When testing which RBAC roles are required to manage SSL certificates from couchbase-cli, it appears that no single RBAC role (other than the "Full Admin" super-administrator role) is able to manage both the cluster CA certificate and the node certificates.
Security Admins can upload Cluster CA certs, but not node certs:
couchbase-cli ssl-manage -c 10.111.191.101:8091 -u security-admin -p password --upload-cluster-ca=root/ca.pem
SUCCESS: Uploaded cluster certificate to http://10.111.191.101:8091
couchbase-cli ssl-manage -c 10.111.191.101:8091 -u security-admin -p password --set-node-certificate
ERROR: Forbidden. User needs one of the following permissions: cluster.admin.setup!write
Cluster Admins can set node certs, but not CA certs (please ignore the fact that the cert has expired):
couchbase-cli ssl-manage -c 10.111.191.101:8091 -u cluster-admin -p password --set-node-certificate
ERROR: "Incorrectly configured certificate chain. Error: cert_expired. Certificate: \"C=UA, O=My Company, CN=My Company Intermediate CA\""
couchbase-cli ssl-manage -c 10.111.191.101:8091 -u cluster-admin -p password --upload-cluster-ca=root/ca.pem
ERROR: Forbidden. User needs one of the following permissions: cluster.admin.security!write
This seems counter-intuitive, as one would expect both operations to be performed with the same role. Assigning multiple roles to the user is possible, but it widens the set of operations that user is permitted to perform, which undermines the least-privilege intent of RBAC.
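To make the scope-widening argument concrete, the following is an added example (not code from the issue or from couchbase-cli): it takes the two permissions named in the Forbidden errors above, checks which roles cover each ssl-manage operation, and for every role combination that covers both it lists the excess permissions the user would gain beyond what the task needs. The role-to-permission sets are constructed placeholders, not Couchbase's real role definitions; only the two `cluster.admin.*!write` permissions come from the page.

```python
"""Least-privilege check for the two ssl-manage operations.

Added example, not from the Couchbase issue or couchbase-cli. The ROLES
table below is a constructed, hypothetical model used to illustrate the
calculation; only the two permissions in REQUIRED are taken from the page.
"""
from itertools import combinations

# Permissions quoted in the "Forbidden" errors on the issue page.
REQUIRED = {
    "upload-cluster-ca": "cluster.admin.security!write",
    "set-node-certificate": "cluster.admin.setup!write",
}

# Hypothetical role -> permission sets (constructed for this example).
ROLES = {
    "security_admin": {
        "cluster.admin.security!write",
        "cluster.admin.security!read",
    },
    "cluster_admin": {
        "cluster.admin.setup!write",
        "cluster.admin.diag!read",
        "cluster.bucket[*].settings!write",
    },
    "admin": {
        "cluster.admin.security!write",
        "cluster.admin.setup!write",
        "cluster.admin.security!read",
        "cluster.admin.diag!read",
        "cluster.bucket[*].settings!write",
        "cluster.admin.users!write",
    },
}


def check_operation(role, operation, roles=ROLES, required=REQUIRED):
    """Return None if `role` may run `operation`, otherwise a message in the
    same shape as the CLI's Forbidden error."""
    perm = required[operation]
    if perm in roles[role]:
        return None
    return f"Forbidden. User needs one of the following permissions: {perm}"


def roles_covering(roles=ROLES, required=REQUIRED):
    """Every combination of roles whose union covers all required permissions,
    as (role_tuple, excess_permissions), smallest and least-excess first."""
    needed = set(required.values())
    results = []
    for k in range(1, len(roles) + 1):
        for combo in combinations(sorted(roles), k):
            granted = set().union(*(roles[r] for r in combo))
            if needed <= granted:
                # Everything the union grants that the task does not need.
                results.append((combo, sorted(granted - needed)))
    results.sort(key=lambda rc: (len(rc[0]), len(rc[1])))
    return results


def single_role_suffices(roles=ROLES, required=REQUIRED):
    """Roles that can perform both operations on their own."""
    return [combo for combo, _ in roles_covering(roles, required) if len(combo) == 1]


if __name__ == "__main__":
    for role in ("security_admin", "cluster_admin"):
        for op in REQUIRED:
            print(f"{role:15} {op:22} -> {check_operation(role, op) or 'permitted'}")
    for combo, excess in roles_covering():
        print(f"{'+'.join(combo):30} excess permissions: {len(excess)}")
```

In the constructed model only the super-administrator role covers both operations alone, and the smallest non-admin combination (cluster_admin plus security_admin) grants three permissions the task does not need; replace `ROLES` with the real role definitions from the cluster's RBAC documentation to get the actual figures.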
Gerrit reviews for MB-33764:
- 107685,2: "MB-33764: Allow users, with security admin role..." (branch alice, project ns_server) Status: MERGED, +2 / +1
- 107686,1: "MB-33764: Merge remote-tracking branch alice." (branch master, project ns_server) Status: MERGED, +2 / +1