From: Jason Huggins
To: user@couchdb.apache.org
Date: Sat, 21 Feb 2009 07:40:25 -0600
Subject: Re: Managing access

On Sat, Feb 21, 2009 at 5:28 AM, Jyrki Pulliainen wrote:
> CouchDB site talks about managing user access on database (Admin,
> read, update), but I can't find any documentation about this feature.
> Can someone pinpoint a page describing the built-in access management?

http://wiki.apache.org/couchdb/Apache_As_a_Reverse_Proxy

You could use Apache as a reverse proxy to your couchdb server. At the
Apache layer, you can then add an authentication scheme. The above link
doesn't have the authentication bits shown, but you can find out how to
do that reading ordinary Apache documentation.

Authorization (i.e. "can user 'a' edit database 'b'?") is a bit more
tricky than simple authentication (i.e. "is this user 'a'?"). Until this
kind of thing gets baked into CouchDB (or someone documents how they did
it!), you'll probably have to roll your own solution.

In my setup, I use Apache to enforce SSL encryption. I then use Django as
my authentication and authorization engine, where I first require all
connections to be authenticated with Basic Auth. Then, Django allows
'regular' users to only edit their own databases, and 'admin' users to
edit any database.

Alas, I have no page to point to yet that shows you how to do the Django
part. I will say, though, that the hardest bit was making sure Django
properly proxied all the HTTP headers to and from the CouchDB backend.
However, the CouchDB unit tests in Futon were invaluable and made
developing my auth proxy easier.

Cheers,
Jason Huggins
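
Added example, not part of the original message and not the poster's Django code: a framework-free Python sketch of the decisions such an auth proxy makes in front of CouchDB, covering Basic Auth authentication, per-database authorization, and header filtering before forwarding. The user table, database ownership map, function names, and the rules for reads and underscore-prefixed endpoints are assumptions made for illustration.

```python
import base64
import hmac
from urllib.parse import unquote

# Constructed sample data (assumptions): a real deployment would use Django's
# user model and hashed passwords instead of these literals.
USERS = {"alice": ("alice-pw", False), "root": ("root-pw", True)}  # name: (password, is_admin)
DB_OWNER = {"alice_notes": "alice", "bob_notes": "bob"}             # database: owner
# Hop-by-hop headers (RFC 7230, section 6.1) that a proxy must not forward.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}

def authenticate(headers):
    """Authentication: return the user name for valid Basic credentials, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        name, sep, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except ValueError:  # malformed base64 or not UTF-8
        return None
    if not sep or name not in USERS:
        return None
    return name if hmac.compare_digest(password.encode(), USERS[name][0].encode()) else None

def database_of(path):
    """The first path segment of a CouchDB URL names the database (split first, then decode)."""
    return unquote(path.split("?", 1)[0].lstrip("/").split("/", 1)[0])

def authorize(method, path, headers):
    """Authorization: 401 if unauthenticated, 403 if forbidden, 200 if the request may be proxied."""
    user = authenticate(headers)
    if user is None:
        return 401
    if USERS[user][1]:                       # 'admin' users may edit any database
        return 200
    db = database_of(path)
    if db == "" or db.startswith("_"):       # server-level endpoints: admin only (assumption)
        return 403
    if method in ("GET", "HEAD"):            # reads by any authenticated user (assumption)
        return 200
    return 200 if DB_OWNER.get(db) == user else 403  # 'regular' users edit only their own

def forwardable(headers):
    """Drop hop-by-hop headers, and any named in Connection, before proxying to CouchDB."""
    named = {h.strip().lower() for h in headers.get("Connection", "").split(",") if h.strip()}
    return {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP | named}
```

Anything the policy does not recognise (an unknown database, a non-read method on someone else's database, a percent-encoded slash in the database segment) falls through to 403, so the proxy fails closed.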