Guillaume Belrose wrote:
Hi all,
I’ve deployed a cluster of CouchDB servers (CentOS 6.7 CouchDB 1.6.1) which are
configured to replicate each other. The cluster runs within a production
facility that is cut off from the outside world, so so far, we’ve been running
in Admin Party mode.
When looking at the log files today, I realised that most documents would get
correctly replicated except the design documents. Replicating such documents
fails with an error message that looks like this:
[Thu, 11 Feb 2016 11:46:12 GMT] [error] [<0.297.0>] Replicator: couldn't write
document `_design/vistas`, revision `3-aa26ce096d35048c7c6182624bd6ce77`, to target
database `qstack_occasions`. Error: `unauthorized`, reason: `You are not a db or server admin.`.
Is there an easy way around this? I could add a server admin to each of my
nodes, but that would mean that all the client applications (the code which
uses CouchDB) would not be able to create or delete databases (unless they use
the right credentials). This is a lot of code to change as we have not taken
security into account (there was no need to given the isolation provided
elsewhere). Is it somehow possible to allow anonymous users to create / delete
databases when the admin party is off?
I am a bit confused by the semantics as Admin Party seems to mean everybody is
an admin except when it comes to replicating design documents.
I use the _replicator endpoint to replicate my databases. The replication is
set via Ansible and I post a JSON document that is created from the following
template:
- name: setup (continuous) replication for each of the databases
  local_action: uri
    url="http://{{ inventory_hostname }}:5984/_replicator/{{ item[1] }}_to_{{ item[0] }}"
    method=PUT
    body='{"continuous":true,"target":"{{ item[0] }}","source":"http://{{ item[1] }}:5984/{{ item[0] }}"}'
    HEADER_Content-Type="application/json"
    status_code=201,409
If the target is local then you should be able to add "user_ctx" to the
replication document so it has sufficient privileges to write the design
documents.
{
  ...
  "user_ctx": {
    "roles": [
      "_admin"
    ]
  },
  ...
}
If the target is remote you will need to authenticate the connection
with a user that has admin privileges for that database or is a global
admin.
James
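
A check over existing `_replicator` documents that applies the two cases from the reply above: a local target needs an admin `user_ctx`, a remote target needs credentials. This is an added example, not code from the thread; the host names, the credentials placeholder and the function names are assumptions, and only the `_admin` role is treated as sufficient, as in the reply's snippet.

```python
import difflib
from urllib.parse import urlsplit

# Constructed sample documents modelled on the template in the question (hosts are made up).
SAMPLE_DOCS = [
    {"_id": "node2_to_qstack_occasions", "continuous": True,
     "target": "qstack_occasions", "source": "http://node2:5984/qstack_occasions"},
    {"_id": "node3_to_qstack_occasions", "continuous": True,
     "target": "qstack_occasions", "source": "http://node3:5984/qstack_occasions",
     "user_ctx": {"roles": ["_admin"]}},
    {"_id": "node4_to_qstack_occasions", "continuous": True,
     "target": "qstack_occasions", "source": "http://node4:5984/qstack_occasions",
     "usert_ctx": {"roles": ["_admin"]}},
    {"_id": "push_to_node5", "continuous": True,
     "source": "qstack_occasions", "target": "http://node5:5984/qstack_occasions"},
    {"_id": "push_to_node6", "continuous": True, "source": "qstack_occasions",
     "target": {"url": "http://node6:5984/qstack_occasions",
                "headers": {"Authorization": "Basic <placeholder>"}}},
]

def audit_replication_doc(doc):
    """Return findings explaining why design documents may fail to replicate."""
    findings = []
    target, headers = doc.get("target", ""), {}
    if isinstance(target, dict):  # object form: {"url": ..., "headers": {...}}
        target, headers = target.get("url", ""), target.get("headers", {})
    if target.startswith(("http://", "https://")):
        has_creds = bool(urlsplit(target).username) or any(
            name.lower() == "authorization" for name in headers)
        if not has_creds:
            findings.append("remote target has no credentials")
        if "user_ctx" in doc:
            findings.append("user_ctx has no effect on a remote target")
        return findings
    roles = (doc.get("user_ctx") or {}).get("roles", [])  # assumption: only _admin counts
    if "_admin" not in roles:
        findings.append("local target without _admin in user_ctx.roles")
        typos = difflib.get_close_matches("user_ctx", list(doc), n=1, cutoff=0.8)
        if typos and typos[0] != "user_ctx":
            findings.append("key %r is not user_ctx" % typos[0])
    return findings

def audit_all(docs):
    """Map each document _id to its list of findings."""
    return {doc["_id"]: audit_replication_doc(doc) for doc in docs}

if __name__ == "__main__":
    for doc_id, findings in audit_all(SAMPLE_DOCS).items():
        print(doc_id, findings or "ok")
```

A replication that passes this check still runs with full admin rights on the local node, so anyone able to write to `_replicator` while the Admin Party is on can request the same context.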