Security
Couchbase Server can be rendered highly secure.
Security Overview
Couchbase Server can be rendered highly secure, so as to preserve the privacy and integrity of data, and account for access-attempts. The security facilities provided cover:
- Authentication: All administrators, users, and applications (all formally considered users) must authenticate, in order to gain server-access. Users can be authenticated by means of either the local or an external password-registry. Authentication can be achieved by either passing credentials directly to the server, or by using a client certificate, in which the credentials are embedded. Connections can be secured by means of SCRAM and TLS. See Authentication.
- Authorization: Couchbase Server uses Role-Based Access Control (RBAC), to associate users with specifically assigned roles, these themselves corresponding to system-defined privileges, which allow degrees of access to specific system-resources. On authentication, a user’s roles are determined: if they allow the form of system-access the user is attempting, access is granted; otherwise, it is denied. See Authorization.
- Auditing: Actions performed on Couchbase Server can be audited. This allows administrators to ensure that system-management tasks are being appropriately performed. See Auditing.
- Encryption: Data is encoded such that it is non-readable, other than by authorized parties who possess the appropriate means of decryption. Prior to decryption, therefore, encrypted data can be securely saved or transmitted. This ensures the privacy of user-data, and the integrity of servers and their clients. See Encryption.
How to Use This Section
This section provides a conceptual and architectural overview of Couchbase Server security: this includes a list of roles and resources; an account of available auditing options and audit-file contents; and a description of required keys, best practices, supported identity encodings, and other details related to certificates. For practical steps whereby Couchbase Server can be secured, see the section Security Management Overview.