rnewson commented on issue #5155: URL: https://github.com/apache/couchdb/issues/5155#issuecomment-2256044471
Perhaps a different existing authentication handler would suit you better? (https://docs.couchdb.org/en/stable/api/server/authn.html) The Proxy and JWT handlers in particular would let you externalise authentication in a way that might integrate better with your secrets management solution.

Am I inferring correctly that `sops-nix` would arrange for those files to contain the appropriate passwords? If so, is it not capable of writing them in INI format?

You've mentioned 'cleartext' a few times, so I must add that CouchDB will always hash any cleartext credentials it finds in the `.ini` files and write the hash back down to disk, to protect the secret value. You should always write a hashed value instead (ideally with PBKDF2 and a high iteration count).

The enhancement in question is probably not too difficult to do, but there are caching concerns. For performance reasons we would need to cache the contents of those files in memory, and it would be unprecedented to monitor those files for changes (we don't do that for our `.ini` files). My take, so far, is that we would not want the additional complexity and failure modes that this would bring, without bringing a feature that would benefit many users.

I think there is likely to be a much better way to achieve your goal than the proposal submitted, but please add any further details or comments and we can continue the discussion.
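The comment's advice is to write a pre-hashed PBKDF2 value into the `[admins]` section rather than a cleartext password that CouchDB would otherwise hash and rewrite on startup. The script below is an added example, not code from the CouchDB project or from the commenter: it produces such a value offline and verifies it. It assumes the stored form `-pbkdf2-<hex derived key>,<salt>,<iterations>`, computed with PBKDF2-HMAC-SHA1, a 20-byte derived key, and the salt string used as literal ASCII bytes; confirm that form and the iteration count against the documentation for the CouchDB version you run. The iteration count and the sample password are constructed values.

```python
"""Generate and verify a CouchDB-style PBKDF2 password hash offline.

Added example (not part of the CouchDB project). Assumed stored format:
    -pbkdf2-<hex derived key>,<hex salt>,<iterations>
with PBKDF2-HMAC-SHA1, a 20-byte derived key, and the salt's characters
used as the literal bytes fed to PBKDF2. Verify against your version's docs.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed choice for "a high iteration count"; tune to your CPU budget.
DEFAULT_ITERATIONS = 600_000


def pbkdf2_sha1_hex(password: str, salt: str, iterations: int) -> str:
    """Derive a 20-byte key and return it hex-encoded."""
    dk = hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt.encode("ascii"), iterations, dklen=20
    )
    return dk.hex()


def make_couchdb_hash(password: str,
                      iterations: int = DEFAULT_ITERATIONS,
                      salt: Optional[str] = None) -> str:
    """Return a stored-form string suitable for an [admins] entry."""
    if salt is None:
        # 16 random bytes rendered as 32 hex characters; the characters
        # themselves (not the decoded bytes) are the salt input (assumption).
        salt = os.urandom(16).hex()
    if iterations < 1:
        raise ValueError("iterations must be positive")
    return f"-pbkdf2-{pbkdf2_sha1_hex(password, salt, iterations)},{salt},{iterations}"


def parse_couchdb_hash(stored: str) -> Tuple[str, str, int]:
    """Split a stored value into (hex derived key, salt, iterations)."""
    prefix = "-pbkdf2-"
    if not stored.startswith(prefix):
        raise ValueError("not a -pbkdf2- value")
    parts = stored[len(prefix):].split(",")
    if len(parts) != 3:
        raise ValueError("malformed -pbkdf2- value")
    derived_hex, salt, iterations = parts
    return derived_hex, salt, int(iterations)


def verify_couchdb_hash(stored: str, password: str) -> bool:
    """Recompute the derived key and compare in constant time."""
    derived_hex, salt, iterations = parse_couchdb_hash(stored)
    candidate = pbkdf2_sha1_hex(password, salt, iterations)
    return hmac.compare_digest(candidate, derived_hex)


def admins_ini_line(username: str, stored: str) -> str:
    """Render the line that belongs under [admins] in local.ini."""
    return f"{username} = {stored}"


if __name__ == "__main__":
    # Constructed sample; never commit a real password into a script.
    value = make_couchdb_hash("correct horse battery staple")
    print("[admins]")
    print(admins_ini_line("admin", value))
    print("verifies:", verify_couchdb_hash(value, "correct horse battery staple"))
```

Write the printed line into the `[admins]` section of your `local.ini` (or have your secrets tooling render it there); because the value is already in hashed form, CouchDB has nothing to rewrite at startup. Keep the salt random per user so identical passwords do not produce identical entries.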
