From d36bed3d0e939a56f79562aac9259567c7155133 Mon Sep 17 00:00:00 2001 From: Gary Gray <137797428+ggray-cb@users.noreply.github.com> Date: Fri, 15 Aug 2025 10:08:44 -0400 Subject: [PATCH 1/8] * Added read-only security role. * Edited Read-Only Admin role to reflect changes to privileges. * Changed several role names to match the names reported by Couchbase (i.e. Query Manage Sequences -> Manage Sequences). * Cleanup of lingering references to Local and External User Admin roles. * In several cases, updated the roles requirements for REST API calls. These were mainly determined by using a script that calls the endpoints with every possible role. --- .../learn/pages/security/certificates.adoc | 2 +- modules/learn/pages/security/roles.adoc | 96 +++++++++++++++++-- .../manage-security/manage-auditing.adoc | 4 +- .../manage-statistics/manage-statistics.adoc | 5 +- .../pages/change-master-password.adoc | 2 +- modules/rest-api/pages/get-trusted-cas.adoc | 2 +- modules/rest-api/pages/load-trusted-cas.adoc | 2 +- modules/rest-api/pages/rest-auditing.adoc | 6 +- .../rest-cluster-autofailover-settings.adoc | 19 +++- .../pages/rest-identify-orchestrator.adoc | 61 +++++++++++- modules/rest-api/pages/rest-logs-get.adoc | 14 ++- .../pages/rest-regenerate-all-certs.adoc | 2 +- .../pages/rest-set-password-policy.adoc | 2 +- .../pages/rest-xdcr-adv-settings.adoc | 20 +++- modules/rest-api/pages/rotate-data-key.adoc | 6 +- .../pages/system-secrets-configuration.adoc | 16 +++- .../pages/upload-retrieve-node-cert.adoc | 14 ++- 17 files changed, 240 insertions(+), 33 deletions(-) diff --git a/modules/learn/pages/security/certificates.adoc b/modules/learn/pages/security/certificates.adoc index 0ca98ae4ec..f58f98a733 100644 --- a/modules/learn/pages/security/certificates.adoc +++ b/modules/learn/pages/security/certificates.adoc 
@@ -31,7 +31,7 @@ This page provides a general overview of using certificates with Couchbase Serve It assumes you know the basics of Transport Layer Security (TLS) and certificates. To learn more about these topics, see the Wikipedia article on https://en.wikipedia.org/wiki/Public_key_certificate[Public key certificate^], and OpenSSL's https://wiki.openssl.org/index.php/Command_Line_Utilities[Command Line Utilities] page. -Managing certificates requires Full Admin, Local User Security Admin, or External User Security Admin privileges. +Managing certificates requires the Full Admin or Security Admin roles. For step-by-step instructions for creating and deploying certificate for Couchbase Server and clients, see xref:manage:manage-security/configure-server-certificates.adoc[Configure Server Certificates] and xref:manage:manage-security/configure-client-certificates.adoc[Configure Client Certificates]. diff --git a/modules/learn/pages/security/roles.adoc b/modules/learn/pages/security/roles.adoc index 2f6b0d2470..ff3d99fa03 100644 --- a/modules/learn/pages/security/roles.adoc +++ b/modules/learn/pages/security/roles.adoc 
@@ -100,13 +100,20 @@ This role is also available in Couchbase Server Community Edition. === Read-Only Admin The Read-Only Admin role lets the user read Couchbase Server settings and statistics. -This information includes registered usernames with roles and authentication domains, but excludes passwords. Users with this role can also read Backup Service data to monitor backup plans and tasks. The role lets the user log into the Couchbase Server Web Console. This role is also available in Couchbase Server Community Edition. +NOTE: Prior to Couchbase Server 8.0, this role allowed the user to read security information including listing users and groups. +In 8.0, these permissions were split off into the <<#ro-security-admin>> role. +The Read-Only Admin role now does not allow access to any of the security information. + ++ +When you upgrade Couchbase Server from a version earlier than 8.0 to 8.0 or later, the upgrade process grants any user with this role the <<#ro-security-admin>> role as well. +Granting this role lets the user retain the privileges they had in prior versions. + [#table_read_only_admin_role,cols="1,2,2,hrows=2"] |=== 3+^| Role: Read-Only Admin (`ro_admin`) @@ -132,8 +139,8 @@ h| Restrictions | Cannot list incoming replications, or add or edit replications. | *Security* -| Can view settings for SAML, certificates, encryption at rest, audits, and other settings. -| Cannot change settings. +| None. +| All. | *Settings* | View all settings 
@@ -235,6 +242,77 @@ h| Restrictions |=== +[#ro-security-admin] +=== Read-Only Security Admin + +The Read- +only Security Admin role allows the user to view all security settings except for users and groups. + +This role lets the user log into the Couchbase Server Web Console. + +NOTE: This role is new in Couchbase Server 8.0. + + +[#table_ro_security_admin_role,cols="1,2,2,hrows=2"] +|=== +3+^| Role: Read-Only Security Admin (`ro_security_admin`) + +h| Resource +h| Permissions +h| Restrictions + +| *Servers* +| View configuration and statistics +| Cannot add, failover, remove, modify services, or rebalance + +| *Buckets* +| List buckets, scopes, and collections +| Cannot create, drop, or edit settings, or read or write data + +| *Backup* +| None +| All + +| *XDCR* +| List outgoing replications +| Cannot create, start, alter connections + +| *Security* +| View LDAP, SAML, certificates, encryption at rest, audit, and logging settings. +| Cannot make any changes to security settings. +Cannot view or change users or groups. + +| *Settings* +| View +| Change + +| *Logs* +| View +| Collect Information + +| *Query* +| None +| All + +| *Search* +| None +| All + +| *Analytics* +| None +| All + +| *Eventing* +| None +| All + +| *Views* +| None +| All + +|=== + + [#local-user-security-admin] === Local User Admin @@ -530,7 +608,6 @@ Cannot add or edit replications. |=== - [#backup-full-admin] === Backup Full Admin @@ -1146,7 +1223,7 @@ Cannot use the Query Workbench in Couchbase Server Web Console. [#manage-scope-functions] -=== Manage Scope Functions (Query and Index) +=== Manage Scope Functions The Manage Scope Functions role lets the user create and drop user-defined {sqlpp} functions for one or more scopes. When granting this role, You select the scopes where the user can manage user-defined functions. 
@@ -1624,7 +1701,7 @@ Cannot use the Query Workbench in Couchbase Server Web Console. |=== [#query_manage_sequences] -=== Query Manage Sequences +=== Manage Sequences This role lets the user manage sequences for one or more scopes. See xref:n1ql:n1ql-language-reference/sequenceops.adoc[] for more information about sequences. @@ -1635,7 +1712,7 @@ This role lets the user log into Couchbase Server Web Console. [#table_query_manage_sequences_role,cols="1,2,2,hrows=2] |=== -3+^| Role: Query Manage Sequences (`query_manage_sequences`) +3+^| Role: Manage Sequences (`query_manage_sequences`) h| Resource h| Permissions @@ -1660,7 +1737,7 @@ Cannot manage sequences in buckets they do have not assigned to them. [#query_use_sequences] -=== Query Use Sequences +=== Use Sequences This role lets the user incorporate sequences into their queries in one or more scopes. When you grant this role, you choose the scopes where the user can use sequences. @@ -1671,7 +1748,7 @@ This role lets the user log into Couchbase Server Web Console. [#table_query_use_sequences_role,cols="1,2,2,hrows=2] |=== -3+^| Role: Query Manage Sequences (`query_use_sequences`) +3+^| Role: Manage Sequences (`query_use_sequences`) h| Resource h| Permissions @@ -1730,7 +1807,6 @@ Cannot use the Query Workbench in Couchbase Server Web Console. |=== - == Search Roles The following roles give users privileges to the xref:learn:services-and-indexes/services/search-service.adoc[] features. diff --git a/modules/manage/pages/manage-security/manage-auditing.adoc b/modules/manage/pages/manage-security/manage-auditing.adoc index 5339bcb0d4..0a2ce889ce 100644 --- a/modules/manage/pages/manage-security/manage-auditing.adoc +++ b/modules/manage/pages/manage-security/manage-auditing.adoc 
@@ -13,8 +13,8 @@ The records created by the Couchbase Auditing facility capture information on _w The records are created by Couchbase Server-processes, which run asynchronously. Each record is stored as a JSON document, which can be retrieved and inspected. -Auditing can be configured by the *Full Admin* and the *Local User Security Admin* roles. -The auditing configuration can be read by the *Full Admin*, the *Local User Security Admin*, and the *Read-Only Admin* roles. +Auditing can be configured by the *Full Admin* and the *Security Admin* roles. +The auditing configuration can be read by the *Full Admin*, the *Security Admin*, and the *Read-Only Security Admin* roles. A conceptual overview of event auditing can be found in xref:learn:security/auditing.adoc[Auditing]. See the reference page xref:audit-event-reference:audit-event-reference.adoc[Audit Event Reference], for a complete list of the events that can be audited. diff --git a/modules/manage/pages/manage-statistics/manage-statistics.adoc b/modules/manage/pages/manage-statistics/manage-statistics.adoc index 34bd233eff..6ff581c991 100644 --- a/modules/manage/pages/manage-statistics/manage-statistics.adoc +++ b/modules/manage/pages/manage-statistics/manage-statistics.adoc 
@@ -47,8 +47,9 @@ Additional information can be displayed by left-clicking on the *Node Resources* === Dashboard Access All chart-content is provided by _bucket_. -Users whose roles allow them both to access Couchbase Web Console _and_ see administrative details on one or more buckets are able to see the default chart-content for those buckets. -For example, the *Full Admin*, *Cluster Admin*, *Read Only Admin*, *Local User Security Admin*, and *External User Security Admin* roles permit display of charts for all buckets defined on the cluster; while the *Bucket Admin* role permits display of charts only for those buckets to which the role has been applied. +Users whose roles grant them access to Couchbase Web Console and see administrative details on one or more buckets are able to see the default chart-content for those buckets. +For example, users with the Full Admin, Cluster Admin, Read Only Admin, Security Admin, or Read-Only Security Admin roles can display the charts for all buckets in the cluster. +The *Bucket Admin* role allows a user to display of charts of buckets to which they were granted administrator access. Users who can see the default content for some or all buckets can also create their own, customized content for those buckets. Note that customized content is saved on Couchbase Server only on a _per user_ basis: therefore, for example, when a *Full Admin* creates customized content, it is visible only to the *Full Admin*, not to any other user. diff --git a/modules/rest-api/pages/change-master-password.adoc b/modules/rest-api/pages/change-master-password.adoc index 42d7dedafa..c4e8ea0551 100644 --- a/modules/rest-api/pages/change-master-password.adoc +++ b/modules/rest-api/pages/change-master-password.adoc 
@@ -14,7 +14,7 @@ POST /node/controller/changeMasterPassword == Description This command sets the master password for the current node. -The *Full Admin*, *Local User Security Admin*, or *External User Security Admin* role is required. +Users must have the Full Admin or Security Admin role call it. For a full description of system secrets and their management, see xref:manage:manage-security/manage-system-secrets.adoc[Manage System Secrets]. diff --git a/modules/rest-api/pages/get-trusted-cas.adoc b/modules/rest-api/pages/get-trusted-cas.adoc index a28abd15c7..76153c6291 100644 --- a/modules/rest-api/pages/get-trusted-cas.adoc +++ b/modules/rest-api/pages/get-trusted-cas.adoc @@ -21,7 +21,7 @@ Note that this list is therefore _complete_ and _cluster-wide_. Note that although support of multiple root certificates is only available in versions of Couchbase Server that are 7.1 and later, this API _can_ be used on clusters that are running different versions of Couchbase Server, some of which are prior to 7.1. This method and endpoint can be used by unauthorized users: however, cluster-private details are redacted from the output. -For all details to be returned, the user must have the Full Admin, the Local User Security Admin, or the External User Security Admin role. +For all details to be returned, the user must have the Full Admin, the Security Admin, or the External User Security Admin role. See the examples provided in xref:#output-redaction[Output Redaction], below. [#curl-syntax] diff --git a/modules/rest-api/pages/load-trusted-cas.adoc b/modules/rest-api/pages/load-trusted-cas.adoc index 36c2997b19..cb38a4c9cd 100644 --- a/modules/rest-api/pages/load-trusted-cas.adoc +++ b/modules/rest-api/pages/load-trusted-cas.adoc 
@@ -19,7 +19,7 @@ Loads trusted certificates into the Couchbase-Server trust store. All loaded certificates can be accessed by all nodes. Loaded CA (or _root_) certificates can be used to provide authority to the cluster's nodes, and can be used to authenticate clients' access-attempts. -The Full Admin, the Local User Security Admin, or the External User Security Admin role is required. +This method requires the user to have the Full Admin or Security Admin role. Note the following: diff --git a/modules/rest-api/pages/rest-auditing.adoc b/modules/rest-api/pages/rest-auditing.adoc index 455c142a83..a5f1afb198 100644 --- a/modules/rest-api/pages/rest-auditing.adoc +++ b/modules/rest-api/pages/rest-auditing.adoc @@ -28,8 +28,10 @@ A _filterable_ event is an event that can be individually disabled, even when ev Events that are not filterable are not included in the list returned by `GET /settings/audit/descriptors`. + Events that are not filterable can be retrieved using the `GET` method `/settings/audit/nonFilterableDescriptors` -Auditing can be configured by the *Full Admin* and the *Local User Security Admin* roles. -The auditing configuration can be read by the *Full Admin*, the *Local User Security Admin*, and the *Read-Only Admin* roles. +== Required Privileges + +Only users with the Full Admin or Security Admin* roles can configure Auditing. +Users with the Full Admin, Security Admin, or the Read-Only Security Admin roles can read the Auditing configuration. == Curl Syntax diff --git a/modules/rest-api/pages/rest-cluster-autofailover-settings.adoc b/modules/rest-api/pages/rest-cluster-autofailover-settings.adoc index dcc5528360..6b759b887c 100644 --- a/modules/rest-api/pages/rest-cluster-autofailover-settings.adoc +++ b/modules/rest-api/pages/rest-cluster-autofailover-settings.adoc 
@@ -17,7 +17,7 @@ GET /settings/autoFailover The `GET /settings/autoFailover` HTTP method and URI retrieve auto-failover settings for the cluster. Auto-failover settings are global, and apply to all nodes in the cluster. -To read auto-failover settings, one of the following roles is required: Full Admin, Cluster Admin, Read-Only Admin, Backup Full Admin, Eventing Full Admin, Local User Security Admin, External User Security Admin. + == Curl Syntax @@ -27,6 +27,23 @@ curl -X GET http://:8091/settings/autoFailover -u : ---- +== Required Privileges + +You must have one of the following roles to retrieve auto-failover settings: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#backup-full-admin[Backup Full Admin] +* xref:learn:security/roles.adoc#bucket-admin[Bucket Admin] +* xref:learn:security/roles.adoc#cluster-admin[Cluster Admin] +* xref:learn:security/roles.adoc#eventing-full-admin[Eventing Full Admin] +* xref:learn:security/roles.adoc#xdcr-admin[XDCR Admin] +* xref:learn:security/roles.adoc#read-only-admin[Read-Only Admin] +* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] +* xref:learn:security/roles.adoc#external-user-security-admin[External User Admin] +* xref:learn:security/roles.adoc#local-user-security-admin[Local User Admin] +* xref:learn:security/roles.adoc#views-admin[Views Admin] + == Responses Success returns `200 OK`, and an object that contains the following parameters: diff --git a/modules/rest-api/pages/rest-identify-orchestrator.adoc b/modules/rest-api/pages/rest-identify-orchestrator.adoc index 4a18ba4400..39a633c5a6 100644 --- a/modules/rest-api/pages/rest-identify-orchestrator.adoc +++ b/modules/rest-api/pages/rest-identify-orchestrator.adoc 
@@ -31,7 +31,60 @@ curl -v -X GET -u : ---- The `ip-address-or-domain-name` should specify a node within the cluster whose orchestrator-location is to be determined: information returned by the call is that which is _known to the specified node_. -The `username` and `password` must be those of a user with the Full Admin, Cluster Admin, Read Only Admin, Local User Security Admin, or External User Security role. +The `username` and `password` must a user with one of the roles listed in the newxt section. + +== Required Privileges + +You must have one of the following roles to call this method: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#analytics-admin[Analytics Admin] +* xref:learn:security/roles.adoc#analytics-manager[Analytics Manager] +* xref:learn:security/roles.adoc#analytics-reader[Analytics Reader] +* xref:learn:security/roles.adoc#analytics-select[Analytics Select] +* xref:learn:security/roles.adoc#backup-full-admin[Backup Full Admin] +* xref:learn:security/roles.adoc#bucket-admin[Bucket Admin] +* xref:learn:security/roles.adoc#application-access[Application Access] +* xref:learn:security/roles.adoc#cluster-admin[Cluster Admin] +* xref:learn:security/roles.adoc#data-backup-and-restore[Data Backup & Restore] +* xref:learn:security/roles.adoc#data-dcp-reader[Data DCP Reader] +* xref:learn:security/roles.adoc#data-monitor[Data Monitor] +* xref:learn:security/roles.adoc#data-reader[Data Reader] +* xref:learn:security/roles.adoc#data-writer[Data Writer] +* xref:learn:security/roles.adoc#eventing-full-admin[Eventing Full Admin] +* xref:learn:security/roles.adoc#manage-scope-functions[Manage Scope Functions] +* xref:learn:security/roles.adoc#search-admin[Search Admin] +* xref:learn:security/roles.adoc#search-reader[Search Reader] +* xref:learn:security/roles.adoc#sync-gateway[Sync Gateway] +* xref:learn:security/roles.adoc#query-delete[Query Delete] +* 
xref:learn:security/roles.adoc#execute-scope-external-functions[Execute Scope External Functions] +* xref:learn:security/roles.adoc#execute-scope-functions[Execute Scope Functions] +* xref:learn:security/roles.adoc#execute-global-external-functions[Execute Global External Functions] +* xref:learn:security/roles.adoc#execute-global-functions[Execute Global Functions] +* xref:learn:security/roles.adoc#query-curl-access[Query CURL Access] +* xref:learn:security/roles.adoc#query-insert[Query Insert] +* xref:learn:security/roles.adoc#query-list-index[Query List Index] +* xref:learn:security/roles.adoc#manage-scope-external-functions[Manage Scope External Functions] +* xref:learn:security/roles.adoc#manage-scope-functions[Manage Scope Functions] +* xref:learn:security/roles.adoc#manage-global-external-functions[Manage Global External Functions] +* xref:learn:security/roles.adoc#manage-global-functions[Manage Global Functions] +* xref:learn:security/roles.adoc#query-manage-index[Query Manage Index] +* xref:learn:security/roles.adoc#query_manage_sequences[Manage Sequences] +* xref:learn:security/roles.adoc#query_manage_system_catalog[Query Manage System Catalog] +* xref:learn:security/roles.adoc#query-select[Query Select] +* xref:learn:security/roles.adoc#query-system-catalog[Query System Catalog] +* xref:learn:security/roles.adoc#query-update[Query Update] +* xref:learn:security/roles.adoc#query_use_sequences[Use Sequences] +* xref:learn:security/roles.adoc#xdcr-admin[XDCR Admin] +* xref:learn:security/roles.adoc#xdcr-inbound[XDCR Inbound] +* xref:learn:security/roles.adoc#read-only-admin[Read-Only Admin] +* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] +* xref:learn:security/roles.adoc#external-user-security-admin[External User Admin] +* xref:learn:security/roles.adoc#local-user-security-admin[Local User Admin] +* xref:learn:security/roles.adoc#views-admin[Views Admin] +* 
xref:learn:security/roles.adoc#views-reader[Views Reader] + == Responses @@ -73,10 +126,10 @@ If the call is successful, `200 OK` is returned, with the following output: ---- { - "clusterUUID": "21d1c9a5d1f40f5bb8ac73f6df9db8a7", - "orchestrator": "ns_1@10.143.210.101", + "clusterUUID": "58ea8d6385837b4aa60755a9a6ab81bb", + "orchestrator": "ns_1@node3.", "isBalanced": true, - "clusterCompatVersion": "6.6" + "clusterCompatVersion": "8.0" } ---- diff --git a/modules/rest-api/pages/rest-logs-get.adoc b/modules/rest-api/pages/rest-logs-get.adoc index 6d4d2d6f0d..288783f01d 100644 --- a/modules/rest-api/pages/rest-logs-get.adoc +++ b/modules/rest-api/pages/rest-logs-get.adoc @@ -17,7 +17,7 @@ GET /sasl_logs/ == Description The `GET /diag` method and URI return general Couchbase-Server diagnostic information. -This requires the *Full Admin*, the *Cluster Admin*, or the *Local User Security Admin* role. + The `GET /sasl_logs` method and URI return the contents of a Couchbase-Server _log_ file. This requires the *Full Admin* or the *Cluster Admin* role. @@ -40,6 +40,18 @@ For a complete list of log files, see xref:manage:manage-logging/manage-logging. If no `log-name` argument is specified, the default value is `debug`; whereby the contents of the `debug.log` file are displayed. +== Required Privileges + +You must have one of the following roles to call this endpoint: + + * Full Admin + * Cluster Admin + * Read-Only Security Admin + * Security Admin + * External User Admin + * Local User Admin + + [#responses] == Responses For both URIs, success gives `200 OK`, and displays the returned content. diff --git a/modules/rest-api/pages/rest-regenerate-all-certs.adoc b/modules/rest-api/pages/rest-regenerate-all-certs.adoc index 8f391b9c9d..03f2edc3d5 100644 --- a/modules/rest-api/pages/rest-regenerate-all-certs.adoc +++ b/modules/rest-api/pages/rest-regenerate-all-certs.adoc 
@@ -47,7 +47,7 @@ Success returns `200 OK` and the text of the regenerated, default root certifica An incorrect username-password combination fails with `401 Unauthorized`. An incorrectly specified URI fails with `404 Object Not Found`. An incorrectly specified IP address or domain name causes the attempted connection to time out, with a `Failed to connect` notification. -An attempt to regenerate certificates without the Full Admin, the Local User Security Admin, or the External User Security Admin role fails with either `401 Unauthorized` or `403 Forbidden` with a notification such as `"message":"Forbidden. User needs one of the following permissions","permissions":["cluster.admin.security!write"]`. +An attempt to regenerate certificates without the Full Admin or Security Admin role fails with either `401 Unauthorized` or `403 Forbidden` with a notification such as `"message":"Forbidden. User needs one of the following permissions","permissions":["cluster.admin.security!write"]`. [#example] == Example diff --git a/modules/rest-api/pages/rest-set-password-policy.adoc b/modules/rest-api/pages/rest-set-password-policy.adoc index a46ab55b7b..6a8ff2d0a7 100644 --- a/modules/rest-api/pages/rest-set-password-policy.adoc +++ b/modules/rest-api/pages/rest-set-password-policy.adoc @@ -19,7 +19,7 @@ POST /settings/passwordPolicy A cluster's _password policy_ specifies a set of character-related requirements that must be met by all passwords whose definition occurs subsequent to the establishing of the policy. Previously defined passwords continue to be valid, even if they do not meet the requirements specified in the most recent policy. -To establish the cluster's password policy, the user must have been assigned the Full Admin, the Local User Security Admin, or the External User Security Admin role. +To call this endpoint, you must have the Full Admin or Security Admin role. [#curl-syntax] == Curl Syntax 
diff --git a/modules/rest-api/pages/rest-xdcr-adv-settings.adoc b/modules/rest-api/pages/rest-xdcr-adv-settings.adoc index a344ea1a6f..4843c68c52 100644 --- a/modules/rest-api/pages/rest-xdcr-adv-settings.adoc +++ b/modules/rest-api/pages/rest-xdcr-adv-settings.adoc @@ -30,7 +30,25 @@ If the global settings are themselves changed, existing replications are not aff Used with the `GET` method, the URIs respectively retrieve global settings for _all_ replications; and for _a specific_ replication, which is referenced by its `settings_URI`. -Each command requires the Full Admin, Cluster Admin, ReadOnly Admin, External User Security Admin, Local User Security Admin, Backup Full Admin, or XDCR Admin role. +Each command requires the Full Admin, Cluster Admin, Read-Only Admin, Security Admin, Read-Only Security Admin, Backup Full Admin, or XDCR Admin role. + +You must have one of the following roles to call the GET methods: + +* Full Admin +* Cluster Admin +* Read-Only Admin +* Security Admin +* Read-Only Security Admin +* Backup Full Admin +* XDCR Admin + +You must have one of the following roles to call the POST methods: + +* Full Admin +* Cluster Admin +* Security Admins +* Backup Full Admin +* XDCR Admin [#curl-syntax] == Curl Syntax diff --git a/modules/rest-api/pages/rotate-data-key.adoc b/modules/rest-api/pages/rotate-data-key.adoc index 809239a85c..acc86f7f3f 100644 --- a/modules/rest-api/pages/rotate-data-key.adoc +++ b/modules/rest-api/pages/rotate-data-key.adoc @@ -14,7 +14,7 @@ POST /node/controller/rotateDataKey == Description This command rotates the data key. -The *Full Admin*, *Local User Security Admin*, or *External User Security Admin* role is required. + == Curl Syntax @@ -23,6 +23,10 @@ curl -X POST http://127.0.0.1:8091/node/controller/rotateDataKey -u Administrator:password ---- +== Required Privileges + +You must have the Full Admin or Security Admin role to call this endpoint. + == Responses Success returns `200 OK`. 
diff --git a/modules/rest-api/pages/system-secrets-configuration.adoc b/modules/rest-api/pages/system-secrets-configuration.adoc index a34b40f625..5ef60c4ac1 100644 --- a/modules/rest-api/pages/system-secrets-configuration.adoc +++ b/modules/rest-api/pages/system-secrets-configuration.adoc @@ -17,8 +17,6 @@ POST /node/controller/secretsManagement == Description Configures _system secrets_; which comprises the master password, data keys, key storage, and the location of key-control scripts. -The *Full Admin*, *Local User Security Admin*, or *External User Security Admin* role is required. - == Curl Syntax ---- @@ -101,6 +99,20 @@ The script to be executed for the writing of data keys (when the value of `keySt * `deleteCmd`. The script to be executed for the deletion of data keys (when the value of `keyStorageType` is `script`). + +== Required Privileges + +To retrieve the current configuration, you must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + +To change the current configuration, you must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + == Responses For `GET` and `POST`, success returns `200 OK`, and an object containing the current settings. diff --git a/modules/rest-api/pages/upload-retrieve-node-cert.adoc b/modules/rest-api/pages/upload-retrieve-node-cert.adoc index 5d975f7d58..333f73c9f9 100644 --- a/modules/rest-api/pages/upload-retrieve-node-cert.adoc +++ b/modules/rest-api/pages/upload-retrieve-node-cert.adoc 
@@ -28,7 +28,6 @@ Note that such retrieval can only be performed with an administrator-configured Note that the `POST` API _can_ be used on clusters one or more of whose nodes is running a version of Couchbase Server prior to 7.1. The `GET` API can likewise be used: however, node-certificates for pre-7.1 nodes are not returned. -Both calls require either the Full Admin or the Local User Security Admin role. For the loading of the node-certificate to succeed, the private key and chain file must both be readable by user `couchbase`. [#node-certificate-validation] @@ -123,6 +122,19 @@ The specified passphrase is stored on the node with the Couchbase-Server procedu See xref:manage:manage-security/manage-system-secrets.adoc[Manage System Secrets]. When the private key is accessed, the passphrase is transmitted in the clear (unless Https is used), and can be transmitted between nodes: this is insecure, and consequently, the `plain` option is recommended only for pre-production use. +== Required Privileges + +To retrieve a node certificate, you must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + +To upload a node certificate, you must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + [#responses] == Responses From 09bca3b9b652711542a9a016fcadb5af7a684505 Mon Sep 17 00:00:00 2001 
From: Gary Gray <137797428+ggray-cb@users.noreply.github.com> Date: Fri, 15 Aug 2025 10:41:38 -0400 Subject: [PATCH 2/8] Updates to standardize the roles sections --- modules/rest-api/pages/load-trusted-cas.adoc | 9 ++++- modules/rest-api/pages/rest-auditing.adoc | 12 +++++- modules/rest-api/pages/rest-logs-get.adoc | 12 +++--- .../pages/rest-regenerate-all-certs.adoc | 8 +++- .../pages/rest-set-password-policy.adoc | 15 +++++++- .../pages/rest-xdcr-adv-settings.adoc | 38 ++++++++++--------- modules/rest-api/pages/rotate-data-key.adoc | 8 +++- 7 files changed, 72 insertions(+), 30 deletions(-) diff --git a/modules/rest-api/pages/load-trusted-cas.adoc b/modules/rest-api/pages/load-trusted-cas.adoc index cb38a4c9cd..0f954e5ae6 100644 --- a/modules/rest-api/pages/load-trusted-cas.adoc +++ b/modules/rest-api/pages/load-trusted-cas.adoc @@ -19,7 +19,7 @@ Loads trusted certificates into the Couchbase-Server trust store. All loaded certificates can be accessed by all nodes. Loaded CA (or _root_) certificates can be used to provide authority to the cluster's nodes, and can be used to authenticate clients' access-attempts. -This method requires the user to have the Full Admin or Security Admin role. + Note the following: @@ -66,6 +66,13 @@ curl -X POST http://:8091/node/controller/loadTrusted -u : ---- +== Required Privileges + +To load trusted CA certificates, you must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + [#responses] == Responses diff --git a/modules/rest-api/pages/rest-auditing.adoc b/modules/rest-api/pages/rest-auditing.adoc index a5f1afb198..531ed3a64f 100644 --- a/modules/rest-api/pages/rest-auditing.adoc +++ b/modules/rest-api/pages/rest-auditing.adoc 
@@ -30,8 +30,16 @@ Events that are not filterable can be retrieved using the `GET` method `/setting == Required Privileges -Only users with the Full Admin or Security Admin* roles can configure Auditing. -Users with the Full Admin, Security Admin, or the Read-Only Security Admin roles can read the Auditing configuration. +To read auditing settings, you must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + +To change auditing settings, you must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] == Curl Syntax diff --git a/modules/rest-api/pages/rest-logs-get.adoc b/modules/rest-api/pages/rest-logs-get.adoc index 288783f01d..bfaffff0fc 100644 --- a/modules/rest-api/pages/rest-logs-get.adoc +++ b/modules/rest-api/pages/rest-logs-get.adoc @@ -44,12 +44,12 @@ If no `log-name` argument is specified, the default value is `debug`; whereby th You must have one of the following roles to call this endpoint: - * Full Admin - * Cluster Admin - * Read-Only Security Admin - * Security Admin - * External User Admin - * Local User Admin +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#cluster-admin[Cluster Admin] +* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] +* xref:learn:security/roles.adoc#external-user-security-admin[External User Admin] +* xref:learn:security/roles.adoc#local-user-security-admin[Local User Admin] [#responses] diff --git a/modules/rest-api/pages/rest-regenerate-all-certs.adoc b/modules/rest-api/pages/rest-regenerate-all-certs.adoc index 03f2edc3d5..916aeaf2f0 100644 --- a/modules/rest-api/pages/rest-regenerate-all-certs.adoc 
+++ b/modules/rest-api/pages/rest-regenerate-all-certs.adoc @@ -28,7 +28,6 @@ Should problems occur during or subsequent to the deployment of these new certif Note that on Couchbase Server Version 7.1 and later, when regeneration is performed, no trusted root certificate is _removed_ from the cluster: all trusted root certificates remain in the cluster's trust store; and can be removed _manually_, as appropriate. For information, see xref:learn:security/using-multiple-cas.adoc[Using Multiple Root Certificates]. -To regenerate certificates, the administrator must have either the Full Admin or the Local Admin Security Admin role. [#curl-syntax] == Curl Syntax @@ -40,6 +39,13 @@ curl -X POST http://:8091/controller/regenerateCertif -u : ---- +== Required Privileges + +You must have one of the following roles to regenerate certificates: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + [#responses] == Responses diff --git a/modules/rest-api/pages/rest-set-password-policy.adoc b/modules/rest-api/pages/rest-set-password-policy.adoc index 6a8ff2d0a7..97e1d6af1c 100644 --- a/modules/rest-api/pages/rest-set-password-policy.adoc +++ b/modules/rest-api/pages/rest-set-password-policy.adoc @@ -19,7 +19,7 @@ POST /settings/passwordPolicy A cluster's _password policy_ specifies a set of character-related requirements that must be met by all passwords whose definition occurs subsequent to the establishing of the policy. Previously defined passwords continue to be valid, even if they do not meet the requirements specified in the most recent policy. -To call this endpoint, you must have the Full Admin or Security Admin role. + [#curl-syntax] == Curl Syntax 
@@ -45,6 +45,19 @@ The `enforceUppercase` and `enforceLowercase` flags establish whether the passwo The `enforceDigits` and `enforceSpecialChars` flags establish whether the password must contain at least one digit or special character, respectively: the value of each must be either `true` or `false`. Acceptable special characters are the following: `@`, `%`, `+`, `/`, `'`, `\`, `"`, `!`, `#`, `$`, `^`, `?`, `:`, `,`, `(`, `)`, `{`, `}`, `[`, `]`, `~`, ```, `-`, and `_`. +== Required Privileges + +To retrieve the password policy, you must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + +To set the password policy, you must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + [#responses] == Responses diff --git a/modules/rest-api/pages/rest-xdcr-adv-settings.adoc b/modules/rest-api/pages/rest-xdcr-adv-settings.adoc index 4843c68c52..254af8330c 100644 --- a/modules/rest-api/pages/rest-xdcr-adv-settings.adoc +++ b/modules/rest-api/pages/rest-xdcr-adv-settings.adoc 
@@ -30,25 +30,7 @@ If the global settings are themselves changed, existing replications are not aff Used with the `GET` method, the URIs respectively retrieve global settings for _all_ replications; and for _a specific_ replication, which is referenced by its `settings_URI`. -Each command requires the Full Admin, Cluster Admin, Read-Only Admin, Security Admin, Read-Only Security Admin, Backup Full Admin, or XDCR Admin role. -You must have one of the following roles to call the GET methods: - -* Full Admin -* Cluster Admin -* Read-Only Admin -* Security Admin -* Read-Only Security Admin -* Backup Full Admin -* XDCR Admin - -You must have one of the following roles to call the POST methods: - -* Full Admin -* Cluster Admin -* Security Admins -* Backup Full Admin -* XDCR Admin [#curl-syntax] == Curl Syntax @@ -72,6 +54,26 @@ curl -u : -X GET \ Each instance of the POST method allows one or more instances of the `xdcr-advanced-setting` flag to be specified, with an appropriate `value`. All flags are listed below, in the section xref:rest-api:rest-xdcr-adv-settings.adoc#xdcr-advanced-settings-rest[List of Advanced Settings]. +== Required Privileges + +You must have one of the following roles to call the GET methods: + +* Full Admin +* Cluster Admin +* Read-Only Admin +* Security Admin +* Read-Only Security Admin +* Backup Full Admin +* XDCR Admin + +You must have one of the following roles to call the POST methods: + +* Full Admin +* Cluster Admin +* Security Admins +* Backup Full Admin +* XDCR Admin + [#responses] == Responses diff --git a/modules/rest-api/pages/rotate-data-key.adoc b/modules/rest-api/pages/rotate-data-key.adoc index acc86f7f3f..801186f4e5 100644 --- a/modules/rest-api/pages/rotate-data-key.adoc +++ b/modules/rest-api/pages/rotate-data-key.adoc 
@@ -25,7 +25,13 @@ curl -X POST http://127.0.0.1:8091/node/controller/rotateDataKey == Required Privileges -You must have the Full Admin or Security Admin role to call this endpoint. + +You must have one of the following roles to rotate the data key: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + + == Responses From cba6e5c118b9baa58c89dd217c633588384e3e57 Mon Sep 17 00:00:00 2001 From: Gary Gray <137797428+ggray-cb@users.noreply.github.com> Date: Fri, 15 Aug 2025 11:01:28 -0400 Subject: [PATCH 3/8] Some clarificxations about RO Security Admin --- modules/learn/pages/security/roles.adoc | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/modules/learn/pages/security/roles.adoc b/modules/learn/pages/security/roles.adoc index ff3d99fa03..96ee619539 100644 --- a/modules/learn/pages/security/roles.adoc +++ b/modules/learn/pages/security/roles.adoc @@ -245,13 +245,14 @@ h| Restrictions [#ro-security-admin] === Read-Only Security Admin -The Read- -only Security Admin role allows the user to view all security settings except for users and groups. +The Read-Only Security Admin role lets the user view all security settings except for listing users and groups. This role lets the user log into the Couchbase Server Web Console. NOTE: This role is new in Couchbase Server 8.0. - +It was created to separate security privileges from the Read-Only Admin role. +The upgrade process from prior versions to Couchbase Server 8.0 or later grants this role to users that had the Read-Only Admin. +This grant ensures the user retains the privileges they had in prior versions. [#table_ro_security_admin_role,cols="1,2,2,hrows=2"] |=== From 474f9eb86aab52609bac5229ec673e042204c6d3 Mon Sep 17 00:00:00 2001 
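Review bot: In the first load-trusted-cas.adoc hunk the removed sentence is replaced by an empty `+` line rather than deleted, which leaves two consecutive blank lines before "Note the following:"; drop the added blank line. The same pattern appears in the first rest-set-password-policy.adoc hunk, and the rotate-data-key.adoc hunk adds an empty `+` line before the new paragraph plus two more after the list, so that file ends up with three blank lines before `== Responses`.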
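Review bot: The new `== Required Privileges` heading in the second load-trusted-cas.adoc hunk has no block anchor, while the neighbouring sections carry `[#curl-syntax]` and `[#responses]`; add `[#required-privileges]` above the heading so other pages can xref the section directly, and apply the same to the Required Privileges sections this patch introduces in rest-regenerate-all-certs.adoc, rest-set-password-policy.adoc and rest-xdcr-adv-settings.adoc.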
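Review bot: In the rest-logs-get.adoc hunk the last two list items link to `#external-user-security-admin` and `#local-user-security-admin` but label them "External User Admin" and "Local User Admin", so the visible text disagrees with the anchor names. The first patch in this series describes cleaning up lingering references to these roles and replaced them with Security Admin on the certificates page, so confirm the roles still exist in 8.0 and the anchors resolve before linking to them here; otherwise the list should be trimmed to match the certificates page.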
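Review bot: The second rest-set-password-policy.adoc hunk adds a "To retrieve the password policy" role list, but the context at the top of the file shows this page documents `POST /settings/passwordPolicy`; if retrieval is documented on a separate GET page, the read-only list belongs there, and if this page covers both methods the description should say so above the Curl Syntax section.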
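Review bot: The second rest-xdcr-adv-settings.adoc hunk carries over the typo "Security Admins" in the POST list; it should read "Security Admin". The moved lists are also plain text, whereas every other Required Privileges list added in this patch uses `xref:learn:security/roles.adoc#...[...]` links, so convert these items to the same form for consistency.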
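Review bot: In the roles.adoc hunk of PATCH 3/8 the sentence "grants this role to users that had the Read-Only Admin." is missing the word "role" (read: "users that had the Read-Only Admin role"). Note also that the hunk removes the blank line after `NOTE: This role is new in Couchbase Server 8.0.`, so the three added sentences become part of the NOTE admonition paragraph; if they are meant to be body text rather than part of the note, keep the blank line.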
From: Gary Gray <137797428+ggray-cb@users.noreply.github.com> Date: Fri, 15 Aug 2025 11:04:25 -0400 Subject: [PATCH 4/8] Removing some bolded role references --- modules/manage/pages/manage-statistics/manage-statistics.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/manage/pages/manage-statistics/manage-statistics.adoc b/modules/manage/pages/manage-statistics/manage-statistics.adoc index 6ff581c991..e875b35b16 100644 --- a/modules/manage/pages/manage-statistics/manage-statistics.adoc +++ b/modules/manage/pages/manage-statistics/manage-statistics.adoc @@ -49,10 +49,10 @@ Additional information can be displayed by left-clicking on the *Node Resources* All chart-content is provided by _bucket_. Users whose roles grant them access to Couchbase Web Console and see administrative details on one or more buckets are able to see the default chart-content for those buckets. For example, users with the Full Admin, Cluster Admin, Read Only Admin, Security Admin, or Read-Only Security Admin roles can display the charts for all buckets in the cluster. -The *Bucket Admin* role allows a user to display of charts of buckets to which they were granted administrator access. +The Bucket Admin role allows a user to display of charts of buckets to which they were granted administrator access. Users who can see the default content for some or all buckets can also create their own, customized content for those buckets. -Note that customized content is saved on Couchbase Server only on a _per user_ basis: therefore, for example, when a *Full Admin* creates customized content, it is visible only to the *Full Admin*, not to any other user. +Note that customized content is saved on Couchbase Server only on a _per user_ basis: therefore, for example, when a Full Admin creates customized content, it is visible only to the Full Admin, not to any other user. [#dashboard-controls] === Dashboard Controls 
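Review bot: The first changed line in the manage-statistics.adoc hunk still reads "allows a user to display of charts of buckets"; since the line is being edited anyway, fix the grammar to "allows a user to display charts of buckets". The context line above it also spells the role "Read Only Admin" while the rest of this series uses "Read-Only Admin".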
From a5401e07f65319b49766c7161bd0df42c498a2df Mon Sep 17 00:00:00 2001 From: Gary Gray <137797428+ggray-cb@users.noreply.github.com> Date: Fri, 15 Aug 2025 11:28:53 -0400 Subject: [PATCH 5/8] Fixed another role name and stanardized two more REST API pages. --- modules/learn/pages/security/roles.adoc | 4 ++-- .../rest-api/pages/change-master-password.adoc | 9 ++++++++- modules/rest-api/pages/get-trusted-cas.adoc | 17 ++++++++++++++--- 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/modules/learn/pages/security/roles.adoc b/modules/learn/pages/security/roles.adoc index 96ee619539..8c6bc9311e 100644 --- a/modules/learn/pages/security/roles.adoc +++ b/modules/learn/pages/security/roles.adoc @@ -1425,7 +1425,7 @@ Cannot use the Query Workbench in Couchbase Server Web Console. [#query-sequential-scan] -=== Query Use Sequential Scan +=== Query Use Sequential Scans The Query Use Sequential Scan role allows users' queries to perform a sequential scan of a keyspace. The query planner only uses a sequential scan when no suitable index exists for the keyspace. @@ -1438,7 +1438,7 @@ This role does not let the user log into Couchbase Server Web Console. [#table_query_use_sequential_scans_role,cols="1,2,2,hrows=2] |=== -3+^| Role: Query Use Sequential Scan (`query_use_sequential_scans`) +3+^| Role: Query Use Sequential Scans (`query_use_sequential_scans`) h| Resource h| Permissions diff --git a/modules/rest-api/pages/change-master-password.adoc b/modules/rest-api/pages/change-master-password.adoc index c4e8ea0551..dd667c8b96 100644 --- a/modules/rest-api/pages/change-master-password.adoc +++ b/modules/rest-api/pages/change-master-password.adoc 
@@ -14,7 +14,7 @@ POST /node/controller/changeMasterPassword == Description This command sets the master password for the current node. -Users must have the Full Admin or Security Admin role call it. + For a full description of system secrets and their management, see xref:manage:manage-security/manage-system-secrets.adoc[Manage System Secrets]. @@ -26,6 +26,13 @@ curl -X POST http://127.0.0.1:8091/node/controller/changeMasterPassword -d newPassword= ---- +== Required Privileges + +You must have one of the following roles to change the master password: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] + == Responses Success returns `200 OK`. diff --git a/modules/rest-api/pages/get-trusted-cas.adoc b/modules/rest-api/pages/get-trusted-cas.adoc index 76153c6291..4429c1f89a 100644 --- a/modules/rest-api/pages/get-trusted-cas.adoc +++ b/modules/rest-api/pages/get-trusted-cas.adoc @@ -20,9 +20,7 @@ Note that this list is therefore _complete_ and _cluster-wide_. Note that although support of multiple root certificates is only available in versions of Couchbase Server that are 7.1 and later, this API _can_ be used on clusters that are running different versions of Couchbase Server, some of which are prior to 7.1. -This method and endpoint can be used by unauthorized users: however, cluster-private details are redacted from the output. -For all details to be returned, the user must have the Full Admin, the Security Admin, or the External User Security Admin role. -See the examples provided in xref:#output-redaction[Output Redaction], below. + [#curl-syntax] == Curl Syntax 
@@ -34,6 +32,19 @@ curl -X GET http://:8091/pools/default/trustedCAs -u : ---- +== Required Privileges + +Any user can call this method and endpoint. +However, they will only see a redacted version which does not include cluster-private details. +See the examples <<#output-redaction>> to see what is omitted. + + +To see all details of the returned objects, the user must have one of the following roles: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] +* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin] + [#responses] == Responses From bad493f67be18e6a01b97fcd1e0d7229ec60733b Mon Sep 17 00:00:00 2001 From: Gary Gray <137797428+ggray-cb@users.noreply.github.com> Date: Fri, 15 Aug 2025 14:28:05 -0400 Subject: [PATCH 6/8] Add What's New entry for Read-Only Security Admin role. --- modules/introduction/partials/new-features-80.adoc | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/modules/introduction/partials/new-features-80.adoc b/modules/introduction/partials/new-features-80.adoc index 0dd2c20030..61a92d184a 100644 --- a/modules/introduction/partials/new-features-80.adoc +++ b/modules/introduction/partials/new-features-80.adoc @@ -158,7 +158,6 @@ When Hybrid is selected: This mode enhances flexibility for clients while enforcing strict security for node-to-node communication. + For more information, see xref:manage:manage-security/enable-client-certificate-handling.adoc[Enable Client Certificate Handling]. -======= https://jira.issues.couchbase.com/browse/MB-11575[MB-11575]:: XDCR now supports the identification of Incoming Replications on a cluster. 
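Review bot: The first roles.adoc hunk in PATCH 5/8 renames the heading to "Query Use Sequential Scans", but the body sentence in the context, "The Query Use Sequential Scan role allows users' queries ...", keeps the singular name; update it to match.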
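Review bot: The context line `[#table_query_use_sequential_scans_role,cols="1,2,2,hrows=2]` in the second roles.adoc hunk is missing the closing quote on the `cols` value; compare `[#table_ro_security_admin_role,cols="1,2,2,hrows=2"]` in PATCH 3/8. Worth fixing while the table title directly below it is being changed.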
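Review bot: The first change-master-password.adoc hunk replaces the removed sentence with an empty `+` line, leaving a double blank line before "For a full description of system secrets"; delete the line rather than blanking it.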
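Review bot: In the second get-trusted-cas.adoc hunk, `<<#output-redaction>>` is not the usual internal cross-reference form; the removed line used `xref:#output-redaction[Output Redaction]`, and `<<output-redaction,Output Redaction>>` would be the equivalent shorthand, so verify this renders as a link. Two further points in the same hunk: the role list no longer includes External User Security Admin and newly includes Read-Only Security Admin relative to the removed sentence, which is a documented privilege change rather than a rewording and should be confirmed against the role-by-role script mentioned in PATCH 1/8; and there is a double blank line between "See the examples" and "To see all details".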
@@ -253,6 +252,15 @@ The Backup Service in Couchbase Sever 8.0 or later also performs these changes + NOTE: If the user restoring a backup does not have a role that allows them to restore specific roles to a user in the backup, the backup server skips restoring that user. +[#MB-67164] +https://jira.issues.couchbase.com/browse/MB-67164[MB-67164 Add Read-Only Security Admin Role and Remove Security Privileges from Read-Only Admin]:: +To better segment security privileges, Couchbase Server 8.0 removes the security privileges from the Read-Only Admin (`ro_admin`) role. +It also adds a new Read-Only Security Admin (`ro_security_admin`) role that lets the user view security details except for listing users and groups. + ++ +When you upgrade to Couchbase Server 8.0, the upgrade process automatically grants the Read-Only Security Admin role to users who have the Read-Only Admin role. +This grant lets users with the Read-Only Admin role still have the same privileges they had before the upgrade. + See xref:learn:security/roles.adoc[] for more information. [#section-new-feature-800--tools] From 52f34e8b921f980c9f29e54e8e42e00e01fe917d Mon Sep 17 00:00:00 2001 From: Gary Gray <137797428+ggray-cb@users.noreply.github.com> Date: Fri, 15 Aug 2025 14:46:04 -0400 Subject: [PATCH 7/8] Another roles cleanup. --- modules/manage/pages/manage-security/manage-auditing.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/manage/pages/manage-security/manage-auditing.adoc b/modules/manage/pages/manage-security/manage-auditing.adoc index 0a2ce889ce..6c03e2f2e5 100644 --- a/modules/manage/pages/manage-security/manage-auditing.adoc +++ b/modules/manage/pages/manage-security/manage-auditing.adoc 
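Review bot: The `=======` line removed in the first new-features-80.adoc hunk looks like a leftover merge-conflict marker; check the rest of the partial for matching `<<<<<<<` and `>>>>>>>` markers so none survive into the rendered page.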
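Review bot: In the second new-features-80.adoc hunk the MB-67164 entry places a blank line before the `+` list continuation, whereas the surrounding entries (see the `+` directly after "performs these changes" in the context) attach the continuation immediately after the paragraph; remove the blank line so the "When you upgrade" paragraph stays attached to the MB-67164 description-list item.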
@@ -13,8 +13,8 @@ The records created by the Couchbase Auditing facility capture information on _w The records are created by Couchbase Server-processes, which run asynchronously. Each record is stored as a JSON document, which can be retrieved and inspected. -Auditing can be configured by the *Full Admin* and the *Security Admin* roles. -The auditing configuration can be read by the *Full Admin*, the *Security Admin*, and the *Read-Only Security Admin* roles. +Users with the Full Admin or Security Admin roles can configure Auditing. +Users with the Full Admin, Security Admin, or Read-Only Security Admin roles can view the audit configuration. A conceptual overview of event auditing can be found in xref:learn:security/auditing.adoc[Auditing]. See the reference page xref:audit-event-reference:audit-event-reference.adoc[Audit Event Reference], for a complete list of the events that can be audited. From ba56afa14f62a69f196c3e45f148d5dc94d89e3d Mon Sep 17 00:00:00 2001 From: Gary Gray <137797428+ggray-cb@users.noreply.github.com> Date: Tue, 7 Oct 2025 09:52:46 -0400 Subject: [PATCH 8/8] Added links to roles in some of the rest api pages at the suggestion of Steve --- .../pages/rest-identify-orchestrator.adoc | 2 +- modules/rest-api/pages/rest-logs-get.adoc | 7 +++- .../pages/rest-xdcr-adv-settings.adoc | 40 +++++++++++++------ 3 files changed, 34 insertions(+), 15 deletions(-) diff --git a/modules/rest-api/pages/rest-identify-orchestrator.adoc b/modules/rest-api/pages/rest-identify-orchestrator.adoc index 39a633c5a6..1e396bfc23 100644 --- a/modules/rest-api/pages/rest-identify-orchestrator.adoc +++ b/modules/rest-api/pages/rest-identify-orchestrator.adoc 
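Review bot: The two rewritten sentences in the manage-auditing.adoc hunk name the roles as plain text; for consistency with the REST API pages updated in this series, consider linking each role to its anchor on roles.adoc (for example `xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin]`), since this is the page an operator reads to find out who may configure auditing.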
@@ -31,7 +31,7 @@ curl -v -X GET -u : ---- The `ip-address-or-domain-name` should specify a node within the cluster whose orchestrator-location is to be determined: information returned by the call is that which is _known to the specified node_. -The `username` and `password` must a user with one of the roles listed in the newxt section. +The `username` and `password` must a user with one of the roles listed in the next section. == Required Privileges diff --git a/modules/rest-api/pages/rest-logs-get.adoc b/modules/rest-api/pages/rest-logs-get.adoc index bfaffff0fc..88e8a3a961 100644 --- a/modules/rest-api/pages/rest-logs-get.adoc +++ b/modules/rest-api/pages/rest-logs-get.adoc @@ -42,7 +42,7 @@ If no `log-name` argument is specified, the default value is `debug`; whereby th == Required Privileges -You must have one of the following roles to call this endpoint: +You must have one of the following roles to call the `/diag` endpoint: * xref:learn:security/roles.adoc#full-admin[Full Admin] * xref:learn:security/roles.adoc#cluster-admin[Cluster Admin] @@ -51,6 +51,11 @@ You must have one of the following roles to call this endpoint: * xref:learn:security/roles.adoc#external-user-security-admin[External User Admin] * xref:learn:security/roles.adoc#local-user-security-admin[Local User Admin] +You must have one of the following roles to call the `/sasl_logs` endpoint: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#cluster-admin[Cluster Admin] + [#responses] == Responses diff --git a/modules/rest-api/pages/rest-xdcr-adv-settings.adoc b/modules/rest-api/pages/rest-xdcr-adv-settings.adoc index da5594d9d0..caeb9613c2 100644 --- a/modules/rest-api/pages/rest-xdcr-adv-settings.adoc +++ b/modules/rest-api/pages/rest-xdcr-adv-settings.adoc 
@@ -56,23 +56,37 @@ All flags are listed below, in the section xref:rest-api:rest-xdcr-adv-settings. == Required Privileges -You must have one of the following roles to call the GET methods: +You must have one of the following roles to call the GET method on `/settings/replications`: + + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#backup-full-admin[Backup Full Admin] +* xref:learn:security/roles.adoc#cluster-admin[Cluster Admin] +* xref:learn:security/roles.adoc#xdcr-admin[XDCR Admin] +* xref:learn:security/roles.adoc#read-only-admin[Read-Only Admin] + +You must have one of the following roles to call the GET method on `/settings/replications/`: + +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#backup-full-admin[Backup Full Admin] +* xref:learn:security/roles.adoc#bucket-admin[Bucket Admin] +* xref:learn:security/roles.adoc#application-access[Application Access] +* xref:learn:security/roles.adoc#cluster-admin[Cluster Admin] +* xref:learn:security/roles.adoc#sync-gateway[Sync Gateway] +* xref:learn:security/roles.adoc#xdcr-admin[XDCR Admin] +* xref:learn:security/roles.adoc#read-only-admin[Read-Only Admin] +* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin] +* xref:learn:security/roles.adoc#security-admin[Security Admin] +* xref:learn:security/roles.adoc#external-user-security-admin[External User Admin] +* xref:learn:security/roles.adoc#local-user-security-admin[Local User Admin] -* Full Admin -* Cluster Admin -* Read-Only Admin -* Security Admin -* Read-Only Security Admin -* Backup Full Admin -* XDCR Admin You must have one of the following roles to call the POST methods: -* Full Admin -* Cluster Admin -* Security Admins -* Backup Full Admin -* XDCR Admin +* xref:learn:security/roles.adoc#full-admin[Full Admin] +* xref:learn:security/roles.adoc#backup-full-admin[Backup Full Admin] +* xref:learn:security/roles.adoc#cluster-admin[Cluster Admin] +* 
xref:learn:security/roles.adoc#xdcr-admin[XDCR Admin] [#responses] == Responses
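Review bot: The rest-identify-orchestrator.adoc hunk fixes "newxt" but the same line still reads "The `username` and `password` must a user with"; it is missing "be" (or "identify"), so correct the full sentence while it is being touched.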
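Review bot: The second rest-logs-get.adoc hunk adds a separate role list for `/sasl_logs`, but the context lines above it still label `#external-user-security-admin` and `#local-user-security-admin` as "External User Admin" and "Local User Admin"; fix the labels to match the anchors (or drop the items if those roles were removed) in the same change, and make sure the page's description above the Curl Syntax section actually introduces both the `/diag` and `/sasl_logs` endpoints that the two lists now refer to.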
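Review bot: The rest-xdcr-adv-settings.adoc hunk silently changes the documented privilege sets: Security Admin and Read-Only Security Admin disappear from the GET list for `/settings/replications`, and Security Admin disappears from the POST list, even though the commit message only describes adding links. If the role-by-role script from PATCH 1/8 produced these results, say so in the commit message; otherwise restore the roles. Also, the first lead-in sentence is followed by two blank lines, the per-replication lead-in ends in a bare `/settings/replications/` and should show its `settings_URI` placeholder, and the list ordering (Full Admin, Backup Full Admin, Cluster Admin, ...) differs from the alphabetical-after-Full-Admin order used on the other pages in this series.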