How can I authorize users in Couchbase Server?


#1

Hi, I have a system that needs data access from web clients and mobile clients, so I use Sync Gateway and a Couchbase Server’s bucket that is shadowed.

I realized that the sync function of the Sync GW only works for items that are created from the gateway, so If my web app communicates through the Couchbase Server bucket I can’t perform security routing using channels and roles. How can I overcome this problem?


#2

If your webapp and SG talk to the same data you need to make sure that the webapp talks through it on the shadowed bucket. This is a technique you need to use in order to prevent weird situations with concurrent updates. Also the documents where SG stores it contain more information that should not be changed by the user.

In general, your webapp uses bucket level credentials to talk to the bucket and you need to implement RBAC or something similar inside your webapp (if you want to grant specific access to specific users). Your webapp has no access to the channels on SG in general if you don’t perform some additional logic.

Is there a specific use case we can try to figure out for you?


#3

Is there another solution that lets me using the RBAC already implemented in SG for web clients purposes?

If the answer is no, a solution could be to perform CUD (Create, Update, Delete) operations via web client using sync_gateway, so I can perform write access control, and retrieve the documents from couchbase server views in the shadowed bucket. This means that I have to create a service that routes these views and gets only the allowed infos based on the same roles and channels that are used with the sync_function. How can I handle this? Do you know any existing library that does this?


#4

Currently if you need security/metadata, the preferred way is to go through the SG HTTP REST API. I’ll send a note to one of our mobile engineers because they are in a better position to give you an authoritative answer.


#5

Have the web client go through SG’s REST API to create/update docs.

This means that I have to create a service that routes these views and gets only the allowed infos based on the same roles and channels that are used with the sync_function.

I think you’re asking about how to filter a view query to only the info visible to a specific user? The current release of SG doesn’t support that, but there’s a branch that includes it; the branch is quite out of date at this point, though, so I can’t recommend using it. It’s a feature that we should add to the next major release though (IMO).


#6

When have you planned to release the new version? I really need this feature.


#7

Looks like it’s currently scheduled for 1.2. You can add a comment to the issue in Github to indicate that it’s important to you.


#8

thank you very much!


#9

Hi, I realized that SG HTTP APIs for deletion and updation of documents require a revision_id property. How can I instead apply these changes to the last revision available? It is mandatory to include this field? How can I overcome this problem?


#10

And isn’t this solution (perform crud using HTTP REST APIs) slower than use the Couchnode library, for example? I think that HTTP has more overhead than Couchnode internal communication protocol.