Couchbase Server version 7.0 introduces some important changes as part of the role-based access control (RBAC) authorization system. Couchbase Server has allowed fine-grained access controls to the platform with RBAC for administrators since version 4.5 and all users since version 5.0. In the previous blog post, I described how DBAs can control some roles to restrict access to a scope or collection level. In this post, I would like to show you some of the role changes and additional roles that have been created.
Here is a summary of the changes:
- Security Admin has been replaced with Local or External User Security Admin
- Two new Full Admin roles: Eventing Full Admin and Backup Full Admin
- Eight new Functions roles for N1QL Query User-Defined Functions
- Two additional operational roles: Manage Scopes and External Stats Reader
We received some customer feedback that RBAC didn’t define the existing Security Admin role narrowly enough. We decided we could improve security to allow administrators to choose if a Security Admin could manage Local Users, External Users or both. With Couchbase Server 7.0, we split the role of Security Admin into two distinct roles: Local User Security Admin and External User Security Admin.
Upon upgrading a cluster from a previous version where a user has the Security Admin role, their role definition will change to inherit both new roles instead of the legacy Security Admin role.
The new Local User Security Admin role allows an administrator to add/remove/modify users defined and stored locally in the cluster. This role does not permit the administrator to change the external authentication settings.
The External User Security Admin role allows an administrator to add/remove/modify users defined and managed externally to the cluster in a system such as LDAP or Active Directory. Additionally, this role allows modification of the external authentication settings.
An administrator who possesses both Local User Security Admin and External User Security Admin can manage all non-admin users in the cluster.
New Full Admin Roles
We created two new roles in Couchbase Server 7.0 to facilitate cluster-wide operations for Eventing and Backups: Eventing Full Admin and Backup Full Admin.
Eventing Full Admin is a powerful administrator role. It has most of the same capabilities as a Full Admin, but it does not allow the modification of security settings such as adding or removing users or modification of XDCR.
Backup Full Admin is also a powerful administrator role. It, too, has most of the same capabilities as a Full Admin, but it also does not allow modification of security settings. Administrators wishing to backup Eventing Data will need to have this role or the Full Admin role.
New N1QL Query User-Defined Function Roles
Eight new roles were added to Couchbase Server 7.0 to manage or execute the new N1QL User-Defined Functions (UDFs) feature. These apply at both a Scope and Global level and at both an Inline and External level for the functions:
- Manage Global Functions
- Execute Global Functions
- Manage Scope Functions
- Execute Scope Functions
- Manage Global External Functions
- Execute Global External Functions
- Manage Scope External Functions
- Execute Scope External Functions
A Global function is created within a namespace at the same level as the buckets within the namespace; whereas a Scope function is created within a scope, at the same level as the collections within the scope. When creating a user-defined function, the current query context determines whether it is created as a Global function or a Scope function. You can also include the full path to the function when you specify the function name.
Here are some examples:
GRANT query_manage_global_functions TO user1;
GRANT query_execute_external_functions ON default:test.scope1 TO user1;
By providing the granularity of managing or executing the N1QL functions and allowing only specific scopes and execution languages, it allows administrators to provide only the minimum amount of privileges, in what is known as the principle of least privilege (PoLP).
New Operational Roles
Last but not least, we’ve added two operational-type roles. The Manage Scopes role and the External Stats Reader role.
The Manage Scopes role allows a Cluster or Bucket administrator to delegate the adding/removing of Scopes and Collections at a Bucket Level or the adding/removing of Collections at a Scope level, depending on the parameter given when assigning the role to a user.
The External Stats Reader role allows access to the stats endpoints which provide data that is stored in the embedded Prometheus system stats storage.
In this article I’ve shown you what new RBAC roles have been added to Couchbase Server 7.0 and what they are used for.
If security is important to you, I recommend reading a few additional blog posts about our RBAC features that help keep your Couchbase data protected.
- Authentication and Authorization with RBAC
- Authentication and Authorization with RBAC (Part 2)
- Introducing Role-Based Access Control (RBAC) Security for Collections in Couchbase 7.0
- Try these latest features with our 30-day free cloud-hosted trial on Couchbase Capella
- Read more about the Couchbase 7 release and its new features
- Learn more about Scopes and Collections