incubator-couchdb-dev mailing list archives

From Benoit Chesneau <bchesn...@gmail.com>
Subject Fwd: Noob security question
Date Thu, 01 Sep 2011 15:41:54 GMT
Forwarding this thread. Maybe we could make things a little more intuitive here?


---------- Forwarded message ----------
From: Benoit Chesneau <bchesneau@gmail.com>
Date: Thu, Sep 1, 2011 at 3:02 PM
Subject: Re: Noob security question
To: user@couchdb.apache.org


On Thu, Sep 1, 2011 at 2:30 PM, Neil Gibbons <gibbons.n@gmail.com> wrote:
> Hey,
>
> Posted this on stackoverflow.com too
> (http://stackoverflow.com/questions/7260971/couchdb-iris-couch-noob-security-question),
> which led me to the mailing list.
>
> Basically I've been playing with Iris Couch but have come across some
> unexpected behavior.
> I have the following _security set against a test db:
>
> {"admins":{"names":["neil"],"roles":["admin"]},"readers":{"names":["guest"],"roles":["guest"]}}.
>
> When I created a new server admin via Futon:
>
> {"_id":"org.couchdb.user:test2","_rev":"1-084965a94ea3d7a24116f33245a0ef95","name":"test2","type":"user","roles":[]}
>
> This user can read from my test db?
>
> curl -X GET http://test2:test@neil.iriscourchdb.com/test
> curl -X GET http://test2:test@neil.iriscourchdb.com/test/_all_docs
>
> Because neither this user's name nor role appears in the _security document,
> I'd expect them not to be able to be authorized?
>
>
> Neil
>

I'm also confused. What happens anyway is:

- The admin created via Futon creates an admin user in the ini file.
- This user has admin rights and can see/manage all the dbs.
- The confusing part: a user document is also created but has empty roles.

IMO, either we create all the users in the user db with appropriate
roles, or "super" admins shouldn't appear in it. That's worth a
discussion.

- benoit
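The behaviour Neil ran into follows from the order in which CouchDB 1.x checks authorization: a server admin defined in the `[admins]` section of the ini file is given the pseudo-role `_admin` in its user context, and that role is honoured before the database `_security` document is ever consulted, so the names and roles listed there are irrelevant for that account. The following is an added model of that check, written for this thread rather than taken from CouchDB's source; the `INI_ADMINS` table and its password hashes are constructed placeholders, and the `_security` document is the one quoted above (CouchDB 1.1 calls the read section `readers`; later releases call the same section `members`).

```python
"""Model of CouchDB 1.x per-database authorization (added example, not
CouchDB's own code).  Assumed simplification: accounts listed in the
[admins] ini section receive the pseudo-role "_admin" in their user
context, and that role short-circuits the _security check entirely."""

# Server admins as they would appear in local.ini [admins].  "test2" is the
# account created via Futon in the thread; the hashes are constructed placeholders.
INI_ADMINS = {"neil": "-hashed-PLACEHOLDER", "test2": "-hashed-PLACEHOLDER"}

# The _security document quoted in the thread.
SECURITY = {
    "admins": {"names": ["neil"], "roles": ["admin"]},
    "readers": {"names": ["guest"], "roles": ["guest"]},
}


def user_ctx(name, doc_roles):
    """Build the userCtx CouchDB attaches to an authenticated request.

    Roles come from the org.couchdb.user document; a server admin from the
    ini file additionally gets "_admin" even when that document lists no roles,
    which is exactly the "test2" case in the thread."""
    roles = list(doc_roles)
    if name in INI_ADMINS:
        roles.append("_admin")
    return {"name": name, "roles": roles}


def _matches(section, ctx):
    """True if ctx is listed in a _security section by name or by any role."""
    by_name = ctx["name"] in section.get("names", [])
    by_role = bool(set(section.get("roles", [])) & set(ctx["roles"]))
    return by_name or by_role


def access_level(security, ctx):
    """Return "admin", "reader" or None for ctx against a _security document."""
    if "_admin" in ctx["roles"]:
        return "admin"  # server admin: _security is never consulted
    if _matches(security.get("admins", {}), ctx):
        return "admin"  # database admin per _security.admins
    readers = security.get("readers", {})
    if not readers.get("names") and not readers.get("roles"):
        return "reader"  # empty readers section: the database is public
    if _matches(readers, ctx):
        return "reader"
    return None  # neither server admin, db admin nor listed reader


if __name__ == "__main__":
    # What Neil observed: test2 is a server admin, so _security does not apply.
    print("test2 (server admin):", access_level(SECURITY, user_ctx("test2", [])))
    # What Neil expected: the same account judged by its _users document alone.
    print("test2 (doc only):   ", access_level(SECURITY, {"name": "test2", "roles": []}))
    print("guest:              ", access_level(SECURITY, user_ctx("guest", [])))
    print("unknown user:       ", access_level(SECURITY, user_ctx("someone", [])))
```

Running the script shows `test2` as `admin` on the first line and `None` on the second: the difference between the two is only the `_admin` role that the ini entry contributes. For auditing who can actually read a database, the `[admins]` section therefore has to be reviewed alongside every `_security` document, and an empty `readers` section should be treated as "world-readable" rather than "nobody".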
