Aleksander Alekseev commented on COUCHDB-3156:

[~wohali] I'm afraid it's not. Here are my exact steps (fortunately I have a
habit of recording such things).

On every node modify /home/couchdb/etc/vm.args like this (ip is different for 
every node):
-name couchdb@
-setcookie eY2chohl4siecaib

Restart all nodes:

sudo sv restart couchdb

(!) Create admin user on every node and change bind address:

curl -X PUT -d '"password"'
curl -X PUT -d '""' --user admin

Join nodes into a cluster. For this on one node I did the following for every 
other node:

curl -X POST -H "Content-Type: application/json" -d '{"action": "enable_cluster", 
"bind_address":"", "username": "admin", "password":"password", "port": 
5984, "remote_node": "", "remote_current_user": "admin", 
"remote_current_password": "password" }' --user admin

curl -X POST -H "Content-Type: application/json" -d '{"action": "add_node", 
"host":"", "port": "5984", "username": "admin", 
"password":"password"}' --user admin

When all nodes added:

curl -X POST -H "Content-Type: application/json" -d '{"action": "finish_cluster"}' --user 

Re-check that all nodes are in the cluster:

curl -X GET http://localhost:5984/_membership --user admin

Next steps - see above.
Previous steps (installing CouchDB) - see 

OS: Ubuntu 16.04 x64. 

> Users could be created by anyone (missing authorization for /_users/* 
> endpoint)
> -------------------------------------------------------------------------------
>                 Key: COUCHDB-3156
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-3156
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>            Reporter: Aleksander Alekseev
>            Priority: Critical
> Steps to reproduce:
> 1. Configure a 3-node cluster (not sure if it also reproduces on a 
> single-node setup), make sure you've created an admin user:
> {code}
> curl -X PUT 
> -d 
> '"password"'
> {code}
> 2. Execute:
> {code}
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:afiskon \
>      -H "Accept: application/json" \
>      -H "Content-Type: application/json" \
>      -d '{"name": "afiskon", "password": "secret", "roles": [], "type": 
> "user"}'
> {code}
> Expected behavior:
> {code}
> {"error":"unauthorized","reason":"You are not a server admin."}
> {code}
> ( User should not be created since no admin username and password were 
> provided. )
> Actual behavior:
> {code}
> {"ok":true,"id":"org.couchdb.user:afiskon","rev":"1-ed29e6531747deca44fad127b033fe59"}
> {code}
> Affected version:
> CouchDB 2.0
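The following is an added example, not code from this JIRA thread or from the CouchDB project. It turns the reproduction steps above into a repeatable check a cluster operator can run against their own node after upgrading: it issues the same unauthenticated `PUT /_users/org.couchdb.user:<name>` from the issue and classifies the response as "protected" (the expected `unauthorized` error) or "exposed" (a document was created). The endpoint and document shape come from the issue text; the probe name `CHECK_NAME`, the default base URL, and the fake transport used for the offline demonstration are assumptions made here.

```python
"""Check whether a CouchDB node lets an unauthenticated caller create a _users doc.

Added example, not part of the JIRA thread. The endpoint and document shape
come from the issue text; CHECK_NAME, the default base URL and the fake
transport used for the offline demo are assumptions made here.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed throwaway account name; it should never exist on a healthy node.
CHECK_NAME = "authz-probe-do-not-use"

# A transport takes (method, url, body) and returns (http_status, json_payload).
Transport = Callable[[str, str, bytes], Tuple[int, Dict]]


def urllib_transport(method: str, url: str, body: bytes) -> Tuple[int, Dict]:
    """Real transport: send the request with NO credentials and return (status, json)."""
    req = urllib.request.Request(
        url,
        data=body,
        method=method,
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        # 401/403 responses still carry a JSON body describing the refusal.
        raw = err.read().decode()
        return err.code, json.loads(raw) if raw else {}


def classify(status: int, payload: Dict) -> str:
    """Map a response to the outcome the issue describes."""
    if payload.get("ok") is True and "id" in payload:
        return "exposed"        # user document was created without admin credentials
    if status in (401, 403) or payload.get("error") in ("unauthorized", "forbidden"):
        return "protected"      # the expected "You are not a server admin." refusal
    return "inconclusive"       # anything else (network error body, 5xx, ...)


def probe(base_url: str = "http://localhost:5984",
          transport: Transport = urllib_transport) -> str:
    """Attempt the unauthenticated user creation from the issue and classify it."""
    doc = {"name": CHECK_NAME, "password": "unused", "roles": [], "type": "user"}
    url = f"{base_url}/_users/org.couchdb.user:{CHECK_NAME}"
    status, payload = transport("PUT", url, json.dumps(doc).encode())
    return classify(status, payload)


def fake_transport_for(status: int, payload: Dict) -> Transport:
    """Build an offline transport that always returns a constructed response."""
    def _transport(method: str, url: str, body: bytes) -> Tuple[int, Dict]:
        return status, payload
    return _transport


if __name__ == "__main__":
    # Offline demonstration with constructed responses mirroring the issue text.
    created = {"ok": True, "id": f"org.couchdb.user:{CHECK_NAME}", "rev": "1-constructed"}
    refused = {"error": "unauthorized", "reason": "You are not a server admin."}
    print("buggy node   ->", probe(transport=fake_transport_for(201, created)))
    print("healthy node ->", probe(transport=fake_transport_for(401, refused)))
```

Run `probe()` with the default transport against a node you administer; a result of "exposed" means the probe document now exists in `_users` and should be deleted with admin credentials after the check.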
