[Couchdb Wiki] Update of "Security_Features_Overview" by JoanTouzet

[Apache Wiki]

Dear wiki user,

You have subscribed to a wiki page "Couchdb Wiki" for change notification.

The page "Security_Features_Overview" has been deleted by JoanTouzet:

https://wiki.apache.org/couchdb/Security_Features_Overview?action=diff=43=44

- <>
  
- = Security Features Overview =
- 
- See the official documentation for the 
[[http://docs.couchdb.org/en/latest/api/authn.html|authentication handler]], 
[[http://docs.couchdb.org/en/latest/config_reference.html#couch-httpd-auth-configuration-options|configuration]]
 and 
[[http://docs.couchdb.org/en/latest/json-structure.html#security-object|database
 security]] portions of this topic.
- 

[Couchdb Wiki] Update of "Security_Features_Overview" by JoanTouzet

[Apache Wiki]

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Couchdb Wiki" for 
change notification.

The "Security_Features_Overview" page has been changed by JoanTouzet:
https://wiki.apache.org/couchdb/Security_Features_Overview?action=diff=42=43

Comment:
remove obsolete and outdated info in prep for decom

  
  = Security Features Overview =
  
- See also the official documentation for the 
[[http://docs.couchdb.org/en/latest/api/authn.html|authentication handler]], 
[[http://docs.couchdb.org/en/latest/config_reference.html#couch-httpd-auth-configuration-options|configuration]]
 and 
[[http://docs.couchdb.org/en/latest/json-structure.html#security-object|database
 security]] portions of this topic.
+ See the official documentation for the 
[[http://docs.couchdb.org/en/latest/api/authn.html|authentication handler]], 
[[http://docs.couchdb.org/en/latest/config_reference.html#couch-httpd-auth-configuration-options|configuration]]
 and 
[[http://docs.couchdb.org/en/latest/json-structure.html#security-object|database
 security]] portions of this topic.
  
- <>
- 
- An overview of the security features that CouchDB 0.11 provides out of the 
box.
- 
- == Authentication ==
- 
- CouchDB 0.11 ships with several authentication handlers:
- 
-  * OAuth authentication handler
- 
-  * cookie authentication handler (the cookie is a timestamped and 
tamper-proof token)
- 
-  * default authentication handler (looks for HTTP basic authentication as 
defined by RFC 2617)
- 
- For each HTTP request that CouchDB receives, one or more authentication 
handlers are invoked to authenticate the user. Once an authentication handler 
succeeds, the remaining ones are not executed. Which authentication handlers 
are used, as well as the order under which they will be invoked, is defined in 
the .ini configuration files. The default setting, from the 
etc/couchdb/default.ini file, is:
- 
- {{{
- [httpd]
- authentication_handlers = {couch_httpd_oauth, oauth_authentication_handler}, 
{couch_httpd_auth, cookie_authentication_handler}, {couch_httpd_auth, 
default_authentication_handler}
- }}}
- '''Note:''' for testing purposes the authentication handler 
''{couch_httpd_auth, null_authentication_handler}'' can be used. It 
authenticates any request as being originated by a server admin user.
- 
- == Authorization ==
- As of CouchDB 0.11, three types of users can be defined:
- 
-  * database members - Defined per database. They can read all types of 
documents from the DB, and they can write (and edit) documents to the DB except 
for design documents.
- 
-  * database admins - Defined per database. They have all the privileges 
members have plus the privileges: write (and edit) design documents, add/remove 
database admins and members, set the database revisions limit 
(''/somedb/_revs_limit'' API) and execute temporary views against the database 
(''/somedb/_temp_view'' API). They can not create a database and neither delete 
a database.
- 
-  * server admins - Defined per CouchDB server. They have all the privileges.
- 
- Server admins are defined in the ''admins'' section of the .ini configuration 
files. See [[Setting_up_an_Admin_account]] for more details.
- 
- Database admins and members are defined in the security object of a database. 
This security object, located under "/db_name/_security" in CouchDB version 
0.11 and above, is a JSON document having the following structure:
- 
- {{{
- {
-   "admins" : {
-  "names" : ["joe", "phil"],
-  "roles" : ["boss"]
-},
-"members" : {
-  "names" : ["dave"],
-  "roles" : ["producer", "consumer"]
-}
- }
- }}}
- Note that security objects are not regular versioned documents (that is, they 
are not under MVCC rules). This is a design choice to speedup authorization 
checks (avoids traversing a database's documents B-Tree).
- 
- If both the names and roles fields of either the admins or members properties 
are empty arrays, it means the database has no admins or members. Having no 
admins, only server admins (with the reserved _admin role) are able to update 
design document and make other admin level changes. Having no members, any user 
can write regular documents (any non-design document) and read documents from 
the database.
- 
- '''Note:''' If there are any member names or roles defined for a database, 
then only authenticated users having a matching name or role are allowed to 
read documents from the database (or do a GET /db_name/ call).
- 
- Each user name mentioned in a database security object refers to a user that 
is defined in the authentication database. The default name of this database is 
''_users'' but it is configurable in the .ini configuration files:
- 
- {{{
- [couch_httpd_auth]
- authentication_db = _users
- require_valid_user = false
- }}}
- The ''require_valid_user'' configuration parameter shown above causes CouchDB 
to have the following behaviour:
- 
-  1. No server admins are configured:
-   1.