Permission

Admin Party

Starting with CouchDB 3.x, an administrator user must be specified during installation and configuration. This effectively ends the Admin Party behaviour of previous versions.

Create Admin user

At this point the admin user can create/modify/delete documents from the database.

Important

The -Authorization parameter accepts two formats: string and PSCredential. The string must be in this format: user:password. If you don’t want the password to be displayed in the terminal, use this form of the parameter: -Authorization (Get-Credential). See this section: Permission

$password = "password" | ConvertTo-SecureString -AsPlainText -Force
New-CouchDBAdmin -Userid admin -Password $password -Authorization "admin:password"

Naturally, all read requests can be made without a user and password.

Members access

To protect a database from unauthorized requests, you must first create a user for this purpose.

$password = "password" | ConvertTo-SecureString -AsPlainText -Force
New-CouchDBUser -Userid member_user -Password $password -Authorization "admin:password"

Then enable it as a member of the database.

using module PSCouchDB
$sec = New-Object PSCouchDBSecurity
$sec.AddMembers('member_user')
Grant-CouchDBDatabasePermission -Database test -Data $sec -Authorization "admin:password"

Let’s check the permissions now.

Get-CouchDBDatabaseSecurity -Database test -Authorization "member_user:password"
Get-CouchDBDatabase -Database test -Authorization "member_user:password"
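
One way to confirm that the grant above took effect, as an added example that is not part of PSCouchDB or its documentation: the hypothetical function Test-CouchDBMemberRestriction inspects a security object and reports whether the database still has no members defined and whether an expected user is missing. The sample objects are constructed, and the commented live call assumes Get-CouchDBDatabaseSecurity returns the security document as an object with admins and members properties.

```powershell
# Added example (hypothetical helper, not a PSCouchDB cmdlet):
# classify a CouchDB database security object.
function Test-CouchDBMemberRestriction {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Security,
        [string[]] $ExpectedMembers = @()
    )
    process {
        # Drop nulls and empty strings so a missing "members" key counts as "no members".
        $names = @($Security.members.names | Where-Object { $_ })
        $roles = @($Security.members.roles | Where-Object { $_ })
        # Users that should be members but are not listed by name.
        $missing = @($ExpectedMembers | Where-Object { $_ -notin $names })

        [pscustomobject]@{
            # CouchDB treats a database with no member names and no member roles as public.
            Public       = ($names.Count -eq 0 -and $roles.Count -eq 0)
            MemberNames  = $names
            MemberRoles  = $roles
            MissingUsers = $missing
        }
    }
}

# Constructed sample security objects (shape of GET /{db}/_security).
$open = '{"admins":{"names":[],"roles":[]},"members":{"names":[],"roles":[]}}' |
    ConvertFrom-Json
$restricted = '{"admins":{"names":[],"roles":[]},"members":{"names":["member_user"],"roles":[]}}' |
    ConvertFrom-Json

# The first object is reported as public with member_user missing; the second is not.
$open       | Test-CouchDBMemberRestriction -ExpectedMembers 'member_user'
$restricted | Test-CouchDBMemberRestriction -ExpectedMembers 'member_user'

# Against a live server, prompting for the password instead of typing it in the terminal
# (assumes the cmdlet returns the security document as an object):
# Get-CouchDBDatabaseSecurity -Database test -Authorization (Get-Credential) |
#     Test-CouchDBMemberRestriction -ExpectedMembers 'member_user'
```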

Read only access

To protect a database from write requests, you need to create a design document that will contain a validation function. See this section: Classes

using module PSCouchDB
$ddoc = New-Object -TypeName PSCouchDBDesignDoc
$read_only = @"
function(newDoc, oldDoc, userCtx, secObj) {
    if (userCtx.roles.indexOf('admin') !== -1) {
        return;
    } else {
        throw({forbidden: "Only admin can edit documents!"})
    }
}
"@
$ddoc.SetValidateFunction($read_only)
New-CouchDBDesignDocument -Database test -Document "mydesigndoc" -Data $ddoc -Authorization "admin:password"

Limit write access

If you want to limit a single database to a different admin user for reading and writing, use these cmdlets:

using module PSCouchDB
$password = "password" | ConvertTo-SecureString -AsPlainText -Force
New-CouchDBUser -Userid other_admin -Password $password -Authorization "admin:password"
$sec = New-Object PSCouchDBSecurity -ArgumentList 'other_admin'
Grant-CouchDBDatabasePermission -Database test -Data $sec -Authorization "admin:password"
Get-CouchDBDatabase -Database test -Authorization "other_admin:password"

Revoke database permissions

To remove all permissions from one database, run this cmdlet:

Revoke-CouchDBDatabasePermission -Database test -Authorization "admin:password"

Remove an admin

To remove an administrative user, run:

Remove-CouchDBAdmin -Userid admin -Authorization "admin:password"

Remove a user

To remove a simple user, run:

$user = Get-CouchDBUser -Userid member_user | Select-Object _id,_rev
Remove-CouchDBUser -Userid $user._id -Revision $user._rev -Authorization "admin:password"

Reset user password

To modify or reset the password of a user:

$password = "new_password" | ConvertTo-SecureString -AsPlainText -Force
Set-CouchDBUser -Userid member_user -Password $password -Revision "2-4705a219cdcca7c72aac4f623f5c46a8" -Authorization "admin:password"

Reset admin password

To modify or reset the password of an admin:

$password = "new_password" | ConvertTo-SecureString -AsPlainText -Force
Set-CouchDBAdmin -Userid admin -Password $password -Authorization "admin:password"