incubator-couchdb-user mailing list archives

From Travis Paul ...@visPaul.me>
Subject Re: Curiosity how you use CouchDB in your web env.
Date Wed, 06 Mar 2013 19:36:26 GMT
> even though admin account was set up.
Creating an admin account doesn't add security to your databases; it just
takes you out of "admin party" mode, see:
http://wiki.apache.org/couchdb/Security_Features_Overview#Authorization



On Wed, Mar 6, 2013 at 2:31 PM, TAE JIN KIM <snowebang@hotmail.com> wrote:

> > If you setup members on your database anonymous users can see the DB name
> > but they can't see/edit the documents.
>
> Are you sure about that?
> According to my testing, anonymous users still can see and edit (both) the
> documents, even though admin account was set up.
>
> Thanks,
>
> > Date: Wed, 6 Mar 2013 14:21:04 -0500
> > Subject: Re: Curiosity how you use CouchDB in your web env.
> > From: Tr@visPaul.me
> > To: user@couchdb.apache.org
> >
> > >but still anonymous users still are able to read futon management
> > page(_utils) for all of database and documents...
> >
> > If you setup members on your database anonymous users can see the DB name
> > but they can't see/edit the documents.
> >
> > If you are concerned about users being able to access _utils in general,
> > even if they don't have rights to do anything you can use a reverse proxy,
> > though I can't think of any legitimate security reason to do so besides
> > (hiding database names) and there may be a better approach if that is what
> > you are after
> >
> > For example in nginx:
> >
> >  location /_utils {
> >     deny all;
> >  }
> >
> >
> >
> > On Wed, Mar 6, 2013 at 2:11 PM, TAE JIN KIM <snowebang@hotmail.com> wrote:
> >
> > > Let's suppose that you deployed your html to
> > > http://127.0.0.1:5984/testdb/_design/frontend/Index.htm served by your
> > > CouchDB directly.
> > > How do you set up in a way that anonymous users are only able to access
> > > _design/front-end, but nothing else like futon management pages(_utils)
> > > Looks like you may be able to set up an account, but still anonymous users
> > > still are able to read futon management page(_utils) for all of database
> > > and documents...
> > >
> > > Thanks,
> > >
> > > > Date: Wed, 6 Mar 2013 12:42:28 -0600
> > > > Subject: Re: Curiosity how you use CouchDB in your web env.
> > > > From: rnewson@apache.org
> > > > To: user@couchdb.apache.org
> > > >
> > > > Don't grant users access to databases you don't want them to read. :)
> > > >
> > > >
> > > > http://wiki.apache.org/couchdb/Security_Features_Overview#Authorization
> > > >
> > > > B.
> > > >
> > > > On 6 March 2013 12:33, Mark Hahn <mark@hahnca.com> wrote:
> > > > > Anyone logged in can read any document in the DB.  I have to check each
> > > > > user and what they are trying to do to block illegal actions.
> > > > >
> > > > >
> > > > > On Wed, Mar 6, 2013 at 9:51 AM, Robert Newson <rnewson@apache.org> wrote:
> > > > >
> > > > >> "How does everyone solve the security issue?"
> > > > >>
> > > > >> What security problem? Only administrators can modify design documents.
> > > > >>
> > > > >> B.
> > > > >>
> > > > >> On 6 March 2013 11:38, Aurélien Bénel <aurelien.benel@utt.fr> wrote:
> > > > >> > Hi,
> > > > >> >
> > > > >> >> just out of curiosity, would like to hear how CouchDB is being
> > > > >> >> used in your web environment....
> > > > >> >
> > > > >> > We have two main setups:
> > > > >> > - CouchApps,
> > > > >> > - REST APIs used by heavy clients (Java or Firefox extensions) and
> > > > >> >   attached Web applications.
> > > > >> >
> > > > >> >> How does everyone solve the security issue?
> > > > >> >
> > > > >> > We always use CouchDB behind a reverse proxy to add LDAP
> > > > >> > authentication and authorization when needed.
> > > > >> >
> > > > >> >
> > > > >> > Regards,
> > > > >> >
> > > > >> > Aurélien
> > > > >>
> > >
> > >
>
>
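The point made at the top of this message, that a server admin account on its own leaves every database readable and writable by anonymous users until members are defined on it, can be seen in a small model of the rule the linked wiki section describes. The following Python is an added example and is not code from the thread or from the CouchDB project; it models the CouchDB 1.x `_security` object (`admins` and `members`, each with `names` and `roles`) as I understand it from the documentation, and the user contexts, database name and request text are constructed for illustration.

```python
import json

# Constructed user contexts in the shape CouchDB reports in GET /_session "userCtx".
ANONYMOUS = {"name": None, "roles": []}
SERVER_ADMIN = {"name": "admin", "roles": ["_admin"]}  # a server admin created in local.ini


def security_doc(member_names=(), member_roles=(), admin_names=(), admin_roles=()):
    """Build the JSON body an administrator PUTs to /<db>/_security."""
    return {
        "admins": {"names": list(admin_names), "roles": list(admin_roles)},
        "members": {"names": list(member_names), "roles": list(member_roles)},
    }


def put_security_request(db, doc):
    """Render the HTTP request that installs `doc` on database `db` (illustration only)."""
    body = json.dumps(doc)
    return (
        f"PUT /{db}/_security HTTP/1.1\r\n"
        f"Content-Type: application/json\r\n\r\n{body}"
    )


def can_read_documents(security, user_ctx):
    """Model of the member check applied to a database.

    A freshly created database has an empty _security object.  With no member
    names and no member roles listed, everyone, anonymous users included, may
    read and write ordinary documents.  Creating a server admin only ends
    "admin party" (who may do server-level and design-document work); it does
    not populate any database's members list.
    """
    if "_admin" in user_ctx.get("roles", []):
        return True  # server admins see everything
    members = security.get("members", {})
    admins = security.get("admins", {})
    member_names = set(members.get("names", []))
    member_roles = set(members.get("roles", []))
    if not member_names and not member_roles:
        return True  # no members defined: the database is unrestricted
    name = user_ctx.get("name")
    user_roles = set(user_ctx.get("roles", []))
    if name in member_names or name in admins.get("names", []):
        return True  # listed by name (database admins are implicitly members)
    return bool(user_roles & member_roles) or bool(user_roles & set(admins.get("roles", [])))


def demo():
    """Compare a fresh database with one that has members set on it."""
    restricted = security_doc(member_names=["alice"], member_roles=["staff"])
    return {
        "fresh_db_anonymous": can_read_documents({}, ANONYMOUS),
        "restricted_anonymous": can_read_documents(restricted, ANONYMOUS),
        "restricted_alice": can_read_documents(restricted, {"name": "alice", "roles": []}),
        "restricted_staff_role": can_read_documents(restricted, {"name": "bob", "roles": ["staff"]}),
        "restricted_outsider": can_read_documents(restricted, {"name": "carol", "roles": []}),
        "request": put_security_request("testdb", restricted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script it prints the access outcome for each constructed user against a fresh database and against one with members; note that `fresh_db_anonymous` is `True` regardless of whether a server admin exists, which is the situation the quoted test results describe. Blocking `/_utils` at a reverse proxy, as in the nginx snippet quoted above, only hides Futon; the documents stay reachable over the plain HTTP API until `_security` lists members.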
