Couchbase Server version 7.0 introduces some important changes as part of the role-based access control (RBAC) authorization system.  Couchbase Server has allowed fine-grained access controls to the platform with RBAC for administrators since version 4.5 and all users since version 5.0. In the previous blog post, I described how DBAs can control some roles to restrict access to a scope or collection level. In this post, I would like to show you some of the role changes and additional roles that have been created.

Here is a summary of the changes:

  • Security Admin has been replaced with Local or External User Security Admin
  • Two new Full Admin roles: Eventing Full Admin and Backup Full Admin
  • Eight new Functions roles for N1QL Query User-Defined Functions
  • Two additional operational roles: Manage Scopes and External Stats Reader

Security Admin

We received some customer feedback that RBAC didn’t define the existing Security Admin role narrowly enough. We decided we could improve security to allow administrators to choose if a Security Admin could manage Local Users, External Users or both. With Couchbase Server 7.0, we split the role of Security Admin into two distinct roles: Local User Security Admin and External User Security Admin. 

Upon upgrading a cluster from a previous version where a user has the Security Admin role, their role definition will change to inherit both new roles instead of the legacy Security Admin role.

The new Local User Security Admin role allows an administrator to add/remove/modify users defined and stored locally in the cluster.  This role does not permit the administrator to change the external authentication settings.

The External User Security Admin role allows an administrator to add/remove/modify users defined and managed externally to the cluster in a system such as LDAP or Active Directory. Additionally, this role allows modification of the external authentication settings.

An administrator who possesses both Local User Security Admin and External User Security Admin can manage all non-admin users in the cluster.

New Full Admin Roles

We created two new roles in Couchbase Server 7.0 to facilitate cluster-wide operations for Eventing and Backups: Eventing Full Admin and Backup Full Admin.

Eventing Full Admin is a powerful administrator role. It has most of the same capabilities as a Full Admin, but it does not allow the modification of security settings such as adding or removing users or modification of XDCR. 

Backup Full Admin is also a powerful administrator role. It, too, has most of the same capabilities as a Full Admin, but it also does not allow modification of security settings.  Administrators wishing to backup Eventing Data will need to have this role or the Full Admin role.

New N1QL Query User-Defined Function Roles

Eight new roles were added to Couchbase Server 7.0 to manage or execute the new N1QL User-Defined Functions (UDFs) feature. These apply at both a Scope and Global level and at both an Inline and External level for the functions:

  • Manage Global Functions
  • Execute Global Functions
  • Manage Scope Functions
  • Execute Scope Functions
  • Manage Global External Functions
  • Execute Global External Functions
  • Manage Scope External Functions
  • Execute Scope External Functions

A Global function is created within a namespace at the same level as the buckets within the namespace; whereas a Scope function is created within a scope, at the same level as the collections within the scope. When creating a user-defined function, the current query context determines whether it is created as a Global function or a Scope function. You can also include the full path to the function when you specify the function name.

An Inline function uses the N1QL language to define the function’s capabilities whereas an External function uses an external language such as Javascript. 

Here are some examples: 

By providing the granularity of managing or executing the N1QL functions and allowing only specific scopes and execution languages, it allows administrators to provide only the minimum amount of privileges, in what is known as the principle of least privilege (PoLP). 

New Operational Roles

Last but not least, we’ve added two operational-type roles. The Manage Scopes role and the External Stats Reader role.

The Manage Scopes role allows a Cluster or Bucket administrator to delegate the adding/removing of Scopes and Collections at a Bucket Level or the adding/removing of Collections at a Scope level, depending on the parameter given when assigning the role to a user.

The External Stats Reader role allows access to the stats endpoints which provide data that is stored in the embedded Prometheus system stats storage.

Conclusion

In this article I’ve shown you what new RBAC roles have been added to Couchbase Server 7.0 and what they are used for.

If security is important to you, I recommend reading a few additional blog posts about our RBAC features that help keep your Couchbase data protected. 

Author

Posted by Ian McCloy, Principal Product Manager

Ian McCloy is a Principal Product Manager for Couchbase and lives in the United Kingdom. He focuses on security features across the Couchbase portfolio of on-prem, cloud and edge products. Ian has a vast range of experience as a Software Engineer, Technical Support Engineer, Quality Assurance Engineer and Systems Administrator. Ian has lead global technical teams for the majority of his 20 year professional career and holds several patents in the areas of information security, virtualisation and hardware design.

Leave a reply