User with _users admin Permissions cannot delete document


max

Sep 22, 2017, 12:36:49 PM
to us...@couchdb.apache.org
Hi,

I'm trying CouchDB 2.1 and facing a (strange?) issue. I have given
admin access through "Permissions" to "user1" and every user with the
role "manager". This allowed these users to call views from _design in
the _users database. But this is not enough to delete other users; to do
that the user has to be a super CouchDB Admin. Is this the expected
behavior? I got "Only admins may delete other user docs" whereas he is
admin.

This is my _users database permissions:

{"error":"unauthorized","reason":"Authentication required.","admins":{"names":["user1"],"roles":["manager"]}}


Regards,

Max.

Stefan du Fresne

Sep 23, 2017, 7:08:23 AM
to us...@couchdb.apache.org
This is currently how it works yeah.

I believe the current recommendation for user management is to effectively ignore the permissions matrix in the _users database and instead wrap CouchDB in your own permissions management.

Stefan

max

Sep 23, 2017, 8:40:29 AM
to us...@couchdb.apache.org
Thanks,

Any workaround from configuration? I would like to avoid making more
CouchDB admins...

On 23 Sep 2017 1:08 PM, "Stefan du Fresne" <ste...@medicmobile.org>
wrote:

Stefan du Fresne

Sep 23, 2017, 9:14:14 AM
to us...@couchdb.apache.org
None that I know of, no. Ideally it would just work, but I think editing permissions for _users is effectively deprecated at this point.

Really the only thing you can do is write a security layer yourself, either by wrapping CouchDB and converting those calls (after checking your own security) to be done by an admin user, or provide a separate API etc.

Stefan

max

Sep 23, 2017, 9:17:28 AM
to us...@couchdb.apache.org
Thank you for your answers, I'll try with a simple web services layer.

On 23 Sep 2017 3:14 PM, "Stefan du Fresne" <ste...@medicmobile.org> wrote:

Jan Lehnardt

Sep 25, 2017, 5:31:30 AM
to us...@couchdb.apache.org
Stefan is correct that this is expected behaviour, but I’d reject the notion that
it is in any way recommended to not use the CouchDB user system. All you need to
do is have a CouchDB admin user do the _users edits.

Of course you can build your own system on top, but I wouldn’t recommend that.

Best
Jan
--
Professional Support for Apache CouchDB:
https://neighbourhood.ie/couchdb-support/

max

Sep 25, 2017, 6:45:59 AM
to us...@couchdb.apache.org
Thank you.

I'm gonna create an admin user and I'll use it from a local service exposed to
the web with classic CouchDB auth.

Last question about 2.1: in Fauxton I couldn't find a way to navigate
through document revisions (like the "previous version" button in
1.6.1). Is it still possible?
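
The admin-backed service described above (and recommended by Stefan and Jan earlier in the thread), as an added example that is not code from this thread or from CouchDB: it authenticates the caller against CouchDB's own /_session endpoint with classic auth, applies its own authorisation rule (the thread's "manager" role), and only then deletes the org.couchdb.user:<name> document using server-admin credentials. The CouchDB URL, the admin credentials, the `couch_request` helper and the `delete_user` function are all assumptions.

```python
import base64
import json
import urllib.error
import urllib.request

COUCH_URL = "http://127.0.0.1:5984"      # assumed CouchDB address
ADMIN_AUTH = ("admin", "ADMIN-PASSWORD")  # placeholder server-admin credentials
ALLOWED_ROLES = {"manager"}               # roles this layer lets delete users


def couch_request(method, path, auth):
    """Assumed helper: HTTP call with basic auth, returns (status, JSON body)."""
    req = urllib.request.Request(COUCH_URL + path, method=method)
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


def delete_user(target, caller_auth, send=couch_request):
    """Delete org.couchdb.user:<target> on behalf of the caller.

    `send` is injectable so the decision logic can be exercised without a
    live CouchDB. Returns (status, body) in CouchDB's own shape."""
    # 1. Authenticate the caller with CouchDB's session endpoint (classic auth).
    status, session = send("GET", "/_session", caller_auth)
    if status != 200 or not session.get("userCtx", {}).get("name"):
        return 401, {"error": "unauthorized", "reason": "Authentication required."}
    ctx = session["userCtx"]
    # 2. This layer's own rule: a user may delete itself, anyone else needs a role.
    if ctx["name"] != target and not ALLOWED_ROLES & set(ctx.get("roles", [])):
        return 403, {"error": "forbidden", "reason": "manager role required"}
    doc_id = "org.couchdb.user:" + target
    # 3. The privileged part runs as the server admin: fetch _rev, then DELETE.
    status, doc = send("GET", f"/_users/{doc_id}", ADMIN_AUTH)
    if status != 200:
        return status, doc
    return send("DELETE", f"/_users/{doc_id}?rev={doc['_rev']}", ADMIN_AUTH)
```

Only the admin credentials ever reach the _users DELETE, so the "Only admins may delete other user docs" check in CouchDB is satisfied while the decision about who may delete stays in this layer.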

Stefan du Fresne

Sep 25, 2017, 8:42:33 AM
to us...@couchdb.apache.org
Apologies, I didn't mean to not use the _users system; I was referring to editing the permissions/security properties of the _users DB in an attempt to allow a non-admin user to make edits to that DB.

Jan Lehnardt

Sep 25, 2017, 8:59:27 AM
to us...@couchdb.apache.org
Ah gotcha! Thanks for clarifying :)

Cheers
Jan

max

Sep 29, 2017, 3:15:32 AM
to us...@couchdb.apache.org
Last question about 2.1: in Fauxton I couldn't find a way to navigate
through document revisions (like the "previous version" button in
1.6.1). Is it still possible?

Jan Lehnardt

Sep 29, 2017, 6:02:47 AM
to us...@couchdb.apache.org
We have decided to de-emphasize this “capability” as CouchDB doesn’t
guarantee old revisions to be around post compaction and in 2.x we
recommend compaction to run frequently (Cloudant runs it continuously),
so you’re less likely to be able to navigate old doc revision bodies.

Best
Jan
