Authentication and Authorization with RBAC in .NET

This is a repost that originally appeared on the Couchbase Blog: Authentication and Authorization with RBAC in .NET.

Authentication and authorization are vastly improved in Couchbase Server 5.0. We’ve been blogging about the new RBAC features in the developer preview for a while.

Now that Couchbase Server 5.0 is released, I’m writing a more in-depth blog post about how to use the Couchbase .NET SDK along with these new features.

The full code samples used in this blog post are available for you on Github.

Create a bucket

As I mentioned in the previous posts, the days of buckets with passwords are gone. The future belongs to users—users that have specific permission(s) to specific bucket(s).

Let’s start by creating a bucket. In the Couchbase UI, login as the Administrator that you created when you installed Couchbase. Go to "Buckets" and click "ADD BUCKET" (top right). You will see the "Add Data Bucket" dialog. Notice that there is no longer a "password" field (not even in "Advanced bucket settings").

Add new bucket - no authentication options anymore

Give the bucket a name and some amount of memory, and click "Add Bucket". Now you have a bucket. But, other than an Administrator in the UI, no one can access this bucket yet.

Create a user

In order to get access to this bucket, you must create a user. In Couchbase 5.0, "users" are an entirely new feature, bringing richer authentication and authorization features to Couchbase Server.

While still logged in as an administrator, go to "Security" to see a list of users. Click "ADD USER" (top right).

Adding a new user for authentication and authorization

Create a user with whatever name and password you’d like. You can choose which roles the user has, and for which buckets (when applicable). Let’s give this user Data Writer and Data Reader roles, for the bucket that was just created (e.g. "mybucket"), but NOT any Query roles.

Adding authorization for data read and data write

Once the user is added, you can hover over the roles to get a description of what the role means.

Authorization tool tip

Authentication and authorization with the Couchbase .NET SDK

Now that we have a bucket and a user, let’s see how to use them with the .NET SDK.

Start by creating a Cluster object.

var cluster = new Cluster(new ClientConfiguration
{
    Servers = new List<Uri> { new Uri("http://localhost:8091") }
});

You have a cluster, but your program has not been authenticated yet. Use a PasswordAuthenticator object to specify the credentials. Then, use that object with the cluster’s Authenticate method. In this example below, I’m using incorrect credentials.

var authenticator = new PasswordAuthenticator("myuser", "wrongpassword");
cluster.Authenticate(authenticator);

Now, if I try to perform an operation like OpenBucket on the cluster, an exception is thrown.

try
{
    var bucket = cluster.OpenBucket("mybucket");
}
catch (Exception ex)
{
    Console.WriteLine("Error getting bucket.");
    Console.WriteLine(ex.Message);
}

Error in authentication

Now, let’s try it again using the correct credentials. Authentication will work. But let’s talk about authorization next.

Remember that I only gave this user Data Writer and Data Reader roles (for mybucket). So, if I authenticate and insert a document now, it works.

var cluster = new Cluster(new ClientConfiguration
{
    Servers = new List<Uri> { new Uri("http://localhost:8091") }
});
var authenticator = new PasswordAuthenticator("myuser", "password");
cluster.Authenticate(authenticator);
var bucket = cluster.OpenBucket("mybucket");

// insert a document, this should be allowed
var result = bucket.Insert(Guid.NewGuid().ToString(), new {foo = "bar"});
Console.WriteLine("Insert was successful: " + result.Success);

Console output when authentication and authorization are valid

But if I tried to, for instance, execute a N1QL (SQL for JSON) query, then it would fail. This is because that user is not authorized to execute queries.

var queryResult = bucket.Query<int>("SELECT COUNT(1) FROM `" + bucket.Name + "`");
Console.WriteLine("Query was successful: " + queryResult.Success);
queryResult.Errors.ForEach(e => Console.WriteLine("Error: " + e.Message));

I’m just doing a simple COUNT(1) aggregation query. Since that user is not authorized, here’s what’s displayed:

No authorization for running a query

One more thing

If you are worried about the effect this will have on upgrading from Couchbase Server 4.x to Couchbase Server 5.0, then here’s a tip. If you create a user with the same name as the bucket (e.g. a bucket called "foo" and a user named "foo"), then the older Couchbase .NET APIs that still expect a bucket password will work as before. Just give that user a "Cluster Admin" role for now. This is a good temporary fix until you can re-engineer your system to use a regimented approach to role.

Summary

Couchbase Server 5.0 is out now in beta! These role-based authentication (RBAC) features make Couchbase a leader in document database security, and I’m personally very pleased that Couchbase is going in this direction. Security is important, but too often overlooked by developers.

If you have any questions, please ask away in the Couchbase Forums, leave a comment below, or ping me on Twitter @mgroves.