Posted to user@couchdb.apache.org by Wojciech Kaczmarek <ka...@gmail.com> on 2009/05/26 18:06:11 UTC

replication & auth

Hi!

I just observed that authentication for replication is only needed for
design documents, anyone can replicate normal documents into a remote
database. Is this a bug? This behaviour occurs for push replication,
0.9.0 code.

Unfortunately I'm going to have a lot of push replication as the main
source of data are offline machines which occasionally get connected
to online nodes. I'm considering using some reverse tunnels but for
now it'd be a PITA; so what are the exact deficiencies of push vs
pull?

cheers,
Wojtek

Re: replication & auth

Posted by Chris Anderson <jc...@apache.org>.
On Tue, May 26, 2009 at 9:06 AM, Wojciech Kaczmarek
<ka...@gmail.com> wrote:
> Hi!
>
> I just observed that authentication for replication is only needed for
> design documents, anyone can replicate normal documents into a remote
> database. Is this a bug? This behaviour occurs for push replication,
> 0.9.0 code.
>
> Unfortunately I'm going to have a lot of push replication as the main
> source of data are offline machines which occasionally get connected
> to online nodes. I'm considering using some reverse tunnels but for
> now it'd be a PITA; so what are the exact deficiencies of push vs
> pull?
>

Replication is just another HTTP client, so unless you have a
validation function that blocks anonymous users from saving to your
database, anyone can push replicate. By default only admins can make
design documents, so as long as you have a database admin set up, you
won't see untrusted users editing design docs.

Pull replication is just GET requests, so anyone who can browse your
database can replicate from it.

Chris




-- 
Chris Anderson
http://jchrisa.net
http://couch.io
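
A validation function of the kind described in the reply above, as an added example that is not part of the original thread or of the CouchDB project's code. It assumes the documented `validate_doc_update(newDoc, oldDoc, userCtx)` interface, whose details in 0.9.0 may differ; the `uploader` role, the `simulateWrite` harness and the sample data are hypothetical.

```javascript
// Body of the "validate_doc_update" field of a design document.
// CouchDB runs it on every document write, and push replication is
// just a series of such writes made by an HTTP client.
function validateDocUpdate(newDoc, oldDoc, userCtx) {
  // Unauthenticated requests arrive with userCtx.name === null.
  if (userCtx.name === null) {
    throw { unauthorized: "Authentication required to write to this database." };
  }
  // Hypothetical policy: only admins or holders of the "uploader" role may write.
  var roles = userCtx.roles || [];
  if (roles.indexOf("_admin") === -1 && roles.indexOf("uploader") === -1) {
    throw { forbidden: "User " + userCtx.name + " may not write here." };
  }
}

// Hypothetical stand-in for the server: maps the thrown object to the
// HTTP status a client (including a replicator) would receive.
function simulateWrite(validate, newDoc, oldDoc, userCtx) {
  try {
    validate(newDoc, oldDoc, userCtx);
    return 201; // document accepted
  } catch (e) {
    if (e && e.unauthorized) return 401;
    if (e && e.forbidden) return 403;
    throw e; // a bug in the validation function itself
  }
}

// Constructed sample data: one document and three request contexts.
var doc = { _id: "reading-0001", sensor: "node-7", value: 21.5 };
var anonymous = { db: "readings", name: null, roles: [] };
var offlineNode = { db: "readings", name: "node-7", roles: ["uploader"] };
var guest = { db: "readings", name: "guest", roles: [] };

function runExamples() {
  return {
    anonymous: simulateWrite(validateDocUpdate, doc, null, anonymous),
    offlineNode: simulateWrite(validateDocUpdate, doc, null, offlineNode),
    guest: simulateWrite(validateDocUpdate, doc, null, guest)
  };
}

console.log(runExamples());
```

The function only guards writes; as the reply notes, pull replication is plain GET requests and is not affected by it.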