Authenticating against Couchbase Server
As well as Role-Based Access Control (RBAC), Couchbase offers connection with Certificate Authentication, and works transparently with LDAP.
Our Getting Started guide covered the basics for authorizing against a Couchbase cluster, but you may need to use alternative authentication methods such as Certification.
RBAC
Our Getting Started guide introduced basic authentication against a Couchbase cluster:
Cluster cluster = Cluster.connect("127.0.0.1", "Administrator", "password");
If you need to provide custom options, the same credentials can be supplied to the ClusterOptions
:
Cluster cluster = Cluster.connect("127.0.0.1", clusterOptions("Administrator", "password"));
Note that this is actually just a convenience overload for the PasswordAuthenticator
, which can also be used directly to supply more advanced options.
PasswordAuthenticator authenticator = PasswordAuthenticator.builder().username("Administrator")
.password("password")
// enables only the PLAIN authentication mechanism, used with LDAP
.onlyEnablePlainSaslMechanism().build();
Cluster cluster = Cluster.connect("127.0.0.1", clusterOptions(authenticator));
In this example, the PLAIN
authentication mechanism is enabled as well, which is needed if LDAP is enabled on the server side and no TLS encrypted connection is used.
Unresolved include directive in modules/howtos/pages/sdk-authentication.adoc - include::6.5@sdk:shared:partial$auth-overview.adoc[]
Unresolved include directive in modules/howtos/pages/sdk-authentication.adoc - include::6.5@sdk:shared:partial$auth-overview.adoc[]
Authenticating the Java Client by Certificate
For sample procedures whereby certificates can be generated and deployed, see Manage Certificates. The rest of this document assumes that the processes there, or something similar, have been followed. That is, a cluster certificate has been created and installed on the server, a client certificate has been created, and it is stored in a JVM keystore along with the cluster’s certificate.
// should be replaced with your actual KeyStore
KeyStore keyStore = loadKeyStore();
CertificateAuthenticator authenticator = CertificateAuthenticator.fromKeyStore(keyStore, "keyStorePassword");
Cluster cluster = Cluster.connect("127.0.0.1", clusterOptions(authenticator));
In addition to providing the initialized KeyStore
directly, the CertificateAuthenticator
can also be initialized from a key store path, a key directly or a KeyManagerFactory
for maximum flexibility. Please see the API documentation for the CertificateAuthenticator
for more details.
Unresolved include directive in modules/howtos/pages/sdk-authentication.adoc - include::6.5@sdk:shared:partial$auth-overview.adoc[]
PasswordAuthenticator authenticator = PasswordAuthenticator.builder().username("Administrator")
.password("password")
// enables only the PLAIN authentication mechanism, used with LDAP
.onlyEnablePlainSaslMechanism().build();
Cluster cluster = Cluster.connect("127.0.0.1", clusterOptions(authenticator));
Note that .onlyEnablePlainSaslMechanism()
requires SDK 3.0.9 or newer.