DC/OS Couchbase Security
The DC/OS Couchbase service supports Couchbase’s native transport encryption, authentication, and authorization mechanisms. The service provides automation and orchestration to simplify the use of these important features.
NOTE: These security features are only available on DC/OS Enterprise 1.10 and later.
Transport Encryption
With transport encryption enabled, DC/OS Couchbase will automatically deploy all nodes with the correct configuration to encrypt communication via SSL.
NOTE: Couchbase Server currently supports TLS for client interactions and cross data center replication. There is no TLS for node-to-node communication. See the [Couchbase documentation](https://developer.couchbase.com/documentation/server/current/security/security-x509certsintro.html) for more details.
The service uses the DC/OS CA to generate the SSL artifacts that it uses to secure the service. Any client that trusts the DC/OS CA will consider the service’s certificates valid.
Prerequisites
- A DC/OS Service Account with a secret stored in the DC/OS Secret Store.
- DC/OS Superuser permissions for modifying the permissions of the Service Account.
Configure Transport Encryption
Set up the service account
Grant the service account the correct permissions.
- In DC/OS 1.10, the required permission is dcos:superuser full.
- In DC/OS 1.11 and later, the required permissions are:
  dcos:secrets:default:/<service name>/* full
  dcos:secrets:list:default:/<service name> read
  dcos:adminrouter:ops:ca:rw full
  dcos:adminrouter:ops:ca:ro full
  where <service name> is the name of the service to be installed.
Run the following DC/OS Enterprise CLI commands to set permissions for the service account on a strict cluster:
dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:task:app_id:<service/name> create
dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:reservation:principal:dev_hdfs create
dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:volume:principal:dev_hdfs create
Install the service
Install the DC/OS Couchbase service including the following options in addition to your own:
{
  "service": {
    "service_account": "<your service account name>",
    "service_account_secret": "<full path of service secret>",
    "security": {
      "transport_encryption": {
        "enabled": true
      }
    }
  }
}
The service account, the service account secret, and TLS can also be configured when launching Couchbase Server from the DC/OS console.
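The two steps above (granting the service account its permissions, then installing with transport encryption enabled) are easy to get subtly wrong by hand: the 1.10 and 1.11+ grants differ, and an options file supplied by an operator can silently override the TLS setting. The following helper is an added example, not part of the DC/OS Couchbase service or its documentation; it derives the grant commands for a given DC/OS version and builds the install options while refusing any override that would disable transport encryption. The service-account name, secret path and the handling of a leading slash in the service name are assumptions made for the example.

```python
"""Added example: derive least-privilege grants and build TLS install options
for the DC/OS Couchbase service. Not the project's own code."""
import json
from typing import Any, Dict, List, Optional


def _version_tuple(dcos_version: str) -> tuple:
    """'1.11.3' -> (1, 11); only major.minor matter for the permission model."""
    parts = dcos_version.split(".")
    return int(parts[0]), int(parts[1])


def required_permissions(service_name: str, dcos_version: str) -> List[str]:
    """Return 'resource action' pairs the service account needs for TLS.

    DC/OS 1.10 only offers the blanket superuser grant; 1.11 and later let the
    grant be scoped to the service's own secrets plus the CA endpoints.
    """
    version = _version_tuple(dcos_version)
    if version < (1, 10):
        raise ValueError("transport encryption requires DC/OS Enterprise 1.10 or later")
    if version == (1, 10):
        return ["dcos:superuser full"]
    # Assumption for this example: a leading slash is dropped so the secret
    # path does not become 'default://name'.
    name = service_name.strip("/")
    return [
        f"dcos:secrets:default:/{name}/* full",
        f"dcos:secrets:list:default:/{name} read",
        "dcos:adminrouter:ops:ca:rw full",
        "dcos:adminrouter:ops:ca:ro full",
    ]


def grant_commands(service_account: str, service_name: str, dcos_version: str) -> List[str]:
    """Render the DC/OS Enterprise CLI commands that apply the grants."""
    return [
        f"dcos security org users grant {service_account} {perm}"
        for perm in required_permissions(service_name, dcos_version)
    ]


def _deep_merge(base: Dict[str, Any], extra: Dict[str, Any]) -> Dict[str, Any]:
    """Recursively merge 'extra' into a copy of 'base'; extra wins on conflicts."""
    merged = dict(base)
    for key, value in extra.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = _deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def install_options(service_account: str, secret_path: str,
                    extra: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Build the options JSON for 'dcos package install couchbase --options=...'.

    The operator's own options are merged in, but the result is checked so that
    transport encryption cannot be switched off by accident.
    """
    if not service_account or not secret_path:
        raise ValueError("service_account and service_account_secret are required for TLS")
    tls_options = {
        "service": {
            "service_account": service_account,
            "service_account_secret": secret_path,
            "security": {"transport_encryption": {"enabled": True}},
        }
    }
    options = _deep_merge(tls_options, extra or {})
    enabled = options["service"]["security"]["transport_encryption"]["enabled"]
    if enabled is not True:
        raise ValueError("supplied options disable transport_encryption")
    return options


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    for cmd in grant_commands("couchbase-principal", "couchbase", "1.11"):
        print(cmd)
    print(json.dumps(install_options("couchbase-principal",
                                     "couchbase/service-secret"), indent=2))
```

Write the returned dictionary to a file and pass it with `--options` to the install command; the grant commands print in the order the documentation lists them, so they can be piped straight into a shell on a cluster where the CLI is already authenticated.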
Secure ports
Couchbase uses the following ports; the TLS-secured listeners are marked (SSL):
8091: Couchbase Web console, REST/HTTP interface
8092: Views, queries, XDCR
8093: Query services (4.0+)
8094: Full-text Search (4.5+)
8095: Analytics (5.5+)
8096: Eventing (5.5+)
11207: Smart client library data node access (SSL)
11210: Smart client library/moxi data node access
11211: Legacy non-smart client library data node access
18091: Couchbase Web console, REST/HTTP interface (SSL)
18092: Views, query, XDCR (SSL)
18093: Query services (SSL) (4.0+)
18094: Full-text Search (SSL) (4.5+)
18095: Analytics (SSL) (5.5+)
18096: Eventing (SSL) (5.5+)
NOTE: Even if TLS is enabled, the non-TLS Couchbase ports stay open.
The important ports for clients to interact with Couchbase are 8091 (non-SSL) and 18091 (SSL).
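Because the plaintext listeners stay open alongside their TLS counterparts, a practitioner wants two checks after enabling transport encryption: which plaintext Couchbase ports a node still listens on (so they can be restricted at the network layer), and whether the TLS endpoint actually validates against the DC/OS CA. The script below is an added example, not part of the DC/OS Couchbase service or its documentation. It parses `ss -ltn` output (a constructed sample is embedded), maps each open plaintext port to its encrypted equivalent from the table above, and offers a verification function that opens a TLS connection to port 18091 with hostname and chain checking turned on. The CA file name `dcos-ca.crt` and the host name are assumptions.

```python
"""Added example: inventory plaintext Couchbase listeners and verify the TLS
endpoint against the DC/OS CA. Not the project's own code."""
import socket
import ssl
from typing import Dict, Iterable, Optional, Set

# Couchbase listeners as listed in the documentation: port -> (service, TLS?)
COUCHBASE_PORTS: Dict[int, tuple] = {
    8091: ("Web console / REST", False),
    8092: ("Views, query, XDCR", False),
    8093: ("Query", False),
    8094: ("Full-text search", False),
    8095: ("Analytics", False),
    8096: ("Eventing", False),
    11207: ("Smart client data (TLS)", True),
    11210: ("Smart client / moxi data", False),
    11211: ("Legacy non-smart client data", False),
    18091: ("Web console / REST (TLS)", True),
    18092: ("Views, query, XDCR (TLS)", True),
    18093: ("Query (TLS)", True),
    18094: ("Full-text search (TLS)", True),
    18095: ("Analytics (TLS)", True),
    18096: ("Eventing (TLS)", True),
}

# Constructed sample of `ss -ltn` output from a node with TLS enabled.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:8091        0.0.0.0:*
LISTEN  0       128     0.0.0.0:18091       0.0.0.0:*
LISTEN  0       128     0.0.0.0:11210       0.0.0.0:*
LISTEN  0       128     0.0.0.0:11207       0.0.0.0:*
LISTEN  0       128     0.0.0.0:11211       0.0.0.0:*
LISTEN  0       128     127.0.0.1:22        0.0.0.0:*
"""


def listening_ports(ss_output: str) -> Set[int]:
    """Extract the local port of every LISTEN line in `ss -ltn` output."""
    ports: Set[int] = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or unrelated line
        ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def tls_counterpart(port: int) -> Optional[int]:
    """TLS listener carrying the same service as a plaintext port, or None.

    The 809x HTTP ports pair with 1809x, the smart-client data port 11210
    pairs with 11207, and the legacy port 11211 has no encrypted equivalent.
    """
    if port == 11210:
        return 11207
    candidate = port + 10000
    if 8091 <= port <= 8096 and candidate in COUCHBASE_PORTS:
        return candidate
    return None


def plaintext_exposure(open_ports: Iterable[int]) -> Dict[int, Optional[int]]:
    """Open plaintext Couchbase ports mapped to their TLS counterpart.

    Ports not in the Couchbase table (e.g. sshd on 22) are ignored; a value
    of None flags a listener with no TLS alternative at all.
    """
    return {
        port: tls_counterpart(port)
        for port in sorted(open_ports)
        if port in COUCHBASE_PORTS and not COUCHBASE_PORTS[port][1]
    }


def verify_tls(host: str, port: int = 18091, ca_file: str = "dcos-ca.crt",
               timeout: float = 5.0) -> str:
    """Connect to the TLS port and return '<protocol> <subject CN>'.

    create_default_context() with the DC/OS CA as the only trust anchor
    verifies both the chain and the host name; a certificate not issued by
    the DC/OS CA raises ssl.SSLCertVerificationError instead of returning.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            subject = dict(rdn[0] for rdn in cert["subject"])
            return f"{tls.version()} {subject.get('commonName', '?')}"


if __name__ == "__main__":
    for port, tls_port in plaintext_exposure(listening_ports(SAMPLE_SS_OUTPUT)).items():
        alt = f"TLS equivalent on {tls_port}" if tls_port else "no TLS equivalent"
        print(f"plaintext {port:5d} ({COUCHBASE_PORTS[port][0]}): {alt}")
    # verify_tls("couchbase-0-server.couchbase.autoip.dcos.thisdcos.directory")
```

Run the inventory half against real `ss -ltn` output captured on a Couchbase node; every port it reports with a TLS counterpart is a candidate for a firewall rule, and 11211 only matters if legacy clients are still in use. Call `verify_tls` from a host that trusts the DC/OS CA: a successful return confirms the service certificate chains to that CA, which is exactly the trust relationship the documentation describes.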
TLS and Couchbase Sync Gateway
The Couchbase Sync Gateway also supports TLS on its inbound side. The following two lines must be added to your gateway configuration.
SSLCert: node.crt
SSLKey: node.key
...
Authentication
DC/OS Couchbase supports the Couchbase native authentication mechanism. More details can be found here.
NOTE: Non-native methods like LDAP and PAM are not supported at this time.
Authorization
DC/OS Couchbase service supports the Couchbase native authorization mechanism. More details can be found here.