I'm thinking of writing a CouchDB-backed application that will store sensitive data. Is it possible to set things up so that I can get something like MySQL's and PostgreSQL's access control, where particular users on the system (users in the sense of Unix system users) can be denied or granted access to a particular CouchDB database?
1 Answer
11
Absolutely, you can set up users in the `_users` database. You can assign roles, groups, as well as any other custom fields for each user. In the `validate_doc_update` function in your design document(s), you can check user roles and approve or deny access based on that. You can also globally assign users as "readers" and "writers". You can authenticate users via Basic HTTP Authentication, OAuth and a variety of other methods.
Refer to the Security Features Overview and Document Update Validation pages on the wiki to get started.

Dominic Barnes
Excellent answer. I am unsure whether Dan meant **actual** Unix system users, or just the concept of multiple users sharing one resource. To let Unix users log in (e.g. via SSH) with their Couch credentials, you must write or find a PAM module for a Couch back-end. To let Couch users log in with their Unix credentials, you must write or find a CouchDB authentication module to use the system accounts instead of `_users`. – JasonSmith Feb 15 '11 at 04:55
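A role check of the kind the answer describes for `validate_doc_update`, as an added example that is not part of the original answer or comment. The role name `records_writer`, the `owner` field, the sample user contexts and the `check` harness are assumptions; `validate_doc_update` runs only on writes, so read access has to be restricted separately through the database's security settings.

```javascript
// Added example. In CouchDB this function's source is stored as a string in
// the design document's "validate_doc_update" field and runs on every write.
// Assumed: role "records_writer" and an "owner" field on each document.
function validateDocUpdate(newDoc, oldDoc, userCtx, secObj) {
  var roles = userCtx.roles || [];
  var isAdmin = roles.indexOf("_admin") !== -1;

  // Anonymous requests arrive with userCtx.name === null.
  if (!userCtx.name && !isAdmin) {
    throw { unauthorized: "Authentication is required to write." };
  }
  if (isAdmin) {
    return; // server admins may write anything
  }
  if (roles.indexOf("records_writer") === -1) {
    throw { forbidden: "Role records_writer is required to write." };
  }
  // Updates and deletions: only the current owner may touch the document.
  if (oldDoc && oldDoc.owner !== userCtx.name) {
    throw { forbidden: "Only the owner may change this document." };
  }
  // Creates and updates: ownership cannot be assigned to someone else.
  if (!newDoc._deleted && newDoc.owner !== userCtx.name) {
    throw { forbidden: "owner must be the authenticated user." };
  }
}

// Local harness (not part of CouchDB): reports how a write would be handled.
function check(newDoc, oldDoc, userCtx) {
  try {
    validateDocUpdate(newDoc, oldDoc, userCtx, {});
    return "ok";
  } catch (e) {
    return e.unauthorized ? "unauthorized" : "forbidden";
  }
}

// Constructed user contexts, shaped like the userCtx CouchDB passes in.
var alice = { name: "alice", roles: ["records_writer"] };
var bob = { name: "bob", roles: [] };
var anon = { name: null, roles: [] };
var admin = { name: "root", roles: ["_admin"] };

console.log(check({ owner: "alice" }, null, alice));               // create own doc
console.log(check({ owner: "alice" }, null, bob));                 // no writer role
console.log(check({ owner: "alice" }, null, anon));                // not logged in
console.log(check({ owner: "bob" }, { owner: "alice" }, alice));   // give doc away
console.log(check({ _deleted: true }, { owner: "bob" }, alice));   // delete other's doc
```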