Close : Access to admin's roles on community edition

Hi all,

It seems like it’s impossible with community edition to get advanced roles about a user/admin.
When I create a new user, I only got Admin, ReadOnly Admin and Bucket roles checkbox. So when I try to query with n1ql with the rest api, I can’t because I don’t have required permissions given by Query Roles -> Query Select checkbox.

I wonder why, it seems weird because n1ql queries looks like a basic functionnality on couchbase.

Please tell me if I’m wrong.

Antoine

Hi Antoine,

First of all, thank you for your product feedback!

With every release of Couchbase, we continue to delight our customers with new features, but also extend the Enterprise functionality of our products.

The behavior you are seeing is as designed, and detailed RBAC roles are only available in the EE edition.

That being said, compared to the previous versions of CE, in 5.0 CE, you can create multiple Couchbase user accounts (which is new), and add them to one of the Roles (Admin, ReadOnly Admin, and Bucket Full Admin). The Bucket Full Admin role was created to give the same effect as bucket passwords from the previous release (ie. full access to the documents inside the bucket).

Hope this helps, and we hope to see you upgrade to the EE version of Couchbase (contact : sales@couchbase.com) to get the full RBAC functionality.

Thank you,
Chin

Hi @chinhong, Please could this info be added to the RBAC roles documentation here:
https://developer.couchbase.com/documentation/server/current/security/concepts-rba-for-apps.html

It does mention that the full_access role is available to Community Edition as well as Enterprise but it doesn’t state that the other roles aren’t. Worse, under full_access, it states:

“Use of the Bucket Full Access role is deprecated for buckets created on Couchbase Server 5.0 and after: use the other bucket-access roles provided.”

Please state that this advice is only for Enterprise Edition and that on Community Edition, the Full Access role should be used.

Thanks,
Giles

Hi,
So the query API ( /query/service ) is by design not available in the community edition? Even an admin does not seem to hold the query_select role in the community edition. To the original posters point: the documentation could be clearer around this. For example: https://developer.couchbase.com/documentation/server/current/introduction/editions.html#couchbase-editions__core-data-access-api states that core data access APIs are available in both editions, so the query/service API must not be part of the core data APIs.

As a note: we do run EE in production, but use CE in our test environments. The query/service API would be useful for our QA folks, but we can work around that.

@RentierM - which version of Couchbase are you using?

I tried this out with Couchbase 5.0 CE. There are 3 options for roles:

  1. Administrator
  2. Bucket Full Access
  3. Read-Only Admin

Using the query service on port 8093, I can run queries as roles #1 and #2, but get an error message with role #3.

I just upgraded to 5.0.1 CE from 5.0.0 and it works now. Maybe an install problem. This is a great feature for functional tests.