It makes sense to perform the PUT to _config, yes, though I was thinking it just updated the file. As long as the PUT in_ config for passwords explicitly writes to a dedicated password file, not any of the .ini files. Or something.
B. On 17 August 2011 18:15, Noah Slater <nsla...@apache.org> wrote: > To be clear, is the suggestion that this script simply be a wrapper around > updating the password via CouchDB's HTTP API? Having gone back and forth on > this thread for the past few days, I think it makes sense to keep user info > in CouchDB, and not in the ini files. If a user manages to lock themselves > out of the server, they can start it with --admin-party and disable the auth > system while they fix things up. > > On 17 Aug 2011, at 17:09, Robert Newson wrote: > >> It's also the sort of thing one would expect in a Debian postinst via Dialog. >> >> B. >> >> On 17 August 2011 17:04, Benoit Chesneau <bchesn...@gmail.com> wrote: >>> On Wednesday, August 17, 2011, Jason Smith <j...@iriscouch.com> wrote: >>>> On Wed, Aug 17, 2011 at 10:22 PM, Robert Newson <rnew...@apache.org> >>> wrote: >>>>> Jason, >>>>> >>>>> The --set-password thing is to ensure there are no plaintext passwords >>>>> in the first place, which eliminates the oddness of couch rewriting a >>>>> plaintext pwd to a digested pwd (and putting the output in a different >>>>> file). >>>> >>>> Thanks for the clarification. >>>> >>>> If you can read a plaintext password from an .ini file, then you can >>>> hit the HTTP API as the admin and make changes to the couch. So that >>>> is privilege escalation. >>>> >>>> To answer Benoit's question, it is simpler to tell admins to use the >>>> HTTP API (or Futon) to create the admin account. The password is >>>> stored *somewhere* under the hood. IMHO it is less simple to add a >>>> command-line tool as a requirement (or worse, as an alternative >>>> option) to deploy Couch. >>>> >>>> -- >>> it all depends if you admin via a console. >>> >>> couchctl set-password username is a way easier than curl -XPUT >>> http://blah/_users -D... -H... . at the end if you are a good admin you >>> will write this script. providing useful helpere don't break the kiss way >>> here. >>> >>> benoît >>> > >
