You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@couchdb.apache.org by Andrew Straw <st...@astraw.com> on 2010/02/23 10:42:08 UTC

confused about security

Hi,

Are members of the admins and readers lists supposed to be able to
execute saved views? I can't get this to work using the 0.11.x git
branch, although accessing individual docs works as I expect. I will
happily provide more information if need be. I'm very new to CouchDB and
may simply be missing something, so please bear with me.

Steps to reproduce.

Start with clean CouchDB install.

Signup two users. The first ("astraw") is an admin user, and the second
("strawman") has no privs. (Side note: the Definitive Guide chapter 22
does not correspond with 0.11.x behavior. Specifically, the POST to
_session with username and password  no longer returns a working
AuthSession cookie.)

Create a db as admin:

curl -X PUT http://astraw:abc123@localhost:5984/cooldb

Add a document:

curl -X PUT http://localhost:5984/cooldb/doc1 -d '{"title":"This is
document 1"}'

And I add a design document:

curl -X PUT http://astraw:abc123@127.0.0.1:5984/cooldb/_design/example
-d \
'{"_id":"_design/example","views":{"foo":{"map":"function(doc){emit(doc._id,doc._rev)}"}}}'


I can execute the view:

curl
http://strawman:strawman@127.0.0.1:5984/cooldb/_design/example/_view/foo
{"total_rows":1,"offset":0,"rows":[
{"id":"doc1","key":"doc1","value":"1-d4d7c84b286776200bcf12d5d481ebda"}
]}





Now I enable turn on security by adding strawman to the reader list.

curl -X PUT http://astraw:abc123@localhost:5984/cooldb/_security \
-d
'{"admins":{"names":[],"roles":[]},"readers":{"names":["strawman"],"roles":[]}}'

OK, so now anonymous reads are forbidden, which is expected:

curl http://localhost:5984/cooldb/doc1
{"error":"unauthorized","reason":"You are not authorized to access this
db."}

and authorized reads are OK, which is also as expected:

curl http://strawman:strawman@127.0.0.1:5984/cooldb/doc1
{"_id":"doc1","_rev":"1-d4d7c84b286776200bcf12d5d481ebda","title":"This
is document 1"}

same with reads from the _admin user:

curl http://astraw:abc123@127.0.0.1:5984/cooldb/doc1
{"_id":"doc1","_rev":"1-d4d7c84b286776200bcf12d5d481ebda","title":"This
is document 1"}

So far, so good.  But now, I can't execute the view, even as admin:

curl http://astraw:abc123@127.0.0.1:5984/cooldb/_design/example/_view/foo
{"error":"unauthorized","reason":"You are not authorized to access this
db."}

If I delete the _security, I can see the view again, even anonymously:

curl -X PUT http://astraw:abc123@localhost:5984/cooldb/_security -d
'{"admins":{"names":[],"roles":[]},"readers":{"names":[],"roles":[]}}'

curl http://127.0.0.1:5984/cooldb/_design/example/_view/foo
{"total_rows":1,"offset":0,"rows":[
{"id":"doc1","key":"doc1","value":"1-d4d7c84b286776200bcf12d5d481ebda"}
]}

-Andrew

Re: confused about security

Posted by Andrew Straw <st...@astraw.com>.

J Chris Anderson wrote:
> On Feb 23, 2010, at 1:42 AM, Andrew Straw wrote:
>   
>> So far, so good.  But now, I can't execute the view, even as admin:
>>
>> curl http://astraw:abc123@127.0.0.1:5984/cooldb/_design/example/_view/foo
>> {"error":"unauthorized","reason":"You are not authorized to access this
>> db."}
>>
>>     
>
> Doh. That is too much security!
>
> This will be a simple fix (embarrassing that I didn't test it before.)
>
> I'll have a go at it after dinner unless I just plain fall asleep as I've been traveling all day.
>
> I'd say this is worth waiting on building 0.11 release artifacts. Sorry Noah.
>
> Hopefully I'll have the resolved before it causes any delays in the release.
>
>   
Well, I'm happy that I'm not going insane, but I was having a devil of a
time getting the auth stuff to work. I appreciate you looking into this.

-Andrew

Re: confused about security

Posted by J Chris Anderson <jc...@gmail.com>.

On Feb 23, 2010, at 1:42 AM, Andrew Straw wrote:

> Hi,
> 
> Are members of the admins and readers lists supposed to be able to
> execute saved views? I can't get this to work using the 0.11.x git
> branch, although accessing individual docs works as I expect. I will
> happily provide more information if need be. I'm very new to CouchDB and
> may simply be missing something, so please bear with me.
> 
> Steps to reproduce.
> 
> Start with clean CouchDB install.
> 
> Signup two users. The first ("astraw") is an admin user, and the second
> ("strawman") has no privs. (Side note: the Definitive Guide chapter 22
> does not correspond with 0.11.x behavior. Specifically, the POST to
> _session with username and password  no longer returns a working
> AuthSession cookie.)
> 
> Create a db as admin:
> 
> curl -X PUT http://astraw:abc123@localhost:5984/cooldb
> 
> Add a document:
> 
> curl -X PUT http://localhost:5984/cooldb/doc1 -d '{"title":"This is
> document 1"}'
> 
> And I add a design document:
> 
> curl -X PUT http://astraw:abc123@127.0.0.1:5984/cooldb/_design/example
> -d \
> '{"_id":"_design/example","views":{"foo":{"map":"function(doc){emit(doc._id,doc._rev)}"}}}'
> 
> 
> I can execute the view:
> 
> curl
> http://strawman:strawman@127.0.0.1:5984/cooldb/_design/example/_view/foo
> {"total_rows":1,"offset":0,"rows":[
> {"id":"doc1","key":"doc1","value":"1-d4d7c84b286776200bcf12d5d481ebda"}
> ]}
> 
> 
> 
> 
> 
> Now I enable turn on security by adding strawman to the reader list.
> 
> curl -X PUT http://astraw:abc123@localhost:5984/cooldb/_security \
> -d
> '{"admins":{"names":[],"roles":[]},"readers":{"names":["strawman"],"roles":[]}}'
> 
> OK, so now anonymous reads are forbidden, which is expected:
> 
> curl http://localhost:5984/cooldb/doc1
> {"error":"unauthorized","reason":"You are not authorized to access this
> db."}
> 
> and authorized reads are OK, which is also as expected:
> 
> curl http://strawman:strawman@127.0.0.1:5984/cooldb/doc1
> {"_id":"doc1","_rev":"1-d4d7c84b286776200bcf12d5d481ebda","title":"This
> is document 1"}
> 
> same with reads from the _admin user:
> 
> curl http://astraw:abc123@127.0.0.1:5984/cooldb/doc1
> {"_id":"doc1","_rev":"1-d4d7c84b286776200bcf12d5d481ebda","title":"This
> is document 1"}
> 
> So far, so good.  But now, I can't execute the view, even as admin:
> 
> curl http://astraw:abc123@127.0.0.1:5984/cooldb/_design/example/_view/foo
> {"error":"unauthorized","reason":"You are not authorized to access this
> db."}
> 

Doh. That is too much security!

This will be a simple fix (embarrassing that I didn't test it before.)

I'll have a go at it after dinner unless I just plain fall asleep as I've been traveling all day.

I'd say this is worth waiting on building 0.11 release artifacts. Sorry Noah.

Hopefully I'll have the resolved before it causes any delays in the release.

Chris

> If I delete the _security, I can see the view again, even anonymously:
> 
> curl -X PUT http://astraw:abc123@localhost:5984/cooldb/_security -d
> '{"admins":{"names":[],"roles":[]},"readers":{"names":[],"roles":[]}}'
> 
> curl http://127.0.0.1:5984/cooldb/_design/example/_view/foo
> {"total_rows":1,"offset":0,"rows":[
> {"id":"doc1","key":"doc1","value":"1-d4d7c84b286776200bcf12d5d481ebda"}
> ]}
> 
> -Andrew