{"id":4427,"date":"2025-01-01T22:07:24","date_gmt":"2025-01-02T06:07:24","guid":{"rendered":"https:\/\/www.couchbase.com\/blog\/permit-io-couchbase-access-control\/"},"modified":"2025-01-01T22:07:24","modified_gmt":"2025-01-02T06:07:24","slug":"permit-io-couchbase-access-control","status":"publish","type":"post","link":"https:\/\/www.couchbase.com\/blog\/es\/permit-io-couchbase-access-control\/","title":{"rendered":"Adding External RBAC to Couchbase Data Using Permit.io"},"content":{"rendered":"\n

As web applications grow in complexity, ensuring that only the right users have access to your Couchbase data is essential.<\/span><\/p>\n\n\n\n

Without a well-defined access control system, unauthorized users may access sensitive information or perform harmful actions.<\/span><\/p>\n\n\n\n

Integrating <\/span>Permit<\/span><\/a> with Couchbase provides a robust solution for managing access control in applications leveraging Couchbase as the database. Permit is designed to streamline the authorization process, enabling developers to implement fine-grained access control while leveraging the advanced data management capabilities of Couchbase.<\/span><\/p>\n\n\n\n

In this guide, we walk through building a simple request system where we pass a Couchbase query and check whether the relevant user has access to run that query based on rule-based format checks. If the user lacks permission, they\u2019ll be denied from running the query, if they have permission, they can proceed.<\/span><\/p>\n\n\n\n

What is Couchbase?<\/span><\/h2>\n\n\n\n

Couchbase is a robust NoSQL database, optimized for storing and managing JSON documents. Its ability to handle JSON objects is what sets it apart from traditional key value stores. This flexibility allows developers to be able to store, retrieve, and manage unstructured or semi-structured data easily, making it extremely useful for applications with evolving data models.<\/span><\/p>\n\n\n\n

One of the key strengths of Couchbase is its <\/span>SQL++ querying capability<\/span><\/a> which provides a familiar SQL-like syntax for JSON documents (formerly known as N1QL). This enables developers to perform powerful queries on their JSON data such as being able to add common table expressions, joins, and much more. This Couchbase query layer allows data to be stored in JSON format while also supporting sophisticated queries.<\/span><\/p>\n\n\n\n

What is RBAC?<\/span>
\n<\/span><\/h2>\n\n\n\n

Role-Based Access Control (RBAC) <\/span><\/a>is a model that helps simplify permission management inside of applications by organizing the system permissions around roles rather than specific individuals. It provides an approach to manage and restrict access to specific resources within a particular application or organization.<\/span><\/p>\n\n\n\n

To implement external Role-Based Access Control with Couchbase, we will leverage <\/span>Permit.io<\/span><\/a>, an end-to-end solution for managing user permissions and roles with a simple UI. We will create a React application with the Express packet where the user passes the SQL++ query with the help of Couchbase. Then, we will see whether the user has the relevant permission. If they don’t, we’ll send out a message. If they do, we can modify the request.<\/span><\/p>\n\n\n\n

Set up a Couchbase Cluster<\/span><\/h2>\n\n\n\n

The first step is to create a free Capella account. To do this, navigate to <\/span>cloud.couchbase.com <\/span><\/a>and choose <\/span>Create Account<\/b>, use an email and password combination. You can also sign up with your GitHub or Google account.<\/span><\/p>\n\n\n\n

Once you have created your account on Capella, you can proceed with creating your database cluster. You can choose the <\/span>Free tier<\/span><\/i> option for the cluster.<\/span><\/p>\n\n\n\n

\"\"<\/a><\/p>\n\n\n\n

From the home page of your account, after logging in, click the<\/span> + Create Database<\/b> button in the top right corner and fill in the required details, including the name you chose for the database.<\/span><\/p>\n\n\n\n

When you are ready, go ahead and click on the final <\/span>Create Database<\/b> button.<\/span>
\n\"\"<\/a><\/p>\n\n\n\n

You have now created a cluster. The next step is to add a bucket to hold your data. A bucket is similar to a database table, but with significant differences. Since you are working with unstructured and semi-structured JSON data, a single bucket can hold diverse types of data.<\/span><\/p>\n\n\n\n

Head over to the <\/span>Data Tools<\/b> section, where you will find a pre-imported dataset known as the <\/span>travel-sample<\/span><\/i> dataset.<\/span><\/p>\n\n\n\n

\"\"<\/a><\/p>\n\n\n\n

You can insert more documents or create completely new buckets if needed. But for this demo we will use the <\/span>travel-sample<\/span><\/i> dataset.<\/span><\/p>\n\n\n\n

The following figure illustrates the relationship between the different kinds of documents in the travel-sample dataset. It shows the primary key, ID, and type fields that each document has, along with some other representative fields in each type of document.<\/span><\/p>\n\n\n\n


\"\"<\/a><\/p>\n\n\n\n

We will use this dataset for our demo. In order to interact with your data on Capella from your application, you need to know the connection string and create access credentials.<\/span><\/p>\n\n\n\n

You can find the connection string by clicking the <\/span>Connect<\/b> button in the top navigation bar of the dashboard.<\/span><\/p>\n\n\n\n

To add access credentials, navigate to this page in your Capella settings, as shown below, and click the <\/span>+ Create Database Access<\/b> button. Provide a name and password, then click <\/span>Save<\/b>. Make sure to immediately add the credentials to an <\/span>.env<\/span><\/i> file, as you won\u2019t be able to retrieve the password again after this.<\/span><\/p>\n\n\n\n

\"\"<\/a><\/p>\n\n\n\n

After creating your credentials, your Capella setup is complete. Let\u2019s move to the RBAC part!<\/span><\/p>\n\n\n\n

Set up RBAC Permissions in Permit.io<\/span><\/h2>\n\n\n\n

Ensure you have set up your account on <\/span>Permit.io <\/span><\/a>and created a project. In this demo, we will use the default project that was created.<\/span><\/p>\n\n\n\n

Head over to the Policy Editor section, and within the Resources section, add the relevant resources corresponding to the <\/span>travel-sample<\/span><\/i> dataset.<\/span><\/p>\n\n\n\n

\"\"<\/a><\/p>\n\n\n\n

In this case, we will add the resources as <\/span>Route<\/span><\/i>, <\/span>Airport<\/span><\/i>, <\/span>Hotel,<\/span><\/i> and <\/span>Airline<\/span><\/i>.<\/span><\/p>\n\n\n\n

\"\"<\/a><\/p>\n\n\n\n

Ensure that you have added the relevant actions.<\/span><\/p>\n\n\n\n

Next, head over to the <\/span>Roles<\/b> section to add the specific user roles associated with the travel sample dataset.<\/span><\/p>\n\n\n\n

For the dataset we\u2019re using, you will need to add the following roles: <\/span>Traveler<\/span><\/i>, <\/span>Travel Agent<\/span><\/i>, <\/span>Airline Staff<\/span><\/i> and <\/span>Hotel Staff<\/span><\/i>.<\/span><\/p>\n\n\n\n


\"\"<\/a>Now, head over to the <\/span>Policy Editor<\/b> section and define the relevant role-based access control definitions for each specific role corresponding to the resources defined. You can refer to the image below for the specific attributes to help create the policies. Then, go to the <\/span>Policy Editor<\/b>, check all the checkboxes as shown below, and save your changes.<\/span><\/p>\n\n\n\n

\"\"<\/a><\/p>\n\n\n\n

Next, head to the directory section to create a new tenant. Once you have created the tenant, add users based on their roles.<\/span><\/p>\n\n\n\n

We will create new users for hotel staff, travel agents, and travelers.<\/span><\/p>\n\n\n\n


\"\"<\/a><\/p>\n\n\n\n

For each user, add their email, first name, last name, and specific role in the top-level access section.<\/span><\/p>\n\n\n\n

That’s all it took to create a Role-Based Access Control (RBAC) model for the travel sample dataset using Permit UI.<\/span><\/p>\n\n\n\n

Implementing Fine-Grained RBAC for Couchbase with Permit.io<\/span><\/h2>\n\n\n\n

Now let\u2019s implement our Couchbase SQL++ query parser with Permit.<\/span><\/p>\n\n\n\n

First, we\u2019ll set up a Node.js project with Express for our backend server. We’ll use the Couchbase SDK for Node.js and the Permit.io SDK.<\/span><\/p>\n\n\n\n

Here’s our <\/span>package.json<\/span><\/i> file with the necessary dependencies:<\/span><\/p>\n\n\n

[crayon nums=”false” lang=”js” decode=”true”]{
\n “name”: “backend”,
\n “version”: “1.0.0”,
\n “main”: “index.js”,
\n “scripts”: {
\n “test”: “echo “Error: no test specified” && exit 1″
\n },
\n “keywords”: [],
\n “author”: “”,
\n “license”: “ISC”,
\n “description”: “”,
\n “dependencies”: {
\n “cors”: “^2.8.5”,
\n “couchbase”: “^4.4.3”,
\n “dotenv”: “^16.4.5”,
\n “express”: “^4.21.1”,
\n “permitio”: “^2.6.1”
\n }
\n}[\/crayon]<\/p>\n\n\n\n

Implementing the Server<\/span><\/h3>\n\n\n\n

Let’s break it down into key components:<\/span><\/p>\n\n\n\n

Initialization<\/b><\/h4>\n\n\n\n

We start by setting up our Express server and initializing the Permit.io client:<\/span><\/p>\n\n\n

[crayon nums=”false” lang=”js” decode=”true”]const express = require(‘express’);
\nconst cors = require(‘cors’);
\nconst { Permit } = require(‘permitio’); const couchbase = require(‘couchbase’); require(‘dotenv’).config();
\nconst app = express();
\nconst port = process.env.PORT || 3001;
\napp.use(cors({
\n origin: ‘https:\/\/localhost:5173’,
\n methods: [‘POST’],
\n allowedHeaders: [‘Content-Type’],
\n}));<\/p>\n

\/\/ Initialize Permit client
\nconst permit = new Permit({
\n token: process.env.PERMIT_SDK_TOKEN,
\n pdp: “https:\/\/cloudpdp.api.permit.io”
\n});[\/crayon]<\/p>\n\n\n\n

Parsing SQL++ Queries<\/b><\/h4>\n\n\n\n

To work with the incoming Couchbase queries, we need to parse them. We’ve implemented a simple parser that extracts the SELECT, FROM, and WHERE clauses from the input query.<\/span><\/p>\n\n\n\n

Let\u2019s look at the core components of our parser:<\/span><\/p>\n\n\n\n

Query Parser<\/b><\/p>\n\n\n\n

The QueryParser class is the foundation of our security implementation. It handles two critical tasks:<\/span><\/p>\n\n\n\n

    \n
  1. Query Analysis: <\/b>P<\/span>arses SQL++ queries to determine:<\/span><\/li>\n\n<\/ol>\n\n\n\n