Users

    +

    About Sync Gateway users and their role in secure cloud-to-edge enterprise data synchronization.
    Here we introduce the concept of users and their role in assuring secure access control within Sync Gateway.

    Related Concepts: Access Control Model | Channels | Roles | Sync Function | Users

    Concept

    Users are one of the cornerstone concepts of access control. You can restrict document access to specific users and-or to users with specific roles.

    As an entity a user comprises a name, password, list of Roles and a list of Channels.

    Sync Gateway Users

    Sync Gateway users and roles have no relationship to Couchbase Server’s RBAC (Role-based Access Control) users. They are created and operate solely within the Sync Gateway ecosphere to govern access to replication data and to the Public API.

    Users granted access to a Channel can access all documents assigned to that channel.

    Users can also be assigned to zero or more Roles. A user inherits the channel access of all roles it belongs to. This is very much like Unix groups, except that roles do not form a hierarchy.

    Sync Gateway user credentials can be used to authenticate access to the Public API; RBAC users are required for access to other API.

    RBAC Users

    Couchbase Server RBAC user credentials are required to authenticate and authorize access to the Admin and Metrics API. You will need to create these users on Couchbase server in order to enable access — see: Create RBAC users for how to and Security Authorization Overview for more on RBAC user authentication.

    Process

    A user must be created on Sync Gateway before it can be granted access to documents.

    You create and-or manage users using the following options — as shown in Example 1:

    • Admin REST API
      Users are created via the Sync Gateway Admin REST API.

    • OIDC
      Configure OIDC authentication to auto-register a user following successful validation of an ID Token — User Authentication.

    • Static Configuration (Pre 3.0):
      Users can be statically configured within the Sync Gateway Configuration File — see: Legacy Pre-3.0 Configuration.
      Note, to use this option in version 3.x users must run Sync Gateway with the disable_persistent_config flag set to true.

    Example 1. How to Create Users
    • Admin REST API

    • OIDC

    • File-based Configuration Properties File

    This is the default recommended option starting 3.0.

    Create a new user by sending a POST request to the Admin Rest Api _user endpoint ({db}/_user/{name}). Update existing users by sending a PUT instead; in this case include the user name at the end of the url.

    The user credentials (username/password) are passed in the request body.

    $ curl -vX POST "http://localhost:4985/mydatabase/_user/" -H
    "accept: application/json" -H "Content-Type: application/json" -d
    '{"name": "Edge1User", "password": "pass"}' (1)
    
    $ curl -vX PUT "http://localhost:4985/mydatabase/_user/Edge1User" -H
    "accept: application/json" -H "Content-Type: application/json" -d
    '{"name": "Edge1User", "admin_channels": ["RandomChannel"]}' (2)
    1 Add new user "Edge1User", no admin_channels or role is specified here.
    2 Update existing user "Edge1User" and add admin_channels data
    curl --location --request PUT 'http://localhost:4985/ourdb/_config' \
    --header 'accept: application/json' \
    --header 'Content-Type: application/json' \
    --data-raw '{
      oidc: {
        providers: {
          google_implicit: {
            issuer:https://accounts.google.com,
            client_id:yourclientid-uso.apps.googleusercontent.com,
            register:true (1)
          },
        },
      }
    }'
    1 Use register=true to automatically create a Sync Gateway user on successful completion of validation.

    Persistent Configuration is enabled by default from 3.0.