[jira] [Commented] (COUCHDB-3156) Users could be created by anyone (missing authorization for /_users/* endpoint)

2016-09-22 Thread Aleksander Alekseev (JIRA)

[ https://issues.apache.org/jira/browse/COUCHDB-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15513925#comment-15513925 ]

Aleksander Alekseev commented on COUCHDB-3156:
--

[~wohali] I'm afraid it's not. Here are my exact steps (fortunately I have a 
habit of recording such things).

On every node, modify /home/couchdb/etc/vm.args like this (the IP is different 
for every node):
{code}
-name couchdb@10.110.2.4
-setcookie eY2chohl4siecaib
{code}

Restart all nodes:

{code}
sudo sv restart couchdb
{code}

(!) Create admin user on every node and change bind address:

{code}
curl -X PUT http://127.0.0.1:5984/_node/couchdb@10.110.2.4/_config/admins/admin \
  -d '"password"'
curl -X PUT http://127.0.0.1:5984/_node/couchdb@10.110.2.4/_config/chttpd/bind_address \
  -d '"0.0.0.0"' --user admin
{code}

Join nodes into a cluster. For this on one node I did the following for every 
other node:

{code}
curl -X POST -H "Content-Type: application/json" \
  http://127.0.0.1:5984/_cluster_setup \
  -d '{"action": "enable_cluster", "bind_address": "0.0.0.0", "username": "admin", "password": "password", "port": 5984, "remote_node": "10.110.2.5", "remote_current_user": "admin", "remote_current_password": "password"}' \
  --user admin

curl -X POST -H "Content-Type: application/json" \
  http://127.0.0.1:5984/_cluster_setup \
  -d '{"action": "add_node", "host": "10.110.2.7", "port": "5984", "username": "admin", "password": "password"}' \
  --user admin
{code}

When all nodes are added:

{code}
curl -X POST -H "Content-Type: application/json" \
  http://127.0.0.1:5984/_cluster_setup \
  -d '{"action": "finish_cluster"}' --user admin
{code}

Re-check that all nodes are in the cluster:

{code}
curl -X GET http://localhost:5984/_membership --user admin
{code}

Next steps: see above.
Previous steps (installing CouchDB): see 
https://github.com/afiskon/install-couchdb

OS: Ubuntu 16.04 x64. 

> Users could be created by anyone (missing authorization for /_users/* 
> endpoint)
> ---
>
> Key: COUCHDB-3156
> URL: https://issues.apache.org/jira/browse/COUCHDB-3156
> Project: CouchDB
>  Issue Type: Bug
>  Components: HTTP Interface
>Reporter: Aleksander Alekseev
>Priority: Critical
>
> Steps to reproduce:
> 1. Configure a 3-node cluster (not sure if it also reproduces on a 
> single-node setup), make sure you've created an admin user:
> {code}
> curl -X PUT http://127.0.0.1:5984/_node/couchdb@10.110.2.4/_config/admins/admin \
>   -d '"password"'
> {code}
> 2. Execute:
> {code}
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:afiskon \
>  -H "Accept: application/json" \
>  -H "Content-Type: application/json" \
>  -d '{"name": "afiskon", "password": "secret", "roles": [], "type": "user"}'
> {code}
> Expected behavior:
> {code}
> {"error":"unauthorized","reason":"You are not a server admin."}
> {code}
> ( User should not be created since no admin username and password were 
> provided. )
> Actual behavior:
> {code}
> {"ok":true,"id":"org.couchdb.user:afiskon","rev":"1-ed29e6531747deca44fad127b033fe59"}
> {code}
> Affected version:
> CouchDB 2.0



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (COUCHDB-3156) Users could be created by anyone (missing authorization for /_users/* endpoint)

2016-09-22 Thread Aleksander Alekseev (JIRA)

[ https://issues.apache.org/jira/browse/COUCHDB-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15514088#comment-15514088 ]

Aleksander Alekseev commented on COUCHDB-3156:
--

[~kxepal] There is no such feature in CouchDB. Documentation section 1.6.2 
clearly describes what this API should and shouldn't do: 
http://docs.couchdb.org/en/latest/intro/security.html . If a bug has existed in 
a project for many years, that doesn't make it the right behavior. It also 
doesn't make sense to deny everyone the ability to create databases and 
documents (which is what CouchDB currently does after the first admin is 
created) while allowing anyone to create as many users as they want.






[jira] [Created] (COUCHDB-3156) Users could be created by anyone (missing authorization for /_users/* endpoint)

2016-09-22 Thread Aleksander Alekseev (JIRA)
Aleksander Alekseev created COUCHDB-3156:


 Summary: Users could be created by anyone (missing authorization 
for /_users/* endpoint)
 Key: COUCHDB-3156
 URL: https://issues.apache.org/jira/browse/COUCHDB-3156
 Project: CouchDB
  Issue Type: Bug
  Components: HTTP Interface
Reporter: Aleksander Alekseev


Steps to reproduce:

1. Configure a 3-node cluster (not sure if it also reproduces on a single-node 
setup) and make sure you've created an admin user:

{code}
curl -X PUT http://127.0.0.1:5984/_node/couchdb@10.110.2.4/_config/admins/admin \
  -d '"password"'
{code}

2. Execute:

{code}
curl -X PUT http://localhost:5984/_users/org.couchdb.user:afiskon \
 -H "Accept: application/json" \
 -H "Content-Type: application/json" \
 -d '{"name": "afiskon", "password": "secret", "roles": [], "type": "user"}'
{code}

Expected behavior:

User should not be created since no admin username and password were provided.

Actual behavior:

{code}
{"ok":true,"id":"org.couchdb.user:afiskon","rev":"1-ed29e6531747deca44fad127b033fe59"}
{code}

Affected version:

CouchDB 2.0



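The reproduction above, turned into an audit check an operator can run against their own cluster: it sends the same unauthenticated PUT to `_users` and reports whether the node answered with the expected `unauthorized` error or created the document. This is an added example, not the reporter's or the CouchDB project's code; the base URL and the probe user name are assumptions, and the HTTP transport is a parameter so the verdict logic can be exercised offline.

```python
"""Check whether /_users accepts a user-document PUT without credentials
(the COUCHDB-3156 behaviour). Added example; BASE_URL and PROBE_NAME are
assumptions, not values from the report."""
import json
import urllib.error
import urllib.request

BASE_URL = "http://127.0.0.1:5984"  # assumption: local node, default port
PROBE_NAME = "audit-probe-3156"      # constructed name, not a real account


def build_probe(base_url=BASE_URL, name=PROBE_NAME):
    """Mirror the report's request: PUT a user doc with no Authorization."""
    url = f"{base_url}/_users/org.couchdb.user:{name}"
    body = {"name": name, "password": "probe", "roles": [], "type": "user"}
    headers = {"Accept": "application/json", "Content-Type": "application/json"}
    return url, headers, json.dumps(body).encode()


def classify(status, body):
    """401 + {"error":"unauthorized"} is the expected result ('protected');
    a 201/202 with {"ok":true} means anyone can create accounts ('vulnerable')."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "unexpected"
    if status in (201, 202) and doc.get("ok") is True:
        return "vulnerable"
    if status == 401 and doc.get("error") == "unauthorized":
        return "protected"
    return "unexpected"


def http_put(url, headers, data):
    """Real transport: returns (status, body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=data, headers=headers, method="PUT")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def probe(transport=http_put, base_url=BASE_URL, name=PROBE_NAME):
    """Run the check; `transport` is injectable so the logic is testable offline."""
    url, headers, data = build_probe(base_url, name)
    status, body = transport(url, headers, data)
    return classify(status, body)


if __name__ == "__main__":
    print(probe())
```

A "vulnerable" verdict means the probe document now exists in `_users` and should be deleted with admin credentials afterwards.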