couchdb-user mailing list archives

From Ahmed Suhail Manzoor <suhail...@gmail.com>
Subject Re: Couchdb with OpenSSO
Date Tue, 20 Oct 2009 06:50:37 GMT
Thank you Hallett,

The solution I seek is more along the third option and has more to do 
with permissions and role based access than just network security so I 
will go off and sign on to the dev mailing list.

Cheers
su./hail

Jesse Hallett wrote:
> Do you mean that users could bypass Apache by accessing CouchDB directly?
> For example, by connecting to port 5984?  If that is the problem you should
> configure CouchDB to bind to the local interface so that it refuses
> connections from other machines.  Then set up Apache as a reverse proxy to
> forward requests to CouchDB.  That way all connections to CouchDB will be
> forced through the Apache authentication step.
>
> If the problem is setting up more granular permissions than a simple allow
> or deny for the whole CouchDB server I think that mod_auth will give you
> some options.  There is probably a way to handle authorization differently
> for different request paths.  Or it might be possible to rewrite OpenSSO
> credentials to basic auth headers in Apache.  That way you could map OpenSSO
> users to CouchDB groups to make use of CouchDB's internal permissions
> systems.
>
> You could of course modify the CouchDB code instead.  I'm sure the devs
> would appreciate patches for new features.  However I'm pretty certain that
> that is the hard way.
>
> On Oct 19, 2009 9:21 AM, "Suhail Ahmed" <suhailski@gmail.com> wrote:
>
> Thanks
>
> Unfortunately, Apache mod_auth is not an option for me because my
> requirements are to provide security in depth and, since CouchDB still
> exposes its REST interfaces independent of Apache, I need to lock that down
> in a more integrated architecture.
>
> Cheers
> su./hail
>
> On Mon, Oct 19, 2009 at 1:13 PM, Miles Fidelman
> <mfidelman@meetinghouse.net> wrote:
>
>
>> Suhail Ahmed wrote:
>>
>>> Hi,
>>>
>>> I am looking to replace my existing
>>> content management engin...
>
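The deployment Jesse Hallett describes in his first two paragraphs (CouchDB listening only on the loopback interface, Apache as the single authenticated entry point, with per-path authorization layered on top) as an added configuration example. It is not from the thread or from the CouchDB project; the hostname, certificate and password-file paths are assumptions, and the CouchDB `local.ini` setting is shown as a comment because the two files live in different places.

```apache
# Added example, not from the mailing-list thread.
# Assumed: CouchDB 0.x/1.x on the same host as Apache 2.x with mod_ssl,
# mod_proxy, mod_proxy_http, mod_auth_basic and mod_authn_file loaded.

# ---- CouchDB side: [httpd] section of local.ini (shown as a comment) ----
# Weak: CouchDB answers on every interface, so a client on another machine
# can talk to port 5984 directly and skip the Apache authentication step.
#   [httpd]
#   bind_address = 0.0.0.0
#
# Corrected: loopback only, so the reverse proxy below is the only way in.
#   [httpd]
#   bind_address = 127.0.0.1

# ---- Apache side: authenticated reverse proxy in front of CouchDB ----
<VirtualHost *:443>
    # Assumed hostname and certificate paths.
    ServerName couch.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/couch.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/couch.example.org.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Every request path must authenticate before it is forwarded.
    <Location />
        AuthType Basic
        AuthName "CouchDB"
        # Assumed path to an htpasswd file.
        AuthUserFile /etc/apache2/couchdb.htpasswd
        Require valid-user
    </Location>

    # Per-path authorization: a more restrictive rule for one database
    # (the "different request paths" idea from the thread).
    # Assumed: the group file defines a group named "admins".
    <Location /_users>
        AuthType Basic
        AuthName "CouchDB"
        AuthUserFile  /etc/apache2/couchdb.htpasswd
        AuthGroupFile /etc/apache2/couchdb.groups
        Require group admins
    </Location>

    # Forward everything that passed authentication to the local CouchDB.
    ProxyPass        / http://127.0.0.1:5984/
    ProxyPassReverse / http://127.0.0.1:5984/
</VirtualHost>
```

The bind address change is the part that actually closes the bypass Suhail is worried about: with CouchDB on 0.0.0.0 the Apache rules only protect the paths clients choose to reach through Apache. Additional `<Location>` blocks with their own `Require` rules give the path-based authorization Jesse mentions, but they still only express allow/deny per path and user or group; anything finer than that has to come from CouchDB's own permission model.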

