The patch could check for either the _admin or _externals role right now. (IIRC, roles prefixed with underscore in user documents are a validation error.)
A future step is Jan's idea to apply the _externals role to some requests that arrive. For example:
1. When spawning an external, CouchDB generates random UUIDs for a username and password, and passes those along as environment. Those are associated with that child process.
2. An authentication handler checks whether query credentials match those assigned to any externals.
3. If they match, the "_external" role is assigned. (And incidentally, the "source" field is already known.)
(Iris Couch uses an authentication handler similar to this already. I will donate the code if it is wanted.)
P.S. "Logging" is a privilege, whereas "an external program" is more properly a role, in a role-based access control system. So I like "_external" as a role name.