In large organizations, management of security across the enterprise becomes more and more challenging as the number of apps and users grow. Having a role based access control model enables you to fine control what users get access to. However, as the number of users becomes large, managing permissions for each and every user individually can become quite challenging.
If managing user permissions is not done right (let’s say if we alter user permissions incorrectly if they change job responsibilities, or leave a company), it could result in someone accidently getting elevated permissions, or in other cases not able to complete their jobs due to insufficient privileges.
In this blog, we will discuss about a new ‘Groups’ capability in Couchbase, along with easy to follow steps to get you started. This blog will focus only on groups applied to domain=couchbase users, and in the following blog we will discuss about LDAP based group support.
What are Couchbase groups?
Couchbase groups are used to group Couchbase users together in order to simplify the administration and maintenance of security in Couchbase. Typically, a user in Couchbase can take several actions on resources based on the RBAC privileges assigned to the user. For example, an employee might need SELECT access on all buckets. In previous versions of Couchbase, user onboarding involved creating user accounts (domain=couchbase) for every employee, and individually assigning them the SELECT privilege on bucket[‘*’].
With Couchbase 6.5, groups can be created to bundle users that have similar job roles together, and easily control their permissions. Instead of modifying every user account, privileges can directly be associated with a group, and inherited by users who are members of the group.
Figure : Fixed roles in Couchbase can be applied to individual users or groups
Users and groups in Couchbase
In the admin UI of Couchbase, you can now toggle between user and group view in the security tab. You must be either a full administrator, or a security administrator to be able to access the security tab.
As shown in the figure below, selecting ‘users’ will list all the users information including their authorization domain (in this case only Couchbase), and the different roles a user has.
Selecting ‘groups’ will list all the groups and their associated roles.
Creating a Couchbase group
Creating a group and assigning roles to it is easy. By simply clicking ‘Add Group’ in the top right corner of the UI, and picking a group name along with the roles to be associated with the group, you can create a group.
Adding users to groups
Just like creating groups are easy, creating new users and mapping them to a group is also simple. Clicking the ‘Add user’ link at the top right corner in the UI, brings up a dialog as shown below. In the example shown below, sam is a user who is mapped to the executives group that was created. We only selected the ‘executive’ group in this case, and it is allowed to add a user to more than one group. In that case, the effective permission of the user is a union of the permissions of all groups and permissions assigned directly to the user.
Summarizing the Groups-Role mappings
Here is a quick summary of the different groups and role mappings based on our setup so far –
This means that –
- The Executive is effectively full admin and has all the privileges of Couchbase
- The Manager has full read-write access on the buckets, as well as cluster and bucket admin privileges. He/she does not have access to security settings.
- The employee should be able to only issue N1QL SELECT statements for any bucket, and manage indexes.
Logging in as ‘Mary’: The Employee
Notice that the user logged in is ‘mary’, which is shown in the top right.
The N1QL select query works fine, allowing Mary to select from beer-sample
The N1QL insert query fails since Mary does not have the required privileges as expected
Logging in as ‘Bob’: The Manager
Notice that the user logged in is ‘bob’, which is shown in the top right.
Notice that Bob cannot change security settings, and the ‘security’ option is not shown in the left menu.
Group support for Couchbase users is an exciting new feature in Couchbase Server 6.5. We hope you enjoyed this blog, and as always, we look forward to your feedback. Do take Couchbase Server for a spin and checkout all the new cool features.
Couchbase Server 6.5 Release Notes
Couchbase Server 6.5 What’s New
Blog: Announcing Couchbase Server 6.5 – What’s New and Improved
Blog: Couchbase brings Distributed Multi-document ACID Transactions to NoSQL