| 1 | +'\" t |
| 2 | +.\" Title: couchbase-cli-setting-master-password |
| 3 | +.\" Author: Couchbase |
| 4 | +.\" Generator: Asciidoctor 1.5.8 |
| 5 | +.\" Date: 2021-06-15 |
| 6 | +.\" Manual: Couchbase CLI Manual |
| 7 | +.\" Source: Couchbase CLI 1.0.0 |
| 8 | +.\" Language: English |
| 9 | +.\" |
| 10 | +.TH "COUCHBASE\-CLI\-SETTING\-MASTER\-PASSWORD" "1" "2021-06-15" "Couchbase CLI 1.0.0" "Couchbase CLI Manual" |
| 11 | +.ie \n(.g .ds Aq \(aq |
| 12 | +.el .ds Aq ' |
| 13 | +.ss \n[.ss] 0 |
| 14 | +.nh |
| 15 | +.ad l |
| 16 | +.de URL |
| 17 | +\fI\\$2\fP <\\$1>\\$3 |
| 18 | +.. |
| 19 | +.als MTO URL |
| 20 | +.if \n[.g] \{\ |
| 21 | +. mso www.tmac |
| 22 | +. am URL |
| 23 | +. ad l |
| 24 | +. . |
| 25 | +. am MTO |
| 26 | +. ad l |
| 27 | +. . |
| 28 | +. LINKSTYLE blue R < > |
| 29 | +.\} |
| 30 | +.SH "NAME" |
| 31 | +couchbase\-cli\-setting\-master\-password \- Manages the Couchbase master password |
| 32 | +.SH "SYNOPSIS" |
| 33 | +.sp |
| 34 | +.nf |
| 35 | +\fIcouchbase\-cli setting\-master\-password\fP [\-\-cluster <url>] [\-\-username <user>] |
| 36 | + [\-\-password <password>] [\-\-new\-password <password>] [\-\-rotate\-password] |
| 37 | +.fi |
| 38 | +.br |
| 39 | +.SH "DESCRIPTION" |
| 40 | +.sp |
| 41 | +Couchbase Server Enterprise Edition has a "Secret Management" feature, which |
| 42 | +allows users to securely encrypt passwords and other sensitive configuration |
| 43 | +information that is stored on disk. These secrets must be stored in a secure |
| 44 | +way; and access must be controlled, to reduce the risk of accidental exposure. |
| 45 | +By using Secret Management in Couchbase Server, secrets are written to disk |
| 46 | +in encrypted format. To decrypt these secrets, Couchbase requires entry of a |
| 47 | +"master password", which is supplied by the user during server startup. This |
| 48 | +master password can be passed to the server using the couchbase\-cli |
| 49 | +master\-password command. |
| 50 | +.sp |
| 51 | +By default, the Secret Management feature is disabled. To enable the feature, |
| 52 | +you must first set the master password. Once a master password is set, the |
| 53 | +user is required to enter it when the server starts up. This can be done by |
| 54 | +setting the environment variable CB_MASTER_PASSWORD=<password> during server |
| 55 | +startup. |
| 56 | +.SH "OPTIONS" |
| 57 | +.sp |
| 58 | +\-c, \-\-cluster |
| 59 | +.RS 4 |
| 60 | +Specifies the hostname of a node in the cluster. See the HOST FORMATS |
| 61 | +section for more information on specifying a hostname. |
| 62 | +.RE |
| 63 | +.sp |
| 64 | +\-u, \-\-user <username> |
| 65 | +.RS 4 |
| 66 | +Specifies the username of the user executing the command. If you do not have |
| 67 | +a user account with permission to execute the command then it will fail with |
| 68 | +an unauthorized error. |
| 69 | +.RE |
| 70 | +.sp |
| 71 | +\-p, \-\-password <password> |
| 72 | +.RS 4 |
| 73 | +Specifies the password of the user executing the command. If you do not have |
| 74 | +a user account with permission to execute the command then it will fail with |
| 75 | +an unauthorized error. If this argument is specified, but no password is |
| 76 | +given then the command will prompt the user for a password through |
| 77 | +non\-echoed stdin. You may also specify your password by using the |
| 78 | +environment variable CB_REST_PASSWORD. |
| 79 | +.RE |
| 80 | +.sp |
| 81 | +\-\-rotate\-data\-key |
| 82 | +.RS 4 |
| 83 | +Secrets are encrypted using a data key file, which is a unique key that is |
| 84 | +stored on disk for each server. To open this file, the master password is |
| 85 | +used to generate a key which decrypts the contents of the data key file. |
| 86 | +The contents of the decrypted data key file can then be used to decrypt |
| 87 | +secrets. Some users may want to generate a new data key file periodically, |
| 88 | +to increase security. This option is used to generate a new data key file. |
| 89 | +.RE |
| 90 | +.sp |
| 91 | +\-\-new\-password |
| 92 | +.RS 4 |
| 93 | +Sets a new master password for the server specified. The user may specify |
| 94 | +this password on the command line, or through non\-echoed stdin. To specify |
| 95 | +the password through non\-echoed stdin, do not provide a value for this |
| 96 | +option. The user will then be prompted to enter the password. |
| 97 | +.RE |
| 98 | +.SH "HOST FORMATS" |
| 99 | +.sp |
| 100 | +When specifying a host for the couchbase\-cli command the following formats are expected: |
| 101 | +.sp |
| 102 | +.RS 4 |
| 103 | +.ie n \{\ |
| 104 | +\h'-04'\(bu\h'+03'\c |
| 105 | +.\} |
| 106 | +.el \{\ |
| 107 | +. sp -1 |
| 108 | +. IP \(bu 2.3 |
| 109 | +.\} |
| 110 | +\f(CRcouchbase://<addr>\fP |
| 111 | +.RE |
| 112 | +.sp |
| 113 | +.RS 4 |
| 114 | +.ie n \{\ |
| 115 | +\h'-04'\(bu\h'+03'\c |
| 116 | +.\} |
| 117 | +.el \{\ |
| 118 | +. sp -1 |
| 119 | +. IP \(bu 2.3 |
| 120 | +.\} |
| 121 | +\f(CR<addr>:<port>\fP |
| 122 | +.RE |
| 123 | +.sp |
| 124 | +.RS 4 |
| 125 | +.ie n \{\ |
| 126 | +\h'-04'\(bu\h'+03'\c |
| 127 | +.\} |
| 128 | +.el \{\ |
| 129 | +. sp -1 |
| 130 | +. IP \(bu 2.3 |
| 131 | +.\} |
| 132 | +\f(CRhttp://<addr>:<port>\fP |
| 133 | +.RE |
| 134 | +.sp |
| 135 | +It is recommended to use the couchbase://<addr> format for standard |
| 136 | +installations. The other two formats allow an option to take a port number which |
| 137 | +is needed for non\-default installations where the admin port has been set up on |
| 138 | +a port other that 8091. |
| 139 | +.SH "EXAMPLES" |
| 140 | +.sp |
| 141 | +To use the Secret Management feature, the first thing you need to do is set a |
| 142 | +password on each node of the cluster. To do this, install and start Couchbase, |
| 143 | +but don\(cqt go through the setup process or initialize the cluster. Once |
| 144 | +Couchbase has started, run the following command to set the master password |
| 145 | +for your server. |
| 146 | +.sp |
| 147 | +.if n .RS 4 |
| 148 | +.nf |
| 149 | +$ couchbase\-cli setting\-master\-password \-c 127.0.0.1 \-u Administrator \(rs |
| 150 | + \-p password \-\-new\-password password |
| 151 | +.fi |
| 152 | +.if n .RE |
| 153 | +.sp |
| 154 | +Once the master password is configured restart the server. Upon restarting the |
| 155 | +cluster you will notice that the server doesn\(cqt fully start. This is because it |
| 156 | +is waiting for you to enter the master password. You can do this by running the |
| 157 | +command below. The master\-password subcommand has to be run locally on the node |
| 158 | +that is waiting for the master password. |
| 159 | +.sp |
| 160 | +.if n .RS 4 |
| 161 | +.nf |
| 162 | +$ couchbase\-cli master\-password \-\-send\-password password |
| 163 | +.fi |
| 164 | +.if n .RE |
| 165 | +.sp |
| 166 | +Note you can also use the CB_MASTER_PASSWORD=<password> environmental variable |
| 167 | +to pass the password to the node during startup. |
| 168 | +.SH "ENVIRONMENT AND CONFIGURATION VARIABLES" |
| 169 | +.sp |
| 170 | +CB_REST_USERNAME |
| 171 | +.RS 4 |
| 172 | +Specifies the username to use when executing the command. This environment |
| 173 | +variable allows you to specify a default argument for the \-u/\-\-username |
| 174 | +argument on the command line. |
| 175 | +.RE |
| 176 | +.sp |
| 177 | +CB_REST_PASSWORD |
| 178 | +.RS 4 |
| 179 | +Specifies the password of the user executing the command. This environment |
| 180 | +variable allows you to specify a default argument for the \-p/\-\-password |
| 181 | +argument on the command line. It also allows the user to ensure that their |
| 182 | +password are not cached in their command line history. |
| 183 | +.RE |
| 184 | +.SH "SEE ALSO" |
| 185 | +.sp |
| 186 | +\fBcouchbase\-cli\-master\-password\fP(1), |
| 187 | +\fBcouchbase\-cli\-cluster\-init\fP(1), |
| 188 | +\fBcouchbase\-cli\-server\-add\fP(1) |
| 189 | +.SH "COUCHBASE\-CLI" |
| 190 | +.sp |
| 191 | +Part of the \fBcouchbase\-cli\fP(1) suite |
| 192 | +.SH "AUTHOR" |
| 193 | +.sp |
| 194 | +Couchbase |
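Review bot: The option names in SYNOPSIS do not match those in OPTIONS. The synopsis lists [--rotate-password] and [--username <user>], while OPTIONS documents --rotate-data-key and "-u, --user <username>", and the CB_REST_USERNAME entry refers to -u/--username. Please use the spelling the command actually accepts in all three places, so that a reader copying from the synopsis does not get a flag the tool rejects. In EXAMPLES, both commands put secrets in argv ("-p password --new-password password" and "--send-password password"), even though OPTIONS says that omitting the value prompts on non-echoed stdin and the CB_REST_PASSWORD entry is described as keeping passwords out of command line history. Consider showing the prompt form in the first example (--new-password with no value) and pointing to CB_REST_PASSWORD for -p. Two typos: "a port other that 8091" should be "other than 8091", and "their password are not cached" should be "their password is not cached".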