Posted to user@couchdb.apache.org by "Kevin R. Coombes" <ke...@gmail.com> on 2012/02/21 23:01:08 UTC
require admin for temporary view?
Our local sysadmins (who are doing their best to train me to be
paranoid) raised a question about couchdb applications. They are
worried about the potential for DoS attacks (and if they had their way,
would disable all POST and PUT commands on everything...).
Is it possible to configure the server to require admin (or at least
database admin) credentials in order to post a temporary view? Is it
desirable?
Kevin
Re: require admin for temporary view?
Posted by "Kevin R. Coombes" <ke...@gmail.com>.
I don't use them myself for anything. But the API defines them, so some
rogue user could conceivably write the equivalent of
    for each document
        emit it a million times
and cripple the server.
When I google "couchdb disable temporary view", nothing particularly
useful comes back. When you suggest disabling them, do you mean using a
proxy to block them? Or is there a couch-specific way to configure the
couch server to refuse them (either totally or conditionally on the
provision of admin credentials)?
Kevin
On 2/21/2012 4:07 PM, Sam Bisbee wrote:
> On Tue, Feb 21, 2012 at 5:01 PM, Kevin R. Coombes
> <ke...@gmail.com> wrote:
>> Our local sysadmins (who are doing their best to train me to be paranoid)
>> raised a question about couchdb applications. They are worried about the
>> potential for DoS attacks (and if they had their way, would disable all POST
>> and PUT commands on everything...).
>>
>> Is it possible to configure the server to require admin (or at least
>> database admin) credentials in order to post a temporary view? Is it
>> desirable?
> If this is a production system then I would just disable temporary
> views altogether, but leave them enabled on developer boxes/servers.
> You should not be using temporary views for anything other than
> development, using something like couchdb-lucene instead for adhoc
> queries (https://github.com/rnewson/couchdb-lucene).
>
> Cheers,
>
> --
> Sam Bisbee
Re: require admin for temporary view?
Posted by Robert Newson <rn...@apache.org>.
To disable it server-wide:

    curl localhost:5984/_config/httpd_db_handlers/_temp_view -X DELETE
B.
On 21 February 2012 22:07, Sam Bisbee <sa...@sbisbee.com> wrote:
> On Tue, Feb 21, 2012 at 5:01 PM, Kevin R. Coombes
> <ke...@gmail.com> wrote:
>> Our local sysadmins (who are doing their best to train me to be paranoid)
>> raised a question about couchdb applications. They are worried about the
>> potential for DoS attacks (and if they had their way, would disable all POST
>> and PUT commands on everything...).
>>
>> Is it possible to configure the server to require admin (or at least
>> database admin) credentials in order to post a temporary view? Is it
>> desirable?
>
> If this is a production system then I would just disable temporary
> views altogether, but leave them enabled on developer boxes/servers.
> You should not be using temporary views for anything other than
> development, using something like couchdb-lucene instead for adhoc
> queries (https://github.com/rnewson/couchdb-lucene).
>
> Cheers,
>
> --
> Sam Bisbee
Re: require admin for temporary view?
Posted by Sam Bisbee <sa...@sbisbee.com>.
On Tue, Feb 21, 2012 at 5:01 PM, Kevin R. Coombes
<ke...@gmail.com> wrote:
> Our local sysadmins (who are doing their best to train me to be paranoid)
> raised a question about couchdb applications. They are worried about the
> potential for DoS attacks (and if they had their way, would disable all POST
> and PUT commands on everything...).
>
> Is it possible to configure the server to require admin (or at least
> database admin) credentials in order to post a temporary view? Is it
> desirable?
If this is a production system then I would just disable temporary
views altogether, but leave them enabled on developer boxes/servers.
You should not be using temporary views for anything other than
development, using something like couchdb-lucene instead for adhoc
queries (https://github.com/rnewson/couchdb-lucene).
Cheers,
--
Sam Bisbee
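
Added example, not part of the original thread and not CouchDB project code: a log audit that finds which clients still POST to `/<db>/_temp_view` and whether the server ran or refused those requests, useful before and after removing the handler as described above. The log line layout is an assumption modelled on CouchDB 1.x-style request logging, and the sample lines, addresses and status codes are constructed.

```python
import re
from collections import Counter

# Constructed sample lines; the layout is an assumption, so adjust
# LINE_RE to match the request log your own server writes.
SAMPLE_LOG = """\
[Tue, 21 Feb 2012 22:01:08 GMT] [info] [<0.101.0>] 10.0.0.5 - - GET /orders/_design/app/_view/by_date 200
[Tue, 21 Feb 2012 22:01:09 GMT] [info] [<0.102.0>] 10.0.0.9 - - POST /orders/_temp_view 200
[Tue, 21 Feb 2012 22:01:10 GMT] [info] [<0.103.0>] 10.0.0.9 - - 'POST' /orders/_temp_view?limit=10 200
[Tue, 21 Feb 2012 22:07:30 GMT] [info] [<0.104.0>] 10.0.0.7 - - POST /users/_temp_view 403
[Tue, 21 Feb 2012 22:07:31 GMT] [info] [<0.105.0>] 10.0.0.5 - - PUT /orders/doc_temp_view 201
"""

# client IP, method (optionally single-quoted), path, status at end of line
LINE_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - - '?(?P<method>[A-Z]+)'? "
    r"(?P<path>/\S*) (?P<status>\d{3})\s*$"
)
# A temporary view request is POST /<db>/_temp_view (query string allowed).
TEMP_VIEW_RE = re.compile(r"^/(?P<db>[^/?]+)/_temp_view(?:\?.*)?$")


def audit_temp_views(log_text):
    """Return (served, refused) Counters keyed by (client_ip, database)."""
    served, refused = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("method") != "POST":
            continue
        t = TEMP_VIEW_RE.match(m.group("path"))
        if not t:
            continue  # e.g. a document whose id merely ends in _temp_view
        key = (m.group("ip"), t.group("db"))
        # 2xx means the server actually ran the ad hoc map function.
        if m.group("status").startswith("2"):
            served[key] += 1
        else:
            refused[key] += 1
    return served, refused


if __name__ == "__main__":
    served, refused = audit_temp_views(SAMPLE_LOG)
    for (ip, db), n in served.most_common():
        print(f"STILL SERVED  {ip} db={db} count={n}")
    for (ip, db), n in refused.most_common():
        print(f"refused       {ip} db={db} count={n}")
```

Any entry under "STILL SERVED" after the handler has been removed means some node or path in front of the database is still executing temporary views.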