Hi,
I am using the Eventing REST API getAppLog in Couchbase 6.6, as documented here: Eventing REST API | Couchbase Docs
What user permissions are required for the user:
curl -XGET http://Administrator:password@192.168.1.5:8096/getAppLog?name=[sample_name]
Must it be full admin?
In my environment, the call only succeeded with a full admin user.
Regards,
Faris
Hi @FarisAhmed, the behavior depends on the version; let me explain:
- In Couchbase 5.5 through 6.6 Eventing runs as the Administrator user; here only the Administrator user can have access to the logs (and create and manage Eventing functions).
- In Couchbase 7.0 we introduced the “Eventing Full Admin” role, which disallows the ability to create or modify security credentials and thus protects against privilege escalation; this role can also access the application logs (and create and manage Eventing functions).
- In Couchbase 7.1 Eventing functions can now run as any RBAC user; thus, if a user has the proper RBAC privileges, they can access those Eventing application logs for the Eventing Scope (a bucket+scope tuple) in which they are authorized to create and manage Eventing Functions.
For 5.5 through 7.0 the Application log of an Eventing function is considered an Administrator level artifact and thus only accessible by those roles; this restriction is of course lifted in 7.1 because Eventing Functions can now be created by any user granted the proper RBAC credentials for the collections of data that the function operates on.
IMHO 7.1 will really open up the use of Eventing, as it gives granular security control by not requiring admin privileges across all data.
Best
Jon Strabala
Principal Product Manager - Server
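
The version rules from the answer above, written as a least-privilege check (an added example, not code from the thread or from Couchbase). The role identifiers `admin`, `eventing_admin` and `eventing_manage_functions`, the `bucket_name`/`scope_name` fields with `*` as a wildcard, and all sample values are assumptions constructed for illustration.

```python
# Added example: decides whether a user's roles should allow reading an
# Eventing application log (getAppLog) on a given server version.
ADMIN = "admin"                                 # Full Admin (assumed identifier)
EVENTING_ADMIN = "eventing_admin"               # "Eventing Full Admin", 7.0+ (assumed)
SCOPED_EVENTING = "eventing_manage_functions"   # scoped Eventing role, 7.1+ (assumed)


def parse_version(text):
    """'7.1.0-2556-enterprise' -> (7, 1)"""
    major, minor = text.split("-")[0].split(".")[:2]
    return int(major), int(minor)


def scope_matches(role, bucket, scope):
    """A role entry covers bucket+scope if each part is equal or the '*' wildcard."""
    return (role.get("bucket_name", "") in (bucket, "*")
            and role.get("scope_name", "") in (scope, "*"))


def can_read_app_log(version, roles, bucket=None, scope=None):
    """Return (allowed, reason). bucket/scope name the function's Eventing Scope."""
    ver = parse_version(version)
    names = {r["role"] for r in roles}
    if ADMIN in names:
        return True, "Full Admin"
    if ver >= (7, 0) and EVENTING_ADMIN in names:
        return True, "Eventing Full Admin"
    if ver >= (7, 1):
        for r in roles:
            if r["role"] == SCOPED_EVENTING and scope_matches(r, bucket, scope):
                return True, "scoped Eventing role on %s.%s" % (bucket, scope)
    return False, "no role grants application log access on this version"


if __name__ == "__main__":
    # Constructed sample: a non-admin user holding one scoped Eventing role.
    roles = [{"role": SCOPED_EVENTING,
              "bucket_name": "travel-sample", "scope_name": "inventory"}]
    for version in ("6.6.0-7909-enterprise", "7.0.3-7031-enterprise",
                    "7.1.0-2556-enterprise"):
        print(version, can_read_app_log(version, roles, "travel-sample", "inventory"))
```

A denied result on 6.6 with anything less than Full Admin matches what the question reports.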