Users
About Sync Gateway users and their role in secure cloud-to-edge enterprise data synchronization.
Here we introduce the concept of users and their role in assuring secure access control within Sync Gateway.
Related Concepts: Access Control Model | Channels | Roles | Sync Function | Users
Sync Gateway Users
Sync Gateway users and roles have no relationship to Couchbase Server’s RBAC (Role-based Access Control) users. They are created and operate solely within the Sync Gateway ecosphere to govern access to replication data and to the Public API.
Granting access to a channel in Couchbase Sync Gateway allows users to access all documents assigned to that channel, which are part of specific collections. If granting users access to admin channels statically, it is necessary to specify both the corresponding collection and channel.
Users can also be assigned to zero or more Roles. A user inherits the channel access of all roles it belongs to. This is very much like Unix groups, except that roles do not form a hierarchy.
Sync Gateway user credentials can be used to authenticate access to the Public API; RBAC users are required for access to other API.
RBAC Users
Couchbase Server RBAC user credentials are required to authenticate and authorize access to the Admin and Metrics API. You will need to create these users on Couchbase server in order to enable access — see: Create RBAC users for how to and Security Authorization Overview for more on RBAC user authentication.
Process
A user must be created on Sync Gateway before it can be granted access to documents.
You create and-or manage users using the following options — as shown in Example 1:
-
Admin REST API
Users are created via the Sync Gateway Admin REST API. -
OIDC
Configure OIDC authentication to auto-register a user following successful validation of an ID Token — User Authentication. -
Static Configuration (Pre 3.0):
Users can be statically configured within the Sync Gateway Configuration File — see: Legacy Pre-3.0 Configuration.
Note, to use this option in version 3.x users must run Sync Gateway with thedisable_persistent_config
flag set totrue
.
- Admin REST API
-
This is the default recommended option starting 3.0. Create a new user by sending a POST request to the Admin Rest Api
_user
endpoint ({db}/_user/{name}). Update existing users by sending a PUT instead; in this case include the user name at the end of the url.The user credentials (username/password) are passed in the request body.
$ curl -vX POST "http://localhost:4985/mydatabase/_user/" -H "accept: application/json" -H "Content-Type: application/json" -d '{"name": "Edge1User", "password": "pass"}' (1) $ curl -vX PUT "http://localhost:4985/mydatabase/_user/Edge1User" -H "accept: application/json" -H "Content-Type: application/json" -d '{"name": "Edge1User", "admin_channels": ["RandomChannel"]}' (2)
1 Add new user "Edge1User", no admin_channels
orrole
is specified here.2 Update existing user "Edge1User" and add admin_channels
data - OIDC
-
curl --location --request PUT 'http://localhost:4985/ourdb/_config' \ --header 'accept: application/json' \ --header 'Content-Type: application/json' \ --data-raw '{ oidc: { providers: { google_implicit: { issuer:https://accounts.google.com, client_id:yourclientid-uso.apps.googleusercontent.com, register:true (1) }, }, } }'
1 Use register=true
to automatically create a Sync Gateway user on successful completion of validation. - File-based Configuration Properties File
-
Persistent Configuration is enabled by default from 3.0.
To continue using legacy Pre-3.0 configuration you should start Sync Gateway with disable-persistent-config set true
either in the configuration file or in Command Line Options.
Create users by hardcoding their credentials in the Configuration Properties file.
This method is convenient for testing and to get started.
Use the Admin REST API for production system changes.
{
"databases": {
"mydatabase": {
"users": { (1)
"GUEST": {"disabled": true},
"Edge1User": {"password": "pass", (2)
"admin_channels": ["RandomChannel"]},
}
}
}
}
1 | databases.$db.users |
2 | Here we add the Edge1 user |