From: Samuel Williams
Date: Sat, 29 Oct 2016 11:41:51 +1300
Subject: Re: CouchDB no authentication when connecting via localhost
To: dev@couchdb.apache.org

Thanks for the quick reply.

Can you elaborate why this isn't recommended? The alternative is embedding usernames and passwords somewhere in the front-end app, or container, or elsewhere.

In comparison to MySQL, it might be less secure, since in theory with MySQL, you can limit access to localhost for specific users, but this doesn't appear possible with CouchDB, so if someone got the credentials, it would be game over if the server has any kind of publicly visible CouchDB (which would be the norm for a global cluster) instance.

The model that feels good to me is to have completely open access via a socket or localhost, and then a public API protected by a public/private key and an iptables rule. But this might not fit well with CouchDB?

Thanks
Samuel

On 29 October 2016 at 02:52, Jan Lehnardt wrote:
> This is not recommended.
>
> Best
> Jan
> --
>
>> On 28 Oct 2016, at 14:40, Samuel Williams wrote:
>>
>> Is this possible? Desirable? We use this model when deploying MySQL
>> and it works very well.
>
> --
> Professional Support for Apache CouchDB:
> https://neighbourhood.ie/couchdb-support/
>