How can I create regular, non-admin users in CouchDB?
-
1 You might be interested in this wiki article. http://wiki.apache.org/couchdb/How_to_create_users_via_script – user2247543 Apr 05 '13 at 03:57
-
What are the naming rules? I can't seem to find an answer anywhere. Can a username be an email address? – Costa Michailidis Apr 15 '14 at 20:17
-
Usernames can be absolutely any UTF-8 string. For example, that's the reason why `couchdb_peruser` needs to hash usernames to make database names. There are a couple of restrictions that you can find in [the design doc for the _users database](https://github.com/apache/couchdb/blob/103a0624f309ea0d796176a55eb5faea68f26047/src/couch/include/couch_js_functions.hrl#L147):
  - usernames cannot begin with an underscore `_`
  - usernames cannot contain a colon `:`

  _(It's still hard to find an answer to this online in 2019)_ – Leonid Shevtsov Apr 21 '19 at 06:05
3 Answers
First you put the user in the `_users` database. The ID of the document must be `org.couchdb.user:username`, e.g.
With CouchDB 1.2.0 or later use this:
```json
{
  "_id": "org.couchdb.user:dbreader",
  "name": "dbreader",
  "type": "user",
  "roles": [],
  "password": "plaintext_password"
}
```
CouchDB will hash & salt the password for you on the server side and save the values in the fields `password_sha` and `salt` (see below).
With CouchDB < 1.2.0 the user document needs to look like this:
```json
{
  "_id": "org.couchdb.user:dbreader",
  "name": "dbreader",
  "type": "user",
  "roles": [],
  "salt": "54935938852dd34f92c672ab31e397cedaf0946d",
  "password_sha": "42253ea4461a604f967813aaff90b139d7018806"
}
```
Note that CouchDB 1.3.0 and later will use PBKDF2 instead of sha & salt for hashing the password.
Then you can create per-database authentication by creating a document with id `_security` in the specific database, which is not versioned, e.g.
```json
{
  "admins": {
    "names": ["dbadmin"],
    "roles": ["editor"]
  },
  "readers": {
    "names": ["dbreader"],
    "roles": ["reader"]
  }
}
```
This means that there are 2 users in `_users` besides the admin dbadmin and dbreader. That should do in case you are too lazy to read the document that has already been suggested.

-
1 I can't seem to figure out the naming conventions. Are there any restrictions on what the username can be? Other than the prefix `org.couchdb.user:` – Costa Michailidis Apr 15 '14 at 20:15
-
So user passwords are seen by everyone when you store them? And how to hash them? – astroanu Mar 17 '15 at 04:58
-
2 @astroanu: You post it in clear text, yes, but when it comes back to you from the server (and every GET request thereafter), it's only the salted and hashed version of the password that gets returned. – MidnightLightning Jan 13 '16 at 16:06
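Added example, not part of the answer above and not CouchDB's own code: Python that builds the two user-document variants and the `_security` object from the first answer, applies the two username restrictions quoted in the comments, and percent-encodes the document ID for the request path. The function names, the `mydb` database name and the sample credentials are constructed for illustration; the pre-1.2.0 `password_sha` is computed as the hex SHA-1 of the password followed by the salt.

```python
import hashlib
import json
import secrets
from urllib.parse import quote


def validate_username(name):
    """Enforce the two _users design-doc restrictions quoted in the comments."""
    if not name:
        raise ValueError("username must not be empty")  # assumption added here
    if name.startswith("_"):
        raise ValueError("username cannot begin with an underscore")
    if ":" in name:
        raise ValueError("username cannot contain a colon")
    return name


def user_doc(name, password, roles=(), legacy=False, salt=None):
    """Build the _users document for a regular user.

    legacy=False (CouchDB >= 1.2.0): send the plaintext, the server hashes it.
    legacy=True  (CouchDB < 1.2.0): send salt and password_sha, where
    password_sha is the hex SHA-1 of the password followed by the salt.
    """
    validate_username(name)
    doc = {"_id": "org.couchdb.user:" + name, "name": name,
           "type": "user", "roles": list(roles)}
    if legacy:
        salt = salt or secrets.token_hex(20)  # 40 hex chars, fresh per user
        doc["salt"] = salt
        doc["password_sha"] = hashlib.sha1((password + salt).encode("utf-8")).hexdigest()
    else:
        doc["password"] = password
    return doc


def security_doc(admin_names=(), admin_roles=(), reader_names=(), reader_roles=()):
    """Build the per-database _security object in the shape the answer shows."""
    return {"admins": {"names": list(admin_names), "roles": list(admin_roles)},
            "readers": {"names": list(reader_names), "roles": list(reader_roles)}}


def put_request(db, doc_id, body):
    """Return (method, path, JSON body); the doc id is percent-encoded because
    usernames may contain '/', '@', spaces or any other UTF-8 character."""
    return "PUT", "/" + db + "/" + quote(doc_id, safe=":"), json.dumps(body)


if __name__ == "__main__":
    doc = user_doc("user@example.com", "constructed-password")  # constructed sample
    print(put_request("_users", doc["_id"], doc))
    print(put_request("mydb", "_security",  # "mydb" is a hypothetical database
                      security_doc(["dbadmin"], ["editor"], ["dbreader"], ["reader"])))
```

Send the plaintext variant only over TLS, since the password travels in the request body until the server hashes it.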
-
The CouchDB documentation has a short article about the security features of CouchDB, and it includes a section on how to create a new user.

-
3 This is correct. The short answer to IDanil's question is, "create a document in the `_users` database." However your link explains all the details and implications. – JasonSmith Sep 15 '10 at 22:34
I think you have to put a web framework in front to do this the way many sites do. CouchDB admin roles do not work on a record-by-record basis, so if you create a reader who can read the profiles or account table they can read record.

-
This posting requires an explanation of why so many people downvoted it. CouchDB allows you to create users by sending a JSON object to one of the REST API's endpoints. The structure of this document has been laid out by Gjorgji in his posting. – SomeDutchGuy Oct 01 '19 at 13:28
-
@SomeDutchGuy I guess because you don't "have to put a web framework in front of it.." – Can Rau Jun 06 '22 at 03:01