Couchbase sync gateway admin user authentication


#1

Hi All,
We are trying to protect Sync Gateway access with a plain username and password, so we did some configuration. That restricts the normal user (port number: 4984) but not the admin user (port number: 4985). Can you please suggest how to protect the admin user as well?

Example:
normal user: http://localhost:4984/sales_gateway/ – it forces me to enter a username and password, which is fine and expected

admin user: http://localhost:4985/sales_gateway/ – it does not ask for any username and password and shows the response. It looks strange to me; can we do some configuration to make it ask for a username and password?

Your help would be highly appreciated and thanks for your time.

Below is the config file:

    {
      "interface": "localhost:4984",
      "adminInterface": "localhost:4985",
      "databases": {
        "sales_gateway": {
          "server": "http://localhost:8091",
          "bucket": "sales",
          "sync": `function(doc) {channel(doc.channels);}`,
          "users": {
            "GUEST": {
              "disabled": true,
              "admin_channels": ["*"]
            },
            "subbu": {"password": "password"}
          }
        }
      }
    }

#2

So, by default the Admin REST API is only accessible from localhost, mentioned here:

The Admin REST API is used to administer user accounts and roles. It can also be used to look at the contents of databases in superuser mode. The default port for the Admin REST API is 4985. By default, the Admin REST API is reachable only from localhost for safety reasons.

Also mentioned here:

By default, the Admin REST API runs on port 4985 (unless you change the adminInterface configuration parameter). Do not expose this port—It belongs behind your firewall. Anyone who can reach this port has free access to and control over your databases and user accounts.
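
An added example, not part of the thread or of Couchbase's own code: a check that a config like the one in the first post keeps `adminInterface` bound to loopback, which is the protection the quoted documentation relies on. The default bind value, the function names and the two sample configs are assumptions constructed for illustration.

```python
import ipaddress
import json
import re

# Assumption: with no adminInterface key, the admin API binds to loopback,
# as the documentation quoted above describes.
DEFAULT_ADMIN_INTERFACE = "127.0.0.1:4985"

# Constructed sample configs (not taken from a real deployment).
SAFE = ('{"interface": ":4984", "adminInterface": "localhost:4985", "databases": '
        '{"sales_gateway": {"sync": `function(doc) {channel(doc.channels);}`}}}')
EXPOSED = '{"interface": ":4984", "adminInterface": ":4985", "databases": {}}'


def load_config(text):
    """Parse a Sync Gateway config, which allows backtick-quoted JS strings."""
    # Turn each `...` block into a JSON string so json.loads accepts the file.
    as_json = re.sub(r"`([^`]*)`", lambda m: json.dumps(m.group(1)), text)
    return json.loads(as_json)


def admin_bind_host(config):
    """Return the host part of adminInterface ('' means every interface)."""
    value = config.get("adminInterface", DEFAULT_ADMIN_INTERFACE)
    host, _, _port = value.rpartition(":")
    return host.strip("[]")  # drop brackets around IPv6 literals like [::1]


def is_loopback_only(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Empty host (":4985") or some other hostname: treat as exposed.
        return False


def audit(text):
    """Return a list of findings; an empty list means the admin API is local."""
    host = admin_bind_host(load_config(text))
    if is_loopback_only(host):
        return []
    where = host or "all interfaces"
    return ["adminInterface is bound to %s: admin API reachable without credentials" % where]


if __name__ == "__main__":
    for name, cfg in (("SAFE", SAFE), ("EXPOSED", EXPOSED)):
        print(name, audit(cfg) or "admin API is loopback-only")
```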


#3

Are you saying that there is no way to secure Sync Gateway with a username and password? You can make it secure only by making it accessible from localhost? I’m sure there has to be a better way!