From: Benoit Chesneau
To: dev@couchdb.apache.org
Date: Thu, 1 Sep 2011 20:14:22 +0200
Subject: Re: Noob security question

bump

On Thu, Sep 1, 2011 at 5:41 PM, Benoit Chesneau wrote:
> forwarding this thread. Maybe we could make things a little more intuitive here?
>
>
> ---------- Forwarded message ----------
> From: Benoit Chesneau
> Date: Thu, Sep 1, 2011 at 3:02 PM
> Subject: Re: Noob security question
> To: user@couchdb.apache.org
>
>
> On Thu, Sep 1, 2011 at 2:30 PM, Neil Gibbons wrote:
>> Hey,
>>
>> Posted this on stackoverflow.com too
>> (http://stackoverflow.com/questions/7260971/couchdb-iris-couch-noob-security-question),
>> which led me to the mailing list.
>>
>> Basically I've been playing with Iris Couch but have come across some
>> unexpected behavior.
>> I have the following _security set against a test db:
>>
>> {"admins":{"names":["neil"],"roles":["admin"]},"readers":{"names":["guest"],"roles":["guest"]}}
>>
>> When I created a new server admin via Futon:
>>
>> {"_id":"org.couchdb.user:test2","_rev":"1-084965a94ea3d7a24116f33245a0ef95","name":"test2","type":"user","roles":[]}
>>
>> This user can read from my test db?
>>
>> curl -X GET http://test2:test@neil.iriscourchdb.com/test
>> curl -X GET http://test2:test@neil.iriscourchdb.com/test/_all_docs
>>
>> Because neither this user's name nor role appears in the _security document,
>> I'd expect them not to be authorized?
>>
>>
>> Neil
>>
>
> I'm also confused. What happens anyway is:
>
> - The admin created via Futon creates an admin user in the ini file.
> - This user has admin rights and can see/manage all the dbs.
> - The confusing part: a user document is also created, but it has empty roles.
>
> Imo either we create all the users in the user db with appropriate
> roles, or "super" admins shouldn't appear in it. That's worth a
> discussion.
>
> - benoit
>
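The order of checks Benoit describes above (the ini-file server admin is recognised before the database's _security document is ever consulted) is what makes test2's reads succeed even though neither the name nor any role appears in that document. The following is an added example that models that decision in Python; it is not CouchDB's own code. The _security document is the one Neil posted; the ini mapping, the "_admin" role attached to ini admins, the user documents other than test2's, and the user "mallory" are constructed for illustration.

```python
# Added example: a model of CouchDB's database read-authorization check as
# explained in the thread. NOT CouchDB's own code; the ini mapping, the extra
# user documents and the user "mallory" below are constructed.

# The _security document from the thread.
SECURITY = {
    "admins": {"names": ["neil"], "roles": ["admin"]},
    "readers": {"names": ["guest"], "roles": ["guest"]},
}

# Constructed: the [admins] section of local.ini after a server admin is
# created in Futon (password hash replaced by an obvious placeholder).
INI_ADMINS = {"test2": "-hashed-<placeholder>"}

# Constructed: user documents in the _users database. The Futon-created
# server admin "test2" gets a document with empty roles, as Neil observed.
USER_DOCS = {
    "org.couchdb.user:test2": {"name": "test2", "type": "user", "roles": []},
    "org.couchdb.user:guest": {"name": "guest", "type": "user", "roles": ["guest"]},
    "org.couchdb.user:mallory": {"name": "mallory", "type": "user", "roles": []},
}


def user_ctx(name):
    """Build the user context a request carries.

    A server admin listed in the ini file gets the special "_admin" role in
    addition to whatever roles its _users document carries (if any).
    """
    doc = USER_DOCS.get("org.couchdb.user:" + name, {})
    roles = list(doc.get("roles", []))
    if name in INI_ADMINS:
        roles.append("_admin")
    return {"name": name, "roles": roles}


def _matches(section, ctx):
    """True if the context's name or any of its roles is listed in `section`."""
    return ctx["name"] in section.get("names", []) or any(
        role in section.get("roles", []) for role in ctx["roles"]
    )


def can_read(name, security=SECURITY):
    """Return (allowed, reason) for a read request by `name`.

    The ini-file server admin wins before _security is looked at; only then
    are the admins and readers sections of the _security document checked.
    """
    ctx = user_ctx(name)
    if "_admin" in ctx["roles"]:
        return True, "server admin from ini file; _security not consulted"
    if _matches(security.get("admins", {}), ctx):
        return True, "listed under _security.admins"
    readers = security.get("readers", {})
    if not readers.get("names") and not readers.get("roles"):
        return True, "_security.readers is empty, so the database is public"
    if _matches(readers, ctx):
        return True, "listed under _security.readers"
    return False, "not in _security.admins or _security.readers"


if __name__ == "__main__":
    for who in ("test2", "neil", "guest", "mallory"):
        allowed, why = can_read(who)
        print(f"{who:8s} -> {'allowed' if allowed else 'denied':7s} ({why})")
```

Running the block prints one line per constructed user; test2 is allowed with the reason "server admin from ini file", which is the behaviour Neil found surprising. The empty-readers branch is included because a _security document with no readers names and no readers roles leaves the database readable by everyone, a common misconfiguration worth checking for.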