashed) passwords for admin are broken in 1.6.0?

Posted by Andy Wenk <an...@apache.org>.
... or better help and vote on the release 1.6.1

http://markmail.org/search/?q=list%3Aorg.apache.couchdb-dev+1.6.1#query:list%3Aorg.apache.couchdb-dev%201.6.1+page:1+mid:qae64n7x257xs7am+state:results

:)


On 21 August 2014 14:40, Alexander Shorin <kx...@gmail.com> wrote:

> or just wait a while for the 1.6.1 release with the bugfix.
> --
> ,,,^..^,,,
>
>
> On Thu, Aug 21, 2014 at 4:33 PM, James Dingwall
> <ja...@zynstra.com> wrote:
> > Alexey Elfman wrote:
> >>
> >> Hello.
> >>
> >> I've been experiencing trouble after upgrading to 1.6.0.
> >> After a short investigation, I realized that the trouble is with admin
> >> users with a hashed password (not pbkdf) in the locals.ini file.
> >>
> >> Users with a hashed password experience a 403 error accessing CouchDB
> >> 1.6.0 (all previous versions work fine). The error text isn't helpful:
> >> "{"error":"forbidden","reason":"doc.type must be user"}"
> >>
> >> So, my recommendation is to reset the password before the upgrade (it
> >> will then be in pbkdf format).
> >>
> >> This trouble (breaking change?) was not covered in the change log for
> >> 1.6.0, so maybe my message will be helpful for somebody.
> >>
> > This was a bug in the 1.6.0 release.  You can apply a patch to the
> source to
> > solve the problem.
> >
> > Regards,
> > James
> >
> > cat << EOF | patch src/couchdb/couch_passwords.erl
> > --- src/couchdb/couch_passwords.erl.orig        2014-07-26
> > 17:53:22.624015000 +0000
> > +++ src/couchdb/couch_passwords.erl     2014-07-26 17:54:10.524015000
> +0000
> > @@ -26,7 +26,9 @@
> >      ?l2b(couch_util:to_hex(crypto:sha(<<Password/binary,
> Salt/binary>>))).
> >
> >  %% CouchDB utility functions
> > --spec hash_admin_password(binary()) -> binary().
> > +-spec hash_admin_password(binary() | list()) -> binary().
> > +hash_admin_password(ClearPassword) when is_list(ClearPassword) ->
> > +    hash_admin_password(?l2b(ClearPassword));
> >  hash_admin_password(ClearPassword) when is_binary(ClearPassword) ->
> >      Iterations = couch_config:get("couch_httpd_auth", "iterations",
> > "10000"),
> >      Salt = couch_uuids:random(),
> > EOF
> >
>



-- 
Andy Wenk
Hamburg - Germany
RockIt!

GPG fingerprint: C044 8322 9E12 1483 4FEC 9452 B65D 6BE3 9ED3 9588

 https://people.apache.org/keys/committer/andywenk.asc

Re: old-style (hashed) passwords for admin are broken in 1.6.0?

Posted by Alexander Gabriel <al...@barbalex.ch>.
+A

;-)



2014-08-21 22:44 GMT+02:00 Robert Samuel Newson <rn...@apache.org>:

> and the fix is:
> https://git-wip-us.apache.org/repos/asf?p=couchdb.git;h=5e46f3b
>
>
> On 21 Aug 2014, at 14:55, Dave Cottlehuber <dc...@jsonified.com> wrote:
>
> >> Thanks for reporting this Alexey, unless I’m missing something, this
> seems to be a
> >> *different* problem, I’ve struck this too this morning.
> >>
> >> Alexey - what version of CouchDB were you running prior?
> >
> > BTW I logged https://issues.apache.org/jira/browse/COUCHDB-2299 for
> this & we’ll hold 1.6.1 to get a fix in. Further info please add to the
> jira ticket!
> >
> > A+
> > Dave
> >
>
>

Re: old-style (hashed) passwords for admin are broken in 1.6.0?

Posted by Robert Samuel Newson <rn...@apache.org>.
and the fix is: https://git-wip-us.apache.org/repos/asf?p=couchdb.git;h=5e46f3b


On 21 Aug 2014, at 14:55, Dave Cottlehuber <dc...@jsonified.com> wrote:

>> Thanks for reporting this Alexey, unless I’m missing something, this seems to be a 
>> *different* problem, I’ve struck this too this morning.  
>> 
>> Alexey - what version of CouchDB were you running prior?  
> 
> BTW I logged https://issues.apache.org/jira/browse/COUCHDB-2299 for this & we’ll hold 1.6.1 to get a fix in. Further info please add to the jira ticket!
> 
> A+
> Dave
> 


Re: old-style (hashed) passwords for admin are broken in 1.6.0?

Posted by Dave Cottlehuber <dc...@jsonified.com>.
> Thanks for reporting this Alexey, unless I’m missing something, this seems to be a 
> *different* problem, I’ve struck this too this morning.  
>  
> Alexey - what version of CouchDB were you running prior?  

BTW I logged https://issues.apache.org/jira/browse/COUCHDB-2299 for this & we’ll hold 1.6.1 to get a fix in. Further info please add to the jira ticket!

A+
Dave


Re: old-style (hashed) passwords for admin are broken in 1.6.0?

Posted by Dave Cottlehuber <dc...@jsonified.com>.
 
> On Thu, Aug 21, 2014 at 4:33 PM, James Dingwall  
> wrote:  
> > Alexey Elfman wrote:  
> >>  
> >> Hello.
> >>
> >> I've been experiencing trouble after upgrading to 1.6.0.
> >> After a short investigation, I realized that the trouble is with admin users
> >> with a hashed password (not pbkdf) in the locals.ini file.
> >>
> >> Users with a hashed password experience a 403 error accessing CouchDB 1.6.0
> >> (all previous versions work fine). The error text isn't helpful:
> >> "{"error":"forbidden","reason":"doc.type must be user"}"
> >>
> >> So, my recommendation is to reset the password before the upgrade (it will
> >> then be in pbkdf format).
> >>
> >> This trouble (breaking change?) was not covered in the change log for 1.6.0,
> >> so maybe my message will be helpful for somebody.
> >>  
> > This was a bug in the 1.6.0 release. You can apply a patch to the source to  
> > solve the problem.  
> >  
> > Regards,  
> > James  


Thanks for reporting this Alexey, unless I’m missing something, this seems to be a
*different* problem; I’ve struck this too this morning.

Alexey - what version of CouchDB were you running prior?

repro:

- install 1.2.1
- create admin, bdmin users via futon
- remove old binaries etc `rm -rf bin share lib`
  only dbs and .ini files remain (apart from log uri etc)
- install 1.6.0 (or 1-rc.3 with the fix for the raw/unhashed password fix)
- try to log in using admin or bdmin via futon

See https://dpaste.de/XRfY for more details.

CC’ing dev.

—
Dave Cottlehuber
dch@jsonified.com
Sent from my Couch


Re: old-style (hashed) passwords for admin are broken in 1.6.0?

Posted by Alexander Shorin <kx...@gmail.com>.
or just wait a while for the 1.6.1 release with the bugfix.
--
,,,^..^,,,


On Thu, Aug 21, 2014 at 4:33 PM, James Dingwall
<ja...@zynstra.com> wrote:
> Alexey Elfman wrote:
>>
>> Hello.
>>
>> I've been experiencing trouble after upgrading to 1.6.0.
>> After a short investigation, I realized that the trouble is with admin users
>> with a hashed password (not pbkdf) in the locals.ini file.
>>
>> Users with a hashed password experience a 403 error accessing CouchDB 1.6.0
>> (all previous versions work fine). The error text isn't helpful:
>> "{"error":"forbidden","reason":"doc.type must be user"}"
>>
>> So, my recommendation is to reset the password before the upgrade (it will
>> then be in pbkdf format).
>>
>> This trouble (breaking change?) was not covered in the change log for 1.6.0,
>> so maybe my message will be helpful for somebody.
>>
> This was a bug in the 1.6.0 release.  You can apply a patch to the source to
> solve the problem.
>
> Regards,
> James
>
> cat << EOF | patch src/couchdb/couch_passwords.erl
> --- src/couchdb/couch_passwords.erl.orig        2014-07-26
> 17:53:22.624015000 +0000
> +++ src/couchdb/couch_passwords.erl     2014-07-26 17:54:10.524015000 +0000
> @@ -26,7 +26,9 @@
>      ?l2b(couch_util:to_hex(crypto:sha(<<Password/binary, Salt/binary>>))).
>
>  %% CouchDB utility functions
> --spec hash_admin_password(binary()) -> binary().
> +-spec hash_admin_password(binary() | list()) -> binary().
> +hash_admin_password(ClearPassword) when is_list(ClearPassword) ->
> +    hash_admin_password(?l2b(ClearPassword));
>  hash_admin_password(ClearPassword) when is_binary(ClearPassword) ->
>      Iterations = couch_config:get("couch_httpd_auth", "iterations",
> "10000"),
>      Salt = couch_uuids:random(),
> EOF
>

Re: old-style (hashed) passwords for admin are broken in 1.6.0?

Posted by James Dingwall <ja...@zynstra.com>.
Alexey Elfman wrote:
> Hello.
>
> I've been experiencing trouble after upgrading to 1.6.0.
> After a short investigation, I realized that the trouble is with admin users
> with a hashed password (not pbkdf) in the locals.ini file.
>
> Users with a hashed password experience a 403 error accessing CouchDB 1.6.0
> (all previous versions work fine). The error text isn't helpful:
> "{"error":"forbidden","reason":"doc.type must be user"}"
>
> So, my recommendation is to reset the password before the upgrade (it will
> then be in pbkdf format).
>
> This trouble (breaking change?) was not covered in the change log for 1.6.0,
> so maybe my message will be helpful for somebody.
>
This was a bug in the 1.6.0 release.  You can apply a patch to the 
source to solve the problem.

Regards,
James

cat << EOF | patch src/couchdb/couch_passwords.erl
--- src/couchdb/couch_passwords.erl.orig        2014-07-26 
17:53:22.624015000 +0000
+++ src/couchdb/couch_passwords.erl     2014-07-26 17:54:10.524015000 +0000
@@ -26,7 +26,9 @@
      ?l2b(couch_util:to_hex(crypto:sha(<<Password/binary, Salt/binary>>))).

  %% CouchDB utility functions
--spec hash_admin_password(binary()) -> binary().
+-spec hash_admin_password(binary() | list()) -> binary().
+hash_admin_password(ClearPassword) when is_list(ClearPassword) ->
+    hash_admin_password(?l2b(ClearPassword));
  hash_admin_password(ClearPassword) when is_binary(ClearPassword) ->
      Iterations = couch_config:get("couch_httpd_auth", "iterations", 
"10000"),
      Salt = couch_uuids:random(),
EOF
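Review bot: as it arrives in this mail the hunk has been line-wrapped, so `cat << EOF | patch src/couchdb/couch_passwords.erl` will not apply it cleanly: the `---` header is split after `2014-07-26`, and the context line `Iterations = couch_config:get("couch_httpd_auth", "iterations",` has its `"10000"),` pushed onto a line of its own, which leaves the hunk one line longer than its `@@ -26,7 +26,9 @@` header declares and without the leading space a context line needs. Rejoin those lines before applying, or take the fix from the repository commit Robert links in this thread (https://git-wip-us.apache.org/repos/asf?p=couchdb.git;h=5e46f3b). Separately, the new spec `binary() | list()` is wider than what the added clause accepts: `?l2b` (list_to_binary) raises badarg for any list element outside 0..255, so a password read from the .ini as a string containing non-Latin-1 characters would crash in the new clause rather than be hashed; `string()` in the spec and `unicode:characters_to_binary/1` in the clause would make the declared type and the behaviour agree.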