Hello again!
I believe I have figured it out. Turns out that the database contains a
'_security' endpoint where I can PUT a document similar to the following
one:
PUT /mydb/_security HTTP/1.1
Accept: application/json
Content-Length: 121
Content-Type: application/json
Host: localhost:5984

{
    "admins": {
        "names": [
            "tito"
        ],
        "roles": [
            "admins"
        ]
    },
    "members": {
        "names": [
            "tito"
        ],
        "roles": [
            "everything_else"
        ]
    }
}
For reference, I found information here:
http://docs.couchdb.org/en/1.6.1/api/database/security.html
I realized that I *must* specify a user in the members.names section or else
it'll be open to non-auth'd users. Since I'm the admin and nobody else is
supposed to access it, I suppose that the above ACL is correct, right? It works
well, so I assume this is the way to go. If you have comments, please let me
know.
Thanks!
-- Tito
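The point Tito makes about the members section (leave it empty and the database stays open to everyone, authenticated or not) is exactly what an audit of a CouchDB instance should check for. The following is an added example, not code from this thread or from the CouchDB project: it builds a _security object in the shape shown above, flags objects whose members section is empty, and assembles the raw PUT request with a Content-Length computed from the actual body (the 121 in Tito's capture is his own value). The database name, host and user/role names are illustrative assumptions.

```python
import json

# Constructed sample values (not from the thread).
DB_NAME = "mydb"
HOST = "localhost:5984"


def security_doc(admin_names, member_names, admin_roles=(), member_roles=()):
    """Build a CouchDB _security object with the admins/members layout
    documented for 1.6.x: each section has a 'names' and a 'roles' list."""
    return {
        "admins": {"names": list(admin_names), "roles": list(admin_roles)},
        "members": {"names": list(member_names), "roles": list(member_roles)},
    }


def is_open_to_everyone(doc):
    """True when the members section has neither names nor roles.
    CouchDB then enforces no reader restriction at all, so any user,
    including an unauthenticated one, can read and write the database
    (the behaviour Tito saw from a fresh OS account in Safari)."""
    members = doc.get("members") or {}
    return not members.get("names") and not members.get("roles")


def audit_security_doc(doc):
    """Return a list of findings for a _security object. Empty list = no
    issue found by these checks (server admins always retain access)."""
    findings = []
    if is_open_to_everyone(doc):
        findings.append("members section is empty: database is readable and "
                        "writable by anyone, including anonymous users")
    admins = doc.get("admins") or {}
    if not admins.get("names") and not admins.get("roles"):
        findings.append("no database admins defined: only server admins can "
                        "change design docs and this security object")
    return findings


def build_put_request(db_name, doc, host=HOST):
    """Assemble the raw HTTP/1.1 PUT for /<db>/_security. Returns a dict with
    the request line, a header dict and the body so the caller (or a test)
    can check that Content-Length matches the encoded body exactly."""
    body = json.dumps(doc, sort_keys=True, separators=(",", ":"))
    encoded = body.encode("utf-8")
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Content-Length": str(len(encoded)),  # computed, never hard-coded
        "Host": host,
    }
    request_line = "PUT /%s/_security HTTP/1.1" % db_name
    return {"request_line": request_line, "headers": headers, "body": body}


def render_request(req):
    """Serialize the dict from build_put_request into wire format
    (CRLF line endings, blank line between headers and body)."""
    lines = [req["request_line"]]
    lines += ["%s: %s" % (k, v) for k, v in req["headers"].items()]
    return "\r\n".join(lines) + "\r\n\r\n" + req["body"]


if __name__ == "__main__":
    # The ACL Tito ended up with: admin and member both set to one user.
    locked = security_doc(["tito"], ["tito"], ("admins",), ("everything_else",))
    # The mistake he describes: admins set, members left empty.
    open_db = security_doc(["tito"], [])
    for name, doc in (("locked", locked), ("open_db", open_db)):
        print(name, "->", audit_security_doc(doc) or "ok")
    print(render_request(build_put_request(DB_NAME, locked)))
```

Running the script prints one finding for the object with an empty members section and none for the one that names a member, then the full request for the locked configuration. The same `audit_security_doc` check can be run over the JSON returned by a GET on each database's `_security` endpoint when reviewing an existing server.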
On 27 Jul, 2016, at 06:02 PM, Tito Ciuro <[email protected]> wrote:
Hello,
I am trying to secure access to a database. From an HTTP request point of view,
it's secure and I know it's working because unit tests and curl commands fail
when the wrong password is used. I open Futon and sure enough, the lower-right
corner confirms that I'm no longer in admin party mode. I cannot create a new
database and I cannot access the configuration, which is expected. Great.
The problem is that any user can access the database I have created. Not only
that, any user can modify it as well! I even created a new account (Mac OS X),
launched Safari and was allowed to manipulate the database without any type of
restriction.
Question: how do I secure the database so that only the admin can access it? Is
there an ACL somewhere I missed?
Thanks!
-- Tito