CouchDB / COUCHDB-263

require valid user for all database operations

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 0.9
    • Fix Version/s: 0.10
    • Component/s: HTTP Interface
    • Labels:
      None
    • Environment:

      All platforms.

      Description

      Admin accounts currently restrict a few operations, but leave all other operations completely open. Many use cases will require all operations to be authenticated. This can certainly be done by overriding the default_authentication_handler, but I think this very common use case can be handled in default_authentication_handler without increasing the complexity much.

      Attached is a patch which adds a new config option, "require_valid_user", which restricts all operations to authenticated users only. Since CouchDB currently only has admins, this means that all operations are restricted to admins. In a future CouchDB where there are also normal users, the intention is that this would let them pass through as well.

      1. couchauth.diff
        1 kB
        Jack Moffitt

        Activity

        Jack Moffitt added a comment -

        Patch to add require_valid_user to httpd config section.

        Damien Katz added a comment -

        This patch looks okay, but we actually need something like this at the database level, the ability to say who can and can't access a database, and the ability to disallow anonymous access.

        Damien Katz added a comment -

        Hmmm, on second thought, we do need this both as a server-wide setting and at the database level.

        However, this check and throwing exceptions for authenticated users should not be done in the authentication function, but by the caller of the auth function, so the setting works with all auth handlers.

        Also, it would be nice to have a more complete solution with more settings: allowed users, disallowed users and allow anonymous.

        Curt Arnold added a comment -

        References on http://wiki.apache.org/couchdb/Authentication_and_Authorization. Similar to VALID-USER authorization use case.

        Jason Davies added a comment -

        I've absorbed this patch into my oauth branch at http://github.com/jasondavies/couchdb/tree/oauth.

        I've modified it as follows:

        1. The setting has been moved to [couch_httpd_auth] require_valid_user = true
        2. The setting affects all authentication handlers instance-wide. If none of them set user_ctx, then a 401 error is returned when require_valid_user = true.
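
The behaviour described in the comment above, with the check placed in the caller of the auth handlers as suggested earlier in the thread, modelled in Python as an added example. It is not part of the thread and not CouchDB's Erlang code; the handler names, the `ADMINS` table and the `basic_header` and `status_for` helpers are assumptions made for the illustration.

```python
import base64
import hmac

# Constructed sample data for this model; not CouchDB's storage format.
ADMINS = {"admin": "s3cret-sample"}

class Unauthorized(Exception):
    status = 401

def basic_header(user, password):
    """Build a Basic Authorization header value (helper for trying the model)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def basic_auth_handler(request):
    """Return a user_ctx for valid Basic credentials, None if none were sent."""
    header = request.get("Authorization", "")
    if not header.startswith("Basic "):
        return None  # this handler has nothing to say; try the next one
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:
        raise Unauthorized("malformed Authorization header")
    expected = ADMINS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        raise Unauthorized("name or password is incorrect")
    return {"name": user, "roles": ["_admin"]}

def null_handler(request):
    """A handler that never sets user_ctx (stands in for any other scheme)."""
    return None

def authenticate(request, handlers, config):
    """Caller-side check: enforce require_valid_user after all handlers ran."""
    for handler in handlers:
        user_ctx = handler(request)
        if user_ctx is not None:
            return user_ctx
    required = config.get("couch_httpd_auth", {}).get("require_valid_user") == "true"
    if required:
        raise Unauthorized("authentication required")
    return {"name": None, "roles": []}  # anonymous request is let through

def status_for(request, handlers, config):
    """HTTP status the model would answer with: 200 or 401."""
    try:
        authenticate(request, handlers, config)
        return 200
    except Unauthorized as exc:
        return exc.status
```

Because the check sits in `authenticate` and not in any one handler, adding another handler to the list does not require repeating it.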

        Jan Lehnardt added a comment -

        Fixed in r800938 as part of COUCHDB-420.


          People

          • Assignee:
            Unassigned
            Reporter:
            Jack Moffitt
          • Votes:
            1
            Watchers:
            2
