Document bucket and scopes flags for credentials create cmd
Westwooo committed Feb 5, 2025
1 parent 70b36eb commit 2987825
Showing 2 changed files with 69 additions and 31 deletions.
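--- a/docs/commands/credentials.adoc
+++ b/docs/commands/credentials.adoc
@@ -83,6 +83,52 @@ Then you could create credentials using the username and password above as follo
 ```
 
 This can be useful to avoid entering the username and password multiple times when registering new clusters with the `cb-env register` command as shown https://couchbase.sh/docs/recipes/#_register_clusters[here].
+By default the created credentials will have access granted to all buckets/scopes on the active cluster.
+If you want to grant access to a specific bucket, this can be done using the bucket flag:
+
+[options="nowrap"]
+```
+👤 Charlie 🏠 remote
+> credentials create --read --write --registered --bucket travel-sample
+👤 Charlie 🏠 remote
+> credentials
+╭───┬──────────────────────────────────────┬───────────────┬─────────┬─────────────────────────────────────────────────────────╮
+│ # │ id │ name │ cluster │ access │
+├───┼──────────────────────────────────────┼───────────────┼─────────┼─────────────────────────────────────────────────────────┤
+│ 0 │ 4076108d-88d6-405c-84ab-e8842eec4166 │ Administrator │ remote │ ╭───┬───────────────┬───────────┬─────────────────────╮ │
+│ │ │ │ │ │ # │ bucket │ scopes │ privileges │ │
+│ │ │ │ │ ├───┼───────────────┼───────────┼─────────────────────┤ │
+│ │ │ │ │ │ 0 │ travel-sample │ ╭───┬───╮ │ ╭───┬─────────────╮ │ │
+│ │ │ │ │ │ │ │ │ 0 │ * │ │ │ 0 │ data_writer │ │ │
+│ │ │ │ │ │ │ │ ╰───┴───╯ │ │ 1 │ data_reader │ │ │
+│ │ │ │ │ │ │ │ │ ╰───┴─────────────╯ │ │
+│ │ │ │ │ ╰───┴───────────────┴───────────┴─────────────────────╯ │
+╰───┴──────────────────────────────────────┴───────────────┴─────────┴─────────────────────────────────────────────────────────╯
+```
+
+And if you want to limit access to specific scopes within that bucket then you can add the scopes flag:
+
+[options="nowrap"]
+```
+👤 Charlie 🏠 remote
+> credentials create --read --write --registered --bucket travel-sample --scopes [inventory tenant_agent_00]
+👤 Charlie 🏠 remote
+> credentials
+╭───┬──────────────────────────────────────┬───────────────┬─────────┬───────────────────────────────────────────────────────────────────────╮
+│ # │ id │ name │ cluster │ access │
+├───┼──────────────────────────────────────┼───────────────┼─────────┼───────────────────────────────────────────────────────────────────────┤
+│ 0 │ fe26b54f-165d-47d6-90ae-2f10ef3c6db1 │ Administrator │ remote │ ╭───┬───────────────┬─────────────────────────┬─────────────────────╮ │
+│ │ │ │ │ │ # │ bucket │ scopes │ privileges │ │
+│ │ │ │ │ ├───┼───────────────┼─────────────────────────┼─────────────────────┤ │
+│ │ │ │ │ │ 0 │ travel-sample │ ╭───┬─────────────────╮ │ ╭───┬─────────────╮ │ │
+│ │ │ │ │ │ │ │ │ 0 │ inventory │ │ │ 0 │ data_writer │ │ │
+│ │ │ │ │ │ │ │ │ 1 │ tenant_agent_00 │ │ │ 1 │ data_reader │ │ │
+│ │ │ │ │ │ │ │ ╰───┴─────────────────╯ │ ╰───┴─────────────╯ │ │
+│ │ │ │ │ ╰───┴───────────────┴─────────────────────────┴─────────────────────╯ │
+╰───┴──────────────────────────────────────┴───────────────┴─────────┴───────────────────────────────────────────────────────────────────────╯
+```
+
+Note that to use the scopes flag you must specify a bucket first, else the command will return an error.
 
 ==== `credentials drop`
 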
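--- a/src/cli/credentials_create.rs
+++ b/src/cli/credentials_create.rs
@@ -97,41 +97,33 @@ fn credentials_create(
 let bucket = call.get_flag(engine_state, stack, "bucket")?;
 let scopes_flag: Option<Value> = call.get_flag(engine_state, stack, "scopes")?;
 
-let scopes = if let Some(scopes) = scopes_flag {
-if bucket.is_none() {
-return Err(ShellError::GenericError {
-error: "--scopes cannot be used without specifying a bucket".to_string(),
-msg: "".to_string(),
-span: None,
-help: Some(
-"Use the --bucket flag to specify a bucket the credentials are allowed to access"
-.to_string(),
-),
-inner: vec![],
-});
-}
-
-match scopes {
-Value::String { val, .. } => {
-Ok(vec!(val))
-},
-Value::List { vals, .. } => {
-vals.iter().map(|v| v.as_str().map(|s| s.to_string())).collect()
-}
+let scopes = match scopes_flag {
+Some(_) if bucket.is_none() => Err(ShellError::GenericError {
+error: "--scopes cannot be used without specifying a bucket".to_string(),
+msg: "".to_string(),
+span: None,
+help: Some(
+"Use the --bucket flag to specify a bucket the credentials are allowed to access"
+.to_string(),
+),
+inner: vec![],
+}),
+Some(val) => match val {
+Value::String { val, .. } => Ok(vec![val]),
+Value::List { vals, .. } => vals
+.iter()
+.map(|v| v.as_str().map(|s| s.to_string()))
+.collect(),
 _ => Err(ShellError::GenericError {
-error: "--scopes cannot be used without specifying a bucket".to_string(),
+error: "failed to parse scopes".to_string(),
 msg: "".to_string(),
 span: None,
-help: Some(
-"Use the --bucket flag to specify a bucket the credentials are allowed to access"
-.to_string(),
-),
+help: Some("--scopes must be a string or a list of strings".to_string()),
 inner: vec![],
-})
-}?
-} else {
-vec!["*".to_string()]
-};
+}),
+},
+None => Ok(vec!["*".to_string()]),
+}?;
 
 if !read && !write {
 return Err(ShellError::GenericError {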
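Review bot: The `Value::List` arm accepts an empty list and the `Value::String` arm an empty string, so `--scopes []` or `--scopes ""` passes this match and `scopes` ends up empty or holding a blank name. Whether the create request then fails or is applied more broadly than the user intended is decided outside this hunk and should be confirmed. Since the flag exists to narrow what a credential can reach, rejecting those inputs here keeps the failure explicit, for example a guard arm `Value::List { vals, .. } if vals.is_empty() => Err(...)` placed ahead of the existing list arm and reusing the "failed to parse scopes" error. The new error arm also sets `span: None`; passing the flag value's span would point the message at the offending argument. `credentials_create` begins before and continues after this hunk.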
