Usernames and Passwords
Couchbase Server requires that administrators and applications authenticate, in order to gain access to data, settings, and statistics. Authentication may require that a username and password be provided.
Introduction to Usernames and Passwords
Users of Couchbase Server frequently require a username and password. A user may be either an administrator or an application. An application may be a program or server, or may be a simple, single command-line query.
The Full Administrator who installs and configures Couchbase Server (and so has full read-write access to the whole system), defines their own username and password during the configuration-process: see Create a Cluster, for details. Subsequently, this administrator can add additional administrators to the system; assigning a username and password to each. Whenever any needs to log into Couchbase Web Console in order to inspect data, statistics, and settings (and possibly make changes), they must specify their own unique username-password combination, at the authentication-prompt provided by the server.
An application, if it is not using a client certificate for purposes of authentication, must pass its username and password as parameters. Therefore, Couchbase CLI commands, SQL++ queries, and executables supported by the Couchbase SDK all provide syntax to allow the passing of a username and password.
Additionally, a special master password may be designed and used by the Full Administrator, in order to manage system secrets. See Manage System Secrets, for details.
Note that a cluster running Couchbase Server Enterprise Edition can have any number of users. A cluster running Community Edition can have a maximum of twenty users.
The Full Administrator username and password are established during initialization of Couchbase Server: see Create a Cluster for details.
Subsequently, additional users can be added to the cluster as local users: each is at that time assigned a unique username, and a unique password. Passwords can be changed by means of the password-reset tool, reset-admin-password; or by Couchbase Web Console, as described in Editing Users and Groups. A local user can change their own password by means of the REST API: see Change Password.
Users can also be added to the cluster as external users, for whom no password need be specified; since the external user is to be authenticated externally.
Authentication for Administrators and Applications
In a modern environment, authenticating by means of username and password, by either an administrator or an application, is less than optimally secure. Therefore, the best practice for administrator-authentication is to use single sign-on, with a provider that is configured to require Multi-Factor Authentication (MFA). The best practice for application-authentication is to use x.509 certificate-based authentication.
For details on authenticating with optimal security, see Understanding Authentication.
Password Strength
Couchbase Server provides a default password-policy. This demands only that the password have a minimum of six characters.
For pre-production purposes, it may be desirable to strengthen this default password-policy. For production purposes, it should be considered essential to do so. The password-policy can be set by the Full Administrator, by means either of the Couchbase CLI command setting-password-policy, or of the REST API — as described in Setting Password Policy. This allows you to specify that every Couchbase Server-password should:
-
Contain a minimum-number of characters. If established with the CLI, this can be any number between 1 and 100. If established with the REST API, this can be any number between 0 and 100. (Note that if 0 is selected, the definition of password-free users is thereby enabled: this is highly insecure, and is not recommended.)
-
Contain at least one uppercase character.
-
Contain at least one lowercase character.
-
Contain at least one special character.
-
Contain at least one digit.
It is recommended that passwords be managed with a password manager, and that each password be designed as one of the following:
-
A password of at least 12 characters that includes letters, numbers, and special characters.
-
A unique passphrase of at least 15 characters, with individual words separated from one another by means of one or more special characters.
Usernames and Roles
Couchbase Server-users can typically authenticate by means of a username, specified with a password.
The restrictions on username-design are that each should be unique to the cluster; and that none of the following characters be used: ( ) < > , ; : \ " / [ ] ? = { }
.
Note additionally that the @
character cannot be used in a username on any Couchbase Server version before 6.5.1.
On versions 6.5.1 and beyond, a username may contain the @
character, as long as it does not occur at the start: for example, first.last@domain
.
Usernames cannot be more than 128 UTF-8 characters in length; and it is recommended that they be no more than 64 UTF-8 characters in length, in order to ensure successful onscreen display.
Each user is associated with one or more roles, which permit limited access-privileges. Therefore, once a user has authenticated, their role-assignment is examined, and an appropriate degree of access is granted to them by Couchbase Server. See Authorization, for details.
Note that usernames and role-names are case sensitive.