Couchbase authentication


#1

Hi,

I want to allow a user to access records on a bucket which is a complete database of all the users. I need to restrict the user to its own records only. How can I do that?

For example, there are two users - A and B.

I want user A to be able to see (read-only access) the records that he owns. He should not be able to see user B's records.

If I choose different buckets, I can solve the issue; however, I cannot do that as my user count might be in the thousands.

Please advise.

–PP


#2

Hi there, we do not provide authorization today to specific parts of a bucket per user. Many folks do this type of authorization at the application level and connect to Couchbase from the app, with the app authenticating to the bucket once under a single identity. I’d recommend that as the workaround.
Many Thanks
-cihan


#3

Thanks for your answer. So, in the case where I authenticate access via the application, I probably need to store credentials as part of another bucket. Sorry for being a novice, but can you elaborate on mechanisms that can encrypt such information before storing such sensitive info?

Thanks
PP


#4

The way the app will authenticate to the bucket is only through a password today in Couchbase. I took your question as how do I store that secret on the app side. Encrypting information on the app side can be done multiple ways and isn’t specific to Couchbase.
One possible way is: you can choose to encrypt in your config file: http://stackoverflow.com/questions/1132567/encrypt-password-in-configuration-files-java
OR you can use file system encryption, and the app identity can be set up to decrypt it. OSs provide facilities in this regard. The app's identity can be stored in the local identity store of the OS, which has a secret management facility, OR can be managed by a central user directory, which has its own secret management facility, etc.
I am sure others can come up with more options but those are the first ones I can think about.
Hope this helps.
-cihan


#5

Thanks for the reply. You have answered it partially; however here is what I need:

**** Web Client -----> ASP.NET server ----> Couchbase Database

*** A secure encrypted Couchbase document that can store all the user names and passwords for users (remote users, typically accessing data through the HTTPS protocol)
*** Based on remote user authentication, the server provides access based on rules defined in that particular user document

I am interested in Couchbase’s ability to encrypt data for a particular bucket or for a document. Please guide me in the right direction.

Thanks again for your help.

PP
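
The application-level authorization suggested in #2, applied to the credential document and per-user rules asked about in #5, as an added example that is not part of the thread and is not Couchbase or SDK code. A dict stands in for the bucket the app connects to under one identity; the key layout, field names and function names are all assumptions, and passwords are kept as salted PBKDF2 hashes (a one-way hash, swapped in here for the reversible encryption the post asks about).

```python
import hashlib
import hmac
import os

BUCKET = {}              # stand-in for the single bucket the app connects to
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for your hardware


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_user(user_id, password):
    """Store a credential document holding a salted hash, never the password."""
    salt = os.urandom(16)
    BUCKET["user::" + user_id] = {"salt": salt.hex(), "pw": _hash(password, salt).hex()}


def authenticate(user_id, password):
    """Return the user id on success, None on unknown user or wrong password."""
    doc = BUCKET.get("user::" + user_id)
    if doc is None:
        return None
    candidate = _hash(password, bytes.fromhex(doc["salt"])).hex()
    return user_id if hmac.compare_digest(candidate, doc["pw"]) else None


def put_record(owner, record_id, body):
    BUCKET["rec::%s::%s" % (owner, record_id)] = {"owner": owner, "body": body}


def read_record(session_user, key):
    """Read-only fetch, allowed only when the document's owner is the session user."""
    if session_user is None:
        raise PermissionError("not authenticated")
    doc = BUCKET.get(key)
    # Missing keys, other users' records and credential documents (which have
    # no "owner" field) all fail the same way, so key existence is not leaked.
    if doc is None or doc.get("owner") != session_user:
        raise PermissionError("no such record for this user")
    return dict(doc["body"])  # copy, so callers cannot modify the stored document


if __name__ == "__main__":
    create_user("A", "constructed-password-A")  # constructed sample data
    put_record("A", "1", {"note": "belongs to A"})
    put_record("B", "1", {"note": "belongs to B"})
    user = authenticate("A", "constructed-password-A")
    print(read_record(user, "rec::A::1"))
```

The owner check is made against a field inside the stored document, not against the key the client supplied, so a request for another user's key or for a `user::` credential document is refused even though the app's single bucket identity could read it.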


#6

I think you are looking for data encryption on the wire or on the server at rest or both?
For encryption at rest, you can use filesystem encryption on the nodes of Couchbase Server. For encryption on the wire, we do not have the facility in 2.5.1. We are planning that in future.
Does that help?


#7

Thanks Cihan,
You got it right. One is encryption of web traffic, for which HTTPS should suffice. On the other hand, server-side encryption is required, for which, as you said, I can use file system encryption. Now, please bear with me: can you guide me on where to look for this? I need my Couchbase documents to be encrypted with filesystem encryption. It will be a great help if you can send me some sample.
PP