Permission

Admin Party

When you start out fresh, CouchDB allows any request to be made by anyone. Create a database and delete some documents? Same deal. CouchDB calls this the Admin Party. Everybody has privileges to do anything.

This is very nice for testing enviroment, but anyone could delete documents or the whole database. By default, CouchDB, will listen only on your loopback network interface (127.0.0.1 or localhost) and thus only you will be able to make requests to CouchDB, nobody else. But when it is necessary to expose the service on public ip, you will want to think about restricting access.

CouchDB has the idea of an admin user (for example, an administrator, a super user, or root) that is allowed to do anything to a CouchDB installation. By default, everybody is an admin.

To restrict permissions, one or more administrators must be created.

Note

In CouchDB 3.X you have to set an admin in the installation process. Doing so will not make Admin Party work anymore.

Create Admin user

Admin Party allows any user to perform any database operation. This could be perfect for application development or on a test machine, but for production it would create many problems. To solve this problem, just create an admin user. At this point the admin user can create/modify/delete documents from the database.

Important

If the password is not specified, it will be prompted. For example, -Authorization admin will ask you to write the password at the prompt. The password has the format *.

$password = "password" | ConvertTo-SecureString -AsPlainText -Force
New-CouchDBAdmin -Userid admin -Password $password

Naturally, all reading requests can be made without user and password.

Members access

To protect a database from unauthorized requests, you must first create a user used for this purpose.

$password = "password" | ConvertTo-SecureString -AsPlainText -Force
New-CouchDBUser -Userid member_user -Password $password -Authorization "admin:password"

And then enable it to the server.

Grant-CouchDBDatabasePermission -Database test -ReaderUser member_user -Authorization "admin:password"

Let’s check the permissions now.

Get-CouchDBDatabaseSecurity -Database test -Authorization "member_user:password"
Get-CouchDBDatabase -Database test -Authorization "member_user:password"

Read only access

To protect a database from write requests, you need to create a design document that will contain a validation function. See this section: Classes

using module PSCouchDB
$ddoc = New-Object -TypeName PSCouchDBDesignDoc
$ddoc.AddValidation($true)
New-CouchDBDesignDocument -Database test -Document "mydesigndoc" -Data $ddoc.GetDesignDocuments() -Authorization "admin:password"

Limit write access

If you want to limit a single database with different admin user for reading and writing, use this cmdlet:

$password = "password" | ConvertTo-SecureString -AsPlainText -Force
New-CouchDBUser -Userid other_admin -Password $password -Authorization "admin:password"
Grant-CouchDBDatabasePermission -Database test -AdminUser other_admin -Authorization "admin:password"
Get-CouchDBDatabase -Database test -Authorization "other_admin:password"

Revoke database permissions

To remove permissions from one database, run this cmdlet:

Revoke-CouchDBDatabasePermission -Database test -Authorization "admin:password"

Remove an admin

To remove an administrative user, run:

Remove-CouchDBAdmin -Userid admin -Authorization "admin:password"

Remove a user

To remove a simple user, run:

$user = Get-CouchDBUser -Userid member_user | Select-Object _id,_rev
Remove-CouchDBUser -Userid $user._id -Revision $user._rev -Authorization "admin:password"

Reset user password

To modify o reset password of a user.

$password = "new_password" | ConvertTo-SecureString -AsPlainText -Force
Set-CouchDBUser -Userid member_user -Password $password -Revision "2-4705a219cdcca7c72aac4f623f5c46a8" -Authorization "admin:password"

Reset admin password

To modify o reset password of an admin.

$password = "new_password" | ConvertTo-SecureString -AsPlainText -Force
Set-CouchDBAdmin -Userid test_user -Password $password -Authorization "admin:password"