Uploaded image for project: 'Couchbase Mobile'
  1. Couchbase Mobile
  2. CM-84

Authentication and Authorization for Sync Gateway Admin API

    XMLWordPrintable

Details

    Description

      PRD: https://docs.google.com/document/d/1c_WSQwgsf9Dr3ut3tjnCR4q7Cdc7xY0eUF1EaBNfCRM/edit#heading=h.lc76bc1zsnxu

      Roles PRD: https://docs.google.com/document/d/1_xUt5MzvlQH4du5ksK_dqfes6zcHpQDqGDYgQGYjiX4/edit?usp=sharing

       

       

      The admin REST endpoint is unauthenticated . The documentation encourages the use of localhost to enforce only local access to the machine . The only way to allow external access is doing something clunky like SSH tunneling or establishing firewall rules to allow restricted access to the machine
      This has several limitations
      1) Users are developing own backend "admin UI applications", external monitoring apps, authentication server etc that need to be able to remotely access the adminAPI Users are using mechanisms like bastion hosts and HA proxy and firewalls to restrict access...this s is not always practical.
      2) WIth distributed edge deployments, the ability to remotely connect to and administer sync gateway over public network may be more likely
      3) Anyone with access to the machine (though mechanisms indicated earlier) can administer the admin API. So while the access is restricted to a specific machine(s) - there is no user authentication to restrict user level access. Additionally, there may be scenarios where different users may be allowed different roles (read-only, read-write, monitor etc)- Customer company policies have user-level restrictions and they need a way to enforce that

      Leveraging RBAC users to enforce admin API access would be a likely candidate for implementation.

      Attachments

        Issue Links

          Activity

            People

              priya.rajagopal Priya Rajagopal
              priya.rajagopal Priya Rajagopal
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                PagerDuty