Hiding cbbackup credentials


#1

In Couchbase 5, it is necessary to set a username/password on the buckets in order to read from them remotely.

Is there any existing way to hide cbbackup credentials from the command line? The reason being, they will appear in the process list and therefore in the server logs as I run it via docker.

Having them appear in the process list is insecure. If they could be brought in by environment variables or read from a file that would be a major improvement and very easy to implement.

Also, it seems necessary to make the backup user have full admin access to a bucket in order to back it up. Are there any plans afoot to change that or provide more fine grained control of access?


#2

Hello @Matthew_Hook,

Is there any existing way to hide cbbackup credentials from the command line? The reason being, they will appear in the process list and therefore in the server logs as I run it via docker.

Having them appear in the process list is insecure. If they could be brought in by environment variables or read from a file that would be a major improvement and very easy to implement.

The following environment can be used as noted in the manual pages and the documentation:

ENVIRONMENT AND CONFIGURATION VARIABLES
       CB_CLUSTER
           Specifies the hostname of the Couchbase cluster to connect to. If
           the hostname is supplied as a command line argument then this value
           is overridden.

       CB_USERNAME
           Specifies the username for authentication to a Couchbase cluster.
           If the username is supplied as a command line argument then this
           value is overridden.

       CB_PASSWORD
           Specifies the password for authentication to a Couchbase cluster.
           If the password is supplied as a command line argument then this
           value is overridden.

       CB_ARCHIVE_PATH
           Specifies the path to the backup archive. If the archive path is
           supplied as a command line argument then this value is overridden.

Also, it seems necessary to make the backup user have full admin access to a bucket in order to back it up.

There is a Data Backup role:

Given the nature of backing up and restoring it does require a lot of permissions to do the job.

Are there any plans afoot to change that or provide more fine grained control of access?

Out of interest what permission would you like the backup role to be restricted to?

One option I can think of is to have two roles, a backup_role and a restore_role, where the backup_role is limited to read_only access.


#3

@pvarley - Thanks for the feedback. You’re pointing me to a different tool called cbbackupmgr.

Unfortunately, cbbackupmgr does not seem to be installed. Perhaps because I’m using Couchbase Community Edition inside docker?

In the community edition there is a tool called cbbackup and that tool does not seem to provide the option to set the username and password via environment variables or file which is surprising.
I have found the source code for the tool in github so I might make the changes and submit a pull request for it.

Cheers, Matthew


#4

Sorry @Matthew_Hook, I missed the fact that you’re using cbbackup and not cbbackupmgr. As you rightly guessed cbbackupmgr is only available in Enterprise Edition.

With regards to cbbackup it looks like at one point using environment variables did work. I have opened a new defect to address this - MB-29781


#5

@pvarley - I modified the source and created a pull request here: https://github.com/couchbase/couchbase-cli/pull/9


#6

@Matthew_Hook Thank you for the pull request, I ready submitted a patch for it yesterday. Sorry I should have mentioned that.