couchdb-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Apache Wiki <wikidi...@apache.org>
Subject [Couchdb Wiki] Update of "Security Features Overview" by SamuelWan
Date Tue, 21 Apr 2009 00:04:12 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Couchdb Wiki" for change notification.

The following page has been changed by SamuelWan:
http://wiki.apache.org/couchdb/Security_Features_Overview

New page:
An overview of security features focusing on what CouchDB provides out of the box. Points
of integration to other tiers may be mentioned but better elaborated elsewhere.

=== Authentication ===
CouchDB ships with basic authentication that compares user credentials to Admin accounts.
See Setting_up_an_Admin_account for more details.

You can specify a custom authentication handler and the web authentication scheme in the configuration
file. The example below specifies that CouchDB will use the default_authentication_handler
method defined in the [http://svn.apache.org/viewvc/couchdb/trunk/src/couchdb/couch_httpd.erl?view=markup
couch_httpd] module:

{{{
authentication_handler = {couch_httpd, default_authentication_handler}
WWW-Authenticate = Basic realm="administrator"
}}}

Other notes: The "null_authentication_handler" in "couch_httpd" allows any user credentials
to run as admin. Web servers such as Apache or Nginx can also provide an authentication layer
as a reverse-proxy to CouchDB.

=== Authorization ===
CouchDB supports one role, the "admin" group, which can execute any of the HTTP API on any
database in the CouchDB instance. See Setting_up_an_Admin_account for more details.

CouchDB does not support other roles at this time.

=== Validation ===
A design document may define a member function called "validate_doc_update". Any request to
create or update a document must first pass through each "validate_doc_update" function defined
in each design document. The validation functions are executed in an unspecified order. A
design document can contain only one validation function.

Example of a design document that validates the presence of an "address" field and returns
:

{{{
{
   _id: "_design/myview",
   validate_doc_update: "function(newDoc, oldDoc, userCtx) {
      if(newDoc.address === undefined) {
         throw {missing_field: 'Document must have an address.'};
      }"
}
}}}

The result of a document update without the address field will look like this:
{{{
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="administrator"
Server: CouchDB/0.9.0 (Erlang OTP/R12B)
Date: Tue, 21 Apr 2009 00:02:32 GMT
Content-Type: text/plain;charset=utf-8
Content-Length: 57
Cache-Control: must-revalidate

{"error":"missing_field","reason":"Document must have an address."} 
}}}

Mime
View raw message