couchdb-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Couchdb Wiki] Trivial Update of "Security_Features_Overview" by MattAdams
Date Wed, 23 Feb 2011 18:42:13 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Couchdb Wiki" for change notification.

The "Security_Features_Overview" page has been changed by MattAdams.
http://wiki.apache.org/couchdb/Security_Features_Overview?action=diff&rev1=18&rev2=19

--------------------------------------------------

  
  The "_id" attribute value must be prefixed with the string "org.couchdb.user:" and the rest
must match the value of the attribute "name". The roles attribute must be an array of roles
(and each role is a string). The "password_sha" attribute is an hexadecimal representation
of the SHA-1 hash computed over a string that matches the user password concatenated with
a salt (ideally a random string). The salt attribute is the hexadecimal representation of
the salt used to generate the user's password hash.
  
- '''Note:''' you will need to use the [[https://github.com/apache/couchdb/blob/trunk/share/www/script/sha1.js|sha1.js
implementation of SHA-1]] to generate `password_sha`.  The SHA-1 hex digest output by Open``SSL
is not compatible with Erlang's crypto:sha/1 -- MattAdams
+ '''Note:''' please see "Generating password_sha" below for more about the SHA-1 hash.
  
  Some rules regarding user documents:
  
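Review bot: the replacement note points to "Generating password_sha" only with the word "below", as plain text; make it an intra-page link to that heading, since the section is added in a later part of the page (the hunk at line 108). The context paragraph above the note says the hash is computed over the password "concatenated with a salt" without giving the order, so this note or the new section should state whether the salt goes before or after the password.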
@@ -108, +108 @@

  
  All these rules regarding authentication database documents are enforced by the validate
document update function stored in the design document with ID "_design/_auth" found in the
authentication database (it is automatically created by CouchDB).
  
+ === Generating password_sha ===
+ 
+ `password_sha` can be generated a number of different ways.  Open``SSL's `sha` and `sha1`
functions are not compatible.  Below are some methods that work:
+ 
+ Erlang
+ 
+ {{{
+ Erlang R14B01 (erts-5.8.2) [source] [smp:2:2] [rq:2] [async-threads:4] [hipe] [kernel-poll:true]
+ 
+ Eshell V5.8.2  (abort with ^G)
+ 1> Apache CouchDB 1.2.0ab0c6e32-git (LogLevel=info) is starting.
+ Apache CouchDB has started. Time to relax.
+ [info] [<0.37.0>] Apache CouchDB has started on http://127.0.0.1:5984/
+ 
+ 1> couch_util:to_hex(crypto:sha("foobar")).
+ "8843d7f92416211de9ebb963ff4ce28125932878"
+ }}}
+ 
+ Ruby
+ 
+ {{{
+ irb(main):001:0> require 'digest/sha1'
+ => true
+ irb(main):002:0> Digest::SHA1.hexdigest 'foobar'
+ => "8843d7f92416211de9ebb963ff4ce28125932878"
+ }}}
+ 
+ Python
+ 
+ {{{
+ >>> import hashlib
+ >>> h = hashlib.sha1()
+ >>> h.update("foobar")
+ >>> h.digest()
+ '\x88C\xd7\xf9$\x16!\x1d\xe9\xeb\xb9c\xffL\xe2\x81%\x93(x'
+ >>> h.hexdigest()
+ '8843d7f92416211de9ebb963ff4ce28125932878'
+ }}}
+ 
+ sha1.js implementation (from [[https://github.com/apache/couchdb/blob/trunk/share/www/script/sha1.js|CouchDB]])
+ 
+ {{{
+ hex_sha1(foobar);
+ }}}
+ 
  == Document Update Validation ==
  
  See [[Document_Update_Validation]].
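Review bot: every example in the new "Generating password_sha" section hashes the bare string "foobar", but the page defines `password_sha` as the SHA-1 of the password concatenated with a salt; the examples should hash a password plus a salt, so the digest shown is one that could be stored next to its `salt` value in a user document. In the sha1.js example, `hex_sha1(foobar);` passes a bare identifier rather than the string literal the other examples use; it should read `hex_sha1("foobar");`. The sentence saying Open``SSL's `sha` and `sha1` functions are not compatible shows neither the command nor a differing digest, so a reader cannot tell what fails or why; show the invocation and its output, or drop the claim. The CouchDB startup banner lines in the Erlang transcript add nothing to the example and can be trimmed.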
