Security

Using native transport encryption, authentication and authorization

Refer to the Couchbase documentation.

DC/OS Couchbase Security

The DC/OS Couchbase service supports Couchbase’s native transport encryption, authentication, and authorization mechanisms. The service provides automation and orchestration to simplify the use of these important features.

NOTE: These security features are only available on DC/OS Enterprise 1.10 and later.

Transport Encryption

With transport encryption enabled, DC/OS Couchbase will automatically deploy all nodes with the correct configuration to encrypt communication via SSL.

NOTE: Couchbase Server currently supports TLS for client interactions and cross data center replication. There is no TLS for node-to-node communication. See the Couchbase documentation for more details.

The service uses the DC/OS CA to generate the SSL artifacts that it uses to secure the service. Any client that trusts the DC/OS CA will consider the service’s certificates valid.

Prerequisites

Configure Transport Encryption

Set up the service account

Grant the service account the correct permissions.

  • In DC/OS 1.10, the required permission is dcos:superuser full.
  • In DC/OS 1.11 and later, the required permissions are:
dcos:secrets:default:/<service name>/* full
dcos:secrets:list:default:/<service name> read
dcos:adminrouter:ops:ca:rw full
dcos:adminrouter:ops:ca:ro full

where <service name> is the name of the service to be installed.

Run the following DC/OS Enterprise CLI commands to set permissions for the service account on a strict cluster:

dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:task:app_id:<service/name> create
dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:reservation:principal:dev_hdfs create
dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:volume:principal:dev_hdfs create

Install the service

Install the DC/OS Couchbase service including the following options in addition to your own:

{
    "service": {
        "service_account": "<your service account name>",
        "service_account_secret": "<full path of service secret>",
        "security": {
            "transport_encryption": {
                "enabled": true
            }
        }
    }
}

When launching the Couchbase Server via the DC/OS console, you can enable TLS as well as a service account and service account secret.

Secure ports

Couchbase uses the following ports; see (SSL).

8091: Couchbase Web console, REST/HTTP interface
8092: Views, queries, XDCR
8093: Query services (4.0+)
8094: Full-text Search (4.5+)
8095: Analytics (5.5+)
8096: Eventing (5.5+)
11207: Smart client library data node access (SSL)
11210: Smart client library/moxi data node access
11211: Legacy non-smart client library data node access
18091: Couchbase Web console, REST/HTTP interface (SSL)
18092: Views, query, XDCR (SSL)
18093: Query services (SSL) (4.0+)
18094: Full-text Search (SSL) (4.5+)
18095: Analytics (SSL) (5.5+)
18096: Eventing (SSL) (5.5+)

NOTE: Even if TLS is enabled, the non-TLS Couchbase ports stay open.

The important ports for clients to interact with Couchbase are 8091 (non-SSL) and 18091 (SSL).

TLS and Couchbase Sync Gateway

The Couchbase Sync Gateway also supports TLS on its inbound side. The following two lines must be added to your gateway configuration.

SSLCert: node.crt
SSLKey: node.key
...

Authentication

DC/OS Couchbase supports the Couchbase native authentication mechanism. More details can be found here.

NOTE: Non-native methods like LDAP and PAM are not supported at this time.

Authorization

DC/OS Couchbase service supports the Couchbase native authorization mechanism. More details can be found in the Couchbase developer documentation.