Confused about RBAC in JDBC driver

I have a cluster and a bunch of buckets. I have a primary index on one of the buckets. I’ve verified that I can run a query on the query page in the GUI.

I’m now trying to use jdbc-json so I can run queries in SQuirreL, and also eventually in my code. The connection alias uses the same principal that I logged into the main GUI with.

When I run a simple “select * from bucketname where blah = ‘foo’” query, I get log entries like the following (somewhat elided):

	2018-02-21 11:50:49,185 [Thread-3] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  - 11:50:49.184 [Thread-3] DEBUG com.couchbase.jdbc.CBResultSet - Loaded result set
2018-02-21 11:50:49,185 [Thread-3] ERROR net.sourceforge.squirrel_sql.client.session.schemainfo.SchemaInfoCache  - Could not get table types
java.sql.SQLException: Invalid index
	at com.couchbase.jdbc.CBResultSet.checkIndex(
	at com.couchbase.jdbc.CBResultSet.getString(
	at net.sourceforge.squirrel_sql.fw.sql.SQLDatabaseMetaData.getTableTypes(
2018-02-21 11:50:51,225 [Thread-3] ERROR net.sourceforge.squirrel_sql.client.session.schemainfo.SchemaInfo  - failed to load table names
	at com.couchbase.jdbc.core.ProtocolImpl.handleResponse(
	at com.couchbase.jdbc.core.ProtocolImpl.query(
	at com.couchbase.jdbc.CBStatement.executeQuery(
	at com.couchbase.jdbc.CBDatabaseMetaData.getTables(
	at net.sourceforge.squirrel_sql.fw.sql.SQLDatabaseMetaData.getTables(
2018-02-21 11:50:55,195 [Thread-2] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  - 11:50:55.195 [Thread-2] ERROR com.couchbase.jdbc.core.ProtocolImpl - Error executing query [select * from ONEMAP_PLACES where tz = "pst"
2018-02-21 11:50:55,196 [Thread-2] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  - limit 10] User does not have credentials to run SELECT queries on the ONEMAP_PLACES bucket. Add role query_select on ONEMAP_PLACES to allow the query to run.

It’s possible that the issue reported at the end here is the cause of the earlier exceptions. As far as I can tell, the user DOES have that role. The user I’m using has query access to all the buckets in the cluster.