RBAC for Applications

    Role-Based Access Control precisely determines an application’s ability to read and write data.

    Roles and Privileges

    Couchbase roles each have a fixed association with a set of one or more privileges. Each privilege is associated with a resource. Privileges are actions such as Read, Write, Execute, Manage, Flush, or List; or a combination of some or all of these.

    When an application attempts to access a resource, the application’s roles and privileges are checked by Couchbase Server. If the assigned roles contain privileges that support the kind of access that is being attempted, access is granted; otherwise, it is denied.

    The following list contains all application-roles supported by Couchbase RBAC. Each role is explained by means of a description and a table: the table lists the privileges in association with resources. Where a privilege is associated with a resource, this is indicated with a check-mark (shown as yes in the tables below). Where a privilege is not associated with a resource (or where association would not be applicable), this is indicated with a cross (shown as no).

    Access to Couchbase Web Console

    Only a subset of application-roles are granted access to the Couchbase Web Console. In the tables below, if a UI row is included, the role is granted the UI-related privilege indicated in the row, and the username and password associated with the role can therefore be used to log into the console. If no UI row is included, no UI-related privilege is granted; and the username and password cannot therefore be used to log into the console.
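    The access check described above, as an added example that is not Couchbase code: a small Python model in which a subset of the role tables on this page is transcribed into a privilege matrix, an is_allowed check mirrors the grant-or-deny rule (some assigned role must carry the requested privilege on the requested resource, and a role scoped to one bucket does not cover another), minimal_roles picks the least-privilege set of roles for what an application actually needs, and review flags the two cautions this page raises (the deprecated Bucket Full Access role and the Query External Access role). The role aliases and resource labels are the page's; the Assignment type, the function names, the greedy selection strategy and the sample assignments are the example's own assumptions, and the Pools: Read privilege that every role carries is left out of the matrix.

```python
"""Model of the Couchbase application-role check described on this page.

Added example, not Couchbase code. The matrix is transcribed from a subset of
the role tables on this page (resource labels copied as the tables give them);
the roles with uniform Read/Write/Execute/Manage columns are modeled and the
"Pools: Read" privilege held by every role is omitted.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# role alias -> set of (resource, privilege) pairs the role grants on its bucket
ROLE_PRIVILEGES: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "data_reader": frozenset({("Docs", "Read"), ("Meta", "Read"), ("Xattr", "Read")}),
    "data_writer": frozenset({("Docs", "Read"), ("Docs", "Write"),
                              ("Xattr", "Read"), ("Xattr", "Write")}),
    "query_select": frozenset({("N1QL SELECT", "Execute")}),
    "query_update": frozenset({("N1QL UPDATE", "Execute")}),
    "query_insert": frozenset({("N1QL INSERT", "Execute")}),
    "query_delete": frozenset({("N1QL DELETE", "Execute")}),
    "query_external_access": frozenset({("N1QL curl", "Execute")}),
}
DEPRECATED_ROLES = {"bucket_sasl"}           # Bucket Full Access, per this page
RISKY_ROLES = {"query_external_access"}      # CURL into the internal network


@dataclass(frozen=True)
class Assignment:
    """A role granted to an application user (hypothetical type for this example)."""
    role: str
    bucket: str  # "*" means every bucket, otherwise a single bucket-name


def is_allowed(assignments: Iterable[Assignment], bucket: str,
               resource: str, privilege: str) -> bool:
    """Grant iff some assigned role, scoped to this bucket or to '*', carries
    the requested privilege on the requested resource; otherwise deny."""
    for a in assignments:
        if a.bucket not in ("*", bucket):
            continue
        if (resource, privilege) in ROLE_PRIVILEGES.get(a.role, frozenset()):
            return True
    return False


def minimal_roles(required: Iterable[Tuple[str, str]]) -> List[str]:
    """Greedy least-privilege selection: repeatedly pick the role that covers
    the most still-uncovered pairs, breaking ties on the fewest extra privileges."""
    remaining = set(required)
    chosen: List[str] = []
    while remaining:
        best = None
        for role, privs in ROLE_PRIVILEGES.items():
            covered = privs & remaining
            if not covered:
                continue
            extra = len(privs - remaining)  # privileges the app does not need
            key = (-len(covered), extra, role)
            if best is None or key < best[0]:
                best = (key, role)
        if best is None:
            raise ValueError(f"no modeled role covers {sorted(remaining)}")
        chosen.append(best[1])
        remaining -= ROLE_PRIVILEGES[best[1]]
    return sorted(chosen)


def review(assignments: Iterable[Assignment]) -> List[str]:
    """Findings for the cautions this page raises, plus wildcard bucket scope."""
    findings: List[str] = []
    for a in assignments:
        if a.role in DEPRECATED_ROLES:
            findings.append(f"{a.role} on {a.bucket}: deprecated for buckets created on 5.0 and later")
        if a.role in RISKY_ROLES:
            findings.append(f"{a.role} on {a.bucket}: permits GET/POST requests on the internal network")
        if a.bucket == "*":
            findings.append(f"{a.role} on *: wildcard bucket scope, consider naming the bucket")
    return findings


if __name__ == "__main__":
    # Constructed sample: an app that only reads documents from one bucket.
    app = [Assignment("data_reader", "travel-sample")]
    print(is_allowed(app, "travel-sample", "Docs", "Read"))   # granted
    print(is_allowed(app, "beer-sample", "Docs", "Read"))     # denied: other bucket
    print(minimal_roles({("Docs", "Read"), ("N1QL SELECT", "Execute")}))
    print(review([Assignment("query_external_access", "*")]))
```

    The check deliberately denies on any role it does not know, so a misspelled role alias reads as "no access" rather than silently passing; when extending the matrix, copy the rows from the tables on this page rather than guessing.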

    Bucket Full Access

    The Bucket Full Access role provides full access to bucket data. Note that this role is available in the Community Edition of Couchbase Server, as well as in Enterprise Edition.

    The role is provided in support of buckets that were created on versions of Couchbase Server prior to 5.0. Such buckets were accessed by specifying bucket-name and bucket-password: however, bucket-passwords are not recognized by Couchbase Server 5.0 and after. Therefore, for each pre-existing bucket, the 5.0 upgrade-process creates a new user, whose username is identical to the bucket-name; and whose password is identical to the former bucket-password, if one existed. If no bucket-password existed, the user is created with no password. This migration-process allows the same name-combination as before to be used in authentication. To ensure backwards compatibility, each system-created user is assigned the Bucket Full Access role, which authorizes the same read-write access to bucket-data as was granted before 5.0.

    Use of the Bucket Full Access role is deprecated for buckets created on Couchbase Server 5.0 and after: use the other bucket-access roles provided.

    The tables below list each role’s name followed by its alias name in parentheses. The alias names are used in commands and are accessible only through N1QL queries.
    Role: Bucket Full Access (bucket_sasl)

    Resources                           Read  Write  Execute  Manage  Flush
    Bucket [ * | bucket-name ]: Data    yes   yes    yes      yes     no
    Bucket [ * | bucket-name ]: Views   yes   yes    yes      yes     no
    N1QL: Index                         yes   yes    yes      yes     no
    N1QL: Other                         yes   yes    yes      no      no
    Bucket: [ * | bucket-name ]         yes   no     no       no      yes
    Pools                               yes   no     no       no      no

    Data Reader

    The Data Reader role allows data to be read from a specified bucket. Note that the role does not permit the running of N1QL queries (such as SELECT) against data.

    Role: Data Reader (data_reader)

    Resources                           Read  Write  Execute  Manage
    Bucket [ * | bucket-name ]: Docs    yes   no     no       no
    Bucket [ * | bucket-name ]: Meta    yes   no     no       no
    Bucket [ * | bucket-name ]: Xattr   yes   no     no       no
    Pools                               yes   no     no       no

    Data Writer

    The Data Writer role allows information to be written to and read from a specified bucket.

    Role: Data Writer (data_writer)

    Resources                           Read  Write  Execute  Manage
    Bucket [ * | bucket-name ]: Docs    yes   yes    no       no
    Bucket [ * | bucket-name ]: Xattr   yes   yes    no       no
    Pools                               yes   no     no       no

    Data DCP Reader

    The Data DCP Reader role allows DCP streams to be read.

    Role: Data DCP Reader (data_dcp_reader)

    Resources                            Read  Write  Execute  Manage
    Bucket: [ * | bucket-name ]: Docs    yes   no     no       no
    Bucket: [ * | bucket-name ]: Meta    yes   no     no       no
    Bucket: [ * | bucket-name ]: DCP     yes   no     no       no
    Bucket: [ * | bucket-name ]: Sxattr  yes   no     no       no
    Bucket: [ * | bucket-name ]: Xattr   yes   no     no       no
    Admin: Memcached: Idle               no    yes    no       no
    Pools                                yes   no     no       no

    Data Backup

    The Data Backup role allows data to be backed up and restored.

    Role: Data Backup (data_backup)

    Resources                              Read  Write  Execute  Manage
    Bucket: [ * | bucket-name ]: Data      yes   yes    no       no
    Bucket: [ * | bucket-name ]: Views     yes   yes    no       no
    Bucket: [ * | bucket-name ]: FTS       yes   yes    no       yes
    Bucket: [ * | bucket-name ]: Stats     yes   no     no       no
    Bucket: [ * | bucket-name ]: Settings  yes   no     no       no
    Bucket: [ * | bucket-name ]: Pools     yes   no     no       no

    Data Monitoring

    The Data Monitoring role allows all bucket-statistics to be read.

    Role: Data Monitoring (data_monitoring)

    Resources                           Read  Write  Execute  Manage
    Bucket [ * | bucket-name ]: Stats   yes   no     no       no
    Pools                               yes   no     no       no

    Views Reader

    The Views Reader role allows all views to be read.

    Role: Views Reader (views_reader)

    Resources                           Read  Write  Execute  Manage
    Bucket [ * | bucket-name ]: Data    yes   no     no       no
    Bucket [ * | bucket-name ]: Views   yes   no     no       no

    FTS Searcher

    The role FTS Searcher allows Full Text Search indexes to be searched by users with appropriate bucket-privileges.

    Role: FTS Searcher (fts_searcher)

    Resources                           Read  Write  Execute  Manage
    Bucket [ * | bucket-name ]: FTS     yes   no     no       no
    Settings: FTS                       yes   no     no       no
    UI                                  yes   no     no       no
    Pools                               yes   no     no       no

    Query Select

    The Query Select role allows the SELECT statement to be executed on a specified bucket.

    Role: Query Select (query_select)

    Resources                                 Read  Write  Execute  Manage
    Bucket [ * | bucket-name ]: N1QL, SELECT  no    no     yes      no
    UI                                        yes   no     no       no
    Pools                                     yes   no     no       no

    Query Update

    The Query Update role allows the UPDATE statement to be executed on a specified bucket.

    Role: Query Update (query_update)

    Resources                                 Read  Write  Execute  Manage
    Bucket [ * | bucket-name ]: N1QL, UPDATE  no    no     yes      no
    UI                                        yes   no     no       no
    Pools                                     yes   no     no       no

    Query Insert

    The Query Insert role allows the INSERT statement to be executed on a specified bucket.

    Role: Query Insert (query_insert)

    Resources                                 Read  Write  Execute  Manage
    Bucket [ * | bucket-name ]: N1QL, INSERT  no    no     yes      no
    UI                                        yes   no     no       no
    Pools                                     yes   no     no       no

    Query Delete

    The Query Delete role allows the DELETE statement to be executed on a specified bucket.

    Role: Query Delete (query_delete)

    Resources                                 Read  Write  Execute  Manage
    Bucket [ * | bucket-name ]: N1QL, DELETE  no    no     yes      no
    UI                                        yes   no     no       no
    Pools                                     yes   no     no       no

    Query Manage Index

    The Query Manage Index role allows indexes to be managed for a specified bucket.

    Role: Query Manage Index (query_manage_index)

    Resources                                Read  Write  Execute  Manage
    Bucket [ * | bucket-name ]: N1QL, INDEX  yes   yes    yes      yes
    UI                                       yes   no     no       no
    Pools                                    yes   no     no       no

    Query System Catalog

    The Query System Catalog role allows information to be looked up in the system catalog: this includes system:indexes, system:prepareds, and tables listing current and past queries. This role is designed for troubleshooters, who need to debug queries.

    Role: Query System Catalog (query_system_catalog)

    Resources                                Read  Write  Execute  Manage  List
    Bucket [ * | bucket-name ]: N1QL, INDEX  no    no     no       no      yes
    Bucket [ * | bucket-name ]: N1QL, Meta   yes   no     no       no      no
    UI                                       yes   no     no       no      no
    Pools                                    yes   no     no       no      no

    Query External Access

    The Query External Access role allows the N1QL CURL function to be executed by an externally authenticated user.

    Note that the Query External Access role should be assigned with caution, since it entails risk: CURL runs within the local Couchbase Server network; therefore, the assignee of the Query External Access role is permitted to run GET and POST requests on the internal network, while being themselves externally located.

    For an account of limitations on CURL, see CURL Function.

    Role: Query External Access (query_external_access)

    Resources                               Read  Write  Execute  Manage
    Bucket [ * | bucket-name ]: N1QL, curl  no    no     yes      no
    UI                                      yes   no     no       no
    Pools                                   yes   no     no       no

    System Keyspaces (Tables)

    In Couchbase Server 5.0, three new system keyspaces have been added:

    • system:applicable_roles

    • system:my_user_info

    • system:user_info

    Along with these three keyspaces, metadata related to roles and user access has been added as well.

    This brings the total number of system keyspaces up to 12, grouped as follows:

    • System Catalogs

    • Monitoring Catalogs

    • Security Catalogs

    SELECT Operations on System Keyspaces

    All of the system keyspaces support SELECT operations and are divided into the below security levels:

    [Table image: SELECT operations on system keyspaces, by security level]