couchdb-user mailing list archives

From Geoffrey Cox <redge...@gmail.com>
Subject Re: Does CouchDB 2 sync user sessions across nodes?
Date Mon, 15 May 2017 02:40:10 GMT
Nice. I just tried Jan's suggestion of using the exact same line (including
the pbkdf2 hash) in the [admins] section of local.ini on all my nodes and
disabled sticky load balancing in haproxy and the admin session now appears
to persist across all nodes!

I'm going to try to figure out a good way to automate this setup via
docker-compose and will then update my examples.

Thanks for the help!

On Sun, May 14, 2017 at 2:52 PM Robert Samuel Newson <rnewson@apache.org>
wrote:

> As Jan says, and as my SO reply says, this is fixable.
>
> You absolutely do not need sticky load balancer routing for this (I can
> state definitely that Cloudant uses round-robin haproxy in their lb tier).
>
> Since the salt is the likely issue here and only applies to admins (as
> user hashes are in the distributed _users database), I recommend you not
> use admin credentials for regular database access, reserve those for the
> operations that require admin powers.
>
> B.
>
> > On 14 May 2017, at 18:55, Geoffrey Cox <redgeoff@gmail.com> wrote:
> >
> > Thanks Robert, but in my testing, I found that you need to use cookie
> > based routing, i.e. sticky sessions, in order for the session to persist
> > when you are using haproxy. This is even when you set the secret to be the
> > same on all nodes.
> >
> > My working solution with cookie-based routing can be found at
> > https://github.com/redgeoff/couchdb-docker/blob/production-multi-node/README.md#run-cluster-via-docker-compose-wip
> >
> > On Sun, May 14, 2017, 09:50 Robert Samuel Newson <rnewson@apache.org> wrote:
> >
> >> A session cookie acquired on one node is recognised by any other node if
> >> you follow the instructions below (these are in the docs and
> >> _cluster_setup does this too).
> >>
> >> You need to ensure each node has the same secret in couch_httpd_auth.
> >> It's randomized at startup if not set, so set it to something (large,
> >> random) before starting couchdb.
> >>
> >> For _admin_ users, you also need to ensure you set the same hashed
> >> version in the .ini file as the salt value is part of the cookie state
> >> (so that cookies are invalidated when passwords change).
> >>
> >> Basically, anything in the .ini file needs synchronising between the
> >> nodes externally. By hand, but more likely using chef / puppet, etc.
> >>
> >> Cloudant, for example, generates default.ini from a template which sets
> >> a cluster-wide couch_httpd_auth secret and the [admins] section.
> >>
> >> B.
> >>
> >>> On 14 May 2017, at 02:43, Geoffrey Cox <redgeoff@gmail.com> wrote:
> >>>
> >>> Hi!
> >>>
> >>> Anyone have any ideas on this? http://stackoverflow.com/q/43958527/2831606
> >>>
> >>> Thanks!
> >>>
> >>> Geoff
> >>
> >>
>
>
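
Why the identical [admins] line matters, as an added example that is not part of the original thread and not CouchDB's own code: a simplified model in which the cookie MAC is keyed with the shared secret plus the admin's salt, so a node holding a different salt rejects the cookie. The HMAC-SHA1 cookie layout is an assumption about CouchDB 2.x, and every name and value below is constructed.

```python
import base64, hashlib, hmac

def admin_salt(ini_value):
    # [admins] values look like: -pbkdf2-<derived_key>,<salt>,<iterations>
    if not ini_value.startswith("-pbkdf2-"):
        raise ValueError("admin entry is not a pbkdf2 hash")
    _key, salt, _iterations = ini_value[len("-pbkdf2-"):].split(",")
    return salt

def session_mac(node, session):
    # Assumed model: the HMAC key is the cluster secret followed by the admin's salt.
    key = (node["secret"] + admin_salt(node["admin"])).encode()
    return hmac.new(key, session, hashlib.sha1).digest()

def issue_cookie(node, user, timestamp):
    session = f"{user}:{timestamp:X}".encode()
    token = session + b":" + session_mac(node, session)
    return base64.urlsafe_b64encode(token).decode().rstrip("=")

def accepts(node, cookie):
    raw = base64.urlsafe_b64decode(cookie + "=" * (-len(cookie) % 4))
    user, timestamp, mac = raw.split(b":", 2)  # the MAC may itself contain ':'
    return hmac.compare_digest(mac, session_mac(node, user + b":" + timestamp))

def accepting_nodes(cluster, cookie):
    return sorted(name for name, node in cluster.items() if accepts(node, cookie))

# Constructed sample values, not real credentials.
SECRET = "constructed-cluster-secret"
HASH_A = "-pbkdf2-1111aaaa,saltfromnode1,10"
HASH_B = "-pbkdf2-2222bbbb,saltfromnode2,10"

# Same secret everywhere, but each node hashed the admin password on its own.
drifted = {"node1": {"secret": SECRET, "admin": HASH_A},
           "node2": {"secret": SECRET, "admin": HASH_B}}
# The identical [admins] line copied to every node.
synced = {"node1": {"secret": SECRET, "admin": HASH_A},
          "node2": {"secret": SECRET, "admin": HASH_A}}

if __name__ == "__main__":
    for label, cluster in (("drifted", drifted), ("synced", synced)):
        cookie = issue_cookie(cluster["node1"], "admin", 1494816010)
        print(label, accepting_nodes(cluster, cookie))
```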
