ING-1369: Implemented no-auth mode to enable user-level setups.

Author: brett19

cmd/gateway/main.go

@@ -79,6 +79,7 @@ func init() {
 	configFlags.String("cb-user", "Administrator", "the couchbase server username")
 	configFlags.String("cb-pass", "password", "the couchbase server password")
 	configFlags.Bool("cb-host-is-local", false, "specifies if the cb-host node is running locally")
+	configFlags.Bool("single-user-auth", false, "enables single-user authenticating to GRPC and Data API")
 	configFlags.String("bind-address", "0.0.0.0", "the local address to bind to")
 	configFlags.Int("data-port", 18098, "the data port")
 	configFlags.Int("dapi-port", -1, "the data api port")
@@ -252,6 +253,7 @@ type config struct {
 	cbUser                string
 	cbPass                string
 	cbHostIsLocal         bool
+	singleUserAuth        bool
 	bindAddress           string
 	dataPort              int
 	webPort               int
@@ -293,6 +295,7 @@ func readConfig(logger *zap.Logger) *config {
 		cbUser:                viper.GetString("cb-user"),
 		cbPass:                viper.GetString("cb-pass"),
 		cbHostIsLocal:         viper.GetBool("cb-host-is-local"),
+		singleUserAuth:        viper.GetBool("single-user-auth"),
 		bindAddress:           viper.GetString("bind-address"),
 		dataPort:              viper.GetInt("data-port"),
 		webPort:               viper.GetInt("web-port"),
@@ -333,6 +336,7 @@ func readConfig(logger *zap.Logger) *config {
 		zap.String("cbUser", config.cbUser),
 		// zap.String("cbPass", config.cbPass),
 		zap.Bool("cbHostIsLocal", config.cbHostIsLocal),
+		zap.Bool("singleUserAuth", config.singleUserAuth),
 		zap.String("bindAddress", config.bindAddress),
 		zap.Int("dataPort", config.dataPort),
 		zap.Int("webPort", config.webPort),
@@ -609,6 +613,7 @@ func startGateway() {
 		Username:            config.cbUser,
 		Password:            config.cbPass,
 		BoostrapNodeIsLocal: config.cbHostIsLocal,
+		SingleUserAuth:      config.singleUserAuth,
 		Daemon:              daemon,
 		Debug:               config.debug,
 		ProxyServices:       strings.Split(config.dapiProxyServices, ","),
@@ -649,8 +654,9 @@ func startGateway() {
 
 		if newConfig.cbHost != config.cbHost ||
 			newConfig.cbUser != config.cbUser ||
-			newConfig.cbPass != config.cbPass {
-			logger.Warn("config changes for cbHost, cbUser, or cbPass require a restart")
+			newConfig.cbPass != config.cbPass ||
+			newConfig.singleUserAuth != config.singleUserAuth {
+			logger.Warn("config changes for cbHost, cbUser, cbPass or singleUserAuth require a restart")
 		}
 
 		if newConfig.bindAddress != config.bindAddress ||

gateway/auth/singleuserauthenticator.go

@@ -0,0 +1,28 @@
+package auth
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+)
+
+// We intentionally use an error for this case so that we only permit non-obo requests
+// to be produced if the caller is explicitly checking for this condition.
+var ErrSingleUserAuthValid = errors.New("single user authentication successful")
+
+type SingleUserAuthenticator struct {
+	Username string
+	Password string
+}
+
+func (a *SingleUserAuthenticator) ValidateUserForObo(ctx context.Context, user, pass string) (string, string, error) {
+	if user == a.Username && pass == a.Password {
+		return "", "", ErrSingleUserAuthValid
+	}
+
+	return "", "", ErrInvalidCredentials
+}
+
+func (a *SingleUserAuthenticator) ValidateConnStateForObo(ctx context.Context, connState *tls.ConnectionState) (string, string, error) {
+	return "", "", ErrInvalidCertificate
+}

gateway/dapiimpl/server_v1/authhandler.go

@@ -96,6 +96,10 @@ func (a AuthHandler) MaybeGetOboUserFromContext(ctx context.Context, authHdr *st
 
 	oboUser, oboDomain, err := a.Authenticator.ValidateUserForObo(ctx, username, password)
 	if err != nil {
+		if errors.Is(err, auth.ErrSingleUserAuthValid) {
+			return "", "", nil
+		}
+
 		if errors.Is(err, auth.ErrInvalidCredentials) {
 			return "", "", a.ErrorHandler.NewInvalidCredentialsStatus()
 		}
@@ -113,10 +117,6 @@ func (a AuthHandler) GetOboUserFromRequest(ctx context.Context, authHdr *string)
 		return "", "", st
 	}
 
-	if user == "" {
-		return "", "", a.ErrorHandler.NewNoAuthStatus()
-	}
-
 	return user, domain, nil
 }
 

gateway/dataimpl/server_v1/authhandler.go

@@ -99,6 +99,10 @@ func (a AuthHandler) MaybeGetOboUserFromContext(ctx context.Context) (string, st
 
 	oboUser, oboDomain, err := a.Authenticator.ValidateUserForObo(ctx, username, password)
 	if err != nil {
+		if errors.Is(err, auth.ErrSingleUserAuthValid) {
+			return "", "", nil
+		}
+
 		if errors.Is(err, auth.ErrInvalidCredentials) {
 			return "", "", a.ErrorHandler.NewInvalidCredentialsStatus()
 		}
@@ -116,10 +120,6 @@ func (a AuthHandler) GetOboUserFromContext(ctx context.Context) (string, string,
 		return "", "", st
 	}
 
-	if user == "" {
-		return "", "", a.ErrorHandler.NewNoAuthStatus()
-	}
-
 	return user, domain, nil
 }
 

gateway/gateway.go

@@ -58,6 +58,7 @@ type Config struct {
 	BoostrapNodeIsLocal bool
 	Username            string
 	Password            string
+	SingleUserAuth      bool
 
 	BindAddress      string
 	BindDataPort     int
@@ -273,20 +274,31 @@ func (g *Gateway) Run(ctx context.Context) error {
 	}
 
 	// initialize cb-auth
-	authenticator, err := auth.NewCbAuthAuthenticator(ctx, auth.NewCbAuthAuthenticatorOptions{
-		NodeId:      nodeID,
-		Addresses:   []string{authHostPort},
-		Username:    config.Username,
-		Password:    config.Password,
-		ClusterUUID: clusterUUID,
-		Logger:      config.Logger.Named("cbauth"),
-	})
-	if err != nil {
-		config.Logger.Error("failed to initialize cbauth connection",
-			zap.Error(err),
-			zap.String("hostPort", authHostPort),
-			zap.String("user", config.Username))
-		return err
+	var cbAuthAuthenticator *auth.CbAuthAuthenticator
+	var authenticator auth.Authenticator
+	if !config.SingleUserAuth {
+		cbAuthAuthenticator, err = auth.NewCbAuthAuthenticator(ctx, auth.NewCbAuthAuthenticatorOptions{
+			NodeId:      nodeID,
+			Addresses:   []string{authHostPort},
+			Username:    config.Username,
+			Password:    config.Password,
+			ClusterUUID: clusterUUID,
+			Logger:      config.Logger.Named("cbauth"),
+		})
+		if err != nil {
+			config.Logger.Error("failed to initialize cbauth connection",
+				zap.Error(err),
+				zap.String("hostPort", authHostPort),
+				zap.String("user", config.Username))
+			return err
+		}
+
+		authenticator = cbAuthAuthenticator
+	} else {
+		authenticator = &auth.SingleUserAuthenticator{
+			Username: config.Username,
+			Password: config.Password,
+		}
 	}
 
 	// try to establish a client connection to the cluster
@@ -319,45 +331,47 @@ func (g *Gateway) Run(ctx context.Context) error {
 		proxyServices = append(proxyServices, proxy.ServiceType(serviceName))
 	}
 
-	go func() {
-		watchCh := agentMgr.WatchConfig(context.Background())
-	runLoop:
-		for {
-			select {
-			case <-g.shutdownSig:
-				break runLoop
-			case cfg := <-watchCh:
-				if cfg == nil {
-					continue
-				}
+	if cbAuthAuthenticator != nil {
+		go func() {
+			watchCh := agentMgr.WatchConfig(context.Background())
+		runLoop:
+			for {
+				select {
+				case <-g.shutdownSig:
+					break runLoop
+				case cfg := <-watchCh:
+					if cfg == nil {
+						continue
+					}
 
-				mgmtEndpointsList := make([]string, 0, len(cfg.Nodes))
-				for _, node := range cfg.Nodes {
-					if node.Addresses.NonSSLPorts.Mgmt > 0 {
-						mgmtEndpointsList = append(mgmtEndpointsList,
-							fmt.Sprintf("%s:%d", node.Addresses.Hostname, node.Addresses.NonSSLPorts.Mgmt))
+					mgmtEndpointsList := make([]string, 0, len(cfg.Nodes))
+					for _, node := range cfg.Nodes {
+						if node.Addresses.NonSSLPorts.Mgmt > 0 {
+							mgmtEndpointsList = append(mgmtEndpointsList,
+								fmt.Sprintf("%s:%d", node.Addresses.Hostname, node.Addresses.NonSSLPorts.Mgmt))
+						}
 					}
-				}
 
-				err := authenticator.Reconfigure(auth.CbAuthAuthenticatorReconfigureOptions{
-					Addresses:   mgmtEndpointsList,
-					Username:    config.Username,
-					Password:    config.Password,
-					ClusterUUID: clusterUUID,
-				})
-				if err != nil {
-					config.Logger.Warn("failed to reconfigure cbauth",
-						zap.Error(err))
+					err := cbAuthAuthenticator.Reconfigure(auth.CbAuthAuthenticatorReconfigureOptions{
+						Addresses:   mgmtEndpointsList,
+						Username:    config.Username,
+						Password:    config.Password,
+						ClusterUUID: clusterUUID,
+					})
+					if err != nil {
+						config.Logger.Warn("failed to reconfigure cbauth",
+							zap.Error(err))
+					}
 				}
 			}
-		}
 
-		err := authenticator.Close()
-		if err != nil {
-			config.Logger.Warn("failed to shutdown cbauth",
-				zap.Error(err))
-		}
-	}()
+			err := cbAuthAuthenticator.Close()
+			if err != nil {
+				config.Logger.Warn("failed to shutdown cbauth",
+					zap.Error(err))
+			}
+		}()
+	}
 
 	startInstance := func(ctx context.Context, instanceIdx int) error {
 		rateLimiter := ratelimiting.NewGlobalRateLimiter(uint64(config.RateLimit), time.Second)