Role required to change user's own password via the "settings/rbac/users" API

Hello,

Is it possible for a user to change their own password via the “settings/rbac/users” API with a set of roles less permissive than “full_admin”? From the documentation, it seems that having both the “cluster_admin” and “security_admin” (local) roles would be permissive enough. However, I have not been able to use the API to change a user’s own password with any role besides “full_admin”.

For example, the error response from the API when trying to change a user’s own password via the following HTTP request seems to suggest that the “cluster_admin” and “security_admin” roles would be sufficient to authorize the request:

$ curl -X PUT -u user:password http://127.0.0.1:8091/settings/rbac/users/local/user -d password=password2

{"message":"Forbidden. User needs one of the following permissions","permissions":["cluster.admin.security.admin!write"]}

I understand there is also the “controller/changePassword” API which works with a less permissive role, but we’re using the Couchbase Go SDK, which doesn’t appear to have support for using that API.

I appreciate any help. Thanks!
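The two management-API calls the question contrasts, as an added example that is not part of the original post or of the Couchbase Go SDK. Since the SDK has no generic HTTP client, the example goes straight to the cluster-manager port with net/http: PUT /settings/rbac/users/local/<user> (the request quoted above) and POST /controller/changePassword (the endpoint the poster mentions, which changes the password of the user making the request). It also parses the 403 body quoted above into a typed error so a caller can see which permission was missing. The Client type, the method names and the environment variables in main are assumptions made for this example; the endpoint paths and the `password=` form parameter are the ones the post uses.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/url"
	"os"
	"strings"
)

// PermissionError is the 403 body the cluster manager returns, as quoted in the post:
// {"message":"Forbidden. User needs one of the following permissions","permissions":[...]}
type PermissionError struct {
	Message     string   `json:"message"`
	Permissions []string `json:"permissions"`
}

func (e *PermissionError) Error() string {
	return fmt.Sprintf("%s: %s", e.Message, strings.Join(e.Permissions, ", "))
}

// Client is a minimal management-API client (hypothetical; not SDK code). Requests go
// to the cluster-manager port: 8091 as in the post, or 18091 over TLS in production.
type Client struct {
	BaseURL  string // e.g. "https://node.example.com:18091"
	Username string // user whose credentials authenticate the request
	Password string
	HTTP     *http.Client // nil means http.DefaultClient
}

// SetUserPassword issues PUT /settings/rbac/users/local/<user> with password=<newPassword>,
// the request from the post. The cluster manager authorizes it with the permission
// named in the 403 body (cluster.admin.security.admin!write).
func (c *Client) SetUserPassword(user, newPassword string) error {
	path := "/settings/rbac/users/local/" + url.PathEscape(user)
	return c.sendForm(http.MethodPut, path, url.Values{"password": {newPassword}})
}

// ChangeOwnPassword issues POST /controller/changePassword, which changes the
// password of the authenticating user only.
func (c *Client) ChangeOwnPassword(newPassword string) error {
	return c.sendForm(http.MethodPost, "/controller/changePassword", url.Values{"password": {newPassword}})
}

// sendForm posts a form-encoded body with HTTP basic auth and maps the response:
// 2xx -> nil, 403 with the JSON body above -> *PermissionError, anything else -> error.
func (c *Client) sendForm(method, path string, form url.Values) error {
	req, err := http.NewRequest(method, c.BaseURL+path, strings.NewReader(form.Encode()))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(c.Username, c.Password)

	hc := c.HTTP
	if hc == nil {
		hc = http.DefaultClient
	}
	resp, err := hc.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<16)) // cap what we keep of an error body

	switch {
	case resp.StatusCode == http.StatusForbidden:
		perr := &PermissionError{}
		if json.Unmarshal(body, perr) == nil && perr.Message != "" {
			return perr
		}
		return fmt.Errorf("%s %s: 403 Forbidden: %s", method, path, body)
	case resp.StatusCode < 200 || resp.StatusCode >= 300:
		return fmt.Errorf("%s %s: unexpected status %d: %s", method, path, resp.StatusCode, body)
	}
	return nil
}

// main reads connection details from environment variables (assumed names) and
// changes the authenticating user's own password via /controller/changePassword.
func main() {
	c := &Client{BaseURL: os.Getenv("CB_URL"), Username: os.Getenv("CB_USER"), Password: os.Getenv("CB_PASS")}
	if err := c.ChangeOwnPassword(os.Getenv("CB_NEW_PASS")); err != nil {
		log.Fatal(err)
	}
	fmt.Println("password changed")
}
```

Prefer the TLS port (18091) with a CA-verified http.Client when the node is reachable over a network; basic auth sends the current password in the clear otherwise. A caller that needs to know why a rotation failed can type-assert the returned error to *PermissionError and log the listed permissions rather than the raw body.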

Hi @austingebauer, just to reiterate what I wrote in the GOCBC ticket that you raised, for greater visibility.

We have plans within the SDK to add an HTTP client, which will allow users to specify things like the URL path, body, etc., and the SDK will handle routing and all those details. The timeframe for this isn’t specified at the moment and it will initially be added at volatile API stability, but it should cover this sort of use case where you want to do something within the management API that the SDK doesn’t specifically support.

Thanks for the reply, @chvck! We’ll wait for the SDK to support it. We’re using this in hashicorp/vault-plugin-database-couchbase on GitHub.

Do you happen to know the answer to the role related question above?

Sorry for the slow reply @austingebauer, I’m not sure on this one. Our security expert @ianmccloy might have a better idea.