I did read http://guide.couchdb.org/draft/security.html and
and the previous question
CouchDB Authorization on a Per-Database Basis
and
http://wiki.apache.org/couchdb/Security_Features_Overview
I am currently using Apache CouchDB 1.2.0 and via futon the adding an admin result in
adding a user at _users for example
_id
org.couchdb.user:stackoverflow
_rev
1-b9f223532b662d4ac52d14082d81e6a5
name
stackoverflow
password
null
roles
[ ]
type
user
So the first question is why the admin is added as type user and not admin is puzzling. This users are admin as they can do anything in any database and the role is empty BUT I did protect the _users document with
["admin"]
roles as the only members and only admins can access this (even if their role in the _users document is empty).
This protection does not allow new "normal" users to be created so the futon "signup" command will return Signup error: You are not authorized to access this db.
I think this setup is the only logical one. Why would you want anyone to be able to create a user on your database ??
Even if you specify read access in a db to be only for one admin every admin can access it
(
" admins" : {
"names" : ["guru"],
"roles" : ["boss"]
},
"readers" : {
"names" : ["guru"],
"roles" : ["boss"]
}
}
the above case has no impact on the newly created stackoverflow admin as per above example.
So my assumption is that admins created via futon can do everything and anything regardless. The only confusing logical part is the _users documents where they have no special type (they are users) nor a special role.
So back to the concrete question:
- when adding an admin via futon why is it not marked as admin inside the _users document and how does CouchDB from that document determine that it is a wide system admin?
- if you want to create a normal user WITHOUT allowing them to signup (via futon or direct HTTP Request) you have to protect the _users document. Yet how would you go to create yourself a user to read/write on his own database ?
- As the user (per CouchDB Docs) will have the read/write rights on a DB but not the possibility to create design documents how can he really use it efficiently as views will be needed for anyone developing using the DB?
It should be possible to have a normal, simply multi hosting without jeopardizing security as there is a shared CouchDB offering at http://www.iriscouch.com/ so I just don't understand how logically you would structure a simple service where a user has his own database and can do anything but just on this database. As the admin role is anyway "user" how would you distinguish them from a non admin in the _users table ?
Why is the admin added as a normal user and not an admin?
CouchDB is similar to Windows's Active Directory, or Unix NIS and LDAP: most users have "normal" accounts, however the admin account (e.g. Windows "Administrator", or Unix "root") does not use the normal accounting system, but rather a much simpler system (the local.ini config file).
If the account and authentication system ever has a problem, you can still log in as the admin and fix it.
Do I need to add the "_admin" role to a user?
No, the admin role (the role "_admin") does not come from the user's document, but only from the configuration, in the "admins" section.
How come all admins can read the database?
By creating an admin in the global configuration (either editing the local.ini file, or using Futon's "Configuration" tab, or clicking the "Fix this" link in Admin Party), you created a system admin. System admins have access to all data, always (similar to Windows Administrator and Unix root).
CouchDB supports database admins which are normal users. Those users have admin access only to a database, not to anything else, such as other databases, or the server config. Database admins are set in the "Security" section, by adding a user's name or role to the "Admins" lists.
The concrete question: - when adding an admin via futon why is it not marked as admin inside the _users document and how does CouchDB from that document determine that it is a wide system admin?
When adding an admin via Futon, two things happen
A normal user is created (with no valid password in fact)
The same user name is added to the system configuration "admins" section. GET /_config/admins/the_username to see it. (That's what Futon's configuration tab does.)
In other words, CouchDB does not know it is a wide system admin from the document but rather from the config. If you delete that config entry, the user is "demoted" back to a normal user.
Side note about Iris Couch
It can be a little confusing at first, but the CouchDB user and security system is pretty simple and powerful once you learn it. But each Iris Couch users have entire CouchDB servers. If you sign up, you have an account at Iris Couch, but you have an entire CouchDB server to use. Inside that server, you can create multiple users for your own applications.
Related
I'm managing a multiuser app using Ionic 3.x, PouchDB, CouchDB and a node.js server running Superlogin. The app is steadily growing and I want to introduce a new feature.
My app has normal users and superusers. Each normal and superuser in my application gets it's own user database. There is also a shared database, let's call it the generaldb.
And here's my problem: Both users can create documents. These documents are synced to the userdb as well as to the general db. These documents have, amongst other things, a keyword (e.g. "colour": "green"). Superusers have access to a specific key. (In the above example that would mean that there are for example 5 superusers who can access the key green.)
Now, no normal user should be able to read, update or write other user's documents on the generaldb. Superusers should be able to read, update or write documents in the generaldb depending on which key they have access to. But they should not be allowed to change documents that don't match their key.
How can I restrict access for normal users in the generaldb, so that only documents created by themselves are synced to their devices and so that they couldn't change other users documents?
How can I ensure, superusers can change normal users documents, as long as they have access to the correct key?
How can I ensure superusers cannot change their own key, so that when number 2 is accomplished, they cannot manually work around the system?
One of the ideas of mine is to only let the users access their own db and have the shared db only accessible by superusers and then do a filtered replication of the userdb to the shared db. But this only solves 1 and seems very inefficient.
I'm just want to create a standalone application with CouchDB back-end, but I don't know if I can add a new (ordinary) user without using admin credentials.
In the documentation I just got information about creating an admin user and existing user's permissions:
Only administrators may browse list of all documents (GET
/_users/_all_docs) Only administrators may listen to changes feed
(GET /_users/_changes)
Only administrators may execute design functions like views, shows and
others
There is a special design document _auth that cannot be modified
Every document except the design documents represent registered
CouchDB users and belong to them
Users may only access (GET /_users/org.couchdb.user:Jan) or modify
(PUT /_users/org.couchdb.user:Jan) documents that they own
Here is the relevant part of documentation.
Short answer:
YES, you can
Makes no sense in a registration if you have to use admin credentials to create your account. Anyway, here is an example:
https://serverfault.com/questions/742184/couchdb-user-creation-without-authentication-standard-behavior
In this topic also can be useful this articol:
http://www.staticshin.com/programming/easy-user-accounts-management-with-couchdb
One more tip:
Creating regular users in CouchDB
I am very new to the CouchDB world! I have a database that can be read by all users, and also can edit the docs except for the design docs. Is there a way I can make a specific user edit only the doc that was created by him/her. I am using CouchApp nd the jquery.couch.js plugin
CouchDB doesn't have per-document permissions, only per-database permissions. If you grant write access to a user, he has write access to all the documents in the database.
Assuming you avoid making all users admin and that you use CouchDB's build-in authentication mechanism, I think that's the default behaviour.
For creating regular users, see Creating regular users in CouchDB.
For more details about how the user authentication and authorization actually works, see Security Features Overview, specifically the section below "Authentication database", which outlines the built in rules in CouchDB.
Only admin users can create new users, but there's nothing stopping your from having a program logging in and doing it automatically (using an admin user, this is assuming you are looking for some kind of "Registration" process where you would do for instance email validation through some other software of yours).
I've been playing with Iris Couch using Futon, curl and reading the CouchDB security Wiki page and I'm a little confused about readers, admins & server admins.
Am I correct in saying that the "Create Server Admin" pop-up in Futon isn't actually creating a server admin, (the wiki mentions this is only done by editing a local.ini file)?
What you're really doing is creating documents in the _users database - giving users a username & password to authenticate with, after which their name or role is compared to any names/roles defined against a database security object?
Also, I noticed that the "require_valid_user" is set to false by default, so assuming Iris Couch has a server admin, does this mean that although users have to provide their username/password to authenticate - they're validated as anonymous, so no comparison is made against any database-defined security?
If I want to restrict a user to a specific database, do I need the "require_valid_user" setting to be set to true?
Cheers
When you use the "Create server admin" popup form, that is the same as editing the .ini files. (Internally, Futon will query the a /_config URL which is an HTTP API to edit the .ini files.)
The _users database is the authoritative location for all user acounts, their passwords, and their roles. When a user queries CouchDB with a password (or with a session cookie), that name and role will be used to grant or deny their query. The decision of whether to allow or disallow their query is made by checking the _security object in the database first. They must be in the "readers" section: either their name is in the "names" list, or their role must be in the "roles" list.
I recommend that you avoid the require_valid_user option. It is for very specialized situations.
You can have database-specific users and roles. You need to modify the _security "document" for a given database. It's also documented here on the wiki.
I would like to restrict the user permissions so that a normal user is only able to read/write its own user document.
I managed to set the write permissions such that a user can only edit their own document (via the validate_doc_update function in the design document).
Now I only have to limit a user from viewing the user list or other user documents. If I set the database read permissions to the '_admin' role, then the user will not be able to view their own document, which it's not what I intend.
Can this be done in a more general way? I.e. to set read permissions such that a user is able to read only some specific documents in the database?
Unfortunately, per-document read control is not possible.
However, if you use a list function you can perform a "post-query filter" that limits the results of a view query based on the current session user. (via the userCtx parameter)
In CouchDB creating a new database is cheap and it was designed to keep the data as close as possible to the user who needs it.
So the suggested approach is to have one database for each user.