Couchdb: proxy authentication documentation needs updating

Created on 11 Aug 2017 · 14 comments · Source: apache/couchdb


I can't get proxy authentication working with the following configuration:

[httpd]
authentication_handlers = {couch_httpd_auth, cookie_authentication_handler}, {couch_httpd_auth, proxy_authentication_handler}, {couch_httpd_auth, default_authentication_handler}

Expected Behavior



I have "testdb" with next "_security" document:

{
    "admins": {
        "names": [
            "testuser"
        ]
    },
    "members": {
        "names": [
            "testuser"
        ]
    }
}

I need to send any request to "testdb" with the header "X-Auth-CouchDB-UserName: testuser" and get a successful response :)

Current Behavior



but all I have is:

{
    "error": "unauthorized",
    "reason": "You are not authorized to access this db."
}

Also, sending a GET request to "/_session" responds with:

{
    "ok": true,
    "userCtx": {
        "name": null,
        "roles": []
    },
    "info": {
        "authentication_db": "_users",
        "authentication_handlers": [
            "cookie",
            "default"
        ]
    }
}

so no "proxy" in authentication_handlers

I should also mention that I've tried with both require_valid_user=true and false.

I was waiting so long for 2.1.0 expecting proxy authentication to be fixed... I need it for my app...
I can't believe I have to go back to 1.6.1 again :(

Does anyone have the same issue?

I'm using an Express app as middleware between the client and CouchDB.
As a possible solution to this problem I'm thinking about generating the CouchDB cookie on the fly... but it seems overwhelming to me. Proxy authentication should just work as it does in 1.6.1.

Your Environment

  • Version used: CouchDB 2.1.0
  • Browser Name and version: Chrome 60
  • For sending requests I use: Postman 5.1.3
  • Operating System and version: Mac OS 10.12.5

All 14 comments

Our test passes, so this looks like you're missing the correct information (and our documentation is probably out of date).

Use the following stanzas:

[httpd]
authentication_handlers = {chttpd_auth, proxy_authentication_handler}, {chttpd_auth, default_authentication_handler}

[chttpd_auth]
authentication_db = _users
x_auth_username = X-Auth-CouchDB-Username
x_auth_roles = X-Auth-CouchDB-Roles
x_auth_token = X-Auth-CouchDB-Token
proxy_use_secret = false
secret = secret

See https://github.com/apache/couchdb/blob/master/test/javascript/tests/proxyauth.js#L108-L131

Thanks a lot for your answer.
I've tried this configuration, but nothing has changed.
Here is my configuration:
list of dbs

GET /test/_security with basic authentication (by the way, I also get this bug with error and reason)
I've noticed that this error and reason appear only if I add "testuser" twice via Fauxton (it doesn't show already added admins and members).

GET /_session with proxy header

GET /test with proxy header

I can't understand what I am doing wrong...

There is currently a bug with setting a database's _security object using Fauxton - see https://github.com/apache/couchdb/issues/741 for details. Try setting it correctly using something like curl and try again?

Yes, when I use cURL or Postman to set up the _security document there are no bugs...
Anyway, the problem with _security doesn't worry me as much as the problem with proxy authentication.

So, using cURL, I'm getting my config with the admin username and password:

curl -X GET http://localhost:5984/_node/couchdb@localhost/_config/ \
  -H 'authorization: Basic YWRtaW46Y291Y2hkYmFkbWlu'

here it is:

{
"native_query_servers": {
"query": "{mango_native_proc, start_link, []}"
},
"httpd_design_handlers": {
"_compact": "{couch_mrview_http, handle_compact_req}",
"_info": "{couch_mrview_http, handle_info_req}",
"_list": "{couch_mrview_show, handle_view_list_req}",
"_rewrite": "{couch_httpd_rewrite, handle_rewrite_req}",
"_show": "{couch_mrview_show, handle_doc_show_req}",
"_update": "{couch_mrview_show, handle_doc_update_req}",
"_view": "{couch_mrview_http, handle_view_req}",
"_view_changes": "{couch_mrview_http, handle_view_changes_req}"
},
"uuids": {
"algorithm": "sequential",
"max_count": "1000"
},
"cluster": {
"n": "1",
"q": "2"
},
"cors": {
"credentials": "false"
},
"chttpd": {
"backlog": "512",
"bind_address": "0.0.0.0",
"docroot": "./share/www",
"port": "5984",
"require_valid_user": "false",
"socket_options": "[{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}]"
},
"httpd_global_handlers": {
"/": "{couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome">>}",
"_active_tasks": "{couch_httpd_misc_handlers, handle_task_status_req}",
"_all_dbs": "{couch_httpd_misc_handlers, handle_all_dbs_req}",
"_config": "{couch_httpd_misc_handlers, handle_config_req}",
"_plugins": "{couch_plugins_httpd, handle_req}",
"_replicate": "{couch_replicator_httpd, handle_req}",
"_restart": "{couch_httpd_misc_handlers, handle_restart_req}",
"_session": "{couch_httpd_auth, handle_session_req}",
"_stats": "{couch_stats_httpd, handle_stats_req}",
"_system": "{chttpd_misc, handle_system_req}",
"_utils": "{couch_httpd_misc_handlers, handle_utils_dir_req, "./share/www"}",
"_uuids": "{couch_httpd_misc_handlers, handle_uuids_req}",
"favicon.ico": "{couch_httpd_misc_handlers, handle_favicon_req, "./share/www"}"
},
"attachments": {
"compressible_types": "text/*, application/javascript, application/json, application/xml",
"compression_level": "8"
},
"admins": {
"admin": "-pbkdf2-b1d43483c194bfec3513950d35b196a430961363,05c745791b552869aac2ba9afcd1043b,10"
},
"query_server_config": {
"os_process_limit": "100",
"reduce_limit": "true"
},
"vendor": {
"name": "The Apache Software Foundation"
},
"chttpd_auth": {
"authentication_db": "_users",
"proxy_use_secret": "false",
"secret": "secret",
"x_auth_roles": "X-Auth-CouchDB-Roles",
"x_auth_token": "X-Auth-CouchDB-Token",
"x_auth_username": "X-Auth-CouchDB-UserName"
},

"replicator": {
"connection_timeout": "30000",
"http_connections": "20",
"interval": "60000",
"max_churn": "20",
"max_jobs": "500",
"retries_per_request": "10",
"socket_options": "[{keepalive, true}, {nodelay, false}]",
"ssl_certificate_max_depth": "3",
"startup_jitter": "5000",
"verify_ssl_certificates": "false",
"worker_batch_size": "500",
"worker_processes": "4"
},
"ssl": {
"port": "6984"
},
"log": {
"file": "/Users/konstantin/Library/Logs/CouchDB2.log",
"level": "info",
"writer": "file"
},
"indexers": {
"couch_mrview": "true"
},
"view_compaction": {
"keyvalue_buffer_size": "2097152"
},
"query_servers": {
"coffeescript": "./bin/couchjs ./share/server/main-coffee.js",
"javascript": "./bin/couchjs ./share/server/main.js"
},
"features": {
"scheduler": "true"
},
"daemons": {
"auth_cache": "{couch_auth_cache, start_link, []}",
"compaction_daemon": "{couch_compaction_daemon, start_link, []}",
"couch_peruser": "{couch_peruser, start_link, []}",
"external_manager": "{couch_external_manager, start_link, []}",
"httpd": "{couch_httpd, start_link, []}",
"index_server": "{couch_index_server, start_link, []}",
"os_daemons": "{couch_os_daemons, start_link, []}",
"query_servers": "{couch_proc_manager, start_link, []}",
"uuids": "{couch_uuids, start, []}",
"vhosts": "{couch_httpd_vhost, start_link, []}"
},
"couch_peruser": {
"delete_dbs": "false",
"enable": "false"
},
"httpd": {
"allow_jsonp": "false",
"authentication_handlers": "{chttpd_auth, proxy_authentification_handler}, {chttpd_auth, default_authentication_handler}",
"bind_address": "127.0.0.1",
"default_handler": "{couch_httpd_db, handle_request}",
"enable_cors": "false",
"enable_xframe_options": "false",
"max_http_request_size": "67108864",
"port": "5986",
"secure_rewrites": "true",
"socket_options": "[{recbuf, 262144}, {sndbuf, 262144}]",
"vhost_global_handlers": "_utils, _uuids, _session, _users"
},
"httpd_db_handlers": {
"_all_docs": "{couch_mrview_http, handle_all_docs_req}",
"_changes": "{couch_httpd_db, handle_db_changes_req}",
"_compact": "{couch_httpd_db, handle_compact_req}",
"_design": "{couch_httpd_db, handle_design_req}",
"_design_docs": "{couch_mrview_http, handle_design_docs_req}",
"_local_docs": "{couch_mrview_http, handle_local_docs_req}",
"_temp_view": "{couch_mrview_http, handle_temp_view_req}",
"_view_cleanup": "{couch_mrview_http, handle_cleanup_req}"
},
"database_compaction": {
"checkpoint_after": "5242880",
"doc_buffer_size": "524288"
},
"csp": {
"enable": "true"
},
"couch_httpd_auth": {
"allow_persistent_cookies": "false",
"auth_cache_size": "50",
"authentication_db": "_users",
"authentication_redirect": "/_utils/session.html",
"iterations": "10",
"require_valid_user": "true",
"secret": "734b6574959bc80b2178a26ea227426b",
"timeout": "600"
},
"couchdb": {
"attachment_stream_buffer_size": "4096",
"changes_doc_ids_optimization_threshold": "100",
"database_dir": "/Users/konstantin/Library/Application Support/CouchDB2/var/lib/couchdb",
"default_security": "admin_local",
"delayed_commits": "false",
"file_compression": "snappy",
"max_dbs_open": "500",
"os_process_timeout": "5000",
"uri_file": "/Users/konstantin/Library/Application Support/CouchDB2/var/run/couchdb/couch.uri",
"uuid": "58ec703a7dbd7c09602dd53365e74f00",
"view_index_dir": "/Users/konstantin/Library/Application Support/CouchDB2/var/lib/couchdb"
},
"compactions": {
"_default": "[{db_fragmentation, "70%"}, {view_fragmentation, "60%"}]"
},
"compaction_daemon": {
"check_interval": "300",
"min_file_size": "131072"
}
}

Then I do this:

curl -X GET http://localhost:5984/_session \
  -H 'accept: application/json' \
  -H 'content-type: application/json' \
  -H 'X-Auth-CouchDB-UserName: testuser'

response:

{
"ok": true,
"userCtx": {
"name": null,
"roles": []
},
"info": {
"authentication_db": "_users",
"authentication_handlers": [
"cookie",
"default"
]
}
}

so there is no "proxy" in authentication_handlers

Getting _security of the test database with the admin username and password:

curl -X GET http://localhost:5984/test/_security \
  -H 'authorization: Basic YWRtaW46Y291Y2hkYmFkbWlu'

response:

{
"admins": {
"names": [
"testuser"
]
},
"members": {
"names": [
"testuser"
]
}
}

Trying to GET the db with the proxy header:

curl -X GET http://localhost:5984/test \
  -H 'accept: application/json' \
  -H 'content-type: application/json' \
  -H 'X-Auth-CouchDB-UserName: testuser'

response:

{
"error": "unauthorized",
"reason": "You are not authorized to access this db."
}

proxy not working...

Today I've also tried the same operations on Windows 10 with postman and got exactly the same results.

> Our test passes, so this looks like you're missing the correct information (and our documentation is probably out of date).

But according to this, it doesn't look like Proxy authentication is implemented yet.

Is that the case or am I doing something wrong?

My config:

[httpd]
authentication_handlers = {chttpd_auth, proxy_authentication_handler}, {chttpd_auth, default_authentication_handler}

[chttpd_auth]
x_auth_username = X-Auth-CouchDB-UserName
x_auth_roles = X-Auth-CouchDB-Roles
x_auth_token = X-Auth-CouchDB-Token
authentication_db = _users
proxy_use_secret = false
secret = secret

I had the same issue and then I moved authentication_handlers from [httpd] into [chttpd] and now proxy auth works for me. Perhaps the doco is wrong ( or it's a bug and it's looking in the wrong section )

I have a copy of my config in a gist here

@gbiellem, thanks! I've tried your approach and it changed nothing. Proxy authentication is still not working for me.
Now I have actually rolled back to 1.6.1 and it works fine :)
Since the title of this issue has been changed, I'm going to wait until the docs are updated and then try it out.

@wohali, should I close this issue?

No, please - clearly we need to update our docs.

@gbiellem Are you running in cluster mode or in single mode?

@domachine single mode

Documentation bug fixed via apache/couchdb-documentation#167.

@S-Aggarwal your problem is that you need to change this:

[httpd]
authentication_handlers = {chttpd_auth, proxy_authentication_handler}, {chttpd_auth, default_authentication_handler}

to this:

[chttpd]
authentication_handlers = {couch_httpd_auth, cookie_authentication_handler}, {couch_httpd_auth, proxy_authentication_handler}, {couch_httpd_auth, default_authentication_handler}

I came here via the current official CouchDB Docker installation (2.3.1). Still in its default configuration, CouchDB has

[httpd]
authentication_handlers = {couch_httpd_auth, cookie_authentication_handler}, {couch_httpd_auth, default_authentication_handler}

and if I delete this entry in favour of the [chttpd] one, CouchDB instantly terminates.

https://docs.couchdb.org/en/stable/api/server/authn.html#proxy-authentication has the correct information, note the configuration is slightly different than what you tried.

I also ended up here because of confusion with the default configuration of the Docker image for Couch which only has authentication_handlers defined in the httpd section, while the Couch docs only mention that config parameter under chttpd.

Does anybody know if authentication_handlers can/should still be defined in both sections, given that it only exists/is relevant in the chttpd section?

I'd like to set a good security baseline for our production instance.
