I checked a new feature, Admin accounts.
Admin accounts are used for perform admin restricted actions like
creating/deleting databases and altering the configuration settings.
If there are no admin accounts for a server, then admin checking is
turned off and anyone can perform admin actions.
The admin checking uses HTTP basic authentication, we'll need to
eventually support SSL to make this secure or support a more secure
authentication standard.
When the user attempts to perform an Admin action, the browser checks
the user supplied credentials and sees it if matches any admin
account. If not, a 401 Unauthorized error is returned and the HTTP
client can resubmit with proper credentials. When the credentials
match, the action is allowed to proceed.
To turning admin checking on, in the local.ini file, you add an
accounts section, with user name/password pairs, like this:
[admins]
admin = password
damien katz = foo
/end
When CouchDB starts it will find these new passwords and then hash them:
[admins]
admin = -hashed-
d6bdc9039b19e41051eb1b94ea8ef905b1a11e2e
,b53ce4e92ad24ad8fc14feadb58d8b60
damien katz = -
hashed
-2f3e9eea97e44b2bb09b56d3b1d66a41f0a74be2,6c37137b479369759e8dc591573b0599
/end
The hashed password line consists first of "-hashed-" then 2
hexadecimal encoded numbers separated by a comma, the 160 bit sha
hashed password + salt 160 bit sha hash, and then the 128 bit salt (a
UUID):
user name = -hashed-%160bit hashed value%,%128 bit salt%
So the only restrictions on passwords is they shouldn't start with "-
hashed-" and can't contain newlines.
Once a password is hashed, to change it, reset the password via the
HTTP config api, CouchDB will then automatically hash the password
without restarting. Or edit it by hand by deleting the old hashed
value (everything after the "=") and enter in the new password. Then
restart the server.
Problems/Caveats:
To run the test suite against a server with admin accounts enabled
requires the user to have admin access.
There is a known problem in Futon with Safari, maybe other browsers,
where it doesn't prompt the user for credentials, it just fails the
HTTP request. In Firefox when the tests start to run and the HTTP
client gets the first failure, the user is asked by the browser for
his user name and password, the request automatically retried and all
the tests pass without incident. But in Safari, the tests simply fail
with 401 errors and the user is never prompted for credentials.
A workaround is to do something to force the browser to "log-in" by
trying to view config values, or create a new database. Once logged in
like that, the tests will pass just fine on Safari. We maybe need to
force the log-ins at the beginning of the tests, or provide a Log-in
button somewhere in Futon.
Feedback please.
-Damien
