For authorizing users, Couchbase Server provides Role-Based Access Control.
Role-Based Access Control
Couchbase provides Role-Based Access Control (RBAC), in which access privileges are assigned to fixed roles; which are in turn assigned to administrators and applications.
Couchbase Server Enterprise Edition provides RBAC with multiple roles for finer access control. Community Edition provides multiple users that can be assigned to limited set of roles. There are three fixed roles in the community edition of Couchbase providing coarser access control: Bucket Full Access (bucket_full_access[*]), Admin (admin), and Read Only Admin (ro_admin).
Couchbase RBAC provides a secure solution for each of the following scenarios:
- An application consists of several services, each of which has a different purpose. Compliance demands that each service be given a different set of read and write privileges, in order to constrain its activities to those absolutely required.
- An application is available to several different classes of user. Each user-class has a different set of requirements for reading and writing data. Compliance demands that each user-class be given no more than the minimum privileges for supporting its requirements.
- A Couchbase bucket has been defined to contain sensitive data that should be accessible to only a minimal subset of administrators. While highly select members of the subset should be granted either read or read-write privileges on the data itself (for example, in order to define Views, set up XDCR filters, or run queries); others should be granted access only to statistical data provided in support of the bucket (for example, in relation to memory-management or performance).
- Test and production environments respectively require different degrees of constraint to be applied to read and write access. Administrators, developers, applications, and services should therefore each be granted one set of privileges for the test environment, and another (more restrictive) for the production.
The following concepts are essential to an understanding of Couchbase RBAC:
- Resource: An entity the access to which must be controlled. A resource can be specified either individually, by name; or as a group (for example, all buckets), by means of a wildcard character. Resources are described in Resources under Access Control.
- Privilege: The right, assigned by Couchbase Server, to apply an action to a resource. Possible actions include read, write, and execute. The associations of privileges to resources and roles are explained in RBAC for Administrators and RBAC for Applications.
- Role: An entity associated with a fixed set of privileges. The association of privileges to roles is described in RBAC for Administrators and RBAC for Applications.
- User: An identity, recognized by Couchbase Server, based on the passing of a username and password. A user can be assigned one or more roles: the privileges associated with each assigned role determine the resource-access granted the user. Users can be local (defined on Couchbase Server) or external (defined on a remote, network-accessible system). Each user might be an administrator or an application. For information on how to manage users, see RBAC User Management.
RBAC Security Model
Couchbase RBAC controls access to cluster-resources. Resources can only be accessed by users. A user may be an administrator or an application.
Users are added to Couchbase Server by the Full Administrator. Each user must be defined with a username and password. When attempting to access resources, each user must authenticate by means of these credentials.
Users may be defined locally (in which case their password is defined on Couchbase Server) or externally (in which case their password is defined on a remote system, such as an LDAP server). These two forms of definition constitute separate Authentication Domains; each being its own separate namespace, with no clash of usernames possible across namespaces. See Authentication, for more information.
A user can be assigned one or more roles by the Full Administrator. Each role is itself associated with a subset of privileges; a privilege being a form of action, such as Read, Write, Execute, or Manage. Each privilege is associated with a resource; such as a bucket, index, view, or DCP stream.
For example, the Data Reader role features the Read privilege, which is applied to the data of a bucket. When a user has been assigned the Data Reader role, and attempts to gain read-access to the bucket's data by submitting their credentials, Couchbase Server identifies the user, recognises their assigned role and privilege, and duly authorises read-access.
Note that resource-access can optionally be specified by means of parameterisation. This means that a wildcard character has been used, during role-assignment, to specify that a privilege applies to all resource-instances within a resource-class: for example, to all buckets.