couchdb-user mailing list archives

From "Kevin R. Coombes" <kevin.r.coom...@gmail.com>
Subject Re: require admin for temporary view?
Date Tue, 21 Feb 2012 22:16:10 GMT
I don't use them myself for anything.  But the API defines them, so some 
rogue user could conceivably write the equivalent of
     for each document
         emit it a million times
and cripple the server.

When I google "couchdb disable temporary view", nothing particularly 
useful comes back. When you suggest disabling them, do you mean using a 
proxy to block them? Or is there a couch-specific way to configure the 
couch server to refuse them (either totally or conditionally on the 
provision of admin credentials)?

     Kevin

On 2/21/2012 4:07 PM, Sam Bisbee wrote:
> On Tue, Feb 21, 2012 at 5:01 PM, Kevin R. Coombes
> <kevin.r.coombes@gmail.com>  wrote:
>> Our local sysadmins (who are doing their best to train me to be paranoid)
>> raised a question about couchdb applications. They are worried about the
>> potential for DoS attacks (and if they had their way, would disable all POST
>> and PUT commands on everything...).
>>
>> Is it possible to configure the server to require admin (or at least
>> database admin) credentials in order to post a temporary view? Is it
>> desirable?
> If this is a production system then I would just disable temporary
> views altogether, but leave them enabled on developer boxes/servers.
> You should not be using temporary views for anything other than
> development, using something like couchdb-lucene instead for ad hoc
> queries (https://github.com/rnewson/couchdb-lucene).
>
> Cheers,
>
> --
> Sam Bisbee
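
The proxy option raised in this thread, sketched as an added example that is not code from either poster or from the CouchDB project: a decision function a reverse proxy could call before forwarding a request, refusing anything addressed to the CouchDB 1.x temporary view endpoint (`POST /{db}/_temp_view`) regardless of HTTP method. The function names, the `policy` values and the `is_admin` flag (assumed to come from authentication the proxy has already performed) are hypothetical.

```python
from urllib.parse import unquote

TEMP_VIEW = "_temp_view"      # CouchDB 1.x endpoint: POST /{db}/_temp_view
MAX_DECODE_ROUNDS = 4         # assumption: deeper nesting is never legitimate


def path_segments(raw_path):
    """Return decoded path segments, or None if decoding never settles."""
    path = raw_path.split("?", 1)[0]          # drop the query string
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:                   # fully decoded
            return [seg for seg in path.split("/") if seg]
        path = decoded
    return None


def targets_temp_view(raw_path):
    """True if any segment is _temp_view; unresolvable paths count as a match."""
    segments = path_segments(raw_path)
    # Matching any segment (not just the second) also covers database names
    # that contain an encoded slash, such as /team%2Fdb/_temp_view.
    return segments is None or TEMP_VIEW in segments


def decide(raw_path, is_admin, policy="admin_only"):
    """Return 403 to refuse the request, or None to forward it to CouchDB.

    is_admin is assumed to come from authentication the proxy already did.
    policy "deny_all" refuses temporary views for everyone; "admin_only"
    lets authenticated admins through.
    """
    if policy not in ("admin_only", "deny_all"):
        raise ValueError("unknown policy: %r" % policy)
    if not targets_temp_view(raw_path):
        return None
    if policy == "admin_only" and is_admin:
        return None
    return 403


if __name__ == "__main__":
    # Constructed sample request paths, not taken from any real log.
    for p in ("/mydb/_temp_view", "/mydb/%5Ftemp_view", "/mydb/_all_docs"):
        print(p, decide(p, is_admin=False))
```

The check fails closed: percent-encoded, doubled-slash and over-encoded spellings of the path are refused along with the plain form.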
