couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benoit Chesneau <bchesn...@gmail.com>
Subject Re: Configuration Load Order
Date Wed, 17 Aug 2011 16:04:20 GMT
On Wednesday, August 17, 2011, Jason Smith <jhs@iriscouch.com> wrote:
> On Wed, Aug 17, 2011 at 10:22 PM, Robert Newson <rnewson@apache.org>
wrote:
>> Jason,
>>
>> The --set-password thing is to ensure there are no plaintext passwords
>> in the first place, which eliminates the oddness of couch rewriting a
>> plaintext pwd to a digested pwd (and putting the output in a different
>> file).
>
> Thanks for the clarification.
>
> If you can read a plaintext password from an .ini file, then you can
> hit the HTTP API as the admin and make changes to the couch. So that
> is privilege escalation.
>
> To answer Benoit's question, it is simpler to tell admins to use the
> HTTP API (or Futon) to create the admin account. The password is
> stored *somewhere* under the hood. IMHO it is less simple to add a
> command-line tool as a requirement (or worse, as an alternative
> option) to deploy Couch.
>
> --
it all depends if you admin via a console.

couchctl set-password username is a way easier than curl -XPUT
http://blah/_users -D... -H...  . at the end if you are a good admin you
will write this script. providing useful helpere don't break the kiss way
here.

benoƮt

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message