var cluster = new Cluster(new ClientConfiguration
{
Servers = new List<Uri> { new Uri("http://localhost:8091") }
});
Authentication and Authorization with RBAC in .NET
This is a repost that originally appeared on the Couchbase Blog: Authentication and Authorization with RBAC in .NET.
Authentication and authorization are vastly improved in Couchbase Server 5.0. We’ve been blogging about the new RBAC features in the developer preview for a while.
-
Authentication and Authorization with RBAC - introduction / part 1
-
Authentication and Authorization with RBAC (Part 2) - managing users
-
Improved SDK Authentication Methods - Couchbase 5.0 - an introduction featuring Python, Java, PHP, and .NET
Now that Couchbase Server 5.0 is released, I’m writing a more in-depth blog post about how to use the Couchbase .NET SDK along with these new features.
The full code samples used in this blog post are available for you on Github.
Create a bucket
As I mentioned in the previous posts, the days of buckets with passwords are gone. The future belongs to users—​users that have specific permission(s) to specific bucket(s).
Let’s start by creating a bucket. In the Couchbase UI, login as the Administrator that you created when you installed Couchbase. Go to "Buckets" and click "ADD BUCKET" (top right). You will see the "Add Data Bucket" dialog. Notice that there is no longer a "password" field (not even in "Advanced bucket settings").
Give the bucket a name and some amount of memory, and click "Add Bucket". Now you have a bucket. But, other than an Administrator in the UI, no one can access this bucket yet.
Create a user
In order to get access to this bucket, you must create a user. In Couchbase 5.0, "users" are an entirely new feature, bringing richer authentication and authorization features to Couchbase Server.
While still logged in as an administrator, go to "Security" to see a list of users. Click "ADD USER" (top right).
Create a user with whatever name and password you’d like. You can choose which roles the user has, and for which buckets (when applicable). Let’s give this user Data Writer and Data Reader roles, for the bucket that was just created (e.g. "mybucket"), but NOT any Query roles.
Once the user is added, you can hover over the roles to get a description of what the role means.
Authentication and authorization with the Couchbase .NET SDK
Now that we have a bucket and a user, let’s see how to use them with the .NET SDK.
Start by creating a Cluster
object.
You have a cluster, but your program has not been authenticated yet. Use a PasswordAuthenticator
object to specify the credentials. Then, use that object with the cluster’s Authenticate
method. In this example below, I’m using incorrect credentials.
var authenticator = new PasswordAuthenticator("myuser", "wrongpassword");
cluster.Authenticate(authenticator);
Now, if I try to perform an operation like OpenBucket
on the cluster, an exception is thrown.
try
{
var bucket = cluster.OpenBucket("mybucket");
}
catch (Exception ex)
{
Console.WriteLine("Error getting bucket.");
Console.WriteLine(ex.Message);
}
Now, let’s try it again using the correct credentials. Authentication will work. But let’s talk about authorization next.
Remember that I only gave this user Data Writer and Data Reader roles (for mybucket). So, if I authenticate and insert a document now, it works.
var cluster = new Cluster(new ClientConfiguration
{
Servers = new List<Uri> { new Uri("http://localhost:8091") }
});
var authenticator = new PasswordAuthenticator("myuser", "password");
cluster.Authenticate(authenticator);
var bucket = cluster.OpenBucket("mybucket");
// insert a document, this should be allowed
var result = bucket.Insert(Guid.NewGuid().ToString(), new {foo = "bar"});
Console.WriteLine("Insert was successful: " + result.Success);
But if I tried to, for instance, execute a N1QL (SQL for JSON) query, then it would fail. This is because that user is not authorized to execute queries.
var queryResult = bucket.Query<int>("SELECT COUNT(1) FROM `" + bucket.Name + "`");
Console.WriteLine("Query was successful: " + queryResult.Success);
queryResult.Errors.ForEach(e => Console.WriteLine("Error: " + e.Message));
I’m just doing a simple COUNT(1)
aggregation query. Since that user is not authorized, here’s what’s displayed:
One more thing
If you are worried about the effect this will have on upgrading from Couchbase Server 4.x to Couchbase Server 5.0, then here’s a tip. If you create a user with the same name as the bucket (e.g. a bucket called "foo" and a user named "foo"), then the older Couchbase .NET APIs that still expect a bucket password will work as before. Just give that user a "Cluster Admin" role for now. This is a good temporary fix until you can re-engineer your system to use a regimented approach to role.
Summary
Couchbase Server 5.0 is out now in beta! These role-based authentication (RBAC) features make Couchbase a leader in document database security, and I’m personally very pleased that Couchbase is going in this direction. Security is important, but too often overlooked by developers.
If you have any questions, please ask away in the Couchbase Forums, leave a comment below, or ping me on Twitter @mgroves.