How to assign ROLES in _user DB for Cloudant

Question

How do I add Roles to users in the Cloudant user database?(_users) I have not been able to sort this out using Google or Cloudant Docs. I see some mention of a Cloudant _user db and have not found how to use it.

I have built an API with nodejs and express. with

const { CloudantV1 } = require('@ibm-cloud/cloudant');
const { BasicAuthenticator } = require('ibm-cloud-sdk-core');

I am able to create ApiKeys and assign roles with service.putCloudantSecurityConfiguration().

result of service.getSecurity() below:

cloudant: {
'apikey-01beebbe10ae46ad9e86cc16a2937939': [ '_replicator', '_writer', '_reader' ],
'apikey-3044abd26f324792a8be5809a5521400': [ '_writer', '_reader' ],
'apikey-8d98aa26f1d246f6b736f313bd45d630': [ '_writer', '_reader' ],
'apikey-231cdadcf38945e9ab48125adddc0fdb': [],
'apikey-7ec3ebdd9c5b4aa691685fae251a255d': [ '_writer', '_reader' ],
'apikey-061e3a0ae05d486583dda500ee6685f6': [ '_writer', '_reader' ],
'apikey-0324472243bd4c0da6ea6e9022e102c8': [ '_writer', '_reader' ]

}

When I look at the service.getSessionInformation(); result, I see:

"result": {
  "userCtx": {
    "roles": [],
    "name": "apikey-01beebbe10ae46ad9e86cc16a2937939"
  },
  "ok": true,
  "info": {
    "authentication_handlers": [
      "iam",
      "cookie",
      "default",
      "local"
    ],
    "authenticated": "default",
    "authentication_db": "bm-cc-us-south-18/users"
  }
}

Roles array empty!

I want to use these new apikey credentials with Pouchdb as in:

    localDB.replicate.to(https://<apikey>:<pass>@<cloudantURL>/<dbname>
    ).on('complete', function () {
      // yay, we're done!
    }).on('error', function (err) {
      // boo, something went wrong!
    });

I get error:

message: "You are not authorized to access this db."

Thanks for your help.

Answer 1

Glenn's answer is good, for my case there are extra user objects. This was after month of back and forth with Cloudant Help. I needed to delete the extra user objects in the response from "service.getSecurity({"

delete response.result.cloudant['nobody'];
delete response.result['members'];

The only object that I need is the "cloudant"

Answer 2

Cloudant, as you have discovered, allows you to create api-key/password pairs that have access to one or more databases. You can set the permissions for each API Key against each database, as you have done already.

The GET /session endpoint (which you are accessing with the service.getSessionInformation() JavaScript function) doesn't return the API key's permissions in the roles array, but don't be put off - your API key does have the permissions you defined in the first step, so you should be able to read/write/query data as normal with that API key.

Note that this authentication mechanism is separate to the CouchDB-style _users database.

---

e.g with PouchDB

const PouchDB = require('pouchdb')
const db = new PouchDB('test')
const username = 'apikey-somevalue'
const password = 'somepassword'
const hostname = 'myhost.cloudant.com'
const dbname = 'pouch'
const remoteDB = `https://${username}:${password}@${hostname}/${dbname}`
    
db.sync(remoteDB).on('complete', async function () { 
 console.log('done')
 const docs = await db.allDocs()
 console.log(docs)
}).on('error', function (err) {
  console.error(err)
});