Authentication is a process that securely identifies who is accessing the system.
Only Couchbase administrators and applications can authenticate with Couchbase Server:
Two types of Couchbase administrators can authenticate with Couchbase Server using their passwords: one full administrator and one read-only administrator.
|The full Couchbase administrator can connect to Couchbase Server at all times.|
- Full Couchbase administrator
The full (built-in) Couchbase administrator is configured during installation. This administrator can configure one read-only Couchbase administrator and access all Couchbase Server functions, including the ability to enable LDAP and configure additional LDAP administrators.
Passwords for full Couchbase administrators must follow security best practices. See Couchbase passwords for more details.
- Read-only Couchbase administrator
The read-only administrator is optional and can be set by the full Couchbase administrator at any time using the Couchbase Web Console. This administrator can view certain activities without having ability to edit.
Passwords for read-only administrators follow the same security best practices. See Couchbase passwords for more details.
To set up credentials for the read-only Couchbase administrator, open the Couchbase Web Console and go toto enter the administrator’s credentials.
- Resetting the administrative password
The administrative password can be reset using the password reset tool:
Applications authenticate themselves with buckets using the SASL password.
Authentication at the bucket level takes place over the CRAM-MD5 protocol and involves a single challenge-and-response cycle initiated by Couchbase Server.
In the challenge sequence, the server sends a string in the format of a Message ID (email header value including angle brackets). The Message ID includes an arbitrary string of random digits, a timestamp, and the server’s fully qualified domain name.
Access control is configured using the Couchbase Web Console atand is set for two ports:
- Standard port
This is TCP port
11211, which requires SASL authentication. Enter the password that complies with the best practices rules.
- Dedicated port
This port supports ASCII protocol and doesn’t need authentication. You only need to enter the port number.