incubator-couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Simon Metson <>
Subject Re: Alternate Authentication Mechanisms
Date Mon, 21 Feb 2011 21:51:49 GMT
	We did some front end auth{n,z}. In our set up Couch runs behind an httpd reverse-proxy,
which also proxies other applications. All the applications use the front end to authenticate/authorise
the request and the front end passes a signed header (with role/group ACL's) to the back end.
James (cc'ed) added an auth handler to read these signed headers and set the user context
accordingly. This is nice because the two are totally decoupled (which works well for our
use case) and reuses our existing auth{n,z} infrastructure.

IIRC the code is up on github, but I don't have the URL to hand right now...

On 21 Feb 2011, at 18:42, Timothy Shead wrote:

> I'm interested in hearing about any alternatives to the current authentication mechanisms
in CouchDB.  In particular, I'd like to bypass the _users database to base authentication
and access control on existing directories of user and group information (LDAP, Kerberos,
or what-have-you).  Any experience out there?
> In an ideal world, I'd love to have some sort of "external auth" mechanism that would
be comparable to the current external processes, making it possible to implement authentication
logic in any language / use whatever libraries are available.  Any thoughts?
> Cheers,
> Tim
> -- 
> Timothy M. Shead
> Sandia National Laboratories
> 1461, Scalable Analysis and Visualization

View raw message