CouchDB Day NYC 2017: Security
CouchDB Developer Day Security Lab

Upload: ibm-cloud-data-services

Post on 03-Mar-2017


Page 1: CouchDB Day NYC 2017: Security

CouchDB Developer Day Security Lab

Page 2: Authorization Model

• Users can have zero, one or many roles
• Every database has an associated security object (read and written at /db/_security)
• This controls which users or roles have access, and what they can do (members or admins)
• If no admins are defined, only server admins are admins of that database
• If no members are defined, the database is public: any user, including an unauthenticated request unless require_valid_user is set, can read and write documents

Page 3: Start the cluster

> dev/run --admin=foo:bar

dev/run starts a three-node development cluster from a CouchDB source checkout; node 1 answers on port 15984, which is why the rest of the lab talks to localhost:15984.

"foo" is a "server admin" and has full control over the server and all databases.

Page 4: Create two users

> curl foo:bar@localhost:15984/_users/org.couchdb.user:user1 -X PUT -d '{"type": "user", "name": "user1", "roles": ["foo"], "password": "hello"}'
> curl foo:bar@localhost:15984/_users/org.couchdb.user:user2 -X PUT -d '{"type": "user", "name": "user2", "roles": ["foo"], "password": "hello"}'

Both users are given the role "foo" (used again on the role slide). CouchDB replaces the plaintext "password" field with a salted PBKDF2 hash when the user document is saved, so the clear-text password is not stored. Check that the login works and see which roles the server attaches to the session:

> curl user1:hello@localhost:15984/_session
{"ok":true,"userCtx":{"name":"user1","roles":["foo"]},"info":{"authentication_db":"_users","authentication_handlers":["cookie","default"],"authenticated":"default"}}

Page 5: Restrict database to user

> curl foo:bar@localhost:15984/db1 -X PUT
> curl foo:bar@localhost:15984/db1/_security -X PUT -d '{"admins":{"names":["user1"]}, "members":{"names":["user1"]}}'

Note the explicit -X PUT on _security: curl -d alone sends a POST, which the _security endpoint rejects with 405 Method Not Allowed. Only a server admin or a database admin may change the security object.

> curl user1:hello@localhost:15984/db1
> curl user2:hello@localhost:15984/db1

user1 (listed in both admins and members) gets the database information document back; user2 is not in members and is refused with a "You are not authorized to access this database." error.

Page 6: Restrict database to role

> curl foo:bar@localhost:15984/db1 -X PUT
> curl foo:bar@localhost:15984/db1/_security -X PUT -d '{"admins":{"roles":["foo"]}, "members":{"roles":["foo"]}}'

(If db1 still exists from the previous slide the first PUT answers 412 Precondition Failed; just update the security object, or delete the database first.)

> curl user1:hello@localhost:15984/db1
> curl user2:hello@localhost:15984/db1

This time both requests succeed: both users carry the role "foo". The role name is just a string and has nothing to do with the server admin account that is also called "foo"; server admins are recognised by the built-in "_admin" role in their userCtx, not by name.
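The access decision exercised on the Authorization Model slide and on the two "Restrict database" slides is easy to get wrong when reasoning by hand, so here is a stand-alone JavaScript model of it. This is an added example written for this page, not CouchDB's own (Erlang) implementation: it takes a _security object and a userCtx of the shape returned by _session and reports whether the caller is an admin, a member, or refused, following the rules stated on the Authorization Model slide. The function names and the sample identities are this example's own; the two security objects are the ones from the lab.

```javascript
// Added example: a model of CouchDB's database access check, written for
// this page (not CouchDB's own code). Inputs mirror CouchDB's shapes:
//   secObj  = { admins: {names:[], roles:[]}, members: {names:[], roles:[]} }
//   userCtx = { name: "user1", roles: ["foo"] }   (name is null when anonymous)

// True when the user is listed in a names/roles section by name or by role.
function inSection(section, userCtx) {
  const names = (section && section.names) || [];
  const roles = (section && section.roles) || [];
  if (userCtx.name !== null && userCtx.name !== undefined && names.includes(userCtx.name)) {
    return true;
  }
  return (userCtx.roles || []).some((r) => roles.includes(r));
}

// Server admins carry the built-in "_admin" role and always pass; otherwise
// the caller must appear in the security object's admins section.
function isDbAdmin(secObj, userCtx) {
  if ((userCtx.roles || []).includes("_admin")) return true;
  return inSection(secObj.admins, userCtx);
}

// Admins are implicitly members. With no member names and no member roles
// the database is public; otherwise the caller must be listed in members.
function isMember(secObj, userCtx) {
  if (isDbAdmin(secObj, userCtx)) return true;
  const members = secObj.members || {};
  const listed = (members.names || []).length + (members.roles || []).length;
  if (listed === 0) return true;
  return inSection(members, userCtx);
}

// "admin": may also write design docs and change _security;
// "member": may read and write regular documents; "forbidden": refused.
function accessLevel(secObj, userCtx) {
  if (isDbAdmin(secObj, userCtx)) return "admin";
  if (isMember(secObj, userCtx)) return "member";
  return "forbidden";
}

// Demo with the two security objects from the lab and the lab's identities
// (constructed here; "foo" is the server admin created by dev/run).
const byUser = { admins: { names: ["user1"] }, members: { names: ["user1"] } };
const byRole = { admins: { roles: ["foo"] }, members: { roles: ["foo"] } };
const identities = {
  foo:       { name: "foo",   roles: ["_admin"] },
  user1:     { name: "user1", roles: ["foo"] },
  user2:     { name: "user2", roles: ["foo"] },
  anonymous: { name: null,    roles: [] },
};
for (const [label, secObj] of Object.entries({ byUser, byRole, "public": {} })) {
  for (const [who, ctx] of Object.entries(identities)) {
    console.log(label, who, "->", accessLevel(secObj, ctx));
  }
}
```

Running it prints one line per (security object, identity) pair; the byUser object refuses user2 and anonymous, the byRole object admits both lab users as admins, and the empty object admits everyone as a member while still distinguishing the server admin.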

Page 7: Document Validation

> curl foo:bar@localhost:15984/db1/_design/foo -X PUT -d '{"validate_doc_update":"function(newDoc, oldDoc, userCtx, secObj){if (userCtx.name !== \"user1\"){throw({forbidden:\"wrong user\"});}}"}'

Design documents can only be written by a database or server admin, so the validation function is installed as foo. CouchDB calls validate_doc_update(newDoc, oldDoc, userCtx, secObj) on every write to the database, admin writes and replicated writes included, and rejects the write when the function throws. Throwing {forbidden: ...} yields a 403; throwing {unauthorized: ...} yields a 401.

> curl user2:hello@localhost:15984/db1/doc1 -X PUT -d '{}'
{"error":"forbidden","reason":"wrong user"}

> curl user1:hello@localhost:15984/db1/doc1 -X PUT -d '{}'
{"ok":true,"id":"doc1","rev":"1-967a00dff5e02add41819138abb3284d"}
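The slide's validator only compares the user name. The following is an added example, not code from the lab: a fuller validate_doc_update written in the ES5 JavaScript that CouchDB's query server accepts, together with a small harness that calls it with the same four arguments CouchDB passes and converts a thrown {forbidden}/{unauthorized} into the error document the HTTP client would see. The policy (a required "type" field, an "author" field tied to the authenticated user, deletion limited to the author or an admin) and the sample security object are assumptions of this example.

```javascript
// Added example (not from the lab): a fuller validate_doc_update and a
// harness that drives it the way CouchDB does. Written in ES5 because
// CouchDB's query server runs the function in SpiderMonkey, not Node.
// Rules (this example's own policy, not a CouchDB default):
//   - anonymous writes are refused with 401 (unauthorized);
//   - every non-deleted document needs a "type" field;
//   - "author" must equal the authenticated user, and may not change later;
//   - only the author or a db/server admin may delete;
//   - admins (per secObj or the "_admin" role) bypass the author rules.
function validateDocUpdate(newDoc, oldDoc, userCtx, secObj) {
  // Same admin test CouchDB applies to the security object.
  function isAdmin() {
    if (userCtx.roles.indexOf("_admin") !== -1) return true;
    var admins = secObj.admins || {};
    if ((admins.names || []).indexOf(userCtx.name) !== -1) return true;
    var adminRoles = admins.roles || [];
    for (var i = 0; i < userCtx.roles.length; i++) {
      if (adminRoles.indexOf(userCtx.roles[i]) !== -1) return true;
    }
    return false;
  }

  if (!userCtx.name) {
    throw { unauthorized: "log in to write to this database" };
  }

  if (newDoc._deleted) {
    if (oldDoc && oldDoc.author !== userCtx.name && !isAdmin()) {
      throw { forbidden: "only the author or an admin may delete this document" };
    }
    return; // a tombstone carries no other fields worth checking
  }

  if (typeof newDoc.type !== "string" || newDoc.type === "") {
    throw { forbidden: "document must have a type" };
  }
  if (newDoc.author !== userCtx.name && !isAdmin()) {
    throw { forbidden: "author must match the authenticated user" };
  }
  if (oldDoc && oldDoc.author !== newDoc.author && !isAdmin()) {
    throw { forbidden: "author may not be changed" };
  }
}

// Harness: run the validator for one write and return what the HTTP client
// would see, {ok:true} or {error, reason}. CouchDB maps a thrown
// {forbidden} to 403 and a thrown {unauthorized} to 401.
function tryWrite(newDoc, oldDoc, userCtx, secObj) {
  try {
    validateDocUpdate(newDoc, oldDoc, userCtx, secObj);
    return { ok: true };
  } catch (e) {
    if (e && e.forbidden) return { error: "forbidden", reason: e.forbidden };
    if (e && e.unauthorized) return { error: "unauthorized", reason: e.unauthorized };
    throw e; // any other exception is a bug in the validator
  }
}

// Constructed sample inputs mirroring the lab: user1 is db admin, user2 a member.
var secObj = { admins: { names: ["user1"] }, members: { names: ["user1", "user2"] } };
var user1 = { name: "user1", roles: ["foo"] };
var user2 = { name: "user2", roles: ["foo"] };
var anon  = { name: null, roles: [] };

console.log(tryWrite({ _id: "doc1", type: "note", author: "user2" }, null, user2, secObj));
console.log(tryWrite({ _id: "doc1", type: "note", author: "user1" }, null, user2, secObj));
console.log(tryWrite({ _id: "doc1", _deleted: true }, { author: "user2" }, user1, secObj));
console.log(tryWrite({ _id: "doc1", type: "note", author: "user1" }, null, anon, secObj));
```

To deploy it, the function body goes into the design document's validate_doc_update string exactly as on the slide; keep in mind that a validation function sees only the single document being written (no queries, no other documents), so anything that needs cross-document state has to be enforced elsewhere.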