Description
Example of file content:
    {
        "user1": {
            "type": "builtin",
            "buckets": {
                "bucket1": ["Read", "Write", "SimpleStats"],
                "bucket2": ["Read", "SimpleStats"]
            },
            "privileges": ["BucketManagement"]
        }
    }

(The per-bucket grants are an object keyed by bucket name; the original snippet wrapped them in `[ ]` and carried a trailing comma after "privileges", neither of which is valid JSON.)
Current situation with privileges in memcached:
The list isn't "finalized" and may change... so for now you could just use the special keyword "all" for ns_server ;-)

The current "work in progress" consists of:
    #include <cstdint>

    // Enclosing declaration assumed for completeness; the issue text lists
    // only the enumerators and their comments.
    enum class Privilege : uint8_t {
        /**
         * The `Read` privilege allows for reading documents in the selected
         * bucket.
         */
        Read = 0x00,

        /**
         * The `Write` privilege allows for creating, updating or deleting
         * documents in the selected bucket.
         */
        Write = 0x01,

        /**
         * The `SimpleStats` privilege allows for requesting basic statistics
         * information from the system (restricted to the selected bucket)
         */
        SimpleStats = 0x02,

        /**
         * The `Stats` privilege allows for requesting all the statistics
         * information in the system (system configuration, vbucket state,
         * dcp information etc).
         */
        Stats = 0x03,

        /**
         * The `BucketManagement` privilege allows for bucket management
         * (create or delete buckets, toggle vbucket states etc).
         */
        BucketManagement = 0x04,

        /**
         * The `NodeManagement` privilege allows for changing verbosity
         * level, reloading configuration files (This privilege should
         * be split into multiple others)
         */
        NodeManagement = 0x05,

        /**
         * The `SessionManagement` privilege allows for changing (and fetching)
         * the session context registered by ns_server
         */
        SessionManagement = 0x06,

        /**
         * The `Audit` privilege allows for adding audit events to the
         * audit trail
         */
        Audit = 0x07,

        /**
         * The `AuditManagement` privilege allows for reconfiguring the audit
         * subsystem
         */
        AuditManagement = 0x08,

        /**
         * The `DcpConsumer` privilege allows for setting up a DCP stream in the
         * selected bucket to apply DCP mutations.
         */
        DcpConsumer = 0x09,

        /**
         * The `DcpProducer` privilege allows for setting up a DCP stream in the
         * selected bucket.
         */
        DcpProducer = 0x0a,

        /**
         * The `TapProducer` privilege allows for setting up a TAP stream
         */
        TapProducer = 0x0b,

        /**
         * The `TapConsumer` privilege allows for consuming TAP events
         */
        TapConsumer = 0x0c,

        /**
         * The `MetaRead` privilege allows for reading the meta information
         * on documents.
         */
        MetaRead = 0x0d,

        /**
         * The `MetaWrite` privilege allows for updating the meta information
         * on documents.
         */
        MetaWrite = 0x0e,

        /**
         * The `IdleConnection` privilege allows a client to hold on to an
         * idle connection without being disconnected.
         */
        IdleConnection = 0x0f,

        /**
         * The `XattrRead` privilege allows the connection to read the
         * system attributes on the documents
         */
        XattrRead = 0x10,

        /**
         * The `XattrWrite` privilege allows the connection to write to the
         * system attributes on the documents
         */
        XattrWrite = 0x11,

        /**
         * The `CollectionManagement` privilege allows the connection to create or
         * delete collections.
         */
        CollectionManagement = 0x12,

        /**
         * The `Impersonate` privilege allows the connection to execute commands
         * by using a different authentication context. The intended use is
         * for other components in the system which are part of the TCB so that
         * they don't have to open separate connections to memcached with the
         * user's credentials to run the command with the user's privilege context.
         * For Spock this won't be used as all access is per bucket level, but
         * moving forward we might get per collection/doc access control and at
         * that time we can't have every component in the system evaluate
         * RBAC access
         */
        Impersonate = 0x13
    };
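To make the file format and the privilege list above concrete, here is an added example (not memcached's or ns_server's code) that loads an RBAC document of the shape shown at the top of the issue, rejects unknown users types, unknown privilege names and malformed "buckets" sections, and answers "does user U hold privilege P (on bucket B)?" with deny-by-default semantics. The privilege names and codes are the ones from the enum above; the sample document is constructed, and the treatment of the keyword "all" (a user whose "privileges" value is the string "all" holds every privilege everywhere) is an assumption, since the issue only says the keyword exists.

```python
import json
from enum import IntEnum


class Privilege(IntEnum):
    """Privilege names and codes as listed in the work-in-progress enum."""
    Read = 0x00
    Write = 0x01
    SimpleStats = 0x02
    Stats = 0x03
    BucketManagement = 0x04
    NodeManagement = 0x05
    SessionManagement = 0x06
    Audit = 0x07
    AuditManagement = 0x08
    DcpConsumer = 0x09
    DcpProducer = 0x0a
    TapProducer = 0x0b
    TapConsumer = 0x0c
    MetaRead = 0x0d
    MetaWrite = 0x0e
    IdleConnection = 0x0f
    XattrRead = 0x10
    XattrWrite = 0x11
    CollectionManagement = 0x12
    Impersonate = 0x13


ALL = "all"                 # special keyword mentioned in the issue
KNOWN_TYPES = {"builtin"}   # only type shown on the page

# Constructed sample: the issue's example (as valid JSON) plus an ns_server
# entry that uses the "all" keyword (assumed semantics: everything, everywhere).
SAMPLE_RBAC = """
{
  "user1": {
    "type": "builtin",
    "buckets": {
      "bucket1": ["Read", "Write", "SimpleStats"],
      "bucket2": ["Read", "SimpleStats"]
    },
    "privileges": ["BucketManagement"]
  },
  "ns_server": {"type": "builtin", "buckets": {}, "privileges": "all"}
}
"""


def parse_privileges(value, where):
    """Return ALL or a frozenset of Privilege; fail closed on unknown names."""
    if value == ALL:
        return ALL
    if not isinstance(value, list):
        raise ValueError(f"{where}: expected a list or \"all\", got {value!r}")
    granted = set()
    for name in value:
        try:
            granted.add(Privilege[name])
        except KeyError:
            # An unknown privilege is a configuration error, never a silent no-op.
            raise ValueError(f"{where}: unknown privilege {name!r}") from None
    return frozenset(granted)


def load_rbac(text):
    """Parse and validate the whole document into {user: {buckets, privileges}}."""
    doc = json.loads(text)  # raises ValueError (JSONDecodeError) on bad syntax
    if not isinstance(doc, dict):
        raise ValueError("top level must be an object keyed by user name")
    users = {}
    for user, entry in doc.items():
        if not isinstance(entry, dict):
            raise ValueError(f"{user}: entry must be an object")
        if entry.get("type") not in KNOWN_TYPES:
            raise ValueError(f"{user}: unknown type {entry.get('type')!r}")
        buckets = entry.get("buckets", {})
        if not isinstance(buckets, dict):
            raise ValueError(f"{user}: \"buckets\" must be an object keyed by bucket")
        users[user] = {
            "buckets": {b: parse_privileges(p, f"{user}/{b}") for b, p in buckets.items()},
            "privileges": parse_privileges(entry.get("privileges", []), user),
        }
    return users


def is_authorized(users, user, privilege, bucket=None):
    """Deny by default: unknown user, unknown bucket or missing grant -> False."""
    entry = users.get(user)
    if entry is None:
        return False
    if entry["privileges"] == ALL:      # "all": no further checks needed
        return True
    if bucket is None:                  # system-level privilege
        return privilege in entry["privileges"]
    granted = entry["buckets"].get(bucket, frozenset())
    return granted == ALL or privilege in granted


if __name__ == "__main__":
    table = load_rbac(SAMPLE_RBAC)
    print("user1 Write@bucket2:", is_authorized(table, "user1", Privilege.Write, "bucket2"))
```

The loader deliberately refuses the issue's original (invalid) form, where bucket grants sit inside `[ ]`, because `json.loads` raises on it; a permissive parser that guessed at the author's intent would be the wrong place for leniency in an access-control file.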