Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/03/30 20:41:28 UTC

[GitHub] [couchdb] dholth opened a new issue #2734: proxy authenticated user can't fetch own org.couchdb.users: object

dholth opened a new issue #2734: proxy authenticated user can't fetch own org.couchdb.users: object
URL: https://github.com/apache/couchdb/issues/2734
 
 
   ## Description
   
   I'm using an nginx config to send the username to CouchDB. This works in CouchDB 2.0, and gets you a proper _session in CouchDB 3.0, but users are denied access to their own user objects.
   
   I noticed the test that contains the X-Auth-CouchDB-UserName header name is commented out.
   
   ## Steps to Reproduce
   
   - Enable proxy authentication.
   - Create user object.
   - Fetch _session, sending X-Auth-CouchDB-UserName user@example.com header. Expect to be logged in.
   - Fetch _users/org.couchdb.user:user@example.com, sending username in header. Expect user object in CouchDB 2, but error in CouchDB 3.
   
   ## Your Environment
   
   nginx headers:
   ```
   proxy_set_header X-Auth-CouchDB-UserName user@example.com;
   proxy_set_header X-Auth-CouchDB-Token (hmac);
   ```
   
   relevant local.ini sections:
   ```
   
   [chttpd]
   bind_address = 0.0.0.0
   authentication_handlers = {chttpd_auth, proxy_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}
   
   [couch_httpd_auth]
   proxy_use_secret = true
   ; place same secret in /usr/local/openresty/nginx/conf/dgf.conf
   ; secret = (python -c "import os; print os.urandom(16).encode('hex')")
   timeout = 6000
   ```
   
   user object:
   ```
   {
       "_id": "org.couchdb.user:user@example.com",
       "name": "user@example.com",
       "type": "user",
       "roles": [
           "application_role"
       ],
       "full_name": "Test"
   }
   ```
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

[GitHub] [couchdb] rnewson commented on issue #2734: proxy authenticated user can't fetch own org.couchdb.users: object

Posted by GitBox <gi...@apache.org>.
rnewson commented on issue #2734: proxy authenticated user can't fetch own org.couchdb.users: object
URL: https://github.com/apache/couchdb/issues/2734#issuecomment-606496445
 
 
   Same reason as https://github.com/apache/couchdb/issues/2730, the default _security setting changed in 3.0 to a more secure setting (admin only). You can relax this yourself by modifying the _security object of the _users database. 
   
   Mentioned in the upgrade notes for the 3.0 major release here: https://docs.couchdb.org/en/stable/whatsnew/3.0.html

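An added example, not part of the thread and not CouchDB's own code: a simplified Python model of the two separate checks discussed above, showing why `_session` succeeds while the document fetch is refused. It assumes the proxy token is the hex HMAC-SHA1 of the username and that `_security` membership follows the documented names/roles rules; the secret, the `RELAXED` object and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; the secret is a placeholder, not from the issue.
SECRET = "0123456789abcdef0123456789abcdef"
USER = {"name": "user@example.com", "roles": ["application_role"]}

# Admin-only _security shape that 3.0 applies by default.
ADMIN_ONLY = {"admins": {"roles": ["_admin"]}, "members": {"roles": ["_admin"]}}
# One possible relaxation (assumption): admit the application's role as a member.
RELAXED = {"admins": {"roles": ["_admin"]},
           "members": {"roles": ["_admin", "application_role"]}}


def proxy_token(secret, username):
    """Hex HMAC-SHA1 of the username, keyed with the shared secret."""
    return hmac.new(secret.encode(), username.encode(), hashlib.sha1).hexdigest()


def authenticate(secret, username, token):
    """Step 1 (what _session reflects): is the proxy token valid?"""
    return hmac.compare_digest(proxy_token(secret, username), token)


def _listed(section, name, roles):
    """True if the user is named in the section or holds one of its roles."""
    return name in section.get("names", []) or bool(
        set(roles) & set(section.get("roles", [])))


def is_member(security, name, roles):
    """Step 2: database-level read check against the _security object."""
    admins = security.get("admins", {})
    members = security.get("members", {})
    if "_admin" in roles or _listed(admins, name, roles):
        return True
    # No member names and no member roles means the database is open to all.
    if not members.get("names") and not members.get("roles"):
        return True
    return _listed(members, name, roles)


def fetch_own_user_doc(security, user, token, secret=SECRET):
    """Outcome of reading one's own _users document under this model."""
    if not authenticate(secret, user["name"], token):
        return "bad token"
    ok = is_member(security, user["name"], user["roles"])
    return "ok" if ok else "forbidden"
```

With `ADMIN_ONLY` a correctly signed request for `user@example.com` authenticates but is refused at the membership check; with `RELAXED` it passes.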

[GitHub] [couchdb] rnewson closed issue #2734: proxy authenticated user can't fetch own org.couchdb.users: object

Posted by GitBox <gi...@apache.org>.
rnewson closed issue #2734: proxy authenticated user can't fetch own org.couchdb.users: object
URL: https://github.com/apache/couchdb/issues/2734
 
 
   
