Friday, February 11, 2011

Securing a couchdb database

Last week, for a post on our corporate blog, I created and populated a hosted CouchDB database (on CouchOne, now CouchBase). Since I put the code on github and it contains references to my publicly available database, I had to secure it a bit. Here is what I did.

Note: this is not a tutorial on CouchDB security issues, only a list of steps I did to secure my database. For a comprehensive guide on CouchDB security, there are excellent online sources.

1. Creating the user/password

The first thing to do is to create a new user with an associated password on the instance.
% curl -X PUT 'https://dboucher.couchone.com/_config/admins/username' -d '"password"'
2. Configuring the user

The next step is to configure the user account by setting its type and roles. In my case, I wanted to add the editor role to my account so I could restrict the creation of new documents to this role (the validator below is kept in a document on the database itself, so it is readable by everyone and I don't want other people to know which user account to hack).

The user account configuration is done using another simple HTTP request:
% curl -X PUT 'https://username:password@dboucher.couchone.com/_users/org.couchdb.user:username' -d@userdata.json
where the file userdata.json contains the following text:
{
  "name": "newuser",
  "type": "user",
  "roles": ["editor"]
}

3. Validator

Finally, to prevent creation of new documents (and modifications or deletion as well) from unauthorized users, I created a design document for my database that only contains a validate_doc_update function. The validation function checks that the user that tries to create/modify/delete a document has the role editor. The code goes as follows:
{
  "_id": "_design/address",
  "validate_doc_update": "function (newdoc, olddoc, userCtx) { if (userCtx.roles.indexOf(\"editor\") == -1) throw({unauthorized: \"illegal access\"});}"
}
To create the design document, I simply entered the following at the shell prompt:
% curl -X PUT 'https://username:password@dboucher.couchone.com/streets/_design/address' -d@designdoc.json
That's it. I could certainly have done something fancier, but that worked and that was really easy to setup.
Tags: ,

1 comments:

Android app developers said...

This is one of the important post.I like your blog effort.This is one of the useful post.

February 07, 2012 2:01 AM

Post a Comment

Subscribe to: Post Comments (Atom)