RBAC for Applications
Role-Based Access Control precisely determines an application’s ability to read and write data.
Roles and Privileges
Couchbase roles each have a fixed association with a set of one or more privileges. Each privilege is associated with a resource. Privileges are actions such as Read, Write, Execute, Manage, Flush, or List; or a combination of some or all of these.
When an application attempts to access a resource, the application’s roles and privileges are checked by Couchbase Server. If the assigned roles contain privileges that support the kind of access that is being attempted, access is granted; otherwise, it is denied.
The following list contains all application-roles supported by Couchbase RBAC. Each role explained by means of a description and a table: the table lists the privileges in association with resources. Where a privilege is associated with a resource, this is indicated with a check-mark. Where a privilege is not associated with a resource (or where association would not be applicable), this is indicated with a cross.
Access to Couchbase Web Console
Only a subset of application-roles are granted access to the Couchbase Web Console. In the tables below, if a UI row is included, the role is granted the UI-related privilege indicated in the row, and the username and password associated with the role can therefore be used to log into the console. If no UI row is included, no UI-related privilege is granted; and the username and password cannot therefore be used to log into the console.
Bucket Full Access
The Bucket Full Access role provides full access to bucket data. Note that this privilege is available for the Community Edition of Couchbase Server, as well as for Enterprise Edition.
The role is provided in support of buckets that were created on versions of Couchbase Server prior to 5.0. Such buckets were accessed by specifying bucket-name and bucket-password: however, bucket-passwords are not recognized by Couchbase Server 5.0 and after. Therefore, for each pre-existing bucket, the 5.0 upgrade-process creates a new user, whose username is identical to the bucket-name; and whose password is identical to the former bucket-password, if one existed. If no bucket-password existed, the user is created with no password. This migration-process allows the same name-combination as before to be used in authentication. To ensure backwards compatibility, each system-created user is assigned the Bucket Full Access role, which authorizes the same read-write access to bucket-data as was granted before 5.0.
Use of the Bucket Full Access role is deprecated for buckets created on Couchbase Server 5.0 and after: use the other bucket-access roles provided.
The tables below list each bucket’s name followed by its alias name in parenthesis.
The alias names are used in commands and are accessible only by N1QL queries.
|
Role: Bucket Full Access (bucket_full_access) |
|||||
|---|---|---|---|---|---|
| Resources | Privileges | ||||
| Read | Write | Execute | Manage | Flush | |
Bucket [ * | bucket-name ]: Data |
|
|
|
|
|
Bucket [ * | bucket-name ]: Views |
|
|
|
|
|
N1QL: Index |
|
|
|
|
|
N1QL: Other |
|
|
|
|
|
Bucket: [ * | bucket-name ] |
|
|
|
|
|
Pools |
|
|
|
|
|
Data Reader
The Data Reader role allows data to be read from a specified bucket. Note that the role does not permit the running of N1QL queries (such as SELECT) against data.
Role: Data Reader (data_reader) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket [ * | bucket-name ]: Docs |
|
|
|
|
Bucket [ * | bucket-name ]: Meta |
|
|
|
|
Bucket [ * | bucket-name ]: Xattr |
|
|
|
|
Pools |
|
|
|
|
Data Writer
The Data Writer role allows information to be written to and read from a specified bucket.
Role: Data Writer (data_writer) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket [ * | bucket-name ]: Docs |
|
|
|
|
Bucket [ * | bucket-name ]: Xattr |
|
|
|
|
Pools |
|
|
|
|
Data DCP Reader
The Data DCP Reader role allows DCP streams to be read.
Role: Data DCP Reader (data_dcp_reader) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket: [ * | bucket-name ]: Docs |
|
|
|
|
Bucket: [ * | bucket-name ]: Meta |
|
|
|
|
Bucket: [ * | bucket-name ]: DCP |
|
|
|
|
Bucket: [ * | bucket-name ]: Sxattr |
|
|
|
|
Bucket: [ * | bucket-name ]: Xattr |
|
|
|
|
Admin: Memcached: Idle |
|
|
|
|
Pools |
|
|
|
|
Data Backup
The Data Backup role allows data to be backed up and restored.
Role: Data Backup (data_backup) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket: [ * | bucket-name ]: Data |
|
|
|
|
Bucket: [ * | bucket-name ]: Views |
|
|
|
|
Bucket: [ * | bucket-name ]: FTS |
|
|
|
|
Bucket: [ * | bucket-name ]: Stats |
|
|
|
|
Bucket: [ * | bucket-name ]: Settings |
|
|
|
|
Bucket: [ * | bucket-name ]: Pools |
|
|
|
|
Data Monitoring
The Data Monitoring role allows all bucket-statistics to be read.
Role: Data Monitoring (data_monitoring) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket [ * | bucket-name ]: Stats |
|
|
|
|
Pools |
|
|
|
|
Views Reader
The Views Reader role allows all views to be read.
Role: Views Reader (views_reader) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket [ * | bucket-name ]: Data |
|
|
|
|
Bucket [ * | bucket-name ]: Views |
|
|
|
|
FTS Searcher
The role FTS Searcher allows Full Text Search indexes to be searched by users with appropriate bucket-privileges.
Role: FTS Searcher (fts_searcher) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket [ * | bucket-name ]: FTS |
|
|
|
|
Settings: FTS |
|
|
|
|
UI |
|
|
|
|
Pools |
|
|
|
|
Query Select
The Query Select role allows the SELECT statement to be executed on a specified bucket.
Role: Query Select (query_select) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket [ * | bucket-name ]: N1QL, SELECT |
|
|
|
|
UI |
|
|
|
|
Pools |
|
|
|
|
Query Update
The Query Update role allows the UPDATE statement to be executed on a specified bucket.
Role: Query Update (query_update) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket [ * | bucket-name ]: N1QL, UPDATE |
|
|
|
|
UI |
|
|
|
|
Pools |
|
|
|
|
Query Insert
The Query Insert role allows the INSERT statement to be executed on a specified bucket.
Role: Query Insert (query_insert) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket [ * | bucket-name ]: N1QL, INSERT |
|
|
|
|
UI |
|
|
|
|
Pools |
|
|
|
|
Query Delete
The Query Delete role allows the DELETE statement to be executed on a specified bucket.
Role: Query Delete (query_delete) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket [ * | bucket-name ]: N1QL, DELETE |
|
|
|
|
UI |
|
|
|
|
Pools |
|
|
|
|
Query Manage Index
The Query Manage Index role allows indexes to be managed for a specified bucket.
Role: Query Manage Index (query_manage_index) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket [ * | bucket-name ]: N1QL, INDEX |
|
|
|
|
UI |
|
|
|
|
Pools |
|
|
|
|
Query System Catalog
The Query System Catalog role allows information to be looked up in the system catalog: this includes system:indexes, system:prepareds, and tables listing current and past queries.
This role is designed for troubleshooters, who need to debug queries.
Role: Query System Catalog (query_system_catalog) |
|||||
|---|---|---|---|---|---|
| Resources | Privileges | ||||
| Read | Write | Execute | Manage | List | |
Bucket [ * | bucket-name ]: N1QL, INDEX |
|
|
|
|
|
Bucket [ * | bucket-name ]: N1QL, Meta |
|
|
|
|
|
UI |
|
|
|
|
|
Pools |
|
|
|
|
|
Query External Access
The Query External Access role allows the N1QL CURL function to be executed by an externally authenticated user.
Note that the Query External Access role should be assigned with caution, since it entails risk: CURL runs within the local Couchbase Server network; therefore, the assignee of the Query External Access role is permitted to run GET and POST requests on the internal network, while being themselves externally located.
For an account of limitations on CURL, see CURL Function.
Role: Query External Access (query_external_access) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket [ * | bucket-name ]: N1QL, curl |
|
|
|
|
UI |
|
|
|
|
Pools |
|
|
|
|
System Keyspaces (Tables)
In Couchbase Server 5.0, three new system keyspaces have been added:
-
system:applicable_roles
-
system:my_user_info
-
system:user_info
Along with these three keyspaces, meta data related to roles and user access has been added as well.
This brings the total number of system keyspaces up to 12:
System Catalogs |
|
Monitoring Catalogs |
|
Security Catalogs |
|
SELECT Operations on System Keyspaces
All of the system keyspaces support SELECT operations and are divided into the below security levels:
