couchdb-dev mailing list archives

From "ASF subversion and git services (JIRA)" <>
Subject [jira] [Commented] (COUCHDB-2390) Fauxton config, admin sections considered dangerous in 2.0
Date Fri, 20 Feb 2015 14:54:14 GMT


ASF subversion and git services commented on COUCHDB-2390:

Commit 2a583cb0dfcd446ae259b272acd58068079c9b52 in couchdb-chttpd's branch refs/heads/master
from [~robertkowalski]

Remove _config route on cluster

In order to avoid users shooting themselves in the foot by using
`/_config/` on a clustered CouchDB with a loadbalancer in front,
we remove it on `15984` - it will be available for single-node-
mode on the backdoor port (`15986`) or for users that are feeling
lucky who want to fire curl requests to every node.

It also allows Fauxton to detect if it is running on the backdoor
port. Fauxton will - if it gets a 200 instead of a 404 - show the
config-section to the user.


> Fauxton config, admin sections considered dangerous in 2.0
> ----------------------------------------------------------
>                 Key: COUCHDB-2390
>                 URL:
>             Project: CouchDB
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: BigCouch, Fauxton
>            Reporter: Joan Touzet
>            Assignee: Ben Keen
>            Priority: Blocker
>             Fix For: 2.0.0
> In Fauxton today, there are 2 sections to edit config-file settings and to create new admins. Neither of these sections will work as intended in a clustered setup.
> Any Fauxton session will necessarily be speaking to a single machine. The config APIs and admin user info as exposed will only add that information to a single node's .ini file.
> We should hide these features in Fauxton for now (short-term fix) and correct the config/admin creation APIs to work correctly in a clustered setup (medium-term fix).

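An added example, not part of the original message and not CouchDB or Fauxton code: a sketch of the 200-versus-404 gate the commit message describes, plus a check for the problem the issue reports, where a config or admin change lands in only one node's .ini file. The function names and the per-node sample data are hypothetical and constructed; the input shape assumed is the section -> key -> value JSON that each node's `/_config` returns.

```javascript
// Gate described in the commit message: `/_config` answers 404 on the
// clustered port, so only a 200 means the per-node config API is reachable.
// Treating every other status as "hide" is a choice made in this example.
function shouldShowConfigSection(status) {
  return status === 200;
}

// Compare the config objects (section -> key -> value) collected from each
// node and list every setting that is missing or different on some node.
function findConfigDrift(configsByNode) {
  const nodes = Object.keys(configsByNode);
  const settings = new Set();
  for (const node of nodes) {
    for (const [section, keys] of Object.entries(configsByNode[node])) {
      for (const key of Object.keys(keys)) settings.add(JSON.stringify([section, key]));
    }
  }
  const drift = [];
  for (const id of [...settings].sort()) {
    const [section, key] = JSON.parse(id);
    const values = {};
    for (const node of nodes) {
      const sec = configsByNode[node][section];
      // null marks "not set on this node"
      values[node] = sec && Object.prototype.hasOwnProperty.call(sec, key) ? sec[key] : null;
    }
    if (new Set(Object.values(values)).size > 1) drift.push({ section, key, values });
  }
  return drift;
}

// Short "section/key" form of the drift report, convenient for alerting.
function driftSummary(configsByNode) {
  return findConfigDrift(configsByNode).map(d => `${d.section}/${d.key}`);
}

// Constructed sample: an admin and a log level were changed through a load
// balancer, so each write reached only one of the three nodes.
const SAMPLE = {
  node1: { admins: { alice: '<hash-placeholder>' }, log: { level: 'info' } },
  node2: { admins: {}, log: { level: 'debug' } },
  node3: { admins: {}, log: { level: 'info' } },
};

console.log(driftSummary(SAMPLE));
```

An admin that exists on only one node is the case worth alerting on first, since logins then succeed or fail depending on which node the load balancer picks.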