Add RBAC support (#25)

# What was done - Add new script to create RBAC users - Add sample configuration file for RBAC user creation - Add documentation
brantburnett · Dec 30, 2020 · bcf4535 · bcf4535
1 parent c32d6a9
commit bcf4535
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -130,6 +130,28 @@ The values to replace are `your_scope_name` and the values in the `collections`
 }
 ```
 
+### RBAC Configuration
+
+ To configure RBAC users for Couchbase Server versions 5+, simply place a `rbac-users.json` file in the `/startup` directory of your image. This file should be an array of JSON objects that define the various users and roles that need to be associated with each user. See the following example on how to structure the file:
+
+ ```json
+[
+  {
+    "rbacName": "App User",
+    "rbacUsername": "app-user",
+    "rbacPassword": "password",
+    "roles": [
+      "bucket_full_access[sample]"
+    ]
+  },
+  {
+    ...
+  }
+]
+```
+
+ Information on the available roles can be found [here](https://docs.couchbase.com/server/current/learn/security/roles.html). If you want to limit the role to a specific bucket, place the bucket name in brackets at the end of the name, i.e. `bucket_full_access[sample]`.
+
 ### Generating Data With FakeIt
 
 To generate data with FakeIt, create a directory underneath `/startup` with the name of your bucket, and directory beneath that named `models`.  For example, `/startup/sample/models`.  Note that the names are case sensitive.  Add your FakeIt YAML models to the models directory.

diff --git a/example/rbac-users.json b/example/rbac-users.json
@@ -0,0 +1,10 @@
+[
+  {
+    "rbacName": "App User",
+    "rbacUsername": "app-user",
+    "rbacPassword": "password",
+    "roles": [
+      "bucket_full_access[sample]"
+    ]
+  }
+]
diff --git a/scripts/configure-node.sh b/scripts/configure-node.sh
@@ -23,6 +23,7 @@ if [ ! -e "/nodestatus/initialized" ] ; then
   done < <(cat /startup/buckets.json | jq -r '.[].name')
 
   $scriptPath/create-events.sh
+  $scriptPath/create-rbac-users.sh
 
   # Done
   echo "Couchbase Server initialized."

diff --git a/scripts/create-rbac-users.sh b/scripts/create-rbac-users.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Create rbac users
+
+if [ -e "/startup/rbac-users.json" ]; then
+  while read rbacSettings
+  do
+    rbacName=$(echo $rbacSettings | jq -r '.["rbacName"]')
+    rbacUsername=$(echo $rbacSettings | jq -r '.["rbacUsername"]')
+    rbacPassword=$(echo $rbacSettings | jq -r '.["rbacPassword"]')
+    rbacRoles=$(echo $rbacSettings | jq -r '.roles | join(",")')
+
+    curl -Ss -X PUT http://127.0.0.1:8091/settings/rbac/users/local/$rbacUsername \
+      -u $CB_USERNAME:$CB_PASSWORD \
+      -d password=$rbacPassword \
+      -d name="$rbacName" \
+      -d roles=$rbacRoles && echo
+  done < <(cat /startup/rbac-users.json | jq -c '.[]')
+fi