diff --git a/modules/n1ql/assets/images/n1ql-language-reference/alter-bucket.png b/modules/n1ql/assets/images/n1ql-language-reference/alter-bucket.png
new file mode 100644
index 000000000..49a8d19a5
Binary files /dev/null and b/modules/n1ql/assets/images/n1ql-language-reference/alter-bucket.png differ
diff --git a/modules/n1ql/assets/images/n1ql-language-reference/alter-group.png b/modules/n1ql/assets/images/n1ql-language-reference/alter-group.png
new file mode 100644
index 000000000..402e7504a
Binary files /dev/null and b/modules/n1ql/assets/images/n1ql-language-reference/alter-group.png differ
diff --git a/modules/n1ql/assets/images/n1ql-language-reference/alter-user.png b/modules/n1ql/assets/images/n1ql-language-reference/alter-user.png
new file mode 100644
index 000000000..c65f5656f
Binary files /dev/null and b/modules/n1ql/assets/images/n1ql-language-reference/alter-user.png differ
diff --git a/modules/n1ql/assets/images/n1ql-language-reference/create-bucket.png b/modules/n1ql/assets/images/n1ql-language-reference/create-bucket.png
new file mode 100644
index 000000000..a186b4ccc
Binary files /dev/null and b/modules/n1ql/assets/images/n1ql-language-reference/create-bucket.png differ
diff --git a/modules/n1ql/assets/images/n1ql-language-reference/create-group.png b/modules/n1ql/assets/images/n1ql-language-reference/create-group.png
new file mode 100644
index 000000000..d962ae241
Binary files /dev/null and b/modules/n1ql/assets/images/n1ql-language-reference/create-group.png differ
diff --git a/modules/n1ql/assets/images/n1ql-language-reference/create-statement.png b/modules/n1ql/assets/images/n1ql-language-reference/create-statement.png
index 9abbc3084..7d4bcaea5 100644
Binary files a/modules/n1ql/assets/images/n1ql-language-reference/create-statement.png and b/modules/n1ql/assets/images/n1ql-language-reference/create-statement.png differ
diff --git a/modules/n1ql/assets/images/n1ql-language-reference/create-user.png b/modules/n1ql/assets/images/n1ql-language-reference/create-user.png
new file mode 100644
index 000000000..a68e1369d
Binary files /dev/null and b/modules/n1ql/assets/images/n1ql-language-reference/create-user.png differ
diff --git a/modules/n1ql/assets/images/n1ql-language-reference/drop-bucket.png b/modules/n1ql/assets/images/n1ql-language-reference/drop-bucket.png
new file mode 100644
index 000000000..1a662f2dc
Binary files /dev/null and b/modules/n1ql/assets/images/n1ql-language-reference/drop-bucket.png differ
diff --git a/modules/n1ql/assets/images/n1ql-language-reference/drop-group.png b/modules/n1ql/assets/images/n1ql-language-reference/drop-group.png
new file mode 100644
index 000000000..146b95d40
Binary files /dev/null and b/modules/n1ql/assets/images/n1ql-language-reference/drop-group.png differ
diff --git a/modules/n1ql/assets/images/n1ql-language-reference/drop-statement.png b/modules/n1ql/assets/images/n1ql-language-reference/drop-statement.png
index ad8f3791c..898f61cc2 100644
Binary files a/modules/n1ql/assets/images/n1ql-language-reference/drop-statement.png and b/modules/n1ql/assets/images/n1ql-language-reference/drop-statement.png differ
diff --git a/modules/n1ql/assets/images/n1ql-language-reference/drop-user.png b/modules/n1ql/assets/images/n1ql-language-reference/drop-user.png
new file mode 100644
index 000000000..b3e1efdda
Binary files /dev/null and b/modules/n1ql/assets/images/n1ql-language-reference/drop-user.png differ
diff --git a/modules/n1ql/assets/images/n1ql-language-reference/grant-group.png b/modules/n1ql/assets/images/n1ql-language-reference/grant-group.png
new file mode 100644
index 000000000..3cfcc9bda
Binary files /dev/null and b/modules/n1ql/assets/images/n1ql-language-reference/grant-group.png differ
diff --git a/modules/n1ql/assets/images/n1ql-language-reference/grant-user.png b/modules/n1ql/assets/images/n1ql-language-reference/grant-user.png
new file mode 100644
index 000000000..7165ee0d8
Binary files /dev/null and b/modules/n1ql/assets/images/n1ql-language-reference/grant-user.png differ
diff --git a/modules/n1ql/assets/images/n1ql-language-reference/grant.png b/modules/n1ql/assets/images/n1ql-language-reference/grant.png
index 5a1b680e8..146e850fd 100644
Binary files a/modules/n1ql/assets/images/n1ql-language-reference/grant.png and b/modules/n1ql/assets/images/n1ql-language-reference/grant.png differ
diff --git a/modules/n1ql/assets/images/n1ql-language-reference/other-statement.png b/modules/n1ql/assets/images/n1ql-language-reference/other-statement.png
index 11e4e38d9..5cef6956a 100644
Binary files a/modules/n1ql/assets/images/n1ql-language-reference/other-statement.png and b/modules/n1ql/assets/images/n1ql-language-reference/other-statement.png differ
diff --git a/modules/n1ql/assets/images/n1ql-language-reference/rbac-role.png b/modules/n1ql/assets/images/n1ql-language-reference/rbac-role.png
new file mode 100644
index 000000000..007e740dd
Binary files /dev/null and b/modules/n1ql/assets/images/n1ql-language-reference/rbac-role.png differ
diff --git a/modules/n1ql/assets/images/n1ql-language-reference/revoke-group.png b/modules/n1ql/assets/images/n1ql-language-reference/revoke-group.png
new file mode 100644
index 000000000..e310a2cd4
Binary files /dev/null and b/modules/n1ql/assets/images/n1ql-language-reference/revoke-group.png differ
diff --git a/modules/n1ql/assets/images/n1ql-language-reference/revoke-user.png b/modules/n1ql/assets/images/n1ql-language-reference/revoke-user.png
new file mode 100644
index 000000000..fe50f7e4a
Binary files /dev/null and b/modules/n1ql/assets/images/n1ql-language-reference/revoke-user.png differ
diff --git a/modules/n1ql/assets/images/n1ql-language-reference/revoke.png b/modules/n1ql/assets/images/n1ql-language-reference/revoke.png
index 91d35cb63..0cf3a20e9 100644
Binary files a/modules/n1ql/assets/images/n1ql-language-reference/revoke.png and b/modules/n1ql/assets/images/n1ql-language-reference/revoke.png differ
diff --git a/modules/n1ql/pages/n1ql-language-reference/alterbucket.adoc b/modules/n1ql/pages/n1ql-language-reference/alterbucket.adoc
new file mode 100644
index 000000000..6f5aae4c7
--- /dev/null
+++ b/modules/n1ql/pages/n1ql-language-reference/alterbucket.adoc
@@ -0,0 +1,77 @@
+= ALTER BUCKET
+:description: The ALTER BUCKET statement enables you to update an existing bucket's configuration.
+:page-topic-type: reference
+:page-status: Couchbase Server 8.0
+:imagesdir: ../../assets/images
+
+:identifier: xref:n1ql-language-reference/identifiers.adoc
+:roles: xref:learn:security/roles.adoc
+:bucket-parameters: xref:rest-api:rest-bucket-create.adoc#parameter-groups
+:buckets: xref:learn:buckets-memory-and-storage/buckets.adoc
+:manage-buckets: xref:manage:manage-buckets/bucket-management-overview.adoc
+:buckets-api: xref:rest-api:rest-bucket-intro.adoc
+:couchbase-cli-bucket-edit: xref:cli:cbcli/couchbase-cli-bucket-edit.adoc
+
+[abstract]
+{description}
+
+== Purpose
+
+Use the ALTER BUCKET statement to modify the configuration of a bucket in your Couchbase cluster.
+You can update only a limited set of bucket settings.
+You cannot change its core properties such as the bucket name and type.
+For more information, see the <> section.
+
+== RBAC Privileges
+
+Only administrators with the following roles can execute the ALTER BUCKET statement:
+
+* Full Admin
+* Cluster Admin
+* Bucket Admin (if privileges are extended to the specific bucket or all buckets on the cluster)
+
+For more information about roles and privileges, see {roles}[Roles].
+
+[[alterbucket-syntax]]
+== Syntax
+
+[source,ebnf]
+----
+include::partial$grammar/ddl.ebnf[tag=alter-bucket]
+----
+
+image::n1ql-language-reference/alter-bucket.png["Syntax diagram: refer to source code listing", align=left]
+
+The `BUCKET` and `DATABASE` keywords are synonyms.
+You can use either of them.
+
+[horizontal]
+name::
+(Required) An {identifier}[identifier] that represents the name of the bucket that you want to update.
+
+with-fields:: (Optional)
+A JSON object containing a list of name-value pairs that specify additional options for the bucket.
+For a list of valid fields names and values, see {bucket-parameters}[Bucket Parameter Groups] in the REST API documentation.
+
+NOTE: You cannot alter the following fields of a bucket: `bucketType`, `storageBackend`, `replicaIndex`, and `conflictResolutionType`.
+
+== Example
+
+.Alter a bucket and update its memory quota, maximum TTL, and durability level
+====
+[source,sqlpp]
+----
+ALTER BUCKET `student-records`
+WITH {
+ "ramQuota": 256,
+ "maxTTL": 86400,
+ "durabilityMinLevel": "majority"
+};
+----
+====
+
+== Related Links
+
+* For an overview of buckets, see {buckets}[Buckets].
+* For step-by-step procedures for bucket management, see {manage-buckets}[Manage Buckets].
+* For managing buckets with the REST API, see {buckets-api}[Buckets API].
\ No newline at end of file
diff --git a/modules/n1ql/pages/n1ql-language-reference/altergroup.adoc b/modules/n1ql/pages/n1ql-language-reference/altergroup.adoc
new file mode 100644
index 000000000..a5ba64de2
--- /dev/null
+++ b/modules/n1ql/pages/n1ql-language-reference/altergroup.adoc
@@ -0,0 +1,142 @@
+= ALTER GROUP
+:description: The ALTER GROUP statement enables you to update an existing group.
+:page-topic-type: reference
+:page-status: Couchbase Server 8.0
+:imagesdir: ../../assets/images
+
+:from: xref:n1ql-language-reference/from.adoc
+:from-keyspace-ref: {from}#from-keyspace-ref
+
+[abstract]
+{description}
+
+== Purpose
+
+Use the ALTER GROUP statement to modify an existing group within the Couchbase Server Role-Based Access Control (RBAC) system.
+You can update the group's description and its roles.
+You can either add new roles or remove all the existing ones.
+When you update a role for a group, all users in the group inherit the updated permissions automatically.
+
+CAUTION: When you add new roles to a group, the ALTER GROUP statement replaces the group's existing role assignments with the new ones you provide.
+It updates the entire role list, so any existing roles not included in the new list will be removed.
+If you want to add or remove specific roles without affecting the others, use the xref:n1ql:n1ql-language-reference/grant.adoc[GRANT] and xref:n1ql:n1ql-language-reference/revoke.adoc[REVOKE] statements instead.
+
+== RBAC Privileges
+
+To execute the ALTER GROUP statement, you must have either the Full Admin or the Security Admin role.
+For more information about user roles, see xref:learn:security/authorization-overview.adoc[Authorization].
+
+== Syntax
+
+[source,ebnf]
+----
+include::partial$grammar/ddl.ebnf[tag=alter-group]
+----
+
+image::n1ql-language-reference/alter-group.png["Syntax diagram: refer to source code listing", align=left]
+
+[horizontal]
+name::
+(Required) The unique identifier of the group you want to update.
+
+description::
+(Optional) A quoted string containing the updated description for the group.
+
+rbac-role::
+(Optional)
+<>
+
+[NOTE]
+====
+When altering a group, you can update its roles using one of the following options: `ROLE`, `ROLES`, or `NO ROLES`.
+You can specify only one of these options per statement.
+
+* `ROLE` assigns a single role to the group.
+* `ROLES` assigns multiple roles to group (the names must be separated by commas).
+* `NO ROLES` removes all roles from the group.
+====
+
+[[roles]]
+=== Update Roles
+
+[source,ebnf]
+----
+include::partial$grammar/ddl.ebnf[tag=rbac-role]
+----
+
+image::n1ql-language-reference/rbac-role.png["Syntax diagram: refer to source code listing", align=left]
+
+[horizontal]
+
+role::
+One of the xref:learn:security/authorization-overview.adoc[RBAC role names predefined] by Couchbase Server.
++
+The following roles have short forms that can be used as well:
+
+* `query_select` → `select`
+* `query_insert` → `insert`
+* `query_update` → `update`
+* `query_delete` → `delete`
+
+keyspace-ref:: <>
+
+[[keyspace-ref]]
+==== Keyspace Reference
+
+[source,ebnf]
+----
+include::partial$grammar/dql.ebnf[tag=keyspace-ref]
+----
+
+image::n1ql-language-reference/keyspace-ref.png["Syntax diagram: refer to source code listing", align=left]
+
+[source#keyspace-path,ebnf,reftext="keyspace path"]
+----
+include::partial$grammar/dql.ebnf[tag=keyspace-path]
+----
+
+image::n1ql-language-reference/keyspace-path.png["Syntax diagram: refer to source code listing", align=left]
+
+[source#keyspace-partial,ebnf,reftext="keyspace partial"]
+----
+include::partial$grammar/dql.ebnf[tag=keyspace-partial]
+----
+
+image::n1ql-language-reference/keyspace-partial.png["Syntax diagram: refer to source code listing", align=left]
+
+Use keyspace reference to specify the target for the update.
+For more information about each element, see the xref:n1ql-language-reference/from.adoc#from-keyspace-ref[Keyspace Reference] section in the FROM clause.
+
+== Examples
+
+.Alter a group and update its description
+====
+[source,sqlpp]
+----
+ALTER GROUP support WITH "Support team for customer queries";
+----
+====
+
+.Alter a group and add new roles
+====
+[source,sqlpp]
+----
+ALTER GROUP support
+ROLES
+query_select ON `travel-sample`.`inventory`.`airline`,
+query_insert ON `travel-sample`.`inventory`.`airline`;
+----
+====
+
+.Alter a group and remove all roles
+====
+[source,sqlpp]
+----
+ALTER GROUP support NO ROLES WITH "Currently unused group";
+----
+====
+
+== Related Links
+* To create a group, see xref:n1ql-language-reference/creategroup.adoc[].
+* To delete a group, see xref:n1ql-language-reference/altergroup.adoc[].
+* To create a new user, see xref:n1ql-language-reference/createuser.adoc[].
diff --git a/modules/n1ql/pages/n1ql-language-reference/alteruser.adoc b/modules/n1ql/pages/n1ql-language-reference/alteruser.adoc
new file mode 100644
index 000000000..a3dea79e2
--- /dev/null
+++ b/modules/n1ql/pages/n1ql-language-reference/alteruser.adoc
@@ -0,0 +1,87 @@
+= ALTER USER
+:description: The ALTER USER statement enables you to alter the details of an existing user.
+:page-topic-type: reference
+:page-status: Couchbase Server 8.0
+:imagesdir: ../../assets/images
+
+[abstract]
+{description}
+
+== Purpose
+
+Use the ALTER USER statement to update a local user's attributes, such as their password, full name, and group.
+You can add the user to new groups or remove them from all existing groups.
+
+This statement helps manage access control and keeps user information up to date within Couchbase Server.
+
+CAUTION: When you add new groups to a user, the ALTER USER statement replaces the user's existing group assignments with the new ones you provide.
+It updates the entire group list, so any existing groups not included in the new list will be removed.
+
+== RBAC Privileges
+
+To execute the ALTER USER statement, you must have either the Full Admin or the Security Admin role.
+For more information about user roles, see xref:learn:security/authorization-overview.adoc[Authorization].
+
+== Syntax
+
+[source,ebnf]
+----
+include::partial$grammar/ddl.ebnf[tag=alter-user]
+----
+
+image::n1ql-language-reference/alter-user.png["Syntax diagram: refer to source code listing", align=left]
+
+[horizontal]
+username::
+(Required) The unique identifier of the local user.
+
+password::
+(Optional) A quoted string containing the user's new password.
+It must be at least 6 characters long.
+
+name::
+(Optional) A quoted string containing the user's updated name.
+
+group::
+(Optional) The group you want to assign the user to.
+
+[NOTE]
+====
+When altering a user, you can update their group using one of the following options: `GROUP`, `GROUPS`, or `NO GROUPS`.
+You can specify only one of these options per statement.
+
+* `GROUP` assigns the user to a single group.
+* `GROUPS` assigns the user to multiple groups (the names must be separated by commas).
+* `NO GROUPS` removes the user from all groups.
+====
+
+== Examples
+
+.Change a user's password and full name
+====
+[source,sqlpp]
+----
+ALTER USER Hilary PASSWORD "newpassword" WITH "Hilary Chloe";
+----
+====
+
+.Assign a user to a new group
+====
+[source,sqlpp]
+----
+ALTER USER Alice GROUP support;
+----
+====
+
+.Remove a user from existing groups
+====
+[source,sqlpp]
+----
+ALTER USER Bob NO GROUPS;
+----
+====
+
+== Related Links
+* To create a new user, see xref:n1ql:n1ql-language-reference/createuser.adoc[].
+* To delete a user, see xref:n1ql:n1ql-language-reference/dropuser.adoc[].
+* To create a new group, see xref:n1ql:n1ql-language-reference/creategroup.adoc[].
diff --git a/modules/n1ql/pages/n1ql-language-reference/createbucket.adoc b/modules/n1ql/pages/n1ql-language-reference/createbucket.adoc
new file mode 100644
index 000000000..84c111251
--- /dev/null
+++ b/modules/n1ql/pages/n1ql-language-reference/createbucket.adoc
@@ -0,0 +1,118 @@
+= CREATE BUCKET
+:description: The CREATE BUCKET statement enables you to create a bucket.
+:page-topic-type: reference
+:page-status: Couchbase Server 8.0
+:imagesdir: ../../assets/images
+
+:identifier: xref:n1ql-language-reference/identifiers.adoc
+:roles: xref:learn:security/roles.adoc
+:bucket-parameters: xref:rest-api:rest-bucket-create.adoc#parameter-groups
+:buckets: xref:learn:buckets-memory-and-storage/buckets.adoc
+:manage-buckets: xref:manage:manage-buckets/bucket-management-overview.adoc
+:buckets-api: xref:rest-api:rest-bucket-intro.adoc
+:couchbase-cli-bucket-create: xref:cli:cbcli/couchbase-cli-bucket-create.adoc
+
+[abstract]
+{description}
+
+== Purpose
+
+Use the CREATE BUCKET statement to create a new bucket in your Couchbase cluster.
+A bucket is a top-level data container, similar to a database in relational database management systems.
+It stores documents and provides a logical grouping for data.
+
+When you create a new bucket, a `_default` scope and a `_default` collection are automatically created within it, providing a basic structure for your data right away.
+The name of the bucket must be unique within the cluster and you cannot change it once you create the bucket.
+You can have a maximum of 30 buckets per cluster.
+
+== RBAC Privileges
+
+To execute the CREATE BUCKET statement, you must have either the Full Admin or the Cluster Admin role.
+For more information about roles and privileges, see {roles}[Roles].
+
+== Syntax
+
+[source,ebnf]
+----
+include::partial$grammar/ddl.ebnf[tag=create-bucket]
+----
+
+image::n1ql-language-reference/create-bucket.png["Syntax diagram: refer to source code listing", align=left]
+
+The `BUCKET` and `DATABASE` keywords are synonyms.
+You can use either of them.
+
+[horizontal]
+name::
+(Required) An {identifier}[identifier] that represents the name of the bucket that you want to create.
+It must be unique within the cluster and cannot be longer than 100 characters.
+Acceptable characters are A-Z, a-z, 0-9, and the special characters underscore, period, dash, and percent.
+
+[[if-not-exists]]
+=== IF NOT EXISTS Clause
+
+The optional `IF NOT EXISTS` clause enables the statement to complete successfully when the specified bucket already exists.
+If a bucket with the same name already exists, then:
+
+* If this clause is not present, an error is generated.
+* If this clause is present, the statement does nothing and completes without error.
+
+[[with]]
+=== WITH Clause
+
+Use the optional `WITH` clause to specify additional options for the bucket.
+
+[horizontal]
+
+with-fields::
+A JSON object containing a list of name-value pairs that define the additional options.
+For a list of valid fields names and values, see {bucket-parameters}[Bucket Parameter Groups] in the REST API documentation.
++
+If you do not include `with-fields`, the statement creates the bucket with default values for all optional settings.
+Similarly, if you include `with-fields` but omit specific options, those options are also set to their default values.
+
+[NOTE]
+====
+When using `with-fields`, if you set a value for `ramQuota`, the bucket's configured with that value as its memory quota.
+However, if you do not specify a value for `ramQuota`, its value is determined as follows:
+
+* If `storageBackend` is set to `magma` and `numVBuckets` is set to `1024`, then `ramQuota` is set to `1024 MiB`.
+* In all other cases, `ramQuota` is set to `100 MiB`.
+====
+
+== Examples
+
+.Create a bucket named `student-records` with default settings
+====
+[source,sqlpp]
+----
+CREATE BUCKET `student-records`;
+----
+====
+
+.Create a bucket named `custom-bucket` with custom settings
+====
+The bucket has a memory quota of `512 MiB`, bucket type as `couchbase`, and storage backend as `magma`.
+[source,sqlpp]
+----
+CREATE BUCKET `custom-bucket` WITH {
+ "ramQuota": 512,
+ "bucketType": "couchbase",
+ "storageBackend": "magma"
+};
+----
+====
+
+.Create a bucket named `data-sample` if it does not already exist
+====
+[source,sqlpp]
+----
+CREATE BUCKET IF NOT EXISTS `data-sample`;
+----
+====
+
+== Related Links
+
+* For an overview of buckets, see {buckets}[Buckets].
+* For step-by-step procedures for bucket management, see {manage-buckets}[Manage Buckets].
+* For managing buckets with the REST API, see {buckets-api}[Buckets API].
\ No newline at end of file
diff --git a/modules/n1ql/pages/n1ql-language-reference/creategroup.adoc b/modules/n1ql/pages/n1ql-language-reference/creategroup.adoc
new file mode 100644
index 000000000..414ad67ea
--- /dev/null
+++ b/modules/n1ql/pages/n1ql-language-reference/creategroup.adoc
@@ -0,0 +1,149 @@
+= CREATE GROUP
+:description: The CREATE GROUP statement enables you to create a group.
+:page-topic-type: reference
+:page-status: Couchbase Server 8.0
+:imagesdir: ../../assets/images
+
+[abstract]
+{description}
+
+== Purpose
+
+Use the CREATE GROUP statement to define a new group within the Couchbase Server Role-Based Access Control (RBAC) system.
+You can specify the group's name, description, and assign it one or more roles.
+
+By creating groups, you can organize users and assign roles collectively.
+When you add users to a group, they automatically inherit the roles assigned to that group.
+
+== RBAC Privileges
+
+To execute the CREATE GROUP statement, you must have either the Full Admin or the Security Admin role.
+For more information about user roles, see xref:learn:security/authorization-overview.adoc[Authorization].
+
+== Syntax
+
+[source,ebnf]
+----
+include::partial$grammar/ddl.ebnf[tag=create-group]
+----
+
+image::n1ql-language-reference/create-group.png["Syntax diagram: refer to source code listing", align=left]
+
+[horizontal]
+name::
+(Required) The unique identifier for the new group.
+
+description::
+(Optional) A quoted string containing the description for the group.
+
+rbac-role::
+(Required)
+<>
+
+[NOTE]
+====
+When creating a group, you can grant roles to them using one of the following options: `ROLE`, `ROLES`, or `NO ROLES`.
+You can specify only one of these options per statement.
+
+* `ROLE` assigns a single role to the group.
+* `ROLES` assigns multiple roles to group (the names must be separated by commas).
+* `NO ROLES` creates a group with no roles assigned.
+This option has no effect during group creation.
+====
+
+[[if-not-exists]]
+=== IF NOT EXISTS Clause
+
+The optional `IF NOT EXISTS` clause enables the statement to complete successfully when the specified group already exists.
+If a group with the same name already exists, then:
+
+* If this clause is not present, an error is generated.
+
+* If this clause is present, the statement does nothing and completes without error.
+
+[[roles]]
+=== Add Roles
+
+[source,ebnf]
+----
+include::partial$grammar/ddl.ebnf[tag=rbac-role]
+----
+
+image::n1ql-language-reference/rbac-role.png["Syntax diagram: refer to source code listing", align=left]
+
+[horizontal]
+
+role::
+One of the xref:learn:security/authorization-overview.adoc[RBAC role names predefined] by Couchbase Server.
++
+For the following roles, you can use their short forms as well:
+
+* `query_select` → `select`
+* `query_insert` → `insert`
+* `query_update` → `update`
+* `query_delete` → `delete`
+
+keyspace-ref:: <>
+
+[[keyspace-ref]]
+==== Keyspace Reference
+
+[source,ebnf]
+----
+include::partial$grammar/dql.ebnf[tag=keyspace-ref]
+----
+
+image::n1ql-language-reference/keyspace-ref.png["Syntax diagram: refer to source code listing", align=left]
+
+[source#keyspace-path,ebnf,reftext="keyspace path"]
+----
+include::partial$grammar/dql.ebnf[tag=keyspace-path]
+----
+
+image::n1ql-language-reference/keyspace-path.png["Syntax diagram: refer to source code listing", align=left]
+
+[source#keyspace-partial,ebnf,reftext="keyspace partial"]
+----
+include::partial$grammar/dql.ebnf[tag=keyspace-partial]
+----
+
+image::n1ql-language-reference/keyspace-partial.png["Syntax diagram: refer to source code listing", align=left]
+
+Use keyspace reference to specify the target keyspace.
+For more information about each element, see the xref:n1ql-language-reference/from.adoc#from-keyspace-ref[Keyspace Reference] section in the FROM clause.
+
+== Examples
+
+.Create a group `sales` and assign it the `query_select` role
+====
+[source,sqlpp]
+----
+CREATE GROUP sales ROLE query_select ON `travel-sample`.`inventory`.`airline`;
+----
+====
+
+.Create a group `travelagents` and assign it multiple roles
+====
+[source, sqlpp]
+----
+CREATE GROUP travelagents
+WITH "Sample travel agents group"
+ROLES data_reader ON `travel-sample`.`inventory`.`airline`,
+select ON `travel-sample`.`inventory`.`landmark`;
+----
+====
+
+.Create a group `support` if it does not already exist
+====
+[source,sqlpp]
+----
+CREATE GROUP IF NOT EXISTS support ROLE query_update
+ON `travel-sample`.`inventory`.`airport`;
+----
+====
+
+== Related Links
+* To create a new user, see xref:n1ql:n1ql-language-reference/createuser.adoc[].
+* To update an existing group, see xref:n1ql:n1ql-language-reference/altergroup.adoc[].
+* To delete a group, see xref:n1ql:n1ql-language-reference/dropgroup.adoc[].
+
diff --git a/modules/n1ql/pages/n1ql-language-reference/createuser.adoc b/modules/n1ql/pages/n1ql-language-reference/createuser.adoc
new file mode 100644
index 000000000..8d690365e
--- /dev/null
+++ b/modules/n1ql/pages/n1ql-language-reference/createuser.adoc
@@ -0,0 +1,114 @@
+= CREATE USER
+:description: The CREATE USER statement enables you to create a user.
+:page-topic-type: reference
+:page-status: Couchbase Server 8.0
+:imagesdir: ../../assets/images
+
+[abstract]
+{description}
+
+== Purpose
+
+Creating a user is an essential step in managing access to your Couchbase environment.
+You can use the CREATE USER statement to define a new local user in the Couchbase Server Role-Based Access Control (RBAC) system.
+By default, Couchbase Server assigns the user to the local authentication domain.
+
+When you create a user, you can specify their basic attributes such as username, password, full name, and assign them to one or more groups.
+If you do not specify a group, the user is not assigned to any group by default.
+
+== RBAC Privileges
+
+To execute the CREATE USER statement, you must have either the Full Admin or the Security Admin role.
+For more information about user roles, see xref:learn:security/authorization-overview.adoc[Authorization].
+
+== Syntax
+
+[source,ebnf]
+----
+include::partial$grammar/ddl.ebnf[tag=create-user]
+----
+
+image::n1ql-language-reference/create-user.png["Syntax diagram: refer to source code listing", align=left]
+
+[horizontal]
+username::
+(Required) The unique identifier for the new local user.
+
+password::
+(Required) A quoted string containing the user's password.
+It must be at least 6 characters long.
+
+name::
+(Optional) A quoted string containing the user's full name.
+
+group::
+(Optional) The group you want to assign the user to.
+
+[NOTE]
+====
+When creating a user, you can assign them to groups using one of the following options: `GROUP`, `GROUPS`, or `NO GROUPS`.
+You can specify only one of these options per statement.
+
+* `GROUP` assigns the user to a single group.
+* `GROUPS` assigns the user to multiple groups (the names must be separated by commas).
+* `NO GROUPS` creates a user without assigning any groups.
+This option has no effect during user creation.
+====
+
+[[if-not-exists]]
+=== IF NOT EXISTS Clause
+
+The optional `IF NOT EXISTS` clause enables the statement to complete successfully when the specified user already exists.
+If a user with the same username already exists, then:
+
+* If this clause is not present, an error is generated.
+* If this clause is present, the statement does nothing and completes without error.
+
+== Examples
+
+.Create a user and specify their full name and password
+====
+[source,sqlpp]
+----
+CREATE USER Hilary PASSWORD "password123" WITH "Hilary Smith";
+----
+====
+
+.Create a user and assign them to a single group
+====
+[source,sqlpp]
+----
+CREATE USER Alice PASSWORD "password123" GROUP agents;
+----
+====
+
+.Create a user and assign them to multiple groups
+====
+[source,sqlpp]
+----
+CREATE USER Bob PASSWORD "P@ssw0rd" GROUPS agents, tourguides, support;
+----
+====
+
+.Create a user with no group assignments
+====
+[source,sqlpp]
+----
+CREATE USER Charlie PASSWORD "securePass" NO GROUPS;
+----
+====
+
+.Create a user if they do not already exist
+====
+[source,sqlpp]
+----
+CREATE USER IF NOT EXISTS David PASSWORD "davidPass" WITH "David Trantow";
+----
+====
+
+== Related Links
+* To update an existing user, see xref:n1ql:n1ql-language-reference/alteruser.adoc[].
+* To delete a user, see xref:n1ql:n1ql-language-reference/dropuser.adoc[].
+* To create a new group, see xref:n1ql:n1ql-language-reference/creategroup.adoc[].
+* To grant roles and privileges to a user, see xref:n1ql:n1ql-language-reference/grant.adoc[].
+
diff --git a/modules/n1ql/pages/n1ql-language-reference/dropbucket.adoc b/modules/n1ql/pages/n1ql-language-reference/dropbucket.adoc
new file mode 100644
index 000000000..e327459a1
--- /dev/null
+++ b/modules/n1ql/pages/n1ql-language-reference/dropbucket.adoc
@@ -0,0 +1,84 @@
+= DROP BUCKET
+:description: The DROP BUCKET statement enables you to delete a bucket.
+:page-topic-type: reference
+:page-status: Couchbase Server 8.0
+:imagesdir: ../../assets/images
+
+:identifier: xref:n1ql-language-reference/identifiers.adoc
+:roles: xref:learn:security/roles.adoc
+:bucket-parameters: xref:rest-api:rest-bucket-create.adoc#parameter-groups
+:buckets: xref:learn:buckets-memory-and-storage/buckets.adoc
+:manage-buckets: xref:manage:manage-buckets/bucket-management-overview.adoc
+:buckets-api: xref:rest-api:rest-bucket-intro.adoc
+:couchbase-cli-bucket-delete: xref:cli:cbcli/couchbase-cli-bucket-edit.adoc
+
+[abstract]
+{description}
+
+== Purpose
+
+Use the DROP BUCKET statement to permanently delete an existing bucket from your Couchbase cluster.
+Dropping a bucket deletes all data in the bucket, including documents, scopes, and collections.
+It also deletes all associated indexes, metadata, and other bucket resources.
+
+WARNING: This operation is irreversible, so use this statement with caution.
+
+== RBAC Privileges
+
+Only administrators with the following roles can execute the DROP BUCKET statement:
+
+* Full Admin
+* Cluster Admin
+* Bucket Admin (if privileges are extended to the specific bucket or all buckets on the cluster)
+
+For more information about roles and privileges, see {roles}[Roles].
+
+== Syntax
+
+[source,ebnf]
+----
+include::partial$grammar/ddl.ebnf[tag=drop-bucket]
+----
+
+image::n1ql-language-reference/drop-bucket.png["Syntax diagram: refer to source code listing", align=left]
+
+The `BUCKET` and `DATABASE` keywords are synonyms.
+You can use either of them.
+
+[horizontal]
+name::
+(Required) An {identifier}[identifier] that represents the name of the bucket that you want to delete.
+
+[[if-exists]]
+=== IF EXISTS Clause
+
+The optional `IF EXISTS` clause enables the statement to complete successfully when the specified bucket doesn't exist.
+If a bucket with the same name does not exist, then:
+
+* If this clause is not present, an error is generated.
+
+* If this clause is present, the statement does nothing and completes without error.
+
+== Examples
+
+.Drop a bucket named `student-records`
+====
+[source,sqlpp]
+----
+DROP BUCKET `student-records`;
+----
+====
+
+.Drop a bucket named `custom-bucket` if it exists
+====
+[source,sqlpp]
+----
+DROP BUCKET IF EXISTS `custom-bucket`;
+----
+====
+
+== Related Links
+
+* For an overview of buckets, see {buckets}[Buckets].
+* For step-by-step procedures for bucket management, see {manage-buckets}[Manage Buckets].
+* For managing buckets with the REST API, see {buckets-api}[Buckets API].
\ No newline at end of file
diff --git a/modules/n1ql/pages/n1ql-language-reference/dropgroup.adoc b/modules/n1ql/pages/n1ql-language-reference/dropgroup.adoc
new file mode 100644
index 000000000..0ef0d6d0e
--- /dev/null
+++ b/modules/n1ql/pages/n1ql-language-reference/dropgroup.adoc
@@ -0,0 +1,67 @@
+= DROP GROUP
+:description: The DROP GROUP statement enables you to delete a group.
+:page-topic-type: reference
+:page-status: Couchbase Server 8.0
+:imagesdir: ../../assets/images
+
+[abstract]
+{description}
+
+== Purpose
+
+You can use this statement to clean up groups that are no longer needed.
+
+Deleting a group removes all roles and privileges associated with the group.
+Users in the deleted group no longer inherit the roles granted to it.
+
+== RBAC Privileges
+
+To execute the DROP GROUP statement, you must have etiher the Full Admin or the Security Admin role.
+For more information about user roles, see xref:learn:security/authorization-overview.adoc[Authorization].
+
+== Syntax
+
+[source,ebnf]
+----
+include::partial$grammar/ddl.ebnf[tag=drop-group]
+----
+
+image::n1ql-language-reference/drop-group.png["Syntax diagram: refer to source code listing", align=left]
+
+[horizontal]
+groupname::
+(Required) The unique identifier of the group you want to delete.
+
+[[if-exists]]
+=== IF EXISTS Clause
+
+The optional `IF EXISTS` clause enables the statement to complete successfully when the specified group doesn't exist.
+If a group with the same name does not exist, then:
+
+* If this clause is not present, an error is generated.
+
+* If this clause is present, the statement does nothing and completes without error.
+
+== Examples
+
+.Delete a group named `sales`
+====
+[source,sqlpp]
+----
+DROP GROUP sales;
+----
+====
+
+.Delete a group named `support` if it exists
+====
+[source,sqlpp]
+----
+DROP GROUP IF EXISTS support;
+----
+====
+
+== Related Links
+* To create a group, see xref:n1ql-language-reference/creategroup.adoc[].
+* To alter a group, see xref:n1ql-language-reference/altergroup.adoc[].
+* For step-by-step procedures for managing groups, see xref:manage:manage-security/manage-users-and-roles.adoc[Manage Groups].
+
diff --git a/modules/n1ql/pages/n1ql-language-reference/dropuser.adoc b/modules/n1ql/pages/n1ql-language-reference/dropuser.adoc
new file mode 100644
index 000000000..26ec0f2e8
--- /dev/null
+++ b/modules/n1ql/pages/n1ql-language-reference/dropuser.adoc
@@ -0,0 +1,64 @@
+= DROP USER
+:description: The DROP USER statement enables you to delete a user.
+:page-topic-type: reference
+:page-status: Couchbase Server 8.0
+:imagesdir: ../../assets/images
+
+:identifier: xref:n1ql-language-reference/identifiers.adoc
+
+[abstract]
+{description}
+
+This statement permanently removes a user from the Couchbase Server Role-Based Access Control (RBAC) system.
+It removes the user from all groups and revokes all roles and privileges assigned to that user.
+
+== RBAC Privileges
+
+To execute the DROP USER statement, you must have either the Full Admin or the Security Admin role.
+For more information about user roles, see xref:learn:security/authorization-overview.adoc[Authorization].
+
+== Syntax
+
+[source,ebnf]
+----
+include::partial$grammar/ddl.ebnf[tag=drop-user]
+----
+
+image::n1ql-language-reference/drop-user.png["Syntax diagram: refer to source code listing", align=left]
+
+[horizontal]
+username::
+(Required) The unique identifier of the local user you want to delete.
+
+[[if-exists]]
+=== IF EXISTS Clause
+
+The optional `IF EXISTS` clause enables the statement to complete successfully when the specified user doesn't exist.
+If a user with the same username does not exist, then:
+
+* If this clause is not present, an error is generated.
+
+* If this clause is present, the statement does nothing and completes without error.
+
+== Examples
+
+.Delete a user named Bob
+====
+[source,sqlpp]
+----
+DROP USER Bob;
+----
+====
+
+.Delete a user named David if they exist
+====
+[source,sqlpp]
+----
+DROP USER IF EXISTS David;
+----
+====
+
+== Related Links
+* To create a user, see xref:n1ql-language-reference/createuser.adoc[CREATE USER].
+* To modify a user, see xref:n1ql-language-reference/alteruser.adoc[ALTER USER].
+* For step by step procedures for managing users, see xref:manage:manage-security/manage-users-and-roles.adoc[Manage Users].
\ No newline at end of file
diff --git a/modules/n1ql/pages/n1ql-language-reference/grant.adoc b/modules/n1ql/pages/n1ql-language-reference/grant.adoc index 7c643ee57..2423ae5a6 100644 --- a/modules/n1ql/pages/n1ql-language-reference/grant.adoc +++ b/modules/n1ql/pages/n1ql-language-reference/grant.adoc @@ -1,5 +1,5 @@ = GRANT -:description: The GRANT statement allows granting any RBAC roles to a specific user. +:description: The GRANT statement allows granting any RBAC roles to a specific user or group. :page-topic-type: reference :imagesdir: ../../assets/images @@ -15,14 +15,18 @@ Roles can be of the following two types: simple:: Roles which apply generically to all keyspaces or resources in the cluster. + -For example: `ClusterAdmin` or `BucketAdmin` +For example: `cluster_admin` or `bucket_admin` parameterized by a keyspace:: -Roles which are defined for the scope of the specified keyspace only. -The keyspace name is specified after ON. +Roles which are defined for the context of the specified keyspace only. +Specify the keyspace name after the keyword ON. + -For example: `pass:c[DataReader ON `travel-sample`]` + -or `pass:c[Query_Select ON `travel-sample`]` +The keyspace must be fully qualified and must include the bucket, scope, and collection names. +Even if you're granting a role to an entire bucket, you must specify the default scope (`_default`) and default collection (`_default`). +Using only the bucket name is not sufficient. ++ +For example: `pass:c[data_reader ON `travel-sample`.`_default`.`_default`]` + +or `pass:c[query_select ON `travel-sample`.`inventory`.`airline`]` NOTE: Only Full Administrators can run the GRANT statement. For more details about user roles, see {authorization-overview}[Authorization]. 
@@ -36,19 +40,44 @@ include::partial$grammar/dcl.ebnf[tag=grant] image::n1ql-language-reference/grant.png["Syntax diagram: refer to source code listing", align=left] +[source,ebnf] +---- +include::partial$grammar/dcl.ebnf[tag=grant-user] +---- + +image::n1ql-language-reference/grant-user.png["Syntax diagram: refer to source code listing", align=left] + +[source,ebnf] +---- +include::partial$grammar/dcl.ebnf[tag=grant-group] +---- + +image::n1ql-language-reference/grant-group.png["Syntax diagram: refer to source code listing", align=left] + +[horizontal] role:: One of the {authorization-overview}[RBAC role names predefined] by Couchbase Server. + -The following roles have short forms that can be used as well: +For the following roles, you can use their short forms as well: * `query_select` → `select` * `query_insert` → `insert` * `query_update` → `update` * `query_delete` → `delete` +keyspace-ref:: +<> + user:: A user name created by the Couchbase Server RBAC system. +group:: +A group name created by the Couchbase Server RBAC system. + +NOTE: When granting roles to users, the keyword `USER` or `USERS` is optional. +However, when granting roles to groups, you must include the keyword `GROUP` or `GROUPS`. +You can use either the singular or plural form of these keywords as this does not affect the number of users or groups the role applies to. + [[keyspace-ref,keyspace-ref]] === Keyspace Reference @@ -73,8 +102,8 @@ include::partial$grammar/dql.ebnf[tag=keyspace-partial] image::n1ql-language-reference/keyspace-partial.png["Syntax diagram: refer to source code listing", align=left] -The simple name or fully-qualified name of a keyspace. -Refer to the {keyspace-ref}[CREATE INDEX] statement for details of the syntax. +The simple name or fully qualified name of a keyspace. +For more information about the syntax, see the {keyspace-ref}[CREATE INDEX] statement. == Usage 
@@ -94,11 +123,11 @@ GRANT replication_admin, query_external_access [source,sqlpp] ---- GRANT Query Select, Views Admin - ON orders, customers + ON `retail`.`customers`.`orders` TO bill, linda; GRANT query_select, views_admin - ON orders, customers + ON `retail`.`customers`.`orders` TO bill, linda; ---- @@ -106,18 +135,26 @@ NOTE: Mixing of parameterized and unparameterized roles or syntax is not allowed == Examples -.Grant the role of Cluster Administrator to three people +.Grant the role of Cluster Administrator to multiple users ==== [source,sqlpp] ---- -GRANT ClusterAdmin TO david, michael, robin; +GRANT cluster_admin TO david, michael, robin; ---- ==== -.Grant the roles of Cluster Administrator and Data Reader in the travel-sample keyspace to Debby +.Grant Query Select and Data Reader roles on a keyspace to a specific user ==== [source,sqlpp] ---- -GRANT ClusterAdmin, DataReader ON `travel-sample` TO debby; +GRANT query_select, data_reader ON `travel-sample`.`_default`.`_default` TO debby; +---- +==== + +.Grant the role of Data Reader on a keyspace to a specific group +==== +[source,sqlpp] +---- +GRANT data_reader ON `travel-sample`.`inventory`.`hotel` TO GROUP sales; ---- ==== \ No newline at end of file diff --git a/modules/n1ql/pages/n1ql-language-reference/revoke.adoc b/modules/n1ql/pages/n1ql-language-reference/revoke.adoc index 2f72cdcbc..cf3120079 100644 --- a/modules/n1ql/pages/n1ql-language-reference/revoke.adoc +++ b/modules/n1ql/pages/n1ql-language-reference/revoke.adoc @@ -1,5 +1,5 @@ = REVOKE -:description: The REVOKE statement allows revoking of any RBAC roles from specific users. +:description: The REVOKE statement allows revoking of any RBAC roles from specific users or groups. :page-topic-type: reference :imagesdir: ../../assets/images 
@@ -15,18 +15,21 @@ Roles can be of the following two types: simple:: Roles which apply generically to all keyspaces/resources in the cluster. + -For example: `ClusterAdmin` or `BucketAdmin` +For example: `cluster_admin` or `bucket_admin` parameterized by a keyspace:: -Roles which are defined for the scope of the specified keyspace only. -The keyspace name is specified after ON. +Roles which are defined for the context of the specified keyspace only. +Specify the keyspace name after the keyword ON. + -For example: `pass:c[DataReader ON `travel-sample`]` + -or `pass:c[Query_Select ON `travel-sample`]` +The keyspace must be fully qualified and must include the bucket, scope, and collection names. +Even if you're revoking a role from an entire bucket, you must specify the default scope (`_default`) and default collection (`_default`). +Using only the bucket name is not sufficient. ++ +For example: `pass:c[data_reader ON `travel-sample`.`_default`.`_default`]` + +or `pass:c[query_select ON `travel-sample`.`inventory`.`airline`]` NOTE: Only Full Administrators can run the REVOKE statement. -For more details about user roles, see -{authorization-overview}[Authorization]. +For more details about user roles, see {authorization-overview}[Authorization]. == Syntax 
@@ -37,19 +40,44 @@ include::partial$grammar/dcl.ebnf[tag=revoke] image::n1ql-language-reference/revoke.png["Syntax diagram: refer to source code listing", align=left] +[source,ebnf] +---- +include::partial$grammar/dcl.ebnf[tag=revoke-user] +---- + +image::n1ql-language-reference/revoke-user.png["Syntax diagram: refer to source code listing", align=left] + +[source,ebnf] +---- +include::partial$grammar/dcl.ebnf[tag=revoke-group] +---- + +image::n1ql-language-reference/revoke-group.png["Syntax diagram: refer to source code listing", align=left] + +[horizontal] role:: One of the {authorization-overview}[RBAC role names predefined] by Couchbase Server. + -The following roles have short forms that can be used as well: +For the following roles, you can use their short forms as well: * `query_select` → `select` * `query_insert` → `insert` * `query_update` → `update` * `query_delete` → `delete` +keyspace-ref:: +<> + user:: A user name created by the Couchbase Server RBAC system. +group:: +A group name created by the Couchbase Server RBAC system. + +NOTE: When revoking roles from users, the keyword `USER` or `USERS` is optional. +However, when revoking roles from groups, you must include the keyword `GROUP` or `GROUPS`. +You can use either the singular or plural form of these keywords as this does not affect the number of users or groups from which the role is revoked. + [[keyspace-ref,keyspace-ref]] === Keyspace Reference 
@@ -74,25 +102,35 @@ include::partial$grammar/dql.ebnf[tag=keyspace-partial] image::n1ql-language-reference/keyspace-partial.png["Syntax diagram: refer to source code listing", align=left] -The simple name or fully-qualified name of a keyspace. -Refer to the {keyspace-ref}[CREATE INDEX] statement for details of the syntax. +The simple name or fully qualified name of a keyspace. +For more information about the syntax, see the {keyspace-ref}[CREATE INDEX] statement. == Examples -.Revoke the role of ClusterAdmin from three people +.Revoke the Cluster Admin role from multiple users ==== [source,sqlpp] ---- -REVOKE ClusterAdmin FROM david, michael, robin +REVOKE cluster_admin FROM david, michael, robin ---- ==== -.Revoke the roles of ClusterAdmin and QueryUpdate in the travel-sample keyspace from debby +.Revoke Query Select and Query Update roles on a keyspace from a specific user ==== [source,sqlpp] ---- -REVOKE ClusterAdmin, QueryUpdate - ON `travel-sample` +REVOKE query_select, query_update + ON `travel-sample`.`_default`.`_default` FROM debby ---- +==== + +.Revoke the Query Update role on a keyspace from a specific group +==== +[source,sqlpp] +---- +REVOKE query_update + ON `travel-sample`.`inventory`.`hotel` + FROM GROUP sales +---- ==== \ No newline at end of file diff --git a/modules/n1ql/partials/grammar/dcl.ebnf b/modules/n1ql/partials/grammar/dcl.ebnf index c98dbee46..6fc9dba9a 100644 --- a/modules/n1ql/partials/grammar/dcl.ebnf +++ b/modules/n1ql/partials/grammar/dcl.ebnf 
@@ -4,14 +4,32 @@ dcl-statement ::= grant | revoke /* tag::grant[] */ -grant ::= 'GRANT' role ( ',' role )* ( 'ON' keyspace-ref ( ',' keyspace-ref )* )? - 'TO' user ( ',' user )* +grant ::= grant-user | grant-group /* end::grant[] */ +/* tag::grant-user[] */ +grant-user ::= 'GRANT' role ( ',' role )* ( 'ON' keyspace-ref ( ',' keyspace-ref )* )? + 'TO' ( 'USER' | 'USERS' )? user ( ',' user )* +/* end::grant-user[] */ + +/* tag::grant-group[] */ +grant-group ::= 'GRANT' role ( ',' role )* ( 'ON' keyspace-ref ( ',' keyspace-ref )* )? + 'TO' ( 'GROUP' | 'GROUPS' ) group ( ',' group )* +/* end::grant-group[] */ + /* tag::revoke[] */ -revoke ::= 'REVOKE' role ( ',' role )* ( 'ON' keyspace-ref ( ',' keyspace-ref )* )? - 'FROM' user ( ',' user )* +revoke ::= revoke-user | revoke-group /* end::revoke[] */ +/* tag::revoke-user[] */ +revoke-user ::= 'REVOKE' role ( ',' role )* ( 'ON' keyspace-ref ( ',' keyspace-ref )* )? + 'FROM' ( 'USER' | 'USERS' )? user ( ',' user )* +/* end::revoke-user[] */ + +/* tag::revoke-group[] */ +revoke-group ::= 'REVOKE' role ( ',' role )* ( 'ON' keyspace-ref ( ',' keyspace-ref )* )? + 'FROM' ( 'GROUP' | 'GROUPS' ) group ( ',' group )* +/* end::revoke-group[] */ + role ::= identifier user ::= identifier \ No newline at end of file diff --git a/modules/n1ql/partials/grammar/ddl.ebnf b/modules/n1ql/partials/grammar/ddl.ebnf index 827efc4b9..909e23585 100644 --- a/modules/n1ql/partials/grammar/ddl.ebnf +++ b/modules/n1ql/partials/grammar/ddl.ebnf @@ -10,6 +10,9 @@ create-statement ::= create-scope | create-index | create-function | create-sequence + | create-user + | create-group + | create-bucket drop-statement ::= drop-scope | drop-collection 
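Review bot: The new `grant-group` and `revoke-group` rules in dcl.ebnf reference a `group` nonterminal, but the definitions that close the file still stop at `role ::= identifier` and `user ::= identifier`, and no line in this hunk adds one for `group`. Unless another grammar partial supplies it, add `group ::= identifier` after the `user` rule so the grammar and the generated grant-group and revoke-group diagrams resolve the name. The top of the file lies outside the hunk, so it is worth confirming the rule is not already declared there.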
@@ -17,17 +20,28 @@ drop-statement ::= drop-scope | drop-index | drop-function | drop-sequence + | drop-user + | drop-group + | drop-bucket -other-statement ::= alter-index +other-statement ::= alter-bucket + | alter-group + | alter-index | alter-sequence + | alter-user | build-index | execute-function /************************** - * Scopes and Collections * + * Buckets, Scopes, and Collections * **************************/ +/* tag::create-bucket[] */ +create-bucket ::= 'CREATE' ( 'BUCKET' | 'DATABASE' ) ( 'IF' 'NOT' 'EXISTS' )? name + ( 'WITH' with-fields )? +/* end::create-bucket[] */ + /* tag::create-scope[] */ create-scope ::= 'CREATE' 'SCOPE' ( namespace ':' )? bucket '.' scope ( 'IF' 'NOT' 'EXISTS' )? /* end::create-scope[] */ @@ -37,6 +51,14 @@ create-collection ::= 'CREATE' 'COLLECTION' ( ( namespace ':' )? bucket '.' scop collection ( 'IF' 'NOT' 'EXISTS' )? ( 'WITH' expr )? /* end::create-collection[] */ +/* tag::alter-bucket[] */ +alter-bucket ::= 'ALTER' ( 'BUCKET' | 'DATABASE' ) name ( 'WITH' with-fields )? +/* end::alter-bucket[] */ + +/* tag::drop-bucket[] */ +drop-bucket ::= 'DROP' ( 'BUCKET' | 'DATABASE' ) ('IF' 'EXISTS' )? name +/* end::drop-bucket[] */ + /* tag::drop-scope[] */ drop-scope ::= 'DROP' 'SCOPE' ( namespace ':' )? bucket '.' scope ( 'IF' 'EXISTS' )? /* end::drop-scope[] */ 
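Review bot: `create-bucket` takes `( 'WITH' with-fields )?`, but no ddl.ebnf hunk in this diff defines `with-fields`, whereas the neighbouring `create-collection` rule uses `( 'WITH' expr )?`. If the name is not already defined in a part of the file outside these hunks, add a rule for it next to the bucket rules; `alter-bucket` in the next hunk depends on the same name. Separately, the banner text became `* Buckets, Scopes, and Collections *` while the two asterisk border lines kept their old width, so widening them keeps the comment box aligned.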
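Review bot: `drop-bucket` writes its optional clause as `('IF' 'EXISTS' )?`, without the space after the opening parenthesis that `drop-scope` just below uses in `( 'IF' 'EXISTS' )?`. Use the spaced form here as well. `drop-group` and the `(',' rbac-role )*` repetition in `alter-group`, both in the later users-and-groups hunk, have the same slip.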
@@ -288,3 +310,45 @@ alter-sequence-options ::= ( restart-with /* tag::restart-with[] */ restart-with ::= 'RESTART' ( 'WITH' integer )? /* end::restart-with[] */ + +/******************** + * Users and Groups * + ********************/ + +/* tag::create-user[] */ +create-user ::= 'CREATE' 'USER' ( 'IF' 'NOT' 'EXISTS' )? username 'PASSWORD' password + ( 'WITH' name )? + ( 'GROUP' group | 'GROUPS' group ( ',' group )* | 'NO' 'GROUPS' )? +/* end::create-user[] */ + +/* tag::alter-user[] */ +alter-user ::= 'ALTER' 'USER' username ( 'PASSWORD' password )? + ( 'WITH' name )? + ( 'GROUP' group | 'GROUPS' group ( ',' group )* | 'NO' 'GROUPS' )? +/* end::alter-user[] */ + +/* tag::drop-user[] */ +drop-user ::= 'DROP' 'USER' ( 'IF' 'EXISTS' )? username +/* end::drop-user[] */ + +/* tag::create-group[] */ +create-group ::= 'CREATE' 'GROUP' ( 'IF' 'NOT' 'EXISTS' )? name + ( 'WITH' description )? + ( 'ROLE' rbac-role | 'ROLES' rbac-role ( ',' rbac-role )* | 'NO' 'ROLES' ) +/* end::create-group[] */ + +/* tag::alter-group[] */ +alter-group ::= 'ALTER' 'GROUP' name ( 'WITH' description )? + ( 'ROLE' rbac-role | 'ROLES' rbac-role (',' rbac-role )* | 'NO' 'ROLES' )? +/* end::alter-group[] */ + +/* tag::rbac-role[] */ +rbac-role ::= role ( 'ON' keyspace-ref )? +/* end::rbac-role[] */ + +/* tag::drop-group[] */ +drop-group ::= 'DROP' 'GROUP' ('IF' 'EXISTS' )? groupname +/* end::drop-group[] */ + + + diff --git a/modules/n1ql/partials/nav.adoc b/modules/n1ql/partials/nav.adoc index adc7e548e..4f2b908f3 100644 --- a/modules/n1ql/partials/nav.adoc +++ b/modules/n1ql/partials/nav.adoc 
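Review bot: The group identifier has two different names in the added rules: `create-group` and `alter-group` take `name`, while `drop-group` takes `groupname`. Pick one, for example `drop-group ::= 'DROP' 'GROUP' ( 'IF' 'EXISTS' )? name`, or switch all three rules to `groupname`, and keep the parameter lists on the group pages in step. None of `username`, `password`, `description`, `groupname` or `group` is defined in this hunk, so unless the rest of the file covers them the section needs those rules too; `password` in particular should state which token type it accepts, since that decides how a credential is written in statement text. `create-group` also makes the ROLE / ROLES / NO ROLES clause mandatory while `alter-group` and `create-user` mark theirs optional, which deserves a comment if it is intended.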
@@ -86,13 +86,18 @@ *** xref:n1ql:n1ql-language-reference/booleanlogic.adoc[] *** Statements **** xref:n1ql:n1ql-language-reference/advise.adoc[] + **** xref:n1ql:n1ql-language-reference/alterbucket.adoc[] + **** xref:n1ql:n1ql-language-reference/altergroup.adoc[] **** xref:n1ql:n1ql-language-reference/alterindex.adoc[] **** xref:n1ql:n1ql-language-reference/altersequence.adoc[] + **** xref:n1ql:n1ql-language-reference/alteruser.adoc[] **** xref:n1ql:n1ql-language-reference/begin-transaction.adoc[] **** xref:n1ql:n1ql-language-reference/build-index.adoc[] **** xref:n1ql:n1ql-language-reference/commit-transaction.adoc[] + **** xref:n1ql:n1ql-language-reference/createbucket.adoc[] **** xref:n1ql:n1ql-language-reference/createcollection.adoc[] **** xref:n1ql:n1ql-language-reference/createfunction.adoc[] + **** xref:n1ql:n1ql-language-reference/creategroup.adoc[] **** xref:n1ql:n1ql-language-reference/createindex.adoc[] ***** xref:n1ql:n1ql-language-reference/indexing-arrays.adoc[] ***** xref:n1ql:n1ql-language-reference/adaptive-indexing.adoc[] 
@@ -101,13 +106,17 @@ **** xref:n1ql:n1ql-language-reference/createprimaryindex.adoc[] **** xref:n1ql:n1ql-language-reference/createsequence.adoc[] **** xref:n1ql:n1ql-language-reference/createscope.adoc[] + **** xref:n1ql:n1ql-language-reference/createuser.adoc[] **** xref:n1ql:n1ql-language-reference/delete.adoc[] + **** xref:n1ql:n1ql-language-reference/dropbucket.adoc[] **** xref:n1ql:n1ql-language-reference/dropcollection.adoc[] **** xref:n1ql:n1ql-language-reference/dropfunction.adoc[] + **** xref:n1ql:n1ql-language-reference/dropgroup.adoc[] **** xref:n1ql:n1ql-language-reference/dropindex.adoc[] **** xref:n1ql:n1ql-language-reference/dropprimaryindex.adoc[] **** xref:n1ql:n1ql-language-reference/dropsequence.adoc[] **** xref:n1ql:n1ql-language-reference/dropscope.adoc[] + **** xref:n1ql:n1ql-language-reference/dropuser.adoc[] **** xref:n1ql:n1ql-language-reference/execute.adoc[] **** xref:n1ql:n1ql-language-reference/execfunction.adoc[] **** xref:n1ql:n1ql-language-reference/explain.adoc[]