incubator-couchdb-dev mailing list archives

From Benoit Chesneau <bchesn...@gmail.com>
Subject Re: Noob security question
Date Thu, 01 Sep 2011 18:14:22 GMT
bump

On Thu, Sep 1, 2011 at 5:41 PM, Benoit Chesneau <bchesneau@gmail.com> wrote:
> forwarding this thread. Maybe we could make things a little more intuitive here?
>
>
> ---------- Forwarded message ----------
> From: Benoit Chesneau <bchesneau@gmail.com>
> Date: Thu, Sep 1, 2011 at 3:02 PM
> Subject: Re: Noob security question
> To: user@couchdb.apache.org
>
>
> On Thu, Sep 1, 2011 at 2:30 PM, Neil Gibbons <gibbons.n@gmail.com> wrote:
>> Hey,
>>
>> Posted this on stackoverflow.com too
>> (http://stackoverflow.com/questions/7260971/couchdb-iris-couch-noob-security-question),
>> which led me to the mailing list.
>>
>> Basically I've been playing with Iris Couch but have come across some
>> unexpected behavior.
>> I have the following _security set against a test db:
>>
>> {"admins":{"names":["neil"],"roles":["admin"]},"readers":{"names":["guest"],"roles":["guest"]}}.
>>
>> When I created a new server admin via Futon:
>>
>> {"_id":"org.couchdb.user:test2","_rev":"1-084965a94ea3d7a24116f33245a0ef95","name":"test2","type":"user","roles":[]}
>>
>> This user can read from my test db?
>>
>> curl -X GET http://test2:test@neil.iriscourchdb.com/test
>> curl -X GET http://test2:test@neil.iriscourchdb.com/test/_all_docs
>>
>> Because neither this user's name nor role appear in the _security document
>> I'd expect them not to be able to be authorized?
>>
>>
>> Neil
>>
>
> I'm also confused. What happens anyway is:
>
> - Creating the admin via Futon creates an admin user in the ini file.
> - This user has admin rights and can see/manage all the dbs
> - The confusing part: a user document is also created but has empty roles.
>
> IMO either we create all the users in the user db with appropriate
> roles, or "super" admins shouldn't appear in it. That's worth a
> discussion.
>
> - benoit
>
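
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not CouchDB's own code: a simplified Python model of the database read check, run against the `_security` object and `test2` user quoted above. The function names and the `INI_ADMINS` set are hypothetical; the model assumes that a name listed in the ini file's admins section receives the `_admin` role regardless of the `roles` field in its user document, and that a database with empty readers is readable by anyone.

```python
# Simplified model of a CouchDB-style database read check (illustrative only).

# _security object quoted in the thread.
SECURITY = {
    "admins": {"names": ["neil"], "roles": ["admin"]},
    "readers": {"names": ["guest"], "roles": ["guest"]},
}

# Constructed sample: server admins defined in the ini file (assumption).
INI_ADMINS = {"test2"}


def effective_roles(name, user_doc_roles, ini_admins):
    """Roles the server sees for a request: the user document's roles,
    plus "_admin" when the name is a server admin from the ini file."""
    roles = list(user_doc_roles)
    if name in ini_admins:
        roles.append("_admin")
    return roles


def is_db_admin(name, roles, security):
    """Server admins (_admin) and names/roles in security.admins are db admins."""
    admins = security.get("admins", {})
    return (
        "_admin" in roles
        or name in admins.get("names", [])
        or any(r in admins.get("roles", []) for r in roles)
    )


def can_read(name, roles, security):
    """Admins always read; otherwise the name or a role must be a reader."""
    if is_db_admin(name, roles, security):
        return True
    readers = security.get("readers", {})
    r_names, r_roles = readers.get("names", []), readers.get("roles", [])
    if not r_names and not r_roles:
        return True  # no readers defined: database is public
    return name in r_names or any(r in r_roles for r in roles)


def check(name, user_doc_roles, ini_admins=INI_ADMINS, security=SECURITY):
    """Combine both steps for one user."""
    return can_read(name, effective_roles(name, user_doc_roles, ini_admins), security)
```

With the user document's `"roles":[]`, `check("test2", [])` still returns `True` because the ini entry supplies `_admin`; the same document for a name that is not in the ini file is refused.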
