Authentication and authorization are vastly improved in Couchbase Server 5.0. We’ve been blogging about the new RBAC features in the developer preview for a while.

• Authentication and Authorization With RBAC: Introduction.
• Authentication and Authorization With RBAC (Part 2): Managing users.
• Improved SDK Authentication Methods — Couchbase 5.0: An introduction featuring Python, Java, PHP, and .NET.

Now that Couchbase Server 5.0 Beta is released, I’m writing a more in-depth blog post about how to use the Couchbase .NET SDK along with these new features.

The full code samples used in this blog post are available for you on GitHub.

Create a Bucket

As I mentioned in previous posts, the days of buckets with passwords are gone. The future belongs to users — users that have specific permission(s) to the specific bucket(s).

Let’s start by creating a bucket. In the Couchbase UI, login as the Administrator that you created when you installed Couchbase. Go to Buckets and click ADD BUCKET (top right). You will see the Add Data Bucket dialog. Notice that there is no longer a “password” field (not even in Advanced bucket settings).

Give the bucket a name and some amount of memory, and click Add Bucket. Now you have a bucket. But, other than an Administrator in the UI, no one can access this bucket yet.

Create a User

In order to get access to this bucket, you must create a user. In Couchbase 5.0, “users” are an entirely new feature, bringing richer authentication and authorization features to Couchbase Server.

While still logged in as an administrator, go to Security to see a list of users. Click ADD USER (top right).

Create a user with whatever name and password you’d like. You can choose which roles the user has, and for which buckets (when applicable). Let’s give this user Data Writer and Data Reader roles, for the bucket that was just created (e.g. “mybucket”), but not any Query roles.

Once the user is added, you can hover over the roles to get a description of what the role means.

Authentication and Authorization With the Couchbase .NET SDK

Now that we have a bucket and a user, let’s see how to use them with the .NET SDK.

Start by creating a Cluster object.

var cluster = new Cluster(new ClientConfiguration
{
    Servers = new List<Uri> { new Uri("http://localhost:8091") }
});

You have a cluster, but your program has not been authenticated yet. Use a PasswordAuthenticator object to specify the credentials. Then, use that object with the cluster’s Authenticate method. In this example below, I’m using incorrect credentials.

var authenticator = new PasswordAuthenticator("myuser", "wrongpassword");
cluster.Authenticate(authenticator);

Now, if I try to perform an operation like OpenBucket on the cluster, an exception is thrown.

try
{
    var bucket = cluster.OpenBucket("mybucket");
}
catch (Exception ex)
{
    Console.WriteLine("Error getting bucket.");
    Console.WriteLine(ex.Message);
}

Now, let’s try it again using the correct credentials. Authentication will work. But let’s talk about authorization next.

Remember that I only gave this user Data Writer and Data Reader roles (for mybucket). So, if I authenticate and insert a document now, it works.

var cluster = new Cluster(new ClientConfiguration
{
    Servers = new List<Uri> { new Uri("http://localhost:8091") }
});
var authenticator = new PasswordAuthenticator("myuser", "password");
cluster.Authenticate(authenticator);
var bucket = cluster.OpenBucket("mybucket");

// insert a document, this should be allowed
var result = bucket.Insert(Guid.NewGuid().ToString(), new {foo = "bar"});
Console.WriteLine("Insert was successful: " + result.Success);

But if I tried to, for instance, execute a N1QL (SQL for JSON) query, then it would fail. This is because that user is not authorized to execute queries.

var queryResult = bucket.Query<int>("SELECT COUNT(1) FROM `" + bucket.Name + "`");
Console.WriteLine("Query was successful: " + queryResult.Success);
queryResult.Errors.ForEach(e => Console.WriteLine("Error: " + e.Message));

I’m just doing a simple COUNT(1) aggregation query. Since that user is not authorized, here’s what’s displayed:

One More Thing

If you are worried about the effect this will have on upgrading from Couchbase Server 4.x to Couchbase Server 5.0, then here’s a tip. If you create a user with the same name as the bucket (e.g. a bucket called “foo” and a user named “foo”), then the older Couchbase.NET APIs that still expect a bucket password will work as before. Just give that user a “Cluster Admin” role for now. This is a good temporary fix until you can re-engineer your system to use a regimented approach to the role.

Summary

Couchbase Server 5.0 is out now in beta! The role-based authentication (RBAC) features make Couchbase a leader in document database security, and I’m personally very pleased that Couchbase is going in this direction. Security is important, but too often overlooked by developers.