couchdb-dev mailing list archives

From Robert Newson <rnew...@apache.org>
Subject Re: Configuration Load Order
Date Tue, 16 Aug 2011 22:07:37 GMT
Nice idea to have a separate htpasswd (-like) file. Passwords are
special, let's treat them accordingly.

B.

On 16 August 2011 23:03, Randall Leeds <randall.leeds@gmail.com> wrote:
> On Tue, Aug 16, 2011 at 11:33, Jan Lehnardt <jan@apache.org> wrote:
>
>>
>> On Aug 16, 2011, at 8:31 PM, Noah Slater wrote:
>>
>> >
>> > On 16 Aug 2011, at 10:33, Benoit Chesneau wrote:
>> >
>> >> IMO we shouldn't provide plaintext passwords at all. Maybe a safer
>> >> option would be to let the admin create the first one via HTTP or put
>> >> the hash in a password.ini file manually. If we are kind enough we
>> >> could also provide a couchctl script allowing user management, config
>> >> changes ... ?
>> >
>> > This sounds like a decent proposal. Much like you have to use htpasswd to
>> > generate passwords for Apache httpd, we could bundle a script that lets you
>> > generate passwords for the CouchDB ini files, and then forbid the use of
>> > plaintext. This solves both the technical problem (I think?) and helps us
>> > reinforce better security practices across the board.
>>
>> Agreed.
>>
>>
> Agreed also. We still have a question about load and save order.
> One idea would be to track the .ini file from whence an option came. If an
> option comes from a local.ini or local.d/ file it could be updated in place.
> If it comes from a default.ini or default.d/ file, updates should be placed
> in local.ini. This would make the most sense to me.
>
> I would also be in favor of enforcing a load order that supports a directory
> structure like:
> local.d/
>  010-stuff.ini
>  020-others.ini
>
> We don't need to ship anything like that by default. I think right now we
> take the load directories on the command line, no? It'd be nice if the order
> of resolution within those directories was well specified.
>
> -Randall
>
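
The origin tracking and in-directory ordering proposed in the quoted message above, sketched as an added example that is not part of the thread and not CouchDB's code. The function names, the plain file-name sort and the constructed sample tree are assumptions made for illustration.

```python
import configparser
import os
import tempfile

def is_local(path):
    """True for local.ini or any file directly inside a local.d/ directory."""
    parent = os.path.basename(os.path.dirname(path))
    return os.path.basename(path) == "local.ini" or parent == "local.d"

def load_chain(paths):
    """Merge files/directories in order; return {(section, key): (value, origin)}."""
    files = []
    for p in paths:
        if os.path.isdir(p):
            # Assumed resolution order inside a directory: sort on file name.
            files += [os.path.join(p, f) for f in sorted(os.listdir(p))
                      if f.endswith(".ini")]
        else:
            files.append(p)
    merged = {}
    for f in files:
        cp = configparser.ConfigParser(interpolation=None)
        cp.read(f)  # a missing file is silently skipped
        for section in cp.sections():
            for key, value in cp.items(section):
                merged[(section, key)] = (value, f)  # later file wins
    return merged

def write_target(merged, section, key, local_ini):
    """Update in place if the option came from a local file, else use local.ini."""
    origin = merged.get((section, key), (None, None))[1]
    return origin if origin and is_local(origin) else local_ini

def demo():
    # Constructed sample tree; the values are illustrative only.
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "local.d"))
    samples = {
        ("default.ini",): "[httpd]\nport = 5984\nbind_address = 127.0.0.1\n",
        ("local.d", "020-others.ini"): "[httpd]\nport = 6002\n",
        ("local.d", "010-stuff.ini"): "[httpd]\nport = 6001\n",
    }
    for parts, text in samples.items():
        with open(os.path.join(root, *parts), "w") as fh:
            fh.write(text)
    local_ini = os.path.join(root, "local.ini")
    merged = load_chain([os.path.join(root, "default.ini"), local_ini,
                         os.path.join(root, "local.d")])
    return (merged, write_target(merged, "httpd", "port", local_ini),
            write_target(merged, "httpd", "bind_address", local_ini), local_ini)
```

In the sample, `port` resolves to the value in `020-others.ini` and would be updated there, while `bind_address` comes from `default.ini` and so an update is routed to `local.ini`.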
