diff --git a/modules/introduction/partials/new-features-80.adoc b/modules/introduction/partials/new-features-80.adoc index 0dd2c20030..61a92d184a 100644 --- a/modules/introduction/partials/new-features-80.adoc +++ b/modules/introduction/partials/new-features-80.adoc @@ -158,7 +158,6 @@ When Hybrid is selected: This mode enhances flexibility for clients while enforcing strict security for node-to-node communication. + For more information, see xref:manage:manage-security/enable-client-certificate-handling.adoc[Enable Client Certificate Handling]. -======= https://jira.issues.couchbase.com/browse/MB-11575[MB-11575]:: XDCR now supports the identification of Incoming Replications on a cluster. @@ -253,6 +252,15 @@ The Backup Service in Couchbase Sever 8.0 or later also performs these changes + NOTE: If the user restoring a backup does not have a role that allows them to restore specific roles to a user in the backup, the backup server skips restoring that user. +[#MB-67164] +https://jira.issues.couchbase.com/browse/MB-67164[MB-67164 Add Read-Only Security Admin Role and Remove Security Privileges from Read-Only Admin]:: +To better segment security privileges, Couchbase Server 8.0 removes the security privileges from the Read-Only Admin (`ro_admin`) role. +It also adds a new Read-Only Security Admin (`ro_security_admin`) role that lets the user view security details except for listing users and groups. + ++ +When you upgrade to Couchbase Server 8.0, the upgrade process automatically grants the Read-Only Security Admin role to users who have the Read-Only Admin role. +This grant lets users with the Read-Only Admin role still have the same privileges they had before the upgrade. + See xref:learn:security/roles.adoc[] for more information. [#section-new-feature-800--tools] diff --git a/modules/learn/pages/security/certificates.adoc b/modules/learn/pages/security/certificates.adoc index 0ca98ae4ec..f58f98a733 100644 --- a/modules/learn/pages/security/certificates.adoc 
+++ b/modules/learn/pages/security/certificates.adoc @@ -31,7 +31,7 @@ This page provides a general overview of using certificates with Couchbase Serve It assumes you know the basics of Transport Layer Security (TLS) and certificates. To learn more about these topics, see the Wikipedia article on https://en.wikipedia.org/wiki/Public_key_certificate[Public key certificate^], and OpenSSL's https://wiki.openssl.org/index.php/Command_Line_Utilities[Command Line Utilities] page. -Managing certificates requires Full Admin, Local User Security Admin, or External User Security Admin privileges. +Managing certificates requires the Full Admin or Security Admin roles. For step-by-step instructions for creating and deploying certificate for Couchbase Server and clients, see xref:manage:manage-security/configure-server-certificates.adoc[Configure Server Certificates] and xref:manage:manage-security/configure-client-certificates.adoc[Configure Client Certificates]. diff --git a/modules/learn/pages/security/roles.adoc b/modules/learn/pages/security/roles.adoc index 2f6b0d2470..8c6bc9311e 100644 --- a/modules/learn/pages/security/roles.adoc +++ b/modules/learn/pages/security/roles.adoc 
@@ -100,13 +100,20 @@ This role is also available in Couchbase Server Community Edition. === Read-Only Admin The Read-Only Admin role lets the user read Couchbase Server settings and statistics. -This information includes registered usernames with roles and authentication domains, but excludes passwords. Users with this role can also read Backup Service data to monitor backup plans and tasks. The role lets the user log into the Couchbase Server Web Console. This role is also available in Couchbase Server Community Edition. +NOTE: Prior to Couchbase Server 8.0, this role allowed the user to read security information including listing users and groups. +In 8.0, these permissions were split off into the <<#ro-security-admin>> role. +The Read-Only Admin role now does not allow access to any of the security information. + ++ +When you upgrade Couchbase Server from a version earlier than 8.0 to 8.0 or later, the upgrade process grants any user with this role the <<#ro-security-admin>> role as well. +Granting this role lets the user retain the privileges they had in prior versions. + [#table_read_only_admin_role,cols="1,2,2,hrows=2"] |=== 3+^| Role: Read-Only Admin (`ro_admin`) @@ -132,8 +139,8 @@ h| Restrictions | Cannot list incoming replications, or add or edit replications. | *Security* -| Can view settings for SAML, certificates, encryption at rest, audits, and other settings. -| Cannot change settings. +| None. +| All. | *Settings* | View all settings 
@@ -235,6 +242,78 @@ h| Restrictions |=== +[#ro-security-admin] +=== Read-Only Security Admin + +The Read-Only Security Admin role lets the user view all security settings except for listing users and groups. + +This role lets the user log into the Couchbase Server Web Console. + +NOTE: This role is new in Couchbase Server 8.0. +It was created to separate security privileges from the Read-Only Admin role. +The upgrade process from prior versions to Couchbase Server 8.0 or later grants this role to users that had the Read-Only Admin. +This grant ensures the user retains the privileges they had in prior versions. + +[#table_ro_security_admin_role,cols="1,2,2,hrows=2"] +|=== +3+^| Role: Read-Only Security Admin (`ro_security_admin`) + +h| Resource +h| Permissions +h| Restrictions + +| *Servers* +| View configuration and statistics +| Cannot add, failover, remove, modify services, or rebalance + +| *Buckets* +| List buckets, scopes, and collections +| Cannot create, drop, or edit settings, or read or write data + +| *Backup* +| None +| All + +| *XDCR* +| List outgoing replications +| Cannot create, start, alter connections + +| *Security* +| View LDAP, SAML, certificates, encryption at rest, audit, and logging settings. +| Cannot make any changes to security settings. +Cannot view or change users or groups. + +| *Settings* +| View +| Change + +| *Logs* +| View +| Collect Information + +| *Query* +| None +| All + +| *Search* +| None +| All + +| *Analytics* +| None +| All + +| *Eventing* +| None +| All + +| *Views* +| None +| All + +|=== + + [#local-user-security-admin] === Local User Admin @@ -530,7 +609,6 @@ Cannot add or edit replications. |=== - [#backup-full-admin] === Backup Full Admin 
@@ -1146,7 +1224,7 @@ Cannot use the Query Workbench in Couchbase Server Web Console. [#manage-scope-functions] -=== Manage Scope Functions (Query and Index) +=== Manage Scope Functions The Manage Scope Functions role lets the user create and drop user-defined {sqlpp} functions for one or more scopes. When granting this role, You select the scopes where the user can manage user-defined functions. @@ -1347,7 +1425,7 @@ Cannot use the Query Workbench in Couchbase Server Web Console. [#query-sequential-scan] -=== Query Use Sequential Scan +=== Query Use Sequential Scans The Query Use Sequential Scan role allows users' queries to perform a sequential scan of a keyspace. The query planner only uses a sequential scan when no suitable index exists for the keyspace. @@ -1360,7 +1438,7 @@ This role does not let the user log into Couchbase Server Web Console. [#table_query_use_sequential_scans_role,cols="1,2,2,hrows=2] |=== -3+^| Role: Query Use Sequential Scan (`query_use_sequential_scans`) +3+^| Role: Query Use Sequential Scans (`query_use_sequential_scans`) h| Resource h| Permissions @@ -1624,7 +1702,7 @@ Cannot use the Query Workbench in Couchbase Server Web Console. |=== [#query_manage_sequences] -=== Query Manage Sequences +=== Manage Sequences This role lets the user manage sequences for one or more scopes. See xref:n1ql:n1ql-language-reference/sequenceops.adoc[] for more information about sequences. @@ -1635,7 +1713,7 @@ This role lets the user log into Couchbase Server Web Console. [#table_query_manage_sequences_role,cols="1,2,2,hrows=2] |=== -3+^| Role: Query Manage Sequences (`query_manage_sequences`) +3+^| Role: Manage Sequences (`query_manage_sequences`) h| Resource h| Permissions 
@@ -1660,7 +1738,7 @@ Cannot manage sequences in buckets they do have not assigned to them. [#query_use_sequences] -=== Query Use Sequences +=== Use Sequences This role lets the user incorporate sequences into their queries in one or more scopes. When you grant this role, you choose the scopes where the user can use sequences. @@ -1671,7 +1749,7 @@ This role lets the user log into Couchbase Server Web Console. [#table_query_use_sequences_role,cols="1,2,2,hrows=2] |=== -3+^| Role: Query Manage Sequences (`query_use_sequences`) +3+^| Role: Manage Sequences (`query_use_sequences`) h| Resource h| Permissions @@ -1730,7 +1808,6 @@ Cannot use the Query Workbench in Couchbase Server Web Console. |=== - == Search Roles The following roles give users privileges to the xref:learn:services-and-indexes/services/search-service.adoc[] features. diff --git a/modules/manage/pages/manage-security/manage-auditing.adoc b/modules/manage/pages/manage-security/manage-auditing.adoc index 5339bcb0d4..6c03e2f2e5 100644 --- a/modules/manage/pages/manage-security/manage-auditing.adoc +++ b/modules/manage/pages/manage-security/manage-auditing.adoc 
@@ -13,8 +13,8 @@ The records created by the Couchbase Auditing facility capture information on _w The records are created by Couchbase Server-processes, which run asynchronously. Each record is stored as a JSON document, which can be retrieved and inspected. -Auditing can be configured by the *Full Admin* and the *Local User Security Admin* roles. -The auditing configuration can be read by the *Full Admin*, the *Local User Security Admin*, and the *Read-Only Admin* roles. +Users with the Full Admin or Security Admin roles can configure Auditing. +Users with the Full Admin, Security Admin, or Read-Only Security Admin roles can view the audit configuration. A conceptual overview of event auditing can be found in xref:learn:security/auditing.adoc[Auditing]. See the reference page xref:audit-event-reference:audit-event-reference.adoc[Audit Event Reference], for a complete list of the events that can be audited. diff --git a/modules/manage/pages/manage-statistics/manage-statistics.adoc b/modules/manage/pages/manage-statistics/manage-statistics.adoc index 34bd233eff..e875b35b16 100644 --- a/modules/manage/pages/manage-statistics/manage-statistics.adoc +++ b/modules/manage/pages/manage-statistics/manage-statistics.adoc 
@@ -47,11 +47,12 @@ Additional information can be displayed by left-clicking on the *Node Resources* === Dashboard Access All chart-content is provided by _bucket_. -Users whose roles allow them both to access Couchbase Web Console _and_ see administrative details on one or more buckets are able to see the default chart-content for those buckets. -For example, the *Full Admin*, *Cluster Admin*, *Read Only Admin*, *Local User Security Admin*, and *External User Security Admin* roles permit display of charts for all buckets defined on the cluster; while the *Bucket Admin* role permits display of charts only for those buckets to which the role has been applied. +Users whose roles grant them access to Couchbase Web Console and see administrative details on one or more buckets are able to see the default chart-content for those buckets. +For example, users with the Full Admin, Cluster Admin, Read Only Admin, Security Admin, or Read-Only Security Admin roles can display the charts for all buckets in the cluster. +The Bucket Admin role allows a user to display of charts of buckets to which they were granted administrator access. Users who can see the default content for some or all buckets can also create their own, customized content for those buckets. -Note that customized content is saved on Couchbase Server only on a _per user_ basis: therefore, for example, when a *Full Admin* creates customized content, it is visible only to the *Full Admin*, not to any other user. +Note that customized content is saved on Couchbase Server only on a _per user_ basis: therefore, for example, when a Full Admin creates customized content, it is visible only to the Full Admin, not to any other user. [#dashboard-controls] === Dashboard Controls diff --git a/modules/rest-api/pages/change-master-password.adoc b/modules/rest-api/pages/change-master-password.adoc index 42d7dedafa..dd667c8b96 100644 --- a/modules/rest-api/pages/change-master-password.adoc 
+++ b/modules/rest-api/pages/change-master-password.adoc @@ -14,7 +14,7 @@ POST /node/controller/changeMasterPassword == Description This command sets the master password for the current node. -The *Full Admin*, *Local User Security Admin*, or *External User Security Admin* role is required. + For a full description of system secrets and their management, see xref:manage:manage-security/manage-system-secrets.adoc[Manage System Secrets]. @@ -26,6 +26,13 @@ curl -X POST http://127.0.0.1:8091/node/controller/changeMasterPassword -d newPassword= ---- +== Required Privileges + +You must have one of the following roles to change the master password: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + == Responses Success returns `200 OK`. diff --git a/modules/rest-api/pages/get-trusted-cas.adoc b/modules/rest-api/pages/get-trusted-cas.adoc index a28abd15c7..4429c1f89a 100644 --- a/modules/rest-api/pages/get-trusted-cas.adoc +++ b/modules/rest-api/pages/get-trusted-cas.adoc @@ -20,9 +20,7 @@ Note that this list is therefore _complete_ and _cluster-wide_. Note that although support of multiple root certificates is only available in versions of Couchbase Server that are 7.1 and later, this API _can_ be used on clusters that are running different versions of Couchbase Server, some of which are prior to 7.1. -This method and endpoint can be used by unauthorized users: however, cluster-private details are redacted from the output. -For all details to be returned, the user must have the Full Admin, the Local User Security Admin, or the External User Security Admin role. -See the examples provided in xref:#output-redaction[Output Redaction], below. + [#curl-syntax] == Curl Syntax 
@@ -34,6 +32,19 @@ curl -X GET http://:8091/pools/default/trustedCAs -u : ---- +== Required Privileges + +Any user can call this method and endpoint. +However, they will only see a redacted version which does not include cluster-private details. +See the examples <<#output-redaction>> to see what is omitted. + + +To see all details of the returned objects, the user must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] +* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin] + [#responses] == Responses diff --git a/modules/rest-api/pages/load-trusted-cas.adoc b/modules/rest-api/pages/load-trusted-cas.adoc index 36c2997b19..0f954e5ae6 100644 --- a/modules/rest-api/pages/load-trusted-cas.adoc +++ b/modules/rest-api/pages/load-trusted-cas.adoc @@ -19,7 +19,7 @@ Loads trusted certificates into the Couchbase-Server trust store. All loaded certificates can be accessed by all nodes. Loaded CA (or _root_) certificates can be used to provide authority to the cluster's nodes, and can be used to authenticate clients' access-attempts. -The Full Admin, the Local User Security Admin, or the External User Security Admin role is required. + Note the following: @@ -66,6 +66,13 @@ curl -X POST http://:8091/node/controller/loadTrusted -u : ---- +== Required Privileges + +To load trusted CA certificates, you must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + [#responses] == Responses diff --git a/modules/rest-api/pages/rest-auditing.adoc b/modules/rest-api/pages/rest-auditing.adoc index 455c142a83..531ed3a64f 100644 --- a/modules/rest-api/pages/rest-auditing.adoc +++ b/modules/rest-api/pages/rest-auditing.adoc 
@@ -28,8 +28,18 @@ A _filterable_ event is an event that can be individually disabled, even when ev Events that are not filterable are not included in the list returned by `GET /settings/audit/descriptors`. + Events that are not filterable can be retrieved using the `GET` method `/settings/audit/nonFilterableDescriptors` -Auditing can be configured by the *Full Admin* and the *Local User Security Admin* roles. -The auditing configuration can be read by the *Full Admin*, the *Local User Security Admin*, and the *Read-Only Admin* roles. +== Required Privileges + +To read auditing settings, you must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + +To change auditing settings, you must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] == Curl Syntax diff --git a/modules/rest-api/pages/rest-cluster-autofailover-settings.adoc b/modules/rest-api/pages/rest-cluster-autofailover-settings.adoc index dcc5528360..6b759b887c 100644 --- a/modules/rest-api/pages/rest-cluster-autofailover-settings.adoc +++ b/modules/rest-api/pages/rest-cluster-autofailover-settings.adoc @@ -17,7 +17,7 @@ GET /settings/autoFailover The `GET /settings/autoFailover` HTTP method and URI retrieve auto-failover settings for the cluster. Auto-failover settings are global, and apply to all nodes in the cluster. -To read auto-failover settings, one of the following roles is required: Full Admin, Cluster Admin, Read-Only Admin, Backup Full Admin, Eventing Full Admin, Local User Security Admin, External User Security Admin. + == Curl Syntax 
@@ -27,6 +27,23 @@ curl -X GET http://:8091/settings/autoFailover -u : ---- +== Required Privileges + +You must have one of the following roles to retrieve auto-failover settings: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#backup-full-admin[Backup Full Admin] +* xref:learn:security/roles.adoc#bucket-admin[Bucket Admin] +* xref:learn:security/roles.adoc#cluster-admin[Cluster Admin] +* xref:learn:security/roles.adoc#eventing-full-admin[Eventing Full Admin] +* xref:learn:security/roles.adoc#xdcr-admin[XDCR Admin] +* xref:learn:security/roles.adoc#read-only-admin[Read-Only Admin] +* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] +* xref:learn:security/roles.adoc#external-user-security-admin[External User Admin] +* xref:learn:security/roles.adoc#local-user-security-admin[Local User Admin] +* xref:learn:security/roles.adoc#views-admin[Views Admin] + == Responses Success returns `200 OK`, and an object that contains the following parameters: diff --git a/modules/rest-api/pages/rest-identify-orchestrator.adoc b/modules/rest-api/pages/rest-identify-orchestrator.adoc index 4a18ba4400..39a633c5a6 100644 --- a/modules/rest-api/pages/rest-identify-orchestrator.adoc +++ b/modules/rest-api/pages/rest-identify-orchestrator.adoc 
@@ -31,7 +31,60 @@ curl -v -X GET -u : ---- The `ip-address-or-domain-name` should specify a node within the cluster whose orchestrator-location is to be determined: information returned by the call is that which is _known to the specified node_. -The `username` and `password` must be those of a user with the Full Admin, Cluster Admin, Read Only Admin, Local User Security Admin, or External User Security role. +The `username` and `password` must a user with one of the roles listed in the newxt section. + +== Required Privileges + +You must have one of the following roles to call this method: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#analytics-admin[Analytics Admin] +* xref:learn:security/roles.adoc#analytics-manager[Analytics Manager] +* xref:learn:security/roles.adoc#analytics-reader[Analytics Reader] +* xref:learn:security/roles.adoc#analytics-select[Analytics Select] +* xref:learn:security/roles.adoc#backup-full-admin[Backup Full Admin] +* xref:learn:security/roles.adoc#bucket-admin[Bucket Admin] +* xref:learn:security/roles.adoc#application-access[Application Access] +* xref:learn:security/roles.adoc#cluster-admin[Cluster Admin] +* xref:learn:security/roles.adoc#data-backup-and-restore[Data Backup & Restore] +* xref:learn:security/roles.adoc#data-dcp-reader[Data DCP Reader] +* xref:learn:security/roles.adoc#data-monitor[Data Monitor] +* xref:learn:security/roles.adoc#data-reader[Data Reader] +* xref:learn:security/roles.adoc#data-writer[Data Writer] +* xref:learn:security/roles.adoc#eventing-full-admin[Eventing Full Admin] +* xref:learn:security/roles.adoc#manage-scope-functions[Manage Scope Functions] +* xref:learn:security/roles.adoc#search-admin[Search Admin] +* xref:learn:security/roles.adoc#search-reader[Search Reader] +* xref:learn:security/roles.adoc#sync-gateway[Sync Gateway] +* xref:learn:security/roles.adoc#query-delete[Query Delete] +* 
xref:learn:security/roles.adoc#execute-scope-external-functions[Execute Scope External Functions] +* xref:learn:security/roles.adoc#execute-scope-functions[Execute Scope Functions] +* xref:learn:security/roles.adoc#execute-global-external-functions[Execute Global External Functions] +* xref:learn:security/roles.adoc#execute-global-functions[Execute Global Functions] +* xref:learn:security/roles.adoc#query-curl-access[Query CURL Access] +* xref:learn:security/roles.adoc#query-insert[Query Insert] +* xref:learn:security/roles.adoc#query-list-index[Query List Index] +* xref:learn:security/roles.adoc#manage-scope-external-functions[Manage Scope External Functions] +* xref:learn:security/roles.adoc#manage-scope-functions[Manage Scope Functions] +* xref:learn:security/roles.adoc#manage-global-external-functions[Manage Global External Functions] +* xref:learn:security/roles.adoc#manage-global-functions[Manage Global Functions] +* xref:learn:security/roles.adoc#query-manage-index[Query Manage Index] +* xref:learn:security/roles.adoc#query_manage_sequences[Manage Sequences] +* xref:learn:security/roles.adoc#query_manage_system_catalog[Query Manage System Catalog] +* xref:learn:security/roles.adoc#query-select[Query Select] +* xref:learn:security/roles.adoc#query-system-catalog[Query System Catalog] +* xref:learn:security/roles.adoc#query-update[Query Update] +* xref:learn:security/roles.adoc#query_use_sequences[Use Sequences] +* xref:learn:security/roles.adoc#xdcr-admin[XDCR Admin] +* xref:learn:security/roles.adoc#xdcr-inbound[XDCR Inbound] +* xref:learn:security/roles.adoc#read-only-admin[Read-Only Admin] +* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] +* xref:learn:security/roles.adoc#external-user-security-admin[External User Admin] +* xref:learn:security/roles.adoc#local-user-security-admin[Local User Admin] +* xref:learn:security/roles.adoc#views-admin[Views Admin] +* 
xref:learn:security/roles.adoc#views-reader[Views Reader] + == Responses @@ -73,10 +126,10 @@ If the call is successful, `200 OK` is returned, with the following output: ---- { - "clusterUUID": "21d1c9a5d1f40f5bb8ac73f6df9db8a7", - "orchestrator": "ns_1@10.143.210.101", + "clusterUUID": "58ea8d6385837b4aa60755a9a6ab81bb", + "orchestrator": "ns_1@node3.", "isBalanced": true, - "clusterCompatVersion": "6.6" + "clusterCompatVersion": "8.0" } ---- diff --git a/modules/rest-api/pages/rest-logs-get.adoc b/modules/rest-api/pages/rest-logs-get.adoc index 6d4d2d6f0d..bfaffff0fc 100644 --- a/modules/rest-api/pages/rest-logs-get.adoc +++ b/modules/rest-api/pages/rest-logs-get.adoc @@ -17,7 +17,7 @@ GET /sasl_logs/ == Description The `GET /diag` method and URI return general Couchbase-Server diagnostic information. -This requires the *Full Admin*, the *Cluster Admin*, or the *Local User Security Admin* role. + The `GET /sasl_logs` method and URI return the contents of a Couchbase-Server _log_ file. This requires the *Full Admin* or the *Cluster Admin* role. @@ -40,6 +40,18 @@ For a complete list of log files, see xref:manage:manage-logging/manage-logging. If no `log-name` argument is specified, the default value is `debug`; whereby the contents of the `debug.log` file are displayed. +== Required Privileges + +You must have one of the following roles to call this endpoint: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#cluster-admin[Cluster Admin] +* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] +* xref:learn:security/roles.adoc#external-user-security-admin[External User Admin] +* xref:learn:security/roles.adoc#local-user-security-admin[Local User Admin] + + [#responses] == Responses For both URIs, success gives `200 OK`, and displays the returned content. 
diff --git a/modules/rest-api/pages/rest-regenerate-all-certs.adoc b/modules/rest-api/pages/rest-regenerate-all-certs.adoc index 8f391b9c9d..916aeaf2f0 100644 --- a/modules/rest-api/pages/rest-regenerate-all-certs.adoc +++ b/modules/rest-api/pages/rest-regenerate-all-certs.adoc @@ -28,7 +28,6 @@ Should problems occur during or subsequent to the deployment of these new certif Note that on Couchbase Server Version 7.1 and later, when regeneration is performed, no trusted root certificate is _removed_ from the cluster: all trusted root certificates remain in the cluster's trust store; and can be removed _manually_, as appropriate. For information, see xref:learn:security/using-multiple-cas.adoc[Using Multiple Root Certificates]. -To regenerate certificates, the administrator must have either the Full Admin or the Local Admin Security Admin role. [#curl-syntax] == Curl Syntax @@ -40,6 +39,13 @@ curl -X POST http://:8091/controller/regenerateCertif -u : ---- +== Required Privileges + +You must have one of the following roles to regenerate certificates: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + [#responses] == Responses 
@@ -47,7 +53,7 @@ Success returns `200 OK` and the text of the regenerated, default root certifica An incorrect username-password combination fails with `401 Unauthorized`. An incorrectly specified URI fails with `404 Object Not Found`. An incorrectly specified IP address or domain name causes the attempted connection to time out, with a `Failed to connect` notification. -An attempt to regenerate certificates without the Full Admin, the Local User Security Admin, or the External User Security Admin role fails with either `401 Unauthorized` or `403 Forbidden` with a notification such as `"message":"Forbidden. User needs one of the following permissions","permissions":["cluster.admin.security!write"]`. +An attempt to regenerate certificates without the Full Admin or Security Admin role fails with either `401 Unauthorized` or `403 Forbidden` with a notification such as `"message":"Forbidden. User needs one of the following permissions","permissions":["cluster.admin.security!write"]`. [#example] == Example diff --git a/modules/rest-api/pages/rest-set-password-policy.adoc b/modules/rest-api/pages/rest-set-password-policy.adoc index a46ab55b7b..97e1d6af1c 100644 --- a/modules/rest-api/pages/rest-set-password-policy.adoc +++ b/modules/rest-api/pages/rest-set-password-policy.adoc @@ -19,7 +19,7 @@ POST /settings/passwordPolicy A cluster's _password policy_ specifies a set of character-related requirements that must be met by all passwords whose definition occurs subsequent to the establishing of the policy. Previously defined passwords continue to be valid, even if they do not meet the requirements specified in the most recent policy. -To establish the cluster's password policy, the user must have been assigned the Full Admin, the Local User Security Admin, or the External User Security Admin role. + [#curl-syntax] == Curl Syntax 
@@ -45,6 +45,19 @@ The `enforceUppercase` and `enforceLowercase` flags establish whether the passwo The `enforceDigits` and `enforceSpecialChars` flags establish whether the password must contain at least one digit or special character, respectively: the value of each must be either `true` or `false`. Acceptable special characters are the following: `@`, `%`, `+`, `/`, `'`, `\`, `"`, `!`, `#`, `$`, `^`, `?`, `:`, `,`, `(`, `)`, `{`, `}`, `[`, `]`, `~`, ```, `-`, and `_`. +== Required Privileges + +To retrieve the password policy, you must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + +To set the password policy, you must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + [#responses] == Responses diff --git a/modules/rest-api/pages/rest-xdcr-adv-settings.adoc b/modules/rest-api/pages/rest-xdcr-adv-settings.adoc index a344ea1a6f..254af8330c 100644 --- a/modules/rest-api/pages/rest-xdcr-adv-settings.adoc +++ b/modules/rest-api/pages/rest-xdcr-adv-settings.adoc @@ -30,7 +30,7 @@ If the global settings are themselves changed, existing replications are not aff Used with the `GET` method, the URIs respectively retrieve global settings for _all_ replications; and for _a specific_ replication, which is referenced by its `settings_URI`. -Each command requires the Full Admin, Cluster Admin, ReadOnly Admin, External User Security Admin, Local User Security Admin, Backup Full Admin, or XDCR Admin role. + [#curl-syntax] == Curl Syntax 
@@ -54,6 +54,26 @@ curl -u : -X GET \ Each instance of the POST method allows one or more instances of the `xdcr-advanced-setting` flag to be specified, with an appropriate `value`. All flags are listed below, in the section xref:rest-api:rest-xdcr-adv-settings.adoc#xdcr-advanced-settings-rest[List of Advanced Settings]. +== Required Privileges + +You must have one of the following roles to call the GET methods: + +* Full Admin +* Cluster Admin +* Read-Only Admin +* Security Admin +* Read-Only Security Admin +* Backup Full Admin +* XDCR Admin + +You must have one of the following roles to call the POST methods: + +* Full Admin +* Cluster Admin +* Security Admins +* Backup Full Admin +* XDCR Admin + [#responses] == Responses diff --git a/modules/rest-api/pages/rotate-data-key.adoc b/modules/rest-api/pages/rotate-data-key.adoc index 809239a85c..801186f4e5 100644 --- a/modules/rest-api/pages/rotate-data-key.adoc +++ b/modules/rest-api/pages/rotate-data-key.adoc @@ -14,7 +14,7 @@ POST /node/controller/rotateDataKey == Description This command rotates the data key. -The *Full Admin*, *Local User Security Admin*, or *External User Security Admin* role is required. + == Curl Syntax @@ -23,6 +23,16 @@ curl -X POST http://127.0.0.1:8091/node/controller/rotateDataKey -u Administrator:password ---- +== Required Privileges + + +You must have one of the following roles to rotate the data key: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + + + == Responses Success returns `200 OK`. diff --git a/modules/rest-api/pages/system-secrets-configuration.adoc b/modules/rest-api/pages/system-secrets-configuration.adoc index a34b40f625..5ef60c4ac1 100644 --- a/modules/rest-api/pages/system-secrets-configuration.adoc +++ b/modules/rest-api/pages/system-secrets-configuration.adoc 
@@ -17,8 +17,6 @@ POST /node/controller/secretsManagement == Description Configures _system secrets_; which comprises the master password, data keys, key storage, and the location of key-control scripts. -The *Full Admin*, *Local User Security Admin*, or *External User Security Admin* role is required. - == Curl Syntax ---- @@ -101,6 +99,20 @@ The script to be executed for the writing of data keys (when the value of `keySt * `deleteCmd`. The script to be executed for the deletion of data keys (when the value of `keyStorageType` is `script`). + +== Required Privileges + +To retrieve the current configuration, you must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + +To change the current configuration, you must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + == Responses For `GET` and `POST`, success returns `200 OK`, and an object containing the current settings. diff --git a/modules/rest-api/pages/upload-retrieve-node-cert.adoc b/modules/rest-api/pages/upload-retrieve-node-cert.adoc index 5d975f7d58..333f73c9f9 100644 --- a/modules/rest-api/pages/upload-retrieve-node-cert.adoc +++ b/modules/rest-api/pages/upload-retrieve-node-cert.adoc 
@@ -28,7 +28,6 @@ Note that such retrieval can only be performed with an administrator-configured Note that the `POST` API _can_ be used on clusters one or more of whose nodes is running a version of Couchbase Server prior to 7.1. The `GET` API can likewise be used: however, node-certificates for pre-7.1 nodes are not returned. -Both calls require either the Full Admin or the Local User Security Admin role. For the loading of the node-certificate to succeed, the private key and chain file must both be readable by user `couchbase`. [#node-certificate-validation] @@ -123,6 +122,19 @@ The specified passphrase is stored on the node with the Couchbase-Server procedu See xref:manage:manage-security/manage-system-secrets.adoc[Manage System Secrets]. When the private key is accessed, the passphrase is transmitted in the clear (unless Https is used), and can be transmitted between nodes: this is insecure, and consequently, the `plain` option is recommended only for pre-production use. +== Required Privileges + +To retrieve a node certificate, you must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + +To upload a node certificate, you must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + [#responses] == Responses
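Review bot: because the upgrade automatically adds `ro_security_admin` to every existing `ro_admin` user, the MB-67164 release note (new-features-80.adoc, hunk `@@ -253,6 +252,15 @@`) should say plainly that pre-upgrade access is preserved rather than narrowed, and advise administrators to review those users after upgrading and revoke the new role where read access to security settings is not needed; as written, the privilege split does not reduce anyone's effective access until that review happens. The unchanged context line in the same hunk reads "Couchbase Sever 8.0" and is worth correcting while the file is open.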
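Review bot: the bare `+` line between the `NOTE:` paragraph and the upgrade paragraph in roles.adoc (hunk `@@ -100,13 +100,20 @@`) is a list-continuation marker; it works in new-features-80.adoc because that text sits inside a `::` labeled-list item, but here the note is top-level section text, so the second paragraph will not attach to the admonition. Use a delimited admonition block instead (`[NOTE]` followed by `====` ... `====` with both paragraphs inside). In the same hunk, the new Security-row cells `| None.` and `| All.` carry trailing periods while the identical cells in the new Read-Only Security Admin table (`| None` / `| All`) do not; pick one style for both tables.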
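Review bot: "grants this role to users that had the Read-Only Admin." in the new Read-Only Security Admin section (roles.adoc, hunk `@@ -235,6 +242,78 @@`) is missing the word "role". In the table, the Settings and Logs restriction cells read `| Change` and `| Collect Information`, which name capabilities rather than restrictions; every other row in the table uses "Cannot ..." phrasing, so these should read "Cannot change settings" and "Cannot collect information". There are also two blank lines before `[#local-user-security-admin]` where the rest of the file uses one.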
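Review bot: the heading is renamed to "Query Use Sequential Scans" (roles.adoc, hunk `@@ -1347,7 +1425,7 @@`), but the unchanged sentence immediately below it still begins "The Query Use Sequential Scan role allows ..."; update the body text to the new plural name so the section does not refer to the role by two names.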
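Review bot: the table attribute line `[#table_query_use_sequential_scans_role,cols="1,2,2,hrows=2]` in the context of roles.adoc hunk `@@ -1360,7 +1438,7 @@` is missing the closing double quote after `hrows=2`. The same defect is visible in the `table_query_manage_sequences_role` and `table_query_use_sequences_role` attribute lines in the later hunks, whereas the new `table_ro_security_admin_role` line is quoted correctly; fix all three while these tables are being edited.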
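Review bot: the context shown in the header of roles.adoc hunk `@@ -1660,7 +1738,7 @@`, "Cannot manage sequences in buckets they do have not assigned to them.", is garbled; since this hunk already touches the Use Sequences section, correct the preceding table's restriction cell to "Cannot manage sequences in buckets that are not assigned to them."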
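Review bot: the new table title in roles.adoc hunk `@@ -1671,7 +1749,7 @@`, `3+^| Role: Manage Sequences (`query_use_sequences`)`, still labels the Use Sequences table as "Manage Sequences"; the old line had the same mismatch ("Query Manage Sequences") and this change only drops "Query". It should read `3+^| Role: Use Sequences (`query_use_sequences`)`, matching the section heading renamed in the previous hunk and the role name in parentheses.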
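Review bot: two grammar problems in the replacement text in manage-statistics.adoc (hunk `@@ -47,11 +47,12 @@`). "Users whose roles grant them access to Couchbase Web Console and see administrative details" drops the verb the original had ("allow them both to access ... and see"); suggest "Users whose roles grant them access to Couchbase Web Console and let them see administrative details on one or more buckets ...". And "allows a user to display of charts of buckets to which they were granted administrator access" should be "allows a user to display charts only for the buckets to which the role has been applied".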
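Review bot: "Any user can call this method and endpoint." in get-trusted-cas.adoc (hunk `@@ -34,6 +32,19 @@`) is less precise than the sentence it replaces, which said "unauthorized users"; since this is the security-relevant fact about the endpoint, state explicitly whether requests without credentials are accepted or whether any authenticated user, regardless of role, receives the redacted list. The sentence "See the examples <<#output-redaction>> to see what is omitted." doubles "see"; suggest "The examples in <<#output-redaction>> show what is omitted." There is also a double blank line between that paragraph and "To see all details".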
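Review bot: the new Required Privileges list in rest-cluster-autofailover-settings.adoc (hunk `@@ -27,6 +27,23 @@`) grants more roles than the sentence removed in the previous hunk: Bucket Admin, XDCR Admin and Views Admin are new, and the two former security-admin roles have become four entries (Security Admin, Read-Only Security Admin, External User Admin, Local User Admin). If this reflects the server's actual permission check, fine, but please confirm against the source of truth before merging; a documented role list that overstates who can read cluster settings is exactly what an access review will flag.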
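Review bot: the replacement sentence in rest-identify-orchestrator.adoc (hunk `@@ -31,7 +31,60 @@`) is broken: "The `username` and `password` must a user with one of the roles listed in the newxt section." should read "The `username` and `password` must be those of a user with one of the roles listed in the next section." In the list, `xref:learn:security/roles.adoc#manage-scope-functions[Manage Scope Functions]` appears twice (once after Eventing Full Admin and again after Manage Scope External Functions); drop one. Since the list covers nearly every role, consider stating the condition once and linking to the roles page instead of enumerating, so the page does not silently drift from the server as roles are added.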
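Review bot: the updated example output in rest-identify-orchestrator.adoc (hunk `@@ -73,10 +126,10 @@`) shows `"orchestrator": "ns_1@node3."` with a trailing period, which reads as a truncated hostname; use a complete example node name, or a clearly marked placeholder, so readers do not copy a malformed value.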
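Review bot: the single Required Privileges list in rest-logs-get.adoc (hunk `@@ -40,6 +40,18 @@`) says "to call this endpoint", but the page documents two endpoints, `GET /diag` and `GET /sasl_logs`, and the unchanged sentence in the description still states that `/sasl_logs` "requires the *Full Admin* or the *Cluster Admin* role". If `/sasl_logs` really requires fewer roles than `/diag`, split the section per endpoint; if the two lists are now identical, remove the leftover sentence, otherwise a reader will take the narrower statement as authoritative for log access. The removed `/diag` sentence in the previous hunk also leaves a double blank line behind.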
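Review bot: `* Security Admins` in the POST list in rest-xdcr-adv-settings.adoc (hunk `@@ -54,6 +54,26 @@`) should be singular, `* Security Admin`. This is also the only page in the patch whose Required Privileges lists are plain text rather than `xref:learn:security/roles.adoc#...[...]` links; use the same link form as the other pages so readers can jump to the role definitions.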
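Review bot: rotate-data-key.adoc (hunk `@@ -23,6 +23,16 @@`) has two blank lines after the `== Required Privileges` heading and three before `== Responses`; the other pages in this patch use one. The pattern of replacing a removed role sentence with an empty `+` line also leaves a double blank line in the description sections of rotate-data-key.adoc, change-master-password.adoc, load-trusted-cas.adoc, rest-set-password-policy.adoc, rest-xdcr-adv-settings.adoc and rest-cluster-autofailover-settings.adoc; system-secrets-configuration.adoc removes both lines and is the form to follow.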