
user-manage

      Manage RBAC users

      SYNOPSIS

      couchbase-cli user-manage [--cluster <url>] [--username <user>]
          [--password <password>] [--delete] [--list] [--my-roles] [--set]
          [--set-group] [--delete-group] [--list-groups] [--get-group]
          [--get] [--rbac-username <username>] [--rbac-password <password>]
          [--rbac-name <name>] [--roles <roles_list>]
          [--auth-domain <domain>] [--user-groups <group>]
          [--group-name <group>] [--group-description <text>] [--ldap-ref <ref>]

      DESCRIPTION

      This command allows administrators to assign and manage roles for users and user groups in their organization. Users can be managed either locally by Couchbase or externally through an external domain such as LDAP.

      OPTIONS

      -c
      --cluster

      Specifies the hostname of a node in the cluster. See the HOST FORMATS section for more information on specifying a hostname.

      -u
      --username <username>

      Specifies the username of the user executing the command. If you do not have a user account with permission to execute the command then it will fail with an unauthorized error.

      -p
      --password <password>

      Specifies the password of the user executing the command. If you do not have a user account with permission to execute the command then it will fail with an unauthorized error. If this argument is specified, but no password is given then the command will prompt the user for a password through non-echoed stdin. You may also specify your password by using the environment variable CB_REST_PASSWORD.

      --delete

      Deletes an RBAC user profile from the cluster. You must have full administrator privileges in order to delete a user profile.

      --list

      Lists all RBAC user profiles in the cluster and shows their roles. You must have full administrator privileges in order to list all user profiles.

      --my-roles

      Shows the RBAC user profile of the user executing the command.

      --set

      Creates or updates an RBAC user profile. You must have full administrator privileges in order to create or update a user profile.

      --get

      Retrieves the RBAC user specified by --rbac-username and shows their roles.

      --set-group

      Creates or updates a user group.

      --delete-group

      Deletes a user group.

      --list-groups

      List all groups.

      --get-group

      Gets the details of a group.

      --rbac-username <username>

      Specifies the username of the RBAC user to modify. This option is used when deleting, creating, or updating an RBAC user profile.

      --rbac-password <password>

      Specifies the password to be used for an RBAC user profile. This option is used only when creating or updating a local RBAC user profile. Couchbase does not store passwords for external RBAC users; their credentials are checked by the external domain.

      --rbac-name <name>

      Specifies the name to be used for an RBAC user profile. This option is used when creating or updating an RBAC user profile and it is recommended that this option be set to the user's full name.

      --roles <roles_list>

      Specifies the roles to be given to an RBAC user profile. This option is used when creating or updating an RBAC user profile and it is specified as a comma separated list of roles. Scoped roles such as bucket_admin[*] contain shell glob characters, so quote the list on the command line (for example --roles 'bucket_admin[*]') to stop the shell from expanding it. See the ROLES section for more details on the available roles in Couchbase.

      --auth-domain <domain>

      Specifies the auth_domain to use for an RBAC user profile. This option is used when deleting, creating or updating an RBAC user profile and it may be set to either local or external. Local users are users that are managed directly by the Couchbase cluster. External users are users managed by an external source such as LDAP.

      --user-groups <groups>

      Specifies the groups the user should be added to. This is used when creating a user (--set) or when updating the user's groups, and should be specified as a comma separated list.

      --group-name <group>

      Specifies the target group for the group operations (--set-group, --delete-group, --get-group).

      --group-description <text>

      Specifies the group description, it is used with --set-group.

      --ldap-ref <ref>

      Specifies the LDAP group's distinguished name, used to link the Couchbase group with the LDAP group.

      HOST FORMATS

      When specifying a host for the couchbase-cli command the following formats are expected:

      • couchbase://<addr>

      • <addr>:<port>

      • http://<addr>:<port>

      It is recommended to use the couchbase://<addr> format for standard installations. The other two formats allow an option to take a port number, which is needed for non-default installations where the admin port has been set up on a port other than 8091.

      ROLES

      Cluster-Wide Roles:
      admin

      Give the user permissions to manage all Couchbase configuration settings, and read and write all data in the cluster. This user can make changes to anything in the cluster.

      bucket_admin[…​]

      Gives the user permissions to manage bucket settings. This role can be assigned globally to all buckets or to a particular bucket. For XDCR operations, the user can start/stop replication for the buckets they administer, but they cannot set up the XDCR cluster references. To give a user the ability to manage all bucket settings set their role to bucket_admin[*]. To give the user permission to manage bucket settings on a single bucket named default then specify the role as bucket_admin[default]. If the user needs to manage multiple buckets, for example default and app, then set the role as bucket_admin[default],bucket_admin[app].

      cluster_admin

      Gives the user permissions to read, write and manage all cluster-level settings except security.

      replication_admin

      Allows the user to configure XDCR topology and manage XDCR replications.

      ro_admin

      Gives the user read-only access; this user cannot make any changes to the system. The user has read-only access to cluster overview, design documents (without the ability to create or query views), bucket summaries (without the ability to create or view documents), XDCR cluster references, XDCR replications, and cluster settings.

      views_admin[…​]

      Gives the user privileges to define views and then run these views on data to ensure that views are defined properly. This applies both to the map-reduce and spatial views. To give a user the ability to manage views on all buckets set their role to views_admin[*]. To give the user permission to manage views on a single bucket named default then specify the role as views_admin[default]. If the user needs to manage views for multiple buckets, for example default and app, then set the role as views_admin[default],views_admin[app].

      Data Service Roles:
      data_reader[…​]

      Gives the user permission to read data through the Couchbase key-value APIs. To give a user read-only access for all buckets set their role to data_reader[*]. To give the user read-only access to data on a single bucket named default then specify their role as data_reader[default]. If the user needs read-only access to data for multiple buckets, for example default and app, then set their role as data_reader[default],data_reader[app].

      data_writer[…​]

      Gives the user permission to read and write data through the Couchbase key-value APIs. The user cannot however modify the settings of a bucket. To give a user read-write access for all buckets set their role to data_writer[*]. To give the user read-write access to data on a single bucket named default then specify their role as data_writer[default]. If the user needs read-write access to data for multiple buckets, for example default and app, then set their role as data_writer[default],data_writer[app]; each entry names one bucket.

      data_dcp_reader[…​]

      Gives the user permission to create Couchbase DCP connections. To give a user the ability to create DCP connections for all buckets set their role to data_dcp_reader[*]. To give the user the ability to create DCP connections on a single bucket named default then specify their role as data_dcp_reader[default]. If the user needs to be able to create DCP connections for multiple buckets, for example default and app, then set their role as data_dcp_reader[default],data_dcp_reader[app].

      data_backup[…​]

      Gives the user permission to backup and restore data in Couchbase. To give a user the ability to backup and restore data for all buckets set their role to data_backup[*]. To give the user the ability to backup and restore data on a single bucket named default then specify their role as data_backup[default]. If the user needs to be able to backup and restore data for multiple buckets, for example default and app, then set their role as data_backup[default],data_backup[app].

      data_monitoring[…​]

      Gives the user permission to read monitoring data related to the data service in Couchbase. To give a user the ability to monitor data for all buckets set their role to data_monitoring[*]. To give the user the ability to monitor data on a single bucket named default then specify their role as data_monitoring[default]. If the user needs to be able to monitor data for multiple buckets, for example default and app, then set their role as data_monitoring[default],data_monitoring[app].

      Full Text Service Roles:
      fts_admin[…​]

      Gives the user full administrator access for the Full Text Indexing service for the specified buckets. To give a user full administrator access for FTS on all buckets set their role to fts_admin[*]. To give the user full administrator access for FTS on a single bucket named default then specify their role as fts_admin[default]. If the user needs full administrator access for FTS for multiple buckets, for example default and app, then set their role as fts_admin[default],fts_admin[app].

      fts_searcher[…​]

      Allows the user to query full text indexes for the specified buckets. To give a user the ability to query full text indexes on all buckets set their role to fts_searcher[*]. To give the user the ability to query FTS indexes on a single bucket named default then specify their role as fts_searcher[default]. If the user needs to query FTS indexes on multiple buckets, for example default and app, then set their role as fts_searcher[default],fts_searcher[app].

      Query Service Roles:
      query_manage_index[…​]

      Allows the user to create and delete indexes on the specified buckets. To give a user the ability to create and delete indexes on all buckets set their role to query_manage_index[*]. To give the user permission to create and delete indexes on a single bucket named default then specify their role as query_manage_index[default]. If the user needs to create and delete indexes for multiple buckets, for example default and app, then set their role as query_manage_index[default],query_manage_index[app].

      query_delete[…​]

      Allows the user to execute DELETE query statements on the specified buckets. To give a user the ability to execute DELETE statements on all buckets set their role to query_delete[*]. To give the user permission to execute DELETE statements on a single bucket named default then specify their role as query_delete[default]. If the user needs to execute DELETE statements for multiple buckets, for example default and app, then set their role as query_delete[default],query_delete[app].

      query_insert[…​]

      Allows the user to execute INSERT query statements on the specified buckets. To give a user the ability to execute INSERT statements on all buckets set their role to query_insert[*]. To give the user permission to execute INSERT statements on a single bucket named default then specify their role as query_insert[default]. If the user needs to execute INSERT statements for multiple buckets, for example default and app, then set their role as query_insert[default],query_insert[app].

      query_select[…​]

      Allows the user to execute SELECT query statements on the specified buckets. To give a user the ability to execute SELECT statements on all buckets set their role to query_select[*]. To give the user permission to execute SELECT statements on a single bucket named default then specify their role as query_select[default]. If the user needs to execute SELECT statements for multiple buckets, for example default and app, then set their role as query_select[default],query_select[app].

      query_update[…​]

      Allows the user to execute UPDATE query statements on the specified buckets. To give a user the ability to execute UPDATE statements on all buckets set their role to query_update[*]. To give the user permission to execute UPDATE statements on a single bucket named default then specify their role as query_update[default]. If the user needs to execute UPDATE statements for multiple buckets, for example default and app, then set their role as query_update[default],query_update[app].

      system_catalog[…​]

      Allows the user to run queries against the system catalog on the specified buckets. To give a user the ability to run queries against the system catalog on all buckets set their role to system_catalog[*]. To give the user permission to run queries against the system catalog on a single bucket named default then specify their role as system_catalog[default]. If the user needs to run queries against the system catalog for multiple buckets, for example default and app, then set their role as system_catalog[default],system_catalog[app].

      EXAMPLES

      To create a local RBAC user profile for a user named "John Doe" with username jdoe and password cbpass, with roles to manage the default bucket and all XDCR replication, run the following command.

      $ couchbase-cli user-manage -c 127.0.0.1:8091 -u Administrator \
       -p password --set --rbac-username jdoe --rbac-password cbpass \
       --rbac-name "John Doe" --roles bucket_admin[default],replication_admin \
       --auth-domain local

      If you have an external user source set up in your cluster and you want to add a user "John Doe" with username jdoe who should have the ability to manage only views for all buckets, run the following command.

      $ couchbase-cli user-manage -c 127.0.0.1:8091 -u Administrator \
       -p password --set --rbac-username jdoe --rbac-name "John Doe" \
       --roles views_admin[*] --auth-domain external

      To list the current RBAC user profiles run the following command.

      $ couchbase-cli user-manage -c 127.0.0.1:8091 -u Administrator \
       -p password --list

      To delete an external user named jdoe run the following command.

      $ couchbase-cli user-manage -c 127.0.0.1:8091 -u Administrator \
       -p password --delete --rbac-username jdoe --auth-domain external

      To delete a local user named jdoe run the following command.

      $ couchbase-cli user-manage -c 127.0.0.1:8091 -u Administrator \
       -p password --delete --rbac-username jdoe --auth-domain local

      To see the user profile for a user with the username jdoe and password cbpass run the following command.

      $ couchbase-cli user-manage -c 127.0.0.1:8091 -u jdoe -p cbpass \
       --my-roles

      To create a user group named admins with the role admin, linked to the LDAP group admins, run the following command.

      $ couchbase-cli user-manage -c 127.0.0.1:8091 -u Administrator \
       -p password --set-group --group-name admins --roles admin \
       --group-description "CB admins" --ldap-ref admins

      To delete the user group admins run the following command.

      $ couchbase-cli user-manage -c 127.0.0.1:8091 -u Administrator \
        -p password --delete-group --group-name admins

      To get the user group admins run the following command. This will show the associated roles.

      $ couchbase-cli user-manage -c 127.0.0.1:8091 -u Administrator \
        -p password --get-group --group-name admins

      To add or remove roles on the user group admins, first retrieve its current roles with the --get-group command above, then run --set-group again with the amended list. --set-group replaces the group's whole role list, so pass every role the group should keep, not just the change. For example, to add ro_admin alongside admin while keeping the description and LDAP reference, run the following command.

      $ couchbase-cli user-manage -c 127.0.0.1:8091 -u Administrator \
       -p password --set-group --group-name admins --roles admin,ro_admin \
       --group-description "CB admins" --ldap-ref admins
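      The role-list syntax from the ROLES section and the get-amend-set procedure for groups above, worked as an added shell example. This script is not part of couchbase-cli or of this page; the helper names, the CB_CLUSTER and DRY_RUN variables, the inline "current roles" value and the LDAP distinguished name are all assumptions made here. It validates a --roles value before it is sent (rejecting malformed entries, warning on admin, cluster_admin and [*] scopes), builds the amended list that --set-group needs, and prints the resulting command without contacting a cluster.

```shell
#!/bin/sh
# Added example, not part of couchbase-cli. Helpers for the --roles syntax
# documented on this page and a dry-run wrapper for the --set-group update
# procedure. CB_CLUSTER and DRY_RUN are names introduced here, not CLI options.
set -eu
set -f   # role scopes contain [*]; stop the shell from treating them as globs

# Roles documented in ROLES. Those in BUCKET_ROLES take a [bucket] or [*]
# scope; CLUSTER_ROLES are cluster-wide and take none.
BUCKET_ROLES='bucket_admin views_admin data_reader data_writer data_dcp_reader
data_backup data_monitoring fts_admin fts_searcher query_manage_index
query_delete query_insert query_select query_update system_catalog'
CLUSTER_ROLES='admin cluster_admin replication_admin ro_admin'

in_list() {  # in_list WORD LIST -> 0 if WORD is one of the words in LIST
    for w in $2; do
        if [ "$w" = "$1" ]; then return 0; fi
    done
    return 1
}

# check_roles LIST: validate a comma-separated --roles value against the
# grammar on this page (one role per entry, one bucket per scope). Prints
# one line per finding; returns 1 if any entry is invalid. Entries that
# grant broad privilege (admin, cluster_admin, a [*] scope) only warn, so a
# reviewer sees them before the user or group is created.
check_roles() {
    status=0
    for entry in $(printf '%s\n' "$1" | tr ',' '\n'); do
        case $entry in
            *\[*\])
                name=${entry%%"["*}; scope=${entry#*"["}; scope=${scope%"]"}
                if ! in_list "$name" "$BUCKET_ROLES"; then
                    echo "error: '$name' is unknown or takes no [bucket] scope"; status=1
                elif [ -z "$scope" ]; then
                    echo "error: empty scope in '$entry'"; status=1
                elif [ "$scope" = '*' ]; then
                    echo "warn: $entry applies to every bucket"
                fi ;;
            *\[*|*\]*)
                # e.g. data_writer[default,app] arrives here as two broken halves
                echo "error: unbalanced brackets in '$entry'; write one entry per bucket, e.g. data_writer[default],data_writer[app]"; status=1 ;;
            *)
                if in_list "$entry" "$CLUSTER_ROLES"; then
                    case $entry in admin|cluster_admin)
                        echo "warn: $entry is a cluster-wide administrative role" ;; esac
                elif in_list "$entry" "$BUCKET_ROLES"; then
                    echo "error: $entry needs a [bucket] or [*] scope"; status=1
                else
                    echo "error: unknown role '$entry'"; status=1
                fi ;;
        esac
    done
    return $status
}

# amend_roles CURRENT ADD REMOVE: take the comma-separated list reported by
# --get-group (or --get), drop the entries in REMOVE, append those in ADD
# (skipping duplicates), and print the result. --set-group replaces the whole
# role list, so the caller must send this full list, not just the delta.
amend_roles() {
    current=$1 add=$2 remove=$3
    out=''
    for entry in $(printf '%s\n' "$current" "$add" | tr ',' '\n'); do
        case ",$remove," in *",$entry,"*) continue ;; esac
        case ",$out,"    in *",$entry,"*) continue ;; esac
        out="${out:+$out,}$entry"
    done
    printf '%s\n' "$out"
}

# set_group_roles GROUP ROLES [LDAP_REF]: apply a role list with --set-group.
# -u/-p are deliberately omitted: couchbase-cli reads CB_REST_USERNAME and
# CB_REST_PASSWORD, which keeps the password out of argv and shell history.
# With DRY_RUN=1 (the default here, so the script runs without a cluster)
# the command is printed instead of executed.
set_group_roles() {
    group=$1 roles=$2 ldap_ref=${3:-}
    set -- couchbase-cli user-manage -c "${CB_CLUSTER:-127.0.0.1:8091}" \
        --set-group --group-name "$group" --roles "$roles"
    if [ -n "$ldap_ref" ]; then set -- "$@" --ldap-ref "$ldap_ref"; fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Worked run of the update procedure for the group "admins". The current
# list is written inline here (constructed) rather than read from --get-group,
# so this runs offline; the LDAP DN is a made-up placeholder.
current_roles='admin'
new_roles=$(amend_roles "$current_roles" 'ro_admin' '')
check_roles "$new_roles" || exit 1          # warns about admin, still valid
set_group_roles admins "$new_roles" 'cn=admins,ou=groups,dc=example,dc=com'

# A list that packs two buckets into one scope is rejected before any call:
check_roles 'data_writer[default,app]' || echo 'rejected: fix the list and retry'
```

      Export CB_REST_USERNAME and CB_REST_PASSWORD and set DRY_RUN=0 to have set_group_roles execute the command; keep the check_roles gate in front of every --set and --set-group so a wildcard scope or an admin role never reaches the cluster unreviewed.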

      ENVIRONMENT AND CONFIGURATION VARIABLES

      CB_REST_USERNAME

      Specifies the username to use when executing the command. This environment variable allows you to specify a default argument for the -u/--username argument on the command line.

      CB_REST_PASSWORD

      Specifies the password of the user executing the command. This environment variable allows you to specify a default argument for the -p/--password argument on the command line. It also keeps the password out of the shell's command-line history and out of the argument list that other users on the host can see in process listings.

      SEE ALSO

      COUCHBASE-CLI

      Part of the couchbase-cli suite