Role Based Admin Access (RBAC)

Role Based Admin Access (RBAC)

Full Couchbase administrators can manage role-based access for administrators (RBAC) using REST API.

GET /settings/rbac/roles

Description

This command retrieves information about the available admin roles.

Syntax:

$ curl GET http://user:password@127.0.0.1:8091/settings/rbac/roles

GET /settings/rbac/users

Description

This command retrieves information about the current users and roles assigned to them.

Syntax:

$ curl GET http://user:password@127.0.0.1:8091/settings/rbac/users

PUT /settings/rbac/users/<user_id>

Description

This command sets names and roles for the specified user IDs.

Syntax:

$ curl PUT http://user:password@127.0.0.1:8091/settings/rbac/users/<user_id>

DELETE /settings/rbac/users/<user_id>

Description

This command deletes the user specified with an ID.

Syntax:

$ curl DELETE http://user:password@127.0.0.1:8091/settings/rbac/users/<user_id>

POST /pools/default/checkPermissions

Description

This command checks the permissions.

Syntax:

$ curl POST http://user:password@127.0.0.1:8091/pools/default/checkPermissions

Examples

Get list of available roles
GET /settings/rbac/roles
Returns array of objects like this one:
{"role":"admin", "name":"Admin", "desc":
      "Can manage ALL cluster features including security."}

or with extra property "bucket_name":"default" if the role is parametrized.

Get a list of users and roles assigned to them.
GET /settings/rbac/users

The list does not include built-in users.

In the following example, the output of the command shows that John Doe was assigned to the role of the Bucket Administrator for the default bucket, while Alice Smith is the Replication Administrator.

$ curl -X GET http://Administrator:asdasd@127.0.0.1:8091/settings/rbac/users
            
     [{"name":"John Doe","id":"johndoe","roles":[
     {"role":"admin"}
     ,
      {"role":"bucket_admin","bucket_name":"default"}
      ]},{"name":"alice-smith","id":"alicesmith","roles":[
      {"role":"replication_admin"}
      ]}]
Set names and roles for specified user IDs <user_id>
PUT /settings/rbac/users/<user_id>
In this example, John Doe is assigned to be the Cluster Administrator and a Bucket Administrator for the default bucket, while Alice Smith is assigned to be the Replication Administrator:
$ curl -X PUT --data "name=John Doe&roles=cluster_admin,bucket_admin[default]" \
       http://Administrator:asdasd@127.0.0.1:8091/settings/rbac/users/johndoe
       
       [{"name":"John Doe","id":"johndoe,"roles":[
       {"role":"cluster_admin"}
       ,
       {"role":"bucket_admin","bucket_name":"default"}
       ]},{"name":"Alice Smith","id":"alicesmith","roles":[
       {"role":"replication_admin"}
       ]}]
Delete users
DELETE /settings/rbac/users/<user_id>
In this example, Alice Smith was deleted as the Replication Administrator and the other user, John Doe, remains as a Cluster administrator.
$ curl -X DELETE http://Administrator:asdasd@127.0.0.1:8091/settings/rbac/users/alicesmith
      [{"name":"John Doe","id":"johndoe,"roles":[
       {"role":"cluster_admin"}     
       ]}]
Check multiple permissions
POST /pools/default/checkPermissions
Example:
$ curl -X POST --data 'cluster.bucket[default].stats!read,cluster.bucket[default]!write' \
      http://roadmin:asdasd@127.0.0.1:8091/pools/default/checkPermissions
      {"cluster.bucket[default].stats!read":true,"cluster.bucket[default]!write":false}

Reading the Log Output

Here are some output logs with comments to help you understand how to read such logs.

{"name":"John Doe","id":"johndoe","roles":[{"role":"admin"}]}]
        {'status': '200', 'content-length': '64', 'server': 'Couchbase Server', 'pragma': 'no-cache', \
        'cache-control': 'no-cache', 'date': 'Mon, 13 Jun 2016 10:35:28 GMT',  'content-type': 'application/json’}

The first two lines indicate what is the admin role for the user John Doe. His role is set as admin.

2016-06-13 03:35:28,481 - root - INFO - http://172.23.107.7:8091/pools/default/buckets with param: \
          bucketType=membase&evictionPolicy=valueOnly&threadsNumber=3&ramQuotaMB=100&proxyPort=11211&\
          authType=sasl&name=default&flushEnabled=1&replicaNumber=1&replicaIndex=1&saslPassword=
          2016-06-13 03:35:28,486 - root - ERROR - http://172.23.107.7:8091/pools/default/buckets error 400 reason: \
          unknown {"errors":{"ramQuotaMB":"RAM quota specified is too large to be provisioned into this cluster.",\
          "name":"Bucket with given name already exists","replicaNumber":\
          "Warning: you do not have enough data servers to support this number of replicas."},"summaries":{"ramSummary":\
          {"total":2111832064,"otherBuckets":2111832064,"nodesCount":1,"perNodeMegs":100, \
          "thisAlloc":104857600,"thisUsed":0,"free":-104857600},"hddSummary":\
          {"total":33278128128,"otherData":2990780812,"otherBuckets":4250719,"thisUsed":0,"free":30283096597}}}
          2016-06-13 03:35:28,487 - root - INFO - Default Bucket already exists
          rbacPermissionList().cluster_indexes_write('ritam123','password',host=self.master_ip,servers=self.servers, \ cluster=self.cluster,httpCode= \ [200, 201],user_role='admin’) - \ This is the actual call to function, note the httpCode this is expected httpCode to be returned. 2016-06-13 03:35:28,487 - root - INFO - ----- Permission set is ------------\ {'indexes': "settings/indexes;POST;{'indexerThreads':5}", 'max_paralled_index': \ "settings/maxParallelIndexers;POST;{'globalValue':'8'}"} - \ You can the the REST API for cluster_index write permission. 
          {u'indexerThreads': 5}
          <type 'dict'>
            indexerThreads=5
            {u'globalValue': u'8'}
            <type 'dict'>
              globalValue=8

Each role has a set permission and each permission has a list of resources: cluster_indexes_write – This is one of the permission for admin role.

2016-06-13 03:35:30,777 - root - INFO - http://172.23.107.7:8091/pools/default/buckets with param: \
        bucketType=membase&evictionPolicy=valueOnly&threadsNumber=3&ramQuotaMB=100&proxyPort=11211& \
        authType=sasl&name=default&flushEnabled=1&replicaNumber=1&replicaIndex=1&saslPassword=
        2016-06-13 03:35:30,783 - root - ERROR - http://172.23.107.7:8091/pools/default/buckets error 400 reason: \
        unknown {"errors":{"name":"Bucket with given name already exists","replicaNumber": \
        "Warning: you do not have enough data servers to support this number of replicas."},"summaries":{"ramSummary": \
        {"total":2111832064,"otherBuckets":104857600,"nodesCount":1,"perNodeMegs":100,"thisAlloc":104857600,"thisUsed":0, \
        "free":1902116864},"hddSummary":{"total":33278128128,"otherData":2990780812, \
        "otherBuckets":4250719,"thisUsed":0,"free":30283096597}}}
        2016-06-13 03:35:30,783 - root - INFO - Default Bucket already exists
        rbacPermissionList().cluster_admin_diag_write('ritam123','password',host=self.master_ip,servers=self.servers, \
        cluster=self.cluster,httpCode=[200, 201],user_role='admin')
        2016-06-13 03:35:30,784 - root - INFO -  ----- Permission set is ------------ \
        {'eval': "/diag/eval;POST;{'ale':'set_loglevel(ns_server,error).'}"}
        {u'ale': u'set_loglevel(ns_server,error).'}
        <type 'dict'>
          ale=set_loglevel%28ns_server%2Cerror%29.
          2016-06-13 03:35:30,797 - root - ERROR - http://172.23.107.7:8091//diag/eval error 500 reason: \
          status: 500, content: /diag/eval failed.
          Error: {error,{badmatch,set_loglevel}}
          Backtrace:
          [{erl_eval,expr,3,[]}] /diag/eval failed.
          Error: {error,{badmatch,set_loglevel}}
          Backtrace:
          [{erl_eval,expr,3,[]}]
          Matching not found

Above is an example of failure since it includes the message "Matching not found". In this case, it is not an actual error because the values have not been passed correctly to /diag/eval correctly.