couchdb-dev mailing list archives

From Damien Katz <damien_k...@yahoo.com>
Subject new CouchDB feature: Admin accounts
Date Wed, 22 Oct 2008 17:13:22 GMT
I checked a new feature, Admin accounts.

Admin accounts are used to perform admin restricted actions like  
creating/deleting databases and altering the configuration settings.  
If there are no admin accounts for a server, then admin checking is  
turned off and anyone can perform admin actions.

The admin checking uses HTTP basic authentication; we'll need to  
eventually support SSL to make this secure or support a more secure  
authentication standard.

When the user attempts to perform an Admin action, the browser checks  
the user supplied credentials and sees if it matches any admin  
account. If not, a 401 Unauthorized error is returned and the HTTP  
client can resubmit with proper credentials. When the credentials  
match, the action is allowed to proceed.

To turn admin checking on, in the local.ini file, you add an  
accounts section, with user name/password pairs, like this:

[admins]
admin = password
damien katz = foo

/end

When CouchDB starts it will find these new passwords and then hash them:

[admins]
admin = -hashed-d6bdc9039b19e41051eb1b94ea8ef905b1a11e2e,b53ce4e92ad24ad8fc14feadb58d8b60
damien katz = -hashed-2f3e9eea97e44b2bb09b56d3b1d66a41f0a74be2,6c37137b479369759e8dc591573b0599

/end

The hashed password line consists first of "-hashed-" then 2  
hexadecimal encoded numbers separated by a comma, the 160 bit sha  
hashed password + salt 160 bit sha hash, and then the 128 bit salt (a  
UUID):

   user name = -hashed-%160bit hashed value%,%128 bit salt%

So the only restrictions on passwords are that they shouldn't start with  
"-hashed-" and can't contain newlines.

Once a password is hashed, to change it, reset the password via the  
HTTP config api, CouchDB will then automatically hash the password  
without restarting. Or edit it by hand by deleting the old hashed  
value (everything after the "=") and enter in the new password. Then  
restart the server.

Problems/Caveats:

To run the test suite against a server with admin accounts enabled  
requires the user to have admin access.

There is a known problem in Futon with Safari, maybe other browsers,  
where it doesn't prompt the user for credentials, it just fails the  
HTTP request. In Firefox when the tests start to run and the HTTP  
client gets the first failure, the user is asked by the browser for  
his user name and password, the request is automatically retried and all  
the tests pass without incident. But in Safari, the tests simply fail  
with 401 errors and the user is never prompted for credentials.

A workaround is to do something to force the browser to "log-in" by  
trying to view config values, or create a new database. Once logged in  
like that, the tests will pass just fine on Safari. We maybe need to  
force the log-ins at the beginning of the tests, or provide a Log-in  
button somewhere in Futon.

Feedback please.

-Damien
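
Added example, not part of the original message and not CouchDB's own code: a small audit of an [admins] section that reports which entries are still plaintext, which are hashed, and which carry the "-hashed-" prefix but are malformed, plus a check of a candidate password against a hashed entry. It assumes the 160-bit SHA is SHA-1 computed over the UTF-8 password followed by the salt's hex text; the function names and the sample ini are constructed for illustration.

```python
import hashlib, hmac, re, uuid

PREFIX = "-hashed-"
# 160-bit hash = 40 hex chars, 128-bit salt = 32 hex chars
ENTRY = re.compile(r"^-hashed-([0-9a-f]{40}),([0-9a-f]{32})$")

def hash_admin_password(password, salt=None):
    """Build a '-hashed-<hash hex>,<salt hex>' value for the [admins] section."""
    salt = salt or uuid.uuid4().hex  # random UUID as 128-bit salt
    # Assumption: digest input is the password followed by the salt's hex text.
    digest = hashlib.sha1((password + salt).encode("utf-8")).hexdigest()
    return f"{PREFIX}{digest},{salt}"

def verify_admin_password(stored, candidate):
    """Check a candidate password against a stored [admins] value."""
    m = ENTRY.match(stored)
    if not m:
        return False  # plaintext or malformed: never accepted as a hash
    expected = hash_admin_password(candidate, m.group(2))
    return hmac.compare_digest(expected, stored)  # constant-time compare

def audit_admins(ini_text):
    """Map each [admins] user to 'hashed', 'plaintext' or 'malformed'."""
    result, in_admins = {}, False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_admins = line == "[admins]"
            continue
        if in_admins and "=" in line:
            user, value = (part.strip() for part in line.split("=", 1))
            if ENTRY.match(value):
                result[user] = "hashed"
            elif value.startswith(PREFIX):
                result[user] = "malformed"  # prefix present, fields wrong
            else:
                result[user] = "plaintext"  # not yet hashed by the server
    return result

# Constructed sample: one hashed entry, one plaintext, one truncated hash.
SAMPLE_INI = "\n".join([
    "[httpd]", "port = 5984", "[admins]",
    "admin = " + hash_admin_password("password"),
    "damien katz = foo",
    "ops = -hashed-deadbeef,1234",
])

if __name__ == "__main__":
    print(audit_admins(SAMPLE_INI))
```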

