I am having CouchDB installed in a developer environment and exposed the port to public. I have also added admin party. So if I go to http://ip:5984/_utils its asking for username and password which is expected.
However, if I make the direct request with my db name for example http://ip:5984/{dbname} then its returning json value and also I am able to access this data also via same get request. Am I doing anything wrong here?
It sounds like you need to set up the database's security document to control which users have what access. Be sure to read the entire document on security so you have a complete understanding of CouchDB's security model, and how to configure it.
Correct me if I'm wrong but you probably meant that you Removed the admin party?
If so, removing admin party only disable annonymous users from doing admin operations. They can still access database.
If you want to restrict access only to authenticated users, you MUST set this configuration value:
[couch_httpd_auth]
require_valid_user = true
Otherwise, you can set per database permissions (see Database Security)
Related
I'm using strapi.
User registered with local api getting all data same as super admin.
How to implement or which plugin setting restricts, non-admin user to access data that he has added. (Similar to author-admin role)
This depends. Do you mean access their own data via the default Strapi backend? if yes, you could give them the Author role. Authors can always onle edit their own content.
If you mean access via REST API, you should be able to accomplish this with a policy, where you can restrict specific access based on your code entirely.
I am very new to the CouchDB world! I have a database that can be read by all users, and also can edit the docs except for the design docs. Is there a way I can make a specific user edit only the doc that was created by him/her. I am using CouchApp nd the jquery.couch.js plugin
CouchDB doesn't have per-document permissions, only per-database permissions. If you grant write access to a user, he has write access to all the documents in the database.
Assuming you avoid making all users admin and that you use CouchDB's build-in authentication mechanism, I think that's the default behaviour.
For creating regular users, see Creating regular users in CouchDB.
For more details about how the user authentication and authorization actually works, see Security Features Overview, specifically the section below "Authentication database", which outlines the built in rules in CouchDB.
Only admin users can create new users, but there's nothing stopping your from having a program logging in and doing it automatically (using an admin user, this is assuming you are looking for some kind of "Registration" process where you would do for instance email validation through some other software of yours).
I've been playing with Iris Couch using Futon, curl and reading the CouchDB security Wiki page and I'm a little confused about readers, admins & server admins.
Am I correct in saying that the "Create Server Admin" pop-up in Futon isn't actually creating a server admin, (the wiki mentions this is only done by editing a local.ini file)?
What you're really doing is creating documents in the _users database - giving users a username & password to authenticate with, after which their name or role is compared to any names/roles defined against a database security object?
Also, I noticed that the "require_valid_user" is set to false by default, so assuming Iris Couch has a server admin, does this mean that although users have to provide their username/password to authenticate - they're validated as anonymous, so no comparison is made against any database-defined security?
If I want to restrict a user to a specific database, do I need the "require_valid_user" setting to be set to true?
Cheers
When you use the "Create server admin" popup form, that is the same as editing the .ini files. (Internally, Futon will query the a /_config URL which is an HTTP API to edit the .ini files.)
The _users database is the authoritative location for all user acounts, their passwords, and their roles. When a user queries CouchDB with a password (or with a session cookie), that name and role will be used to grant or deny their query. The decision of whether to allow or disallow their query is made by checking the _security object in the database first. They must be in the "readers" section: either their name is in the "names" list, or their role must be in the "roles" list.
I recommend that you avoid the require_valid_user option. It is for very specialized situations.
You can have database-specific users and roles. You need to modify the _security "document" for a given database. It's also documented here on the wiki.
In response to a question I asked about a week ago I changed our database engine to only accept Windows Authentication instead of SQL Authentication. Because our code runs in a different user context then that of the database connection we need to specify the username and password information in order for us to connect to the database. How do we do this using a ConnectionString? Remember, we are not using SQL Authentication anymore.
Thanks,
On your SQL Server instance, you need to add the domain group under the Security node (the one in the main server group, not in the individual databases). Under that node, the end result would be an item that resembles
<Your Domain>\Domain Users
Then in your application (Windows or Web) connection strings you want to set integrated security to be TRUE, and elsewhere, you need to set Impersonation to also be True. I am being vague here because the methods vary by application type.
Hopefully that sets you on the correct path.
Since you are using only Windows authentication, you can't in the connection string. The calling process will need to impersonate a windows principle (user) with the relevant access permissions.
Is user profiles an appropriate place to store things like number of items per page in a custom grid user selected? (I you can store it in the view, but it won't be per user this way).
My first though was to store these settings in user profiles, but there are problems with access permissions for programmatically creating user profile properties boiling down to you either have to give every user 'Manager User Profiles' permission in SSP or you have to run the application pool under a domain user, not NETWORK SERVICE. Both scenarios are unrealistic for me, so I'm now looking for another way to store such 'per user' settings.
Thanks!
Edit: I'm now considering ASP.NET profile mechanism with an additional DB to store user properties.
Given that the information is not sensitive a simple database with values stored against AD login should suffice.
And as you have the ASP.Net user database already, storing the information there would be the best option.
Maybe a Global List, that is only accessible for the SHAREPOINT\SYSTEM User and that you can then Query in a SPSecurity.RunWithElevatedPrivileges Function.
Disadvantage: You require Custom code to read/write to that list.
Cookie?
Sure they have limitations, but it is fairly easy to create the control to run javascript to add/edit the value