You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/09/23 08:42:55 UTC
[GitHub] [couchdb] skeyby opened a new issue #3170: Normal users can't access their /_users/org.couchdb.user: document when new _users permissions are applied
skeyby opened a new issue #3170:
URL: https://github.com/apache/couchdb/issues/3170
## Description
As partial described in discussion #3163, when installing a brand new copy of CouchDB 3.1, the _users database have the new permission schema applied, that enforces that only _admin roles users can administer the DB and that only _admin roles users can be members of the database.
Unfortunately this permission doesn't allow anymore a regular user to access it's personal document (in order to fetch any extra information that may be stored in it - for example a full name or whatever), neither update it (for example to update it's own password).
Turning off the users_db_security_editable configuration parameters and removing the _admin role from the Membership of the database bring back the old 2.x behavior, that also matched the documented behavior at https://docs.couchdb.org/en/stable/intro/security.html?highlight=_users#authentication-database
## Steps to Reproduce
In a brand new couchdb with a standard admin user with xxxx password you can run this:
```
root@esc:~ # curl -X PUT http://admin:xxxx@localhost:5984/_users/org.couchdb.user:jan -H "Accept: application/json" -H "Content-Type: application/json" -d '{"name": "jan", "password": "apple", "roles": [], "type": "user"}'
{"ok":true,"id":"org.couchdb.user:jan","rev":"1-29a185047e727b3c8788a2b512212f17"}
root@esc:~ # curl -X POST http://localhost:5984/_session -d 'name=jan&password=apple'
{"ok":true,"name":"jan","roles":[]}
root@esc:~ # curl http://jan:apple@127.0.0.1:5984/_users/org.couchdb.user:jan
{"error":"forbidden","reason":"You are not allowed to access this db."}
```
As supposed, enabling couchdb.users_db_security_editable and removing the Members / Role _admin permission fixes the issue.
```
root@esc:~ # curl http://jan:apple@127.0.0.1:5984/_users/org.couchdb.user:jan
{"_id":"org.couchdb.user:jan","_rev":"1-29a185047e727b3c8788a2b512212f17","name":"jan","roles":[],"type":"user","password_scheme":"pbkdf2","iterations":10000,"derived_key":"1d32b417b1446398bc531abd46414c31e0e1e37b","salt":"417bf934e4fc59f62320109af8b8a750"}
```
## Expected Behaviour
Default CouchDB setting should allow an user to access it's own document in _users database.
## Your Environment
CouchDB 3.1, FreeBSD 12.1.
```
root@esc:~ # curl --silent http://127.1:5984 | jq
{
"couchdb": "Welcome",
"version": "3.1.0",
"git_sha": "ff0feea20",
"uuid": "fca1fcf73ceab1d158777fc2ade7a583",
"features": [
"access-ready",
"partitioned",
"pluggable-storage-engines",
"reshard",
"scheduler"
],
"vendor": {
"name": "FreeBSD"
}
}
```
## Additional Context
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [couchdb] wohali commented on issue #3170: Normal users can't access their /_users/org.couchdb.user: document when new _users permissions are applied
Posted by GitBox <gi...@apache.org>.
wohali commented on issue #3170:
URL: https://github.com/apache/couchdb/issues/3170#issuecomment-703749436
I believe this was intentional, @janl do you know if so?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [couchdb] wohali commented on issue #3170: Normal users can't access their /_users/org.couchdb.user: document when new _users permissions are applied
Posted by GitBox <gi...@apache.org>.
wohali commented on issue #3170:
URL: https://github.com/apache/couchdb/issues/3170#issuecomment-708486293
FYI if someone wants to submit a documentation update to fix the docs, I'll +1 and merge it straight away.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [couchdb] wohali commented on issue #3170: Normal users can't access their /_users/org.couchdb.user: document when new _users permissions are applied
Posted by GitBox <gi...@apache.org>.
wohali commented on issue #3170:
URL: https://github.com/apache/couchdb/issues/3170#issuecomment-708486031
The default was changed from "self-signup" to "admin manages all user records." As such the default is not to allow users to change their own documents.
It is easily changeable by any admin as mentioned in the initial post, so this is a request to change the defaults, which I don't see happening.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [couchdb] skeyby commented on issue #3170: Normal users can't access their /_users/org.couchdb.user: document when new _users permissions are applied
Posted by GitBox <gi...@apache.org>.
skeyby commented on issue #3170:
URL: https://github.com/apache/couchdb/issues/3170#issuecomment-708376333
while we wait a feedback from @janl, Joan, what would be the open point with removing the "_admin" from the default member?
The _user database is already locked by the code that locks the single user to it's single doc.
I don't seem to see any particular improvement by locking the database to _admins only (as for membership --- for administration I can easily see the reason why).
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [couchdb] SinanGabel commented on issue #3170: Normal users can't access their /_users/org.couchdb.user: document when new _users permissions are applied
Posted by GitBox <gi...@apache.org>.
SinanGabel commented on issue #3170:
URL: https://github.com/apache/couchdb/issues/3170#issuecomment-708394864
@Joan & intentional:
I guess one could view different use cases for/against:
"for": if couchdb is handled by admin and the admin uses "secret" meta
information stored within each _users/org.couchdb.user:xxx .meta (i.e. the
.meta information is not meant to be accessible for the user herself/himself
"against": the said .meta information is meant to be readable by
_users/org.couchdb.user:xxx / perhaps even writable by user.
... perhaps there are more different cases ...
On Mon, 5 Oct 2020 at 18:40, Joan Touzet <no...@github.com> wrote:
> I believe this was intentional, @janl <https://github.com/janl> do you
> know if so?
>
> —
> You are receiving this because you are subscribed to this thread.
> Reply to this email directly, view it on GitHub
> <https://github.com/apache/couchdb/issues/3170#issuecomment-703749436>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/ABKTZUUOVUAMQHB5H2OP23DSJHZIBANCNFSM4RWX6NNQ>
> .
>
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [couchdb] wohali closed issue #3170: Normal users can't access their /_users/org.couchdb.user: document when new _users permissions are applied
Posted by GitBox <gi...@apache.org>.
wohali closed issue #3170:
URL: https://github.com/apache/couchdb/issues/3170
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org