Merge branch 'morpheus' into 'master'

* morpheus:
  MB-68871 Add --ipv6only and --ipv4only options to init-node
  MB-68657 Add CLI support for temporary passwords
  DOC-13099 Fix docs typo
  DOC-12245 Add `--ip` documentation to `reset-admin-password`

Change-Id: I07d931c37cca5f7b4af4cd2013ca94a5353dfff5

Author: lubomarinski

cbmgr.py

@@ -2278,28 +2278,42 @@ def __init__(self):
                            help="Configure the node to communicate via ipv6")
         group.add_argument("--ipv4", dest="ipv4", action="store_true", default=False,
                            help="Configure the node to communicate via ipv4")
+        group.add_argument("--ipv6only", dest="ipv6_only", action="store_true", default=False,
+                           help="Configure the node to only use ipv6")
+        group.add_argument("--ipv4only", dest="ipv4_only", action="store_true", default=False,
+                           help="Configure the node to only use ipv4")
 
     @rest_initialiser(credentials_required=False)
     def execute(self, opts):
         # Cluster does not need to be initialized for this command
 
         if (opts.data_path is None and opts.index_path is None and opts.analytics_path is None
                 and opts.eventing_path is None and opts.java_home is None and opts.hostname is None
-                and opts.ipv6 is None and opts.ipv4 is None):
+                and opts.ipv6 is None and opts.ipv4 is None and opts.ipv6_only is None and opts.ipv4_only is None):
             _exit_if_errors(["No node initialization parameters specified"])
 
-        if opts.ipv4 and opts.ipv6:
-            _exit_if_errors(["Use either --ipv4 or --ipv6"])
+        flags_used = sum([opts.ipv4, opts.ipv6, opts.ipv6_only, opts.ipv4_only])
+        if flags_used > 1:
+            _exit_if_errors(["--ipv4, --ipv6, --ipv4only, and --ipv6only are mutually exclusive"])
+
+        afamily_only = None
 
         if opts.ipv4:
             afamily = 'ipv4'
         elif opts.ipv6:
             afamily = 'ipv6'
+        elif opts.ipv4_only:
+            afamily = 'ipv4'
+            afamily_only = True
+        elif opts.ipv6_only:
+            afamily = 'ipv6'
+            afamily_only = True
         else:
             afamily = None
 
         _, errors = self.rest.node_init(hostname=opts.hostname,
                                         afamily=afamily,
+                                        afamily_only=afamily_only,
                                         data_path=opts.data_path,
                                         index_path=opts.index_path,
                                         cbas_path=opts.analytics_path,
@@ -4796,8 +4810,10 @@ def __init__(self):
         group.add_argument("--group-name", dest="group", metavar="<group>", help="Group name")
         group.add_argument("--group-description", dest="description", metavar="<text>", help="Group description")
         group.add_argument("--ldap-ref", dest="ldap_ref", metavar="<ref>", help="LDAP group's distinguished name")
+        group.add_argument("--temporary-password", dest="temporary_password", action="store_true",
+                           help="Force the user to change their password on next login (Enterprise Edition only)")
 
-    @rest_initialiser(cluster_init_check=True, version_check=True)
+    @rest_initialiser(cluster_init_check=True, version_check=True, enterprise_check=False)
     def execute(self, opts):
         num_selectors = sum([opts.delete, opts.list, opts.my_roles, opts.set, opts.get, opts.get_group,
                              opts.list_group, opts.delete_group, opts.set_group, opts.lock, opts.unlock])
@@ -4931,11 +4947,15 @@ def _set(self, opts):
         if opts.rbac_pass is not None and opts.auth_domain == "external":
             _warning("--rbac-password cannot be used with the external auth domain")
             opts.rbac_pass = None
+        if opts.temporary_password and not self.enterprise:
+            _exit_if_errors(["--temporary-password is only supported on Enterprise Edition"])
+        if opts.temporary_password and opts.auth_domain == "external":
+            _exit_if_errors(["--temporary-password cannot be used for external users"])
         if opts.auth_domain is None:
             _exit_if_errors(["--auth-domain is required with the --set option"])
 
         _, errors = self.rest.set_rbac_user(opts.rbac_user, opts.rbac_pass, opts.rbac_name, opts.roles,
-                                            opts.auth_domain, opts.groups)
+                                            opts.auth_domain, opts.groups, opts.temporary_password)
         _exit_if_errors(errors)
 
         if opts.roles is not None and "query_external_access" in opts.roles:

cluster_manager.py

@@ -1427,7 +1427,7 @@ def get_bucket(self, name):
 
         return None, ["Bucket not found"]
 
-    def node_init(self, hostname=None, afamily=None, data_path=None,
+    def node_init(self, hostname=None, afamily=None, afamily_only=None, data_path=None,
                   index_path=None, cbas_path=None, eventing_path=None,
                   java_home=None):
         url = f'{self.hostname}/nodeInit'
@@ -1439,6 +1439,9 @@ def node_init(self, hostname=None, afamily=None, data_path=None,
         if afamily is not None:
             params["afamily"] = afamily
 
+        if afamily_only is not None:
+            params["afamilyOnly"] = "true" if afamily_only else "false"
+
         if data_path is not None:
             params["dataPath"] = data_path
 
@@ -1626,7 +1629,7 @@ def my_roles(self):
         url = f'{self.hostname}/whoami'
         return self._get(url)
 
-    def set_rbac_user(self, username, password, name, roles, auth_domain, groups):
+    def set_rbac_user(self, username, password, name, roles, auth_domain, groups, temporary_password=None):
         if auth_domain is None:
             return None, ["The authentication type is required"]
 
@@ -1656,6 +1659,8 @@ def set_rbac_user(self, username, password, name, roles, auth_domain, groups):
             params['groups'] = groups
         elif 'groups' in defaults:
             params['groups'] = ','.join(defaults['groups'])
+        if temporary_password:
+            params['temporaryPassword'] = 'true'
 
         return self._put(url, params)
 

docs/modules/cli/pages/cbcli/couchbase-cli-node-init.adoc

@@ -17,7 +17,7 @@ _couchbase-cli node-init_ [--cluster <url>] [--username <user>] [--password <pas
     [--client-key-password <password>] [--node-init-data-path <path>]
     [--node-init-index-path <path>] [--node-init-analytics-path <path>]
     [--node-init-eventing-path <path>] [--node-init-hostname <hostname>]
-    [--node-init-java-home <path>] [--ipv4] [--ipv6]
+    [--node-init-java-home <path>] [--ipv4] [--ipv6] [--ipv4only] [--ipv6only]
 
 == DESCRIPTION
 
@@ -66,6 +66,14 @@ include::{partialsdir}/cbcli/part-common-options.adoc[]
 --ipv6::
   Switch the node to use ipv6 for node to node communication
 
+--ipv4only::
+  Switch the node to use ipv4 only for node to node communication. The node
+  will only listen on that address.
+
+--ipv6only::
+  Switch the node to use ipv6 only for node to node communication. The node
+  will only listen on that address.
+
 include::{partialsdir}/cbcli/part-host-formats.adoc[]
 
 include::{partialsdir}/cbcli/part-certificate-authentication.adoc[]

docs/modules/cli/pages/cbcli/couchbase-cli-node-to-node-encryption.adoc

@@ -12,7 +12,7 @@ Changes node-to-node encryption
 == SYNOPSIS
 
 [verse]
-_couchbase-cli node-to-node-encryption_ [--cluster <url>] [-username <username>] [--password <password>]
+_couchbase-cli node-to-node-encryption_ [--cluster <url>] [--username <username>] [--password <password>]
     [--client-cert <path>] [--client-cert-password <password>] [--client-key <path>]
     [--client-key-password <password>] [--get] [--enable] [--disable]
 

docs/modules/cli/pages/cbcli/couchbase-cli-reset-admin-password.adoc

@@ -13,7 +13,7 @@ Resets the Couchbase Server administrator password
 
 [verse]
 _couchbase-cli reset-admin-password_ [--regenerate] [--new-password <password>]
-    [--port <port>] [--config-path <path>]
+    [--port <port>] [--config-path <path>] [--ip]
 
 == DESCRIPTION
 
@@ -54,6 +54,11 @@ result, the command does not require credentials to be passed.
   Note: on Mac, this path is instead located in the user's home directory, at
   `~/Library/Application Support/Couchbase/var/lib/couchbase`.
 
+-I::
+--ip::
+  The IP address of the cluster, defaults to localhost. Useful if localhost
+  is not set as the loopback address.
+
 == EXAMPLES
 
 To change the administrator password to `new_pwd`, run the following command:

docs/modules/cli/pages/cbcli/couchbase-cli-user-manage.adoc

@@ -19,7 +19,7 @@ _couchbase-cli user-manage_ [--cluster <url>] [--username <user>] [--password <p
     [--set-group] [--delete-group] [--list-groups] [--get-group]
     [-- get] [--lock] [--unlock] [--rbac-username <username>]
     [--rbac-password <password>] [--rbac-name <name>] [--roles <roles_list>]
-    [--auth-domain <domain>] [--user-groups <group>]
+    [--auth-domain <domain>] [--user-groups <group>] [--temporary-password]
     [--group-description <text>] [--ldap-ref <ref>]
 
 == DESCRIPTION
@@ -100,6 +100,10 @@ include::{partialsdir}/cbcli/part-common-options.adoc[]
   a user (--set) or when updating the users group, and
   should be specified as a comma separated list.
 
+--temporary-password::
+  Sets a temporary password which the user must change on their next login.
+  This option can only be used with _local_ users.
+
 --group-name <group>::
   Specifies the target group for the group operations (--set-group,
   --delete-group, --get-group).
@@ -456,6 +460,13 @@ $ couchbase-cli user-manage -c 127.0.0.1:8091 -u Administrator \
  --rbac-name "John Doe" --roles bucket_admin[default],replication_admin \
  --auth-domain local
 ----
+To create a local user that with a temporary password (Enterprise Edition only):
+----
+$ couchbase-cli user-manage -c 127.0.0.1:8091 -u Administrator \
+ -p password --set --rbac-username jdoe --rbac-password cbpass \
+ --rbac-name "John Doe" --roles bucket_admin[default] \
+ --auth-domain local --temporary-password
+----
 If you have external user source setup in your cluster and you want to add a
 user "John Doe" with username `jdoe` who should have the ability to manage only
 views for all bucket run the following command

jenkins/.aspell.en.pws

@@ -29,8 +29,8 @@ cbcli
 cbcollect
 cbdatarecovery
 cbexport
-cblogredaction
 cbimport
+cblogredaction
 CBO
 cbrecovery
 cbrestore

test/test_cli.py

@@ -1218,7 +1218,7 @@ def test_node_init(self):
 
     def test_node_init_ipv6_and_ipv4(self):
         self.system_exit_run(self.command + self.name_args + ['--ipv4', '--ipv6'], self.server_args)
-        self.assertIn('Use either --ipv4 or --ipv6', self.str_output)
+        self.assertIn('--ipv4, --ipv6, --ipv4only, and --ipv6only are mutually exclusive', self.str_output)
 
     def test_node_init_ipv6(self):
         self.no_error_run(self.command + self.name_args + ['--ipv6'], self.server_args)
@@ -1232,6 +1232,34 @@ def test_node_init_ipv4(self):
         expected_params = ['hostname=foo', 'afamily=ipv4']
         self.rest_parameter_match(expected_params)
 
+    def test_node_init_ipv6only(self):
+        self.no_error_run(self.command + self.name_args + ['--ipv6only'], self.server_args)
+        self.assertIn('POST:/nodeInit', self.server.trace)
+        expected_params = ['hostname=foo', 'afamily=ipv6', 'afamilyOnly=true']
+        self.rest_parameter_match(expected_params)
+
+    def test_node_init_ipv4only(self):
+        self.no_error_run(self.command + self.name_args + ['--ipv4only'], self.server_args)
+        self.assertIn('POST:/nodeInit', self.server.trace)
+        expected_params = ['hostname=foo', 'afamily=ipv4', 'afamilyOnly=true']
+        self.rest_parameter_match(expected_params)
+
+    def test_node_init_ipv6_and_ipv6only(self):
+        self.system_exit_run(self.command + self.name_args + ['--ipv6', '--ipv6only'], self.server_args)
+        self.assertIn('--ipv4, --ipv6, --ipv4only, and --ipv6only are mutually exclusive', self.str_output)
+
+    def test_node_init_ipv4_and_ipv6only(self):
+        self.system_exit_run(self.command + self.name_args + ['--ipv4', '--ipv6only'], self.server_args)
+        self.assertIn('--ipv4, --ipv6, --ipv4only, and --ipv6only are mutually exclusive', self.str_output)
+
+    def test_node_init_ipv4_and_ipv4only(self):
+        self.system_exit_run(self.command + self.name_args + ['--ipv4', '--ipv4only'], self.server_args)
+        self.assertIn('--ipv4, --ipv6, --ipv4only, and --ipv6only are mutually exclusive', self.str_output)
+
+    def test_node_init_ipv4only_and_ipv6only(self):
+        self.system_exit_run(self.command + self.name_args + ['--ipv4only', '--ipv6only'], self.server_args)
+        self.assertIn('--ipv4, --ipv6, --ipv4only, and --ipv6only are mutually exclusive', self.str_output)
+
 
 class TestNodeReset(CommandTest):
     def setUp(self):
@@ -2811,8 +2839,31 @@ def test_unlock(self):
         self.assertIn('PATCH:/settings/rbac/users/local/username', self.server.trace)
         expected_params = ['locked=false']
         self.rest_parameter_match(expected_params)
+
+    def test_set_local_user_with_temporary_password(self):
+        self.no_error_run(self.command + ['--set', '--rbac-username', 'username', '--rbac-password', 'pwd',
+                                          '--auth-domain', 'local', '--roles', 'admin', '--rbac-name', 'name',
+                                          '--temporary-password'],
+                          self.server_args)
+        self.assertIn('PUT:/settings/rbac/users/local/username', self.server.trace)
+        expected_params = ['name=name', 'password=pwd', 'roles=admin', 'temporaryPassword=true']
         self.rest_parameter_match(expected_params)
 
+    def test_set_external_user_with_temporary_password(self):
+        self.system_exit_run(self.command + ['--set', '--rbac-username', 'username', '--auth-domain',
+                                             'external', '--roles', 'admin', '--rbac-name', 'name',
+                                             '--temporary-password'],
+                             self.server_args)
+        self.assertIn('--temporary-password cannot be used for external users', self.str_output)
+
+    def test_set_local_user_with_temporary_password_community(self):
+        self.server_args['enterprise'] = False
+        self.system_exit_run(self.command + ['--set', '--rbac-username', 'username', '--rbac-password', 'pwd',
+                                             '--auth-domain', 'local', '--roles', 'admin', '--rbac-name', 'name',
+                                             '--temporary-password'],
+                             self.server_args)
+        self.assertIn('--temporary-password is only supported on Enterprise Edition', self.str_output)
+
 
 class TestMasterPassword(CommandTest):
     def setUp(self):