Permission¶
Admin Party¶
When you start out fresh, CouchDB allows any request to be made by anyone. Create a database and delete some documents? Same deal. CouchDB calls this the Admin Party. Everybody has privileges to do anything.
This is very nice for testing enviroment, but anyone could delete documents or the whole database. By default, CouchDB, will listen only on your loopback network interface (127.0.0.1 or localhost) and thus only you will be able to make requests to CouchDB, nobody else. But when it is necessary to expose the service on public ip, you will want to think about restricting access.
CouchDB has the idea of an admin user (for example, an administrator, a super user, or root) that is allowed to do anything to a CouchDB installation. By default, everybody is an admin.
To restrict permissions, one or more administrators must be created.
Note
In CouchDB 3.X you have to set an admin in the installation process. Doing so will not make Admin Party work anymore.
Create Admin user¶
Admin Party allows any user to perform any database operation. This could be perfect for application development or on a test machine, but for production it would create many problems. To solve this problem, just create an admin user. At this point the admin user can create/modify/delete documents from the database.
Important
If the password is not specified, it will be prompted. For example, -Authorization admin
will ask you to write the password at the prompt.
The password has the format *.
$password = "password" | ConvertTo-SecureString -AsPlainText -Force
New-CouchDBAdmin -Userid admin -Password $password
Naturally, all reading requests can be made without user and password.
Members access¶
To protect a database from unauthorized requests, you must first create a user used for this purpose.
$password = "password" | ConvertTo-SecureString -AsPlainText -Force
New-CouchDBUser -Userid member_user -Password $password -Authorization "admin:password"
And then enable it to the server.
Grant-CouchDBDatabasePermission -Database test -ReaderUser member_user -Authorization "admin:password"
Let’s check the permissions now.
Get-CouchDBDatabaseSecurity -Database test -Authorization "member_user:password"
Get-CouchDBDatabase -Database test -Authorization "member_user:password"
Read only access¶
To protect a database from write requests, you need to create a design document that will contain a validation function. See this section: Classes
using module PSCouchDB
$ddoc = New-Object -TypeName PSCouchDBDesignDoc
$ddoc.AddValidation($true)
New-CouchDBDesignDocument -Database test -Document "mydesigndoc" -Data $ddoc.GetDesignDocuments() -Authorization "admin:password"
Limit write access¶
If you want to limit a single database with different admin user for reading and writing, use this cmdlet:
$password = "password" | ConvertTo-SecureString -AsPlainText -Force
New-CouchDBUser -Userid other_admin -Password $password -Authorization "admin:password"
Grant-CouchDBDatabasePermission -Database test -AdminUser other_admin -Authorization "admin:password"
Get-CouchDBDatabase -Database test -Authorization "other_admin:password"
Revoke database permissions¶
To remove permissions from one database, run this cmdlet:
Revoke-CouchDBDatabasePermission -Database test -Authorization "admin:password"
Remove an admin¶
To remove an administrative user, run:
Remove-CouchDBAdmin -Userid admin -Authorization "admin:password"
Remove a user¶
To remove a simple user, run:
$user = Get-CouchDBUser -Userid member_user | Select-Object _id,_rev
Remove-CouchDBUser -Userid $user._id -Revision $user._rev -Authorization "admin:password"
Reset user password¶
To modify o reset password of a user.
$password = "new_password" | ConvertTo-SecureString -AsPlainText -Force
Set-CouchDBUser -Userid member_user -Password $password -Revision "2-4705a219cdcca7c72aac4f623f5c46a8" -Authorization "admin:password"
Reset admin password¶
To modify o reset password of an admin.
$password = "new_password" | ConvertTo-SecureString -AsPlainText -Force
Set-CouchDBAdmin -Userid test_user -Password $password -Authorization "admin:password"