Posted to user@couchdb.apache.org by Suhail Ahmed <su...@gmail.com> on 2009/10/19 13:54:28 UTC

Couchdb with OpenSSO

Hi,

I am looking to replace my existing content management engine with
couchdb. In order to do this properly, I would have to lock down the couchdb
REST interface using OpenSSO. I would be much obliged if anyone could point
out how I should go about it. There are a number of ways OpenSSO can be
integrated, RPC/REST, SOAP, Native Java API etc. In my current system, both
authentication and authorization are performed against OpenSSO (the reason
being that the system consists of more than just the content management
engine) centrally.
Where would I go about plugging in OpenSSO? Should I do it at the Erlang
layer? The couchdb layer or the mochiweb layer?

Looking forward to hearing from you.
Thanks and cheers
su./hail

Re: Couchdb with OpenSSO

Posted by Ahmed Suhail Manzoor <su...@gmail.com>.
Thank you Hallett,

The solution I seek is more along the third option and has more to do 
with permissions and role based access than just network security so I 
will go off and sign on to the dev mailing list.

Cheers
su./hail

Jesse Hallett wrote:
> Do you mean that users could bypass Apache by accessing CouchDB directly?
> For example, by connecting to port 5984?  If that is the problem you should
> configure CouchDB to bind to the local interface so that it refuses
> connections from other machines.  Then set up Apache as a reverse proxy to
> forward requests to CouchDB.  That way all connections to CouchDB will be
> forced through the Apache authentication step.
>
> If the problem is setting up more granular permissions than a simple allow
> or deny for the whole CouchDB server I think that mod_auth will give you
> some options.  There is probably a way to handle authorization differently
> for different request paths.  Or it might be possible to rewrite OpenSSO
> credentials to basic auth headers in Apache.  That way you could map OpenSSO
> users to CouchDB groups to make use of CouchDB's internal permissions
> systems.
>
> You could of course modify the CouchDB code instead.  I'm sure the devs
> would appreciate patches for new features.  However, I'm pretty certain that
> that is the hard way.
>
> On Oct 19, 2009 9:21 AM, "Suhail Ahmed" <su...@gmail.com> wrote:
>
> Thanks
>
> Unfortunately, apache mod_auth is not an option with me because my
> requirements are to provide security in depth and since Couchdb still
> exposes its REST interfaces independent of Apache, I need to lock that down
> in a more integrated architecture.
>
> Cheers
> su./hail
>
> On Mon, Oct 19, 2009 at 1:13 PM, Miles Fidelman
> <mf...@meetinghouse.net> wrote:
>
>> Suhail Ahmed wrote:
>>
>>> Hi,
>>>
>>> I am looking to replace my existing content management engin...
>


Re: Couchdb with OpenSSO

Posted by Adam Wolff <aw...@gmail.com>.
On Mon, Oct 19, 2009 at 10:09 AM, Jesse Hallett <ha...@gmail.com> wrote:

> Do you mean that users could bypass Apache by accessing CouchDB directly?
> For example, by connecting to port 5984?  If that is the problem you should
> configure CouchDB to bind to the local interface so that it refuses
> connections from other machines.
>

Or, even easier, just configure ipchains to firewall all but port 80 for
external connections.

A

Re: Couchdb with OpenSSO

Posted by Jesse Hallett <ha...@gmail.com>.
Do you mean that users could bypass Apache by accessing CouchDB directly?
For example, by connecting to port 5984?  If that is the problem you should
configure CouchDB to bind to the local interface so that it refuses
connections from other machines.  Then set up Apache as a reverse proxy to
forward requests to CouchDB.  That way all connections to CouchDB will be
forced through the Apache authentication step.

If the problem is setting up more granular permissions than a simple allow
or deny for the whole CouchDB server I think that mod_auth will give you
some options.  There is probably a way to handle authorization differently
for different request paths.  Or it might be possible to rewrite OpenSSO
credentials to basic auth headers in Apache.  That way you could map OpenSSO
users to CouchDB groups to make use of CouchDB's internal permissions
systems.

You could of course modify the CouchDB code instead.  I'm sure the devs
would appreciate patches for new features.  However, I'm pretty certain that
that is the hard way.

On Oct 19, 2009 9:21 AM, "Suhail Ahmed" <su...@gmail.com> wrote:

Thanks

Unfortunately, apache mod_auth is not an option with me because my
requirements are to provide security in depth and since Couchdb still
exposes its REST interfaces independent of Apache, I need to lock that down
in a more integrated architecture.

Cheers
su./hail

On Mon, Oct 19, 2009 at 1:13 PM, Miles Fidelman
<mf...@meetinghouse.net> wrote:

> Suhail Ahmed wrote:
>
>> Hi,
>>
>> I am looking to replace my existing content management engin...

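The layout Jesse describes, as an added example that is not part of the original thread: CouchDB bound to loopback only, with Apache reverse-proxying to it and doing the authentication step in front. The hostname, file paths and the htpasswd-based Basic auth are placeholders (the htpasswd file stands in for an OpenSSO-backed auth module, whose directives are not assumed here); the CouchDB keys are the 0.10-era `[httpd]` settings.

```apache
; ---- /etc/couchdb/local.ini (placeholder path) ----
; Bind CouchDB to the loopback interface only: port 5984 is then
; unreachable from other machines, so every external request has to
; come through Apache.
[httpd]
port = 5984
bind_address = 127.0.0.1

# ---- Apache httpd.conf fragment (placeholder vhost and paths) ----
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module modules/mod_headers.so

<VirtualHost *:80>
    ServerName couch.example.com

    # Never act as an open forward proxy; only reverse-proxy the paths below.
    ProxyRequests Off
    ProxyPreserveHost On

    # Everything under / is forwarded to the loopback-only CouchDB.
    ProxyPass        / http://127.0.0.1:5984/
    ProxyPassReverse / http://127.0.0.1:5984/

    # Authentication happens here, before the request reaches CouchDB.
    <Location />
        AuthType Basic
        AuthName "CouchDB"
        AuthUserFile /etc/httpd/couch.htpasswd
        Require valid-user

        # Apache has already validated the credentials; strip the header
        # so CouchDB does not try to check them against its own admins.
        # (RequestHeader runs after the auth phase by default.)
        RequestHeader unset Authorization
    </Location>
</VirtualHost>
```

With this in place, a direct request to port 5984 from another machine is refused at the socket, while the same request on port 80 gets a 401 until valid credentials are supplied.
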
Re: Couchdb with OpenSSO

Posted by Suhail Ahmed <su...@gmail.com>.
Thanks

Unfortunately, apache mod_auth is not an option with me because my
requirements are to provide security in depth and since Couchdb still
exposes its REST interfaces independent of Apache, I need to lock that down
in a more integrated architecture.

Cheers
su./hail

On Mon, Oct 19, 2009 at 1:13 PM, Miles Fidelman
<mf...@meetinghouse.net> wrote:

> Suhail Ahmed wrote:
>
>> Hi,
>>
>> I am looking to replace my existing content management engine with
>> couchdb. In order to do this properly, I would have to lock down the
>> couchdb
>> REST interface using OpenSSO. I would be much obliged if anyone could
>> point
>> out how I should go about it. There are a number of ways OpenSSO can be
>> integrated, RPC/REST, SOAP, Native Java API etc. In my current system,
>> both
>> authentication and authorization are performed against OpenSSO (the reason
>> being that the system consists of more than just the content management
>> engine) centrally.
>> Where would I go about plugging in OpenSSO? Should I do it at the Erlang
>> layer? The couchdb layer or the mochiweb layer?
>>
>>
> If you're running behind Apache, I'd suggest using one of the mod_auth
> modules, that's what they're for.
>
>
> --
> In theory, there is no difference between theory and practice.
> In practice, there is.   .... Yogi Berra
>
>
>

Re: Couchdb with OpenSSO

Posted by Miles Fidelman <mf...@meetinghouse.net>.
Suhail Ahmed wrote:
> Hi,
>
> I am looking to replace my existing content management engine with
> couchdb. In order to do this properly, I would have to lock down the couchdb
> REST interface using OpenSSO. I would be much obliged if anyone could point
> out how I should go about it. There are a number of ways OpenSSO can be
> integrated, RPC/REST, SOAP, Native Java API etc. In my current system, both
> authentication and authorization are performed against OpenSSO (the reason
> being that the system consists of more than just the content management
> engine) centrally.
> Where would I go about plugging in OpenSSO? Should I do it at the Erlang
> layer? The couchdb layer or the mochiweb layer?
>   
If you're running behind Apache, I'd suggest using one of the mod_auth 
modules, that's what they're for.


-- 
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra