2

Sorry for this rather yes/no question, but I haven't found the document that would clarify it, or I must have missed it here. Is it standard behaviour that you can simply create a new user entry in a CouchDB (without being an admin user) in the following way:

    curl -X PUT http://localhost:5984/_users/org.couchdb.user:jan \
         -H "Accept: application/json" \
         -H "Content-Type: application/json" \
         -d '{"name": "jan", "password": "apple", "roles": [], "type": "user"}'

I just tried it. It does work and creates a new user. I was unsure whether this is intended or not (a server admin exists, so it's no admin-party). Can this behaviour be limited/configured, to prevent unwanted mass-signups?

nylki

4 Answers

6

I found the answer to my question here:

In addition, the _users database is now treated different from other databases:

An anonymous user can only create a new document.

So, yes, an anonymous (unauthenticated) user may create a new user in a CouchDB.

To configure/limit this behaviour you can modify the validate_doc_update function inside the _design/_auth design document, which already handles certain user creation limitations (see official example). The check !is_server_or_database_admin(userCtx, secObj) already exists there. To allow only admins to add new users, you could:

    throw({forbidden : 'Users can only be created by server or db admins in this specific CouchDB installation'})

at the beginning of that statement, to forbid any further action when not authenticated as db admin.

The part in validate_doc_update then looks something like:

    //[… existing code …]
    if(!is_server_or_database_admin(userCtx, secObj)) {
        throw({forbidden : 'Users can only be created by server or db admins in this specific CouchDB installation'});
        //[… existing code …]
    }

Refer to the example (scroll to the bottom) in the official documentation for more details.

nylki
3

To prevent an anonymous user from creating new users in the "_users" database in CouchDB 2.2 open the Fauxton DB manager and click on the "_users" DB.

Click on the "Permissions" tab and set the "Users" to "admin" and "Roles" to "_admin".

Also set the "Members" to "admin" and the "Roles" to "_admin".

Save the file and you're good to go.

(thx to Eric and Chris at CouchDB Users)

  • Man, any more details on how this actually works? When it comes to permission tab in the UI idk how to configure it. Your setup works but I am not sure how. What does admin mean in the Users tab and what other roles exist other than "_admin"? – Nobody Feb 02 '19 at 08:56
  • It works pretty much the same as "users" and "roles" on regular databases. To get a better idea of how users and roles work take a look at: https://github.com/pouchdb-community/pouchdb-authentication/blob/master/docs/recipes.md – Bill Stephenson Feb 27 '19 at 07:44
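
How the two restrictions discussed so far (the `validate_doc_update` throw from the first answer and the `_users` Permissions settings from the second) treat the same write, as an added example that is not part of any answer and is not CouchDB's own code. `listed`, `mayAccess`, `attemptWrite` and the sample users are hypothetical names, and `is_server_or_database_admin` here is a simplified stand-in for the helper in `_design/_auth`.

```javascript
// True when the user is named in a security-object section or holds one of its roles.
function listed(section, userCtx) {
  section = section || {};
  if ((section.names || []).indexOf(userCtx.name) !== -1) return true;
  return userCtx.roles.some(function (r) {
    return (section.roles || []).indexOf(r) !== -1;
  });
}
// Simplified stand-in for the _design/_auth helper of the same name (assumption).
function is_server_or_database_admin(userCtx, secObj) {
  return userCtx.roles.indexOf('_admin') !== -1 || listed(secObj.admins, userCtx);
}
// Database-level check (second answer): no members listed means the database is open.
function mayAccess(userCtx, secObj) {
  var m = secObj.members || {};
  var open = !(m.names || []).length && !(m.roles || []).length;
  return open || is_server_or_database_admin(userCtx, secObj) || listed(m, userCtx);
}
// Validator with the throw placed as in the first answer.
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  if (!is_server_or_database_admin(userCtx, secObj)) {
    throw({forbidden: 'Users can only be created by server or db admins ' +
                      'in this specific CouchDB installation'});
  }
}
// Model of one write to _users: database access first, then the validator.
// Pass validator = null to look at the security object alone.
function attemptWrite(userCtx, secObj, validator, newDoc, oldDoc) {
  if (!mayAccess(userCtx, secObj)) return 'denied by _security';
  try {
    if (validator) validator(newDoc, oldDoc || null, userCtx, secObj);
    return 'accepted';
  } catch (e) {
    return e.forbidden ? 'forbidden by validator' : 'error';
  }
}

// Constructed sample data; lockedSec uses the values from the second answer.
var openSec = {admins: {names: [], roles: []}, members: {names: [], roles: []}};
var lockedSec = {admins: {names: ['admin'], roles: ['_admin']},
                 members: {names: ['admin'], roles: ['_admin']}};
var anonymous = {name: null, roles: []};
var jan = {name: 'jan', roles: []};
var admin = {name: 'admin', roles: ['_admin']};
var janDoc = {_id: 'org.couchdb.user:jan', name: 'jan', roles: [], type: 'user'};

console.log(attemptWrite(anonymous, openSec, validate_doc_update, janDoc));
console.log(attemptWrite(anonymous, lockedSec, null, janDoc));
console.log(attemptWrite(jan, openSec, validate_doc_update, janDoc, janDoc));
```

A validation function runs on every write to the database, so the throw also refuses a non-admin who updates their own user document, as the third call shows.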
2

The accepted answer is incorrect in suggesting that:

"you can modify the validate_doc_update function inside the _design/_auth design document"

This is not strictly true. CouchDB will allow you to modify the validate_doc_update function inside the _design/_auth design document, but the content of the document will be reverted to its original state upon restarting CouchDB. This means that, if your CouchDB is restarted, the changes will be lost.

See the CouchDB documentation - http://docs.couchdb.org/en/stable/intro/security.html#authentication-database:

There is a special design document _auth that cannot be modified

The correct solution is to change the behaviour from within the CouchDB local.ini config file.

See https://docs.couchdb.org/en/latest/config/auth.html#couch_httpd_auth/require_valid_user

require_valid_user

When this option is set to true, no requests are allowed from anonymous users. Everyone must be authenticated.

    [chttpd]
    require_valid_user = false

    [couch_httpd_auth]
    require_valid_user = false

B-rad
  • I removed the "accepted answer" flag from my answer, since this answer and Bill Stephenson's answer seem more appropriate for today's CouchDB 3.x. Since I am not using CouchDB currently, I can't verify either though. I wrote my initial question using CouchDB 1.x; today it's 3.*. So the answers may be version dependent. – nylki Mar 19 '22 at 20:47
1

EDIT: sorry, this is not answering the question. I did not read it carefully enough.

The standard behaviour is "Admin Party", which means that if no initial admin is created (see below), everybody is admin. So to answer the question - yes.

CouchDB offers basic authentication mechanisms.

The most important bit of the documentation is this: http://docs.couchdb.org/en/latest/intro/security.html?highlight=security#authentication-database. Users are stored in an authentication database and admins are stored in the local.ini file. To add an admin:

  • find the local.ini file by running the command: couchdb -c
  • open the local.ini file
  • in the section [admins] uncomment the line admin and add a password in plain text
  • relaunch CouchDB. Then, the password will be encrypted (check it by reopening local.ini)

You can for sure also add a role admin to the users database but even though the name is the same, it is just another user.

Please see also http://docs.couchdb.org/en/latest/api/database/security.html

awenkhh
  • thanks for the answer. It's however not answering the question, as I explicitly stated that "a server admin exists, so it's no admin-party". I know *how* to create users and admin users. What I wanted to know is whether unauthenticated parties are allowed to create standard users via the REST-API (which worked on my side, but I was not sure if this is normal behaviour) – nylki Dec 12 '15 at 16:47
  • oh I am sorry - I completely oversaw this ... – awenkhh Dec 12 '15 at 23:09