Date: Thu, 21 Jun 2012 10:34:29 +0100
From: Simon Metson
To: user@couchdb.apache.org
Subject: Re: Replication and validate_doc_field

Hi,

On Thursday, 21 June 2012 at 01:57, Pulkit Singhal wrote:
> Right, so what I'm saying is that the replicator client is being run with
> the creds of a super-duper-admin who inherently has _admin privileges.
>
> When the same code is run against a DB without any reader roles, everything
> works out. But when it is run against a DB with a reader role, it fails.
>
> I'm hoping that someone will clarify the security constraints around how
> replication behaves with db level security in 1.2.0

I think the problem is that the request to the origin DB needs to be authenticated, because you have the readers set up. You need to authorise the read request, and the fact that the replication was created on the destination as _admin means nothing (that would be a massive security hole - if I could read from anyone's database just because I was an admin of my own).
Sounds like you need to include a username/password in the source URL that has the reader role:

    curl -X POST 'http://localhost:5984/_replicate' -H 'Content-Type: application/json' -d '{"target":"my_database", "source":"http://username:password@remotehost:5984/some_other_database"}'

HTH
Simon
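
The rule described in this message, as an added example that is not part of the original e-mail and not CouchDB's own code: a simplified Python model of the reader check a CouchDB 1.x source database applies to each request the replicator sends. The function names, the sample _security objects and the account are constructed for illustration.

```python
# Simplified model (an assumption, not CouchDB source code) of the read check
# a CouchDB 1.x source database applies to requests made by a replicator.

# What the source sees when the source URL carries no credentials.
ANONYMOUS = {"name": None, "roles": []}

# Constructed sample _security objects.
OPEN_DB = {}  # no readers configured
LOCKED_DB = {
    "admins": {"names": [], "roles": []},
    "readers": {"names": [], "roles": ["reader"]},
}

# Constructed sample account that exists on the source server.
READER_ACCOUNT = {"name": "username", "roles": ["reader"]}


def can_read(security, user_ctx):
    """Return True if user_ctx may read a database with this _security object."""
    roles = set(user_ctx["roles"])
    if "_admin" in roles:  # server admin on the *source* server
        return True
    admins = security.get("admins", {})
    readers = security.get("readers", {})
    for group in (admins, readers):
        if user_ctx["name"] is not None and user_ctx["name"] in group.get("names", []):
            return True
        if roles & set(group.get("roles", [])):
            return True
    # No reader names and no reader roles means the database is public.
    return not readers.get("names") and not readers.get("roles")


def source_user_ctx(source_url_has_credentials, source_account):
    """Identity the source derives for a replication read.

    It comes only from credentials presented to the source; the _admin
    session that created the replication on the target is never forwarded.
    """
    return source_account if source_url_has_credentials else ANONYMOUS


if __name__ == "__main__":
    for label, db in (("no readers", OPEN_DB), ("reader role set", LOCKED_DB)):
        for has_creds in (False, True):
            ctx = source_user_ctx(has_creds, READER_ACCOUNT)
            print(f"{label:16} creds_in_source_url={has_creds!s:5} -> read allowed: {can_read(db, ctx)}")
```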