Posted to notifications@couchdb.apache.org by "Jan Lehnardt (JIRA)" <ji...@apache.org> on 2016/05/10 17:25:13 UTC

[jira] [Commented] (COUCHDB-2990) admins not honored in _security

    [ https://issues.apache.org/jira/browse/COUCHDB-2990?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15278507#comment-15278507 ] 

Jan Lehnardt commented on COUCHDB-2990:
---------------------------------------

Update from [~chewbranca] via IRC: “I think the best approach is to rip out all of the calls to the admin checks and move them into cassim, leaving the existing logic in place to facilitate migrations from old style security docs. That would also provide us an opportunity to change up the auth system if we desire. I think trying to cram the logic in to work with the existing flow is awkward and we should fix it properly once and for all by moving all the auth to an isolated app and then do the auth checks at the API level rather than the additional shard level checks.”

As for whether to hold 2.0 for this or leave it for later: “I think we punt on it for 2.0 until we can completely remove the auth from the shard level”

+1 from my end

> admins not honored in _security
> -------------------------------
>
>                 Key: COUCHDB-2990
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2990
>             Project: CouchDB
>          Issue Type: Bug
>          Components: BigCouch
>            Reporter: Sebastian Rothbucher
>            Priority: Blocker
>              Labels: needs-pr
>
> Setting a user as admin (by name) and invoking a command (giving credentials via Basic Auth) comes back saying the user is not a DB admin.
> Certainly a minor thing for 2.1+ but one to keep in mind; steps to reproduce (sorry for the C&P error earlier):
> {noformat}
> [root@localhost couchdb]# curl -X PUT 'http://localhost:15984/play'
> {"ok":true}
> [root@localhost couchdb]# curl -X PUT 'http://localhost:15984/_users/org.couchdb.user:jerry' -d '{"_id":"org.couchdb.user:jerry","name":"jerry","password":"mouse","type":"user","roles":[]}'
> {"ok":true,"id":"org.couchdb.user:jerry","rev":"1-f97ddcb58c67b47084168f5945217d10"}
> [root@localhost couchdb]# curl -X PUT 'http://localhost:15984/play/_security' -d '{"admins": {"names": ["jerry"]}}'
> {"ok":true,"id":"db/play/_security.1461053645","rev":"2-dfe4d0fbab9b154d2100a95cefa66a92"}
> [root@localhost couchdb]# curl -X PUT 'http://localhost:15984/play/test' -d '{}' -u jerry:mouseee
> {"error":"unauthorized","reason":"Name or password is incorrect."}
> [root@localhost couchdb]# curl -X PUT 'http://localhost:15984/play/test' -d '{}' -u jerry:mouse
> {"ok":true,"id":"test","rev":"1-967a00dff5e02add41819138abb3284d"}
> [root@localhost couchdb]# curl -X PUT 'http://localhost:15984/play/_design/test' -d '{}' -u jerry:mouse
> {"error":"forbidden","reason":"You are not a db or server admin."}
> {noformat}
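The admin-by-name check the reporter expects, written out as an added Python example of the documented `_security` semantics (this is illustrative code, not CouchDB's own): name/role matching against the `admins` and `members` sections, the server-admin `_admin` role, and the rule that a database with an empty `members` section is open to any authenticated user, which is why jerry's plain document write succeeded while the design-document write should also have succeeded but did not.

```python
"""Expected CouchDB _security evaluation (added example, not CouchDB source)."""

SERVER_ADMIN_ROLE = "_admin"  # role carried by server (config-file) admins


def _matches(section, user_ctx):
    """True if the user's name or any of its roles appears in a names/roles section."""
    names = set(section.get("names", []))
    roles = set(section.get("roles", []))
    return user_ctx.get("name") in names or bool(roles & set(user_ctx.get("roles", [])))


def is_db_admin(security_doc, user_ctx):
    """Server admins are always DB admins; otherwise consult the admins section."""
    if SERVER_ADMIN_ROLE in user_ctx.get("roles", []):
        return True
    return _matches(security_doc.get("admins", {}), user_ctx)


def is_db_member(security_doc, user_ctx):
    """Admins are implicitly members; an empty members section means the DB is open."""
    if is_db_admin(security_doc, user_ctx):
        return True
    members = security_doc.get("members", {})
    if not members.get("names") and not members.get("roles"):
        return True
    return _matches(members, user_ctx)


def authorize_write(security_doc, user_ctx, doc_id):
    """Outcome a document write should get: design docs need admin, others need member."""
    if doc_id.startswith("_design/"):
        return "ok" if is_db_admin(security_doc, user_ctx) else "forbidden"
    return "ok" if is_db_member(security_doc, user_ctx) else "forbidden"


# The reporter's security document and user context (constructed from the report above).
SECURITY = {"admins": {"names": ["jerry"]}}
JERRY = {"name": "jerry", "roles": []}
TOM = {"name": "tom", "roles": []}  # hypothetical non-admin user for contrast

if __name__ == "__main__":
    for user in (JERRY, TOM):
        for doc_id in ("test", "_design/test"):
            print(user["name"], doc_id, "->", authorize_write(SECURITY, user, doc_id))
```

With the bug described in the report, the live server returned `forbidden` for jerry's `_design/test` write where this evaluation returns `ok`; the two agree on every other row, which makes the function a handy oracle for a regression test once the shard-level checks are replaced.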
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)