Community v4.5 vs v6 user authentication

Hi. We’re updating from Couchbase 4.5 to 6.0, and have had to shift from Enyim to the Couchbase .net client in our app. I’ve got the .net client working fine, but at the moment I have to store the username and password in the web.config file, which isn’t ideal. When we were using Enyim, we didn’t need to do that, and I can’t find anywhere else where those credentials were actually stored. I can’t see any security settings in the 4.5 server that change the authentication method from the standard username/password role-based authentication.
Can someone suggest any other places I could look, or ways to not have to stick the credentials in web.config?
Cheers
Jen

@bast

Couchbase Server does support LDAP as of 5.5, but only on Enterprise Edition. That said, I think you still have to provide a username/password, it won’t use Windows Auth.

My recommendation is to simply collect the password from somewhere other than the web.config file, whatever your secure configuration store is. For example, we run .NET Core in Kubernetes so we keep our password in K8S secrets and apply via environment variables or volume mounts. You could also use something like Consul/Vault or Amazon KMS or many other options.

Whichever option you may choose, the trick is applying the values. Instead of including username and password in the configuration file, you can apply using the Authenticate method.

var cluster = new Cluster("couchbase");
cluster.Authenticate("username", "password");

You can also choose to get the entire configuration from another source, such as a JSON file.

// Json.NET's method is DeserializeObject<T>; there is no JsonConvert.Deserialize<T>
var configuration = JsonConvert.DeserializeObject<CouchbaseClientDefinition>("JSON string from somewhere");
var cluster = new Cluster(configuration);
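
The approach from the answer above as an added example (not part of the original post and not Couchbase's own code): credentials are read from a mounted secret file or an environment variable at startup and applied with `Authenticate`, so web.config keeps only servers and buckets. The secret directory and environment variable names are hypothetical, and the Couchbase .NET SDK 2.x is assumed.

```csharp
using System;
using System.IO;
using Couchbase;

public static class CouchbaseBootstrap
{
    // Hypothetical names: adjust to whatever your secret store exposes.
    private const string SecretDir = "/var/run/secrets/couchbase"; // e.g. a mounted K8s secret volume
    private const string UserEnv = "COUCHBASE_USERNAME";
    private const string PasswordEnv = "COUCHBASE_PASSWORD";

    public static Cluster CreateCluster()
    {
        var username = ReadSecret("username", UserEnv);
        var password = ReadSecret("password", PasswordEnv);

        // "couchbase" is the configuration section name used in the answer above;
        // the section no longer carries a username or password.
        var cluster = new Cluster("couchbase");
        cluster.Authenticate(username, password);
        return cluster;
    }

    // Prefer a mounted secret file; fall back to an environment variable.
    private static string ReadSecret(string fileName, string envName)
    {
        var path = Path.Combine(SecretDir, fileName);
        string value = File.Exists(path)
            ? File.ReadAllText(path)
            : Environment.GetEnvironmentVariable(envName);

        // Secret files often end with a newline; strip only line endings so a
        // password with significant leading or trailing spaces is left intact.
        value = value?.TrimEnd('\r', '\n');

        if (string.IsNullOrEmpty(value))
        {
            // Fail at startup, and name the missing item without echoing any secret.
            throw new InvalidOperationException(
                $"Couchbase credential '{fileName}' not found in {SecretDir} " +
                $"or environment variable {envName}.");
        }
        return value;
    }
}
```

Failing at startup when a credential is missing keeps the application from running half-configured, and the exception text names only the lookup locations, so it is safe to log.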

Thanks. This helps. The only remaining problem is that I’m using Couchbase as a custom session state provider as well, so I’ve got this in web.config:

<sessionState customProvider="couchbase-session" mode="Custom">
  <providers>
    <add name="couchbase-session" type="Couchbase.AspNet.SessionState.CouchbaseSessionStateProvider, Couchbase.AspNet" bucket="ASPState" maxRetryCount="6" />
  </providers>
</sessionState>

How do I insert the authentication so that this section will pick it up? I’ve shifted the authentication for “couchbase-session” to reading a config value from our config store in code, but now the bit above doesn’t work any more because it’s not finding those credentials. Is there somewhere in code where I can catch that custom provider initialisation so that I can inject the credentials?

@bast

Unfortunately, I haven’t used the session state provider much. That said, based on a quick code review (https://github.com/couchbaselabs/couchbase-aspnet) there appears to be a way to “manually” configure the cluster used by the session state provider.

It looks like there is a way to set the session state provider in web.config for manual configuration using this enum:

And then you can inject the ICluster into the MultiCluster static class, presumably in Global.asax:
