Configure Named Query Access Control
Configure named query access control to restrict which queries each edge client user can execute, based on their collection-level permissions.
Prerequisites
-
Couchbase Edge Server {version} or later.
-
enable_user_access_controlset totrueat the server level. See configuration:configure-access-control.adoc. -
Named queries defined in the database configuration.
| Ad hoc query execution is disabled by default. Couchbase recommends keeping ad hoc queries disabled in production deployments. Access control policies apply to named queries only. |
How Named Query Access Works
When enable_user_access_control is enabled, Couchbase Edge Server evaluates a user’s collection-level permissions to determine which named queries that user can execute.
There are two ways to configure a named query:
-
Database-level query — A query defined without an
allowproperty. Any authenticated user with read access to at least one collection in the database can execute this query. -
Collection-restricted query — A query with an
allow.collectionsproperty. Only users with read access to at least one of the listed collections can execute this query.
Configure a Database-Level Named Query
Define the query in the queries object without an allow property.
{
"enable_user_access_control": true,
"databases": {
"mydb": {
"queries": {
"all_airlines": {
"statement": "SELECT * FROM travel.inventory.airlines"
}
}
}
}
}
Any user with read access to the mydb database can execute the all_airlines query.
Configure a Collection-Restricted Named Query
Add an allow.collections property to the query definition.
List the collections a user must have read access to in order to execute the query.
A user needs read access to at least one of the listed collections.
{
"enable_user_access_control": true,
"databases": {
"mydb": {
"queries": {
"all_airlines": {
"statement": "SELECT * FROM travel.inventory.airlines"
},
"best_hotels": {
"statement": "SELECT id, name, rating FROM travel.inventory.hotels",
"allow": {
"collections": ["inventory.hotels", "inventory.landmarks"]
}
}
}
}
}
}
In this example:
-
Any user with read access to
mydbcan executeall_airlines. -
Only users with read access to
inventory.hotelsorinventory.landmarkscan executebest_hotels.
The following users file illustrates which queries each user can run:
{
"foo": {
"access": {
"mydb.inventory.landmarks": ["read"]
}
},
"bar": {
"access": {
"mydb.inventory.airlines": ["read", "write"]
}
}
}
-
foohas read access toinventory.landmarksand can executebest_hotels. -
barhas read access toinventory.airlinesand can executeall_airlines.barcannot executebest_hotelsbecausebardoes not have access toinventory.hotelsorinventory.landmarks.
Next Steps
-
To review how Couchbase Edge Server enforces access control across REST operations, see configuration:fine-grained-access-control.adoc.
-
To configure user access permissions, see configuration:configure-access-control.adoc.