Users

      +

      About Sync Gateway users and their role in secure cloud-to-edge enterprise data synchronization.
      Here we introduce the concept of users and their role in assuring secure access control within Sync Gateway.

      Related Concepts: Access Control Model | Channels | Roles | Sync Function | Users

      Concept

      Users are one of the cornerstone concepts of access control. You can restrict document access to specific users and-or to users with specific roles.

      As an entity a user comprises a name, password, list of Roles and a list of Channels.

      Sync Gateway Users

      Sync Gateway users and roles have no relationship to Couchbase Server’s RBAC (Role-based Access Control) users. They are created and operate solely within the Sync Gateway ecosphere to govern access to replication data and to the Public API.

      Granting access to a channel in Couchbase Sync Gateway allows users to access all documents assigned to that channel, which are part of specific collections. If granting users access to admin channels statically, it is necessary to specify both the corresponding collection and channel.

      Users can also be assigned to zero or more Roles. A user inherits the channel access of all roles it belongs to. This is very much like Unix groups, except that roles do not form a hierarchy.

      Sync Gateway user credentials can be used to authenticate access to the Public API; RBAC users are required for access to other API.

      RBAC Users

      Couchbase Server RBAC user credentials are required to authenticate and authorize access to the Admin and Metrics API. You will need to create these users on Couchbase server in order to enable access — see: Create RBAC users for how to and Security Authorization Overview for more on RBAC user authentication.

      Process

      A user must be created on Sync Gateway before it can be granted access to documents.

      You create and-or manage users using the following options — as shown in Example 1:

      • Admin REST API
        Users are created via the Sync Gateway Admin REST API.

      • OIDC
        Configure OIDC authentication to auto-register a user following successful validation of an ID Token — User Authentication.

      • Static Configuration (Pre 3.0):
        Users can be statically configured within the Sync Gateway Configuration File — see: Legacy Pre-3.0 Configuration.
        Note, to use this option in version 3.x users must run Sync Gateway with the disable_persistent_config flag set to true.

      Example 1. How to Create Users
      Admin REST API
      This is the default recommended option starting 3.0.

      Create a new user by sending a POST request to the Admin Rest Api _user endpoint ({db}/_user/{name}). Update existing users by sending a PUT instead; in this case include the user name at the end of the url.

      The user credentials (username/password) are passed in the request body.

      $ curl -vX POST "http://localhost:4985/mydatabase/_user/" -H
      "accept: application/json" -H "Content-Type: application/json" -d
      '{"name": "Edge1User", "password": "pass"}' (1)
      
      $ curl -vX PUT "http://localhost:4985/mydatabase/_user/Edge1User" -H
      "accept: application/json" -H "Content-Type: application/json" -d
      '{"name": "Edge1User", "admin_channels": ["RandomChannel"]}' (2)
      1 Add new user "Edge1User", no admin_channels or role is specified here.
      2 Update existing user "Edge1User" and add admin_channels data
      OIDC
      curl --location --request PUT 'http://localhost:4985/ourdb/_config' \
      --header 'accept: application/json' \
      --header 'Content-Type: application/json' \
      --data-raw '{
        oidc: {
          providers: {
            google_implicit: {
              issuer:https://accounts.google.com,
              client_id:yourclientid-uso.apps.googleusercontent.com,
              register:true (1)
            },
          },
        }
      }'
      1 Use register=true to automatically create a Sync Gateway user on successful completion of validation.
      File-based Configuration Properties File

      Persistent Configuration is enabled by default from 3.0.

      To continue using legacy Pre-3.0 configuration you should start Sync Gateway with disable-persistent-config set true either in the configuration file or in Command Line Options.

      Create users by hardcoding their credentials in the Configuration Properties file. This method is convenient for testing and to get started.
      Use the Admin REST API for production system changes.

      {
        "databases": {
          "mydatabase": {
            "users": { (1)
              "GUEST": {"disabled": true},
              "Edge1User": {"password": "pass", (2)
                            "admin_channels": ["RandomChannel"]},
            }
          }
        }
      }
      1 databases.$db.users
      2 Here we add the Edge1 user