couchdb-user mailing list archives

From Chris Anderson <jch...@apache.org>
Subject Re: replication & auth
Date Tue, 26 May 2009 16:38:58 GMT
On Tue, May 26, 2009 at 9:06 AM, Wojciech Kaczmarek
<kaczmarek.w@gmail.com> wrote:
> Hi!
>
> I just observed that authentication for replication is only needed for
> design documents, anyone can replicate normal documents into a remote
> database. Is this a bug? This behaviour occurs for push replication,
> 0.9.0 code.
>
> Unfortunately I'm going to have a lot of push replication as the main
> source of data are offline machines which occasionally get connected
> to online nodes. I'm considering using some reverse tunnels but for
> now it'd be a PITA; so what are the exact deficiencies of push vs
> pull?
>

Replication is just another HTTP client, so unless you have a
validation function that blocks anonymous users from saving to your
database, anyone can push replicate. By default only admins can make
design documents, so as long as you have a database admin set up, you
won't see untrusted users editing design docs.

Pull replication is just GET requests, so anyone who can browse your
database can replicate from it.

Chris




-- 
Chris Anderson
http://jchrisa.net
http://couch.io
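
The validation function mentioned in the reply above, as an added example that is not part of the original message or CouchDB's own code: a `validate_doc_update` function that rejects writes from unauthenticated callers, exercised locally against constructed user contexts. The design document id `_design/auth`, the `checkWrite` helper, the sample documents, and the assumption that an anonymous caller arrives as `userCtx.name === null` are all illustrative.

```javascript
// Added example, not from the original message. Assumption: CouchDB passes
// an anonymous caller as userCtx.name === null with an empty roles list.
const validateDocUpdate = function (newDoc, oldDoc, userCtx) {
  var anonymous = !userCtx || userCtx.name === null || userCtx.name === undefined;
  if (anonymous) {
    // "unauthorized" makes CouchDB answer 401; the write (including one
    // arriving through push replication) is not stored.
    throw { unauthorized: "Log in before writing to this database." };
  }
};

// Design document to save as a database admin. The id is a constructed name.
const designDoc = {
  _id: "_design/auth",
  validate_doc_update: validateDocUpdate.toString()
};

// Local stand-in for the server (hypothetical helper): rebuild the function
// from the stored source and apply it the way an incoming write is checked.
function checkWrite(newDoc, oldDoc, userCtx) {
  const fn = eval("(" + designDoc.validate_doc_update + ")");
  try {
    fn(newDoc, oldDoc, userCtx);
    return "accepted";
  } catch (e) {
    if (e && e.unauthorized) return "unauthorized: " + e.unauthorized;
    if (e && e.forbidden) return "forbidden: " + e.forbidden;
    throw e; // a bug in the validation function itself
  }
}

// Constructed sample contexts and documents.
const anon = { db: "notes", name: null, roles: [] };
const alice = { db: "notes", name: "alice", roles: ["writer"] };
const doc = { _id: "reading-1", value: 42 };

console.log(checkWrite(doc, null, anon));   // anonymous create
console.log(checkWrite(doc, null, alice));  // authenticated create
console.log(checkWrite({ _id: "reading-1", _deleted: true }, doc, anon)); // anonymous delete
```

Validation runs only on writes, so this does nothing for pull replication, which stays open to anyone who can read the database.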
