RBAC for Applications

Building on the Role-Based Access Control (RBAC) security model introduced in 4.5 for administrators, Couchbase Server 5.0 adds RBAC for applications, so that you can control, at both broad and granular levels, what end-users and application services can do. You can thus limit access to just the information they need, nothing more or less, and meet compliance requirements.

Roles and Privileges

Couchbase roles each have a fixed association with a set of one or more privileges. Each privilege is associated with a resource. Privileges are actions such as Read, Write, Execute, Manage, Flush, or List; or a combination of some or all of these.

When an application attempts to access a resource, the application's roles and privileges are checked by Couchbase Server. If the assigned roles contain privileges that support the kind of access that is being attempted, access is granted; otherwise, it is denied.

The following list contains all application-roles supported by Couchbase RBAC. Each role is explained by means of a description and a table: the table lists the privileges in association with resources. Where a privilege is associated with a resource, this is indicated with a check-mark. Where a privilege is not associated with a resource (or where association would not be applicable), this is indicated with a cross.

Bucket Full Access

The Bucket Full Access role provides full access to bucket data. Note that this privilege is available for the Community Edition of Couchbase Server, as well as for Enterprise Edition.

The role is provided in support of buckets that were created on versions of Couchbase Server prior to 5.0. Such buckets were accessed by specifying bucket-name and bucket-password; however, bucket-passwords are not recognized by Couchbase Server 5.0 and after. Therefore, for each pre-existing bucket, the 5.0 upgrade-process creates a new user whose username is identical to the bucket-name, and whose password is identical to the former bucket-password, if one existed. If no bucket-password existed, the user is created with no password. This migration-process allows the same name-combination as before to be used in authentication. To ensure backwards compatibility, each system-created user is assigned the Bucket Full Access role, which authorizes the same read-write access to bucket-data as was granted before 5.0.

Use of the Bucket Full Access role is deprecated for buckets created on Couchbase Server 5.0 and after: use the other bucket-access roles provided.

Note: The tables below list each bucket's name followed by its alias name in parentheses. The alias names are used in commands and are accessible only by N1QL queries.

Role: Bucket Full Access (bucket_sasl)
Resources Privileges
Read Write Execute Manage Flush
Bucket [ * | bucket-name ]: Data
Bucket [ * | bucket-name ]: Views
N1QL: Index
N1QL: Other
Bucket: [ * | bucket-name ]
Pools

Data Reader

The Data Reader role allows data to be read from a specified bucket. Note that the role does not permit the running of N1QL queries (such as SELECT) against data.

Role: Data Reader (data_reader)
Resources Privileges
Read Write Execute Manage
Bucket [ * | bucket-name ]: Docs
Bucket [ * | bucket-name ]: Meta
Bucket [ * | bucket-name ]: Xattr
Pools

Data Writer

The Data Writer role allows information to be written to and read from a specified bucket.

Role: Data Writer (data_reader_writer)
Resources Privileges
Read Write Execute Manage
Bucket [ * | bucket-name ]: Docs
Bucket [ * | bucket-name ]: Xattr
Pools

Data DCP Reader

The Data DCP Reader role allows DCP streams to be read.

Role: Data DCP Reader (data_dcp_reader)
Resources Privileges
Read Write Execute Manage
Bucket: [ * | bucket-name ]: Docs
Bucket: [ * | bucket-name ]: Meta
Bucket: [ * | bucket-name ]: DCP
Bucket: [ * | bucket-name ]: Sxattr
Bucket: [ * | bucket-name ]: Xattr
Admin: Memcached: Idle
Pools

Data Backup

The Data Backup role allows data to be backed up and restored.

Role: Data Backup (data_backup)
Resources Privileges
Read Write Execute Manage
Bucket: [ * | bucket-name ]: Data
Bucket: [ * | bucket-name ]: Views
Bucket: [ * | bucket-name ]: FTS
Bucket: [ * | bucket-name ]: Stats
Bucket: [ * | bucket-name ]: Settings
Bucket: [ * | bucket-name ]: Pools

Data Monitoring

The Data Monitoring role allows all bucket-statistics to be read.

Role: Data Monitoring (data_monitoring)
Resources Privileges
Read Write Execute Manage
Bucket [ * | bucket-name ]: Stats
Pools

FTS Searcher

The FTS Searcher role allows Full Text Search indexes to be searched by users with appropriate bucket-privileges.

Role: FTS Searcher (fts_searcher)
Resources Privileges
Read Write Execute Manage
Bucket [ * | bucket-name ]: FTS
Settings: FTS
UI
Pools

Query Select

The Query Select role allows the SELECT statement to be executed on a specified bucket.

Role: Query Select (query_select)
Resources Privileges
Read Write Execute Manage
Bucket [ * | bucket-name ]: N1QL, SELECT
UI
Pools

Query Insert

The Query Insert role allows the INSERT statement to be executed on a specified bucket.

Role: Query Insert (query_insert)
Resources Privileges
Read Write Execute Manage
Bucket [ * | bucket-name ]: N1QL, INSERT
UI
Pools

Query Delete

The Query Delete role allows the DELETE statement to be executed on a specified bucket.

Role: Query Delete (query_delete)
Resources Privileges
Read Write Execute Manage
Bucket [ * | bucket-name ]: N1QL, DELETE
UI
Pools

Query Manage Index

The Query Manage Index role allows indexes to be managed for a specified bucket.

Role: Query Manage Index (query_manage_index)
Resources Privileges
Read Write Execute Manage
Bucket [ * | bucket-name ]: N1QL, INDEX
UI
Pools

Query System Catalog

The Query System Catalog role allows information to be looked up in the system catalog: this includes system:indexes, system:prepareds, and tables listing current and past queries. This role is designed for troubleshooters, who need to debug queries.

Role: Query System Catalog (query_system_catalog)
Resources Privileges
Read Write Execute Manage List
Bucket [ * | bucket-name ]: N1QL, INDEX
Bucket [ * | bucket-name ]: N1QL, Meta
UI
Pools

Query External Access

The Query External Access role allows the N1QL curl function to be executed by an externally authenticated user.

Note that the Query External Access role should be assigned with caution, since it entails risk: CURL runs within the local Couchbase Server network; therefore, the assignee of the Query External Access role is permitted to run GET and POST requests on the internal network, while being themselves externally located.

For an account of limitations on CURL, see CURL Function.

Role: Query External Access (query_external_access)
Resources Privileges
Read Write Execute Manage
Bucket [ * | bucket-name ]: N1QL, curl
UI
Pools
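
The following added example (not part of the Couchbase documentation) audits a list of role assignments for the two cases this page singles out: the deprecated Bucket Full Access role left behind by the 5.0 upgrade, whose migrated users may have no password, and the Query External Access role, which allows curl requests from inside the server network. The role aliases are taken from the tables above; the JSON shape of the export (id, roles, role, bucket_name) and the sample users are assumptions constructed for the example.

```python
import json

# Constructed sample export of user-to-role assignments. The JSON shape
# (id / roles / role / bucket_name) is an assumption for this example.
SAMPLE_USERS = json.loads("""
[
  {"id": "travel-sample", "roles": [{"role": "bucket_sasl", "bucket_name": "travel-sample"}]},
  {"id": "report-svc", "roles": [{"role": "data_reader", "bucket_name": "orders"},
                                 {"role": "query_select", "bucket_name": "orders"}]},
  {"id": "etl-svc", "roles": [{"role": "data_reader_writer", "bucket_name": "*"}]},
  {"id": "partner-api", "roles": [{"role": "query_external_access"},
                                  {"role": "query_select", "bucket_name": "orders"}]}
]
""")

def audit_user(user):
    """Return a list of (severity, message) findings for one user record."""
    findings = []
    for grant in user.get("roles", []):
        role = grant.get("role")
        bucket = grant.get("bucket_name")
        if role == "bucket_sasl":
            if user["id"] == bucket:
                # Username equal to bucket name is the signature of a migrated user.
                findings.append(("high", "migrated pre-5.0 bucket user; verify a password is set"))
            else:
                findings.append(("medium", "deprecated bucket_sasl role; use narrower bucket roles"))
        if role == "query_external_access":
            findings.append(("high", "can issue curl GET/POST from inside the server network"))
        if bucket == "*":
            findings.append(("medium", f"{role} granted on every bucket (*)"))
    return findings

def audit(users):
    """Map user id -> findings, omitting users with nothing to report."""
    report = {}
    for user in users:
        found = audit_user(user)
        if found:
            report[user["id"]] = found
    return report

if __name__ == "__main__":
    for uid, findings in audit(SAMPLE_USERS).items():
        for severity, message in findings:
            print(f"{severity:6} {uid}: {message}")
```
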

System Keyspaces (Tables)

In Couchbase Server 5.0, three new system keyspaces have been added:
  • system:applicable_roles
  • system:my_user_info
  • system:user_info

Along with these three keyspaces, metadata related to roles and user access has also been added.

This brings the total number of system keyspaces up to 12:

SELECT Operations on System Keyspaces

All of the system keyspaces support SELECT operations and are divided into the following security levels: