{"id":3332,"date":"2017-04-24T11:30:54","date_gmt":"2017-04-24T18:30:54","guid":{"rendered":"https:\/\/www.couchbase.com\/blog\/?p=3332"},"modified":"2025-06-13T19:29:03","modified_gmt":"2025-06-14T02:29:03","slug":"authentication-authorization-rbac-part-2","status":"publish","type":"post","link":"https:\/\/www.couchbase.com\/blog\/authentication-authorization-rbac-part-2\/","title":{"rendered":"Authorization & Authentication with RBAC (Part 2)"},"content":{"rendered":"
\n

Authorization and authentication are important to Couchbase. In March, I blogged about some of the new Role Based Access Control (RBAC)<\/a> that we are showing in the Couchbase Server 5.0 Developer Builds. This month, I\u2019d like to go into a little more detail now that the April Couchbase Server 5.0 Developer Build is available<\/a> (make sure to click the “Developer” tab).<\/p>\n<\/div>\n

\n

Authentication and authorization<\/h2>\n
\n
\n

In past version of Couchbase, buckets were secured by a password. In 5.0, bucket passwords for authorization are gone. You can no longer create a “bucket password” for authorization. Instead, you must create one (or more) users that have varying levels of authorization for that bucket. Notice that there is no “password” field anymore (not even in the “Advance bucket settings”:<\/p>\n<\/div>\n

\n

\"Create<\/span><\/p>\n<\/div>\n

\n

So now, you no longer have to hand out a password that gives complete access to a bucket. You can fine-tune bucket authorization, and give out multiple sets of credentials with varying levels of access. This will help you tighten up security, and reduce your exposure.<\/p>\n<\/div>\n

\n

Note: The administrator user still exists, and has permission to do everything. So I can still run N1QL queries (for instance) on that bucket while logged in as an administrator account. However, this is not the account you should be using from your clients.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n

\n

Creating an authorized user<\/h2>\n
\n
\n

To create a new user, you must be logged in as an administrator (or as a user that has an Admin role). Go to the “Security” tab, and you\u2019ll be able to see a list of users, and be able to add new ones.<\/p>\n<\/div>\n

\n

Create a new user by clicking “ADD USER”. Enter the information for the user. You may want to create a user for a person (e.g. “Matt”), or you may want to create a user for a service (e.g. “MyAspNetApplication”). Make sure to enter a strong password, and then select the appropriate roles for the user you want to create.<\/p>\n<\/div>\n

\n

For example, let\u2019s create a user “Matt” that only has access to run SELECT<\/code> queries on the bucket I just created. In “Roles”, I expand “Query Roles”, then “Query Select”, and check the box for “mynewbucket”, and then “Save” to finalize the user.<\/p>\n<\/div>\n

\n

\"Create<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n

\n

Authorization in action<\/h2>\n
\n
\n

When I log out of the administrator account, and log back in as “Matt”, I can see that the authorization level I have is severely restricted. Only “Dashboard”, “Servers”, “Settings”, and “Query” are visible. If I go to “Query” I can execute SELECT 1<\/code>;<\/p>\n<\/div>\n

\n

\"Execute<\/span><\/p>\n<\/div>\n

\n

If I try something more complex, like SELECT COUNT(1) FROM mynewbucket<\/code>, I\u2019ll get an error message like:<\/p>\n<\/div>\n

\n
\n
[\r\n  {\r\n    \"code\": 13014,\r\n    \"msg\": \"User does not have credentials to access privilege cluster.bucket[mynewbucket].data.docs!read. Add role Data Reader[mynewbucket] to allow the query to run.\"\r\n  }\r\n]<\/code><\/pre>\n<\/div>\n<\/div>\n
\n
So, it looks like I have the correct authentication to log in, and I have the correct authorization to execute a SELECT<\/code>, but I don\u2019t have the correct authorization to actually read the data. I\u2019ll go back in as admin, and add Data Reader authorization.<\/p>\n<\/div>\n
\n
\"User<\/span><\/p>\n<\/div>\n
\n
At this point, when I login with “Matt”, SELECT COUNT(1) FROM mynewbucket;<\/code> will work. If you are following along, try SELECT * FROM mynewbucket;<\/code>. You\u2019ll get an error message that no index is available. But, if you try to CREATE INDEX<\/code> you\u2019ll need another permission to do that. You get the idea.<\/p>\n<\/div>\n<\/div>\n<\/div>\n
\n
New N1QL functionality<\/h2>\n
\n
\n
There\u2019s some new N1QL functionality to go along with the new authentication and authorization features.<\/p>\n<\/div>\n
\n
GRANT and REVOKE ROLE<\/h3>\n
\n
You can grant and revoke roles with N1QL commands. You need Admin access to do this.<\/p>\n<\/div>\n
\n
Here\u2019s a quick example of granting SELECT<\/code> query authorization to a user named “Matt” on a bucket called “mynewbucket”:<\/p>\n<\/div>\n
\n
GRANT ROLE query_select(`mynewbucket<\/code>) TO Matt;`<\/p>\n<\/div>\n
\n
And likewise, you can REVOKE a role doing something similar:<\/p>\n<\/div>\n
\n
REVOKE ROLE query_select(`mynewbucket<\/code>) FROM Matt;`<\/p>\n<\/div>\n<\/div>\n
\n
Creating users with REST<\/h3>\n
\n
There is no way (currently) to create users with N1QL, but you can use the REST API to do this. Full documentation is coming later, but here\u2019s how you can create a user with the REST API:<\/p>\n<\/div>\n
\n