Couchdb: Access to db/_all_docs results in 500 in 1.7.0 if user is only a DB member

Created on 8 Nov 2017 · 12 comments · Source: apache/couchdb

Expected Behavior

When accessing the endpoint db/_all_docs with a user that is defined as a member in the security object, I expect to get access to all documents, which is the case for CouchDB 1.6.1 (tested with the docker image couchdb:1.6.1).

Current Behavior

CouchDB 1.7.0 (tested with a docker image couchdb:1.7.0) will return HTTP 500 "forbidden,<<\"You are not a db or server admin.\">>" for the same request.

Steps to Reproduce (for bugs)

CouchDB 1.6.1 (access to _all_docs is possible):

```
$ docker run -e COUCHDB_USER=admin -e COUCHDB_PASSWORD=password -p 5984:5984 --name couchdb161 -d couchdb:1.6.1
$ COUCH161=http://127.0.0.1:5984
$ curl -u admin:password -X PUT $COUCH161/my_db
$ curl -u admin:password -HContent-Type:application/json -XPUT $COUCH161/_users/org.couchdb.user:foo --data-binary '{"_id": "org.couchdb.user:foo","name": "foo","roles": [],"type": "user","password": "secret"}'
$ curl -u admin:password -X PUT $COUCH161/my_db/_security -d '{"members":{"names":["foo"], "roles":[]}}'

$ curl -i -u foo:secret $COUCH161/my_db/_all_docs
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Server: CouchDB/1.6.1 (Erlang OTP/17)
ETag: "DQ33O408457E9YLAX8TIS1VT1"
Date: Wed, 08 Nov 2017 10:39:01 GMT
Content-Type: text/plain; charset=utf-8
Cache-Control: must-revalidate

{"total_rows":0,"offset":0,"rows":[

]}
```

CouchDB 1.7.0 (access to _all_docs results in 500 error):

```
$ docker run -e COUCHDB_USER=admin -e COUCHDB_PASSWORD=password -p 5985:5984 --name couchdb170 -d couchdb:1.7.0
$ COUCH170=http://127.0.0.1:5985
$ curl -u admin:password -X PUT $COUCH170/my_db
$ curl -u admin:password -HContent-Type:application/json -XPUT $COUCH170/_users/org.couchdb.user:foo --data-binary '{"_id": "org.couchdb.user:foo","name": "foo","roles": [],"type": "user","password": "secret"}'
$ curl -u admin:password -X PUT $COUCH170/my_db/_security -d '{"members":{"names":["foo"], "roles":[]}}'

$ curl -i -u foo:secret $COUCH170/my_db/_all_docs
HTTP/1.1 500 Internal Server Error
Server: CouchDB/1.7.0 (Erlang OTP/17)
Date: Wed, 08 Nov 2017 10:39:13 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 89
Cache-Control: must-revalidate

{"error":"case_clause","reason":"{forbidden,<<\"You are not a db or server admin.\">>}"}
```

Context

I discovered it due to replication errors using PouchDB (6.3.4). The same app works fine with 1.6.1. When making the user foo a DB admin, access in 1.7 also works correctly.

Your Environment

Labels: api, bug

All 12 comments

Some significant changes to this part of the codebase landed in https://github.com/apache/couchdb-couch/pull/29. I think that's the place to look.

@tmende thank you for the detailed bug report! It really does simplify things when we have detailed reproducer steps, so the extra effort is greatly appreciated!

Good call @kocolosk, the underlying issue from that PR is the introduction of a second auth failure type, forbidden, in addition to just unauthorized [1], without the corresponding case clause to handle it [2]. There's a simple fix in #975.

[1] https://github.com/apache/couchdb/blob/5f88da2a5ee8ba78917fafd572c7b9fa37e76460/src/couchdb/couch_db.erl#L388-L391
[2] https://github.com/apache/couchdb/blob/5f88da2a5ee8ba78917fafd572c7b9fa37e76460/src/couch_mrview/src/couch_mrview_http.erl#L158-L163
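The mechanism described in the comment above, as an added example that is not CouchDB's Erlang source and not part of this thread: a simplified Python model in which the admin check denies in two shapes (`unauthorized` for an anonymous request, `forbidden` for a named user who is not an admin, the 1.7.0 semantics), a 1.7.0-style `_all_docs` handler whose match only knows `ok` and `unauthorized`, and a fixed handler that treats any denial as "not an admin" and continues to the member check. The unmatched `forbidden` is modelled as an unhandled exception, which the HTTP layer surfaces as a 500, just as Erlang's `case_clause` did. The `UserCtx`/`Db` records, the `_catch` helper, the handler names and the principal matrix are all constructed for this illustration, and the 401/403 mapping in `http_status` is assumed.

```python
"""Added example, not CouchDB's code: a simplified model of the 1.7.0
_all_docs regression. check_is_admin now throws {forbidden, Reason} for
authenticated non-admins (previously always {unauthorized, Reason}), and a
handler matching only `ok` and `unauthorized` crashes on the new shape.
All names below are modelling assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class UserCtx:
    name: Optional[str]                      # None models an anonymous request
    roles: List[str] = field(default_factory=list)


@dataclass
class Db:
    admins: Set[str] = field(default_factory=set)
    members: Set[str] = field(default_factory=set)


class SecurityError(Exception):
    """Models the thrown {unauthorized, Reason} / {forbidden, Reason} tuple."""
    def __init__(self, kind: str, reason: str) -> None:
        super().__init__(reason)
        self.kind = kind


def _denial_kind(ctx: UserCtx) -> str:
    # 1.7.0 semantics: anonymous -> unauthorized, named user -> forbidden
    return "unauthorized" if ctx.name is None else "forbidden"


def check_is_admin(db: Db, ctx: UserCtx) -> None:
    if "_admin" in ctx.roles or ctx.name in db.admins:
        return
    raise SecurityError(_denial_kind(ctx), "You are not a db or server admin.")


def check_is_member(db: Db, ctx: UserCtx) -> None:
    try:
        check_is_admin(db, ctx)
        return
    except SecurityError:
        pass                                 # not an admin; fall through to the member check
    if not db.members or ctx.name in db.members:   # empty members list = public db
        return
    raise SecurityError(_denial_kind(ctx), "You are not allowed to access this db.")


def _catch(check: Callable[[Db, UserCtx], None], db: Db, ctx: UserCtx) -> str:
    """Models Erlang's `(catch check(Db))`: returns 'ok' or the thrown error kind."""
    try:
        check(db, ctx)
        return "ok"
    except SecurityError as err:
        return err.kind


def all_docs_170(db: Db, ctx: UserCtx) -> int:
    """1.7.0-style handler: the match is not exhaustive over the new error kind."""
    outcome = _catch(check_is_admin, db, ctx)
    if outcome == "ok":
        return 200
    if outcome == "unauthorized":
        check_is_member(db, ctx)             # anonymous readers of a public db
        return 200
    # 'forbidden' from a named non-admin has no clause: models case_clause
    raise RuntimeError("case_clause: {%s,<<...>>}" % outcome)


def all_docs_fixed(db: Db, ctx: UserCtx) -> int:
    """Fixed handler: any non-ok outcome means 'not an admin', so run the member check."""
    if _catch(check_is_admin, db, ctx) != "ok":
        check_is_member(db, ctx)             # raises unauthorized/forbidden as appropriate
    return 200


def http_status(handler: Callable[[Db, UserCtx], int], db: Db, ctx: UserCtx) -> int:
    """Assumed HTTP mapping: unauthorized -> 401, forbidden -> 403, anything else -> 500."""
    try:
        return handler(db, ctx)
    except SecurityError as err:
        return 401 if err.kind == "unauthorized" else 403
    except Exception:                        # an unmatched case escapes as a 500
        return 500


def regression_matrix(handler: Callable[[Db, UserCtx], int]) -> Dict[str, int]:
    """Status each principal gets for GET /my_db/_all_docs (constructed inputs)."""
    db = Db(members={"foo"})                 # the reporter's _security object
    principals = {
        "anonymous": UserCtx(None),
        "member foo": UserCtx("foo"),
        "non-member bar": UserCtx("bar"),
        "server admin": UserCtx("admin", ["_admin"]),
    }
    return {who: http_status(handler, db, ctx) for who, ctx in principals.items()}


if __name__ == "__main__":
    for version, handler in (("1.7.0", all_docs_170), ("fixed", all_docs_fixed)):
        print(version, regression_matrix(handler))
```

The matrix is the check worth keeping around as a regression test after any change to the auth path: the 1.7.0-style handler returns 500 for both the member and the non-member (the member should get 200, the non-member 403), while anonymous and admin requests look healthy, which is why a single "admin works" smoke test did not catch it.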

This bug prevents us from migrating to 1.7.0 or doing any testing, because it breaks our application completely. Are there any chances of postponing publication of the description of the security problems that triggered the 1.7.0 release in the first place? I'm afraid that we won't be able to do extensive tests before November 14th.

1.7.1-RC1 is out: https://lists.apache.org/thread.html/9d3aad16cf2341eca1566e07aff0eee7fd604feb5b64894846d5921d@%3Cdev.couchdb.apache.org%3E

Can everyone on this thread give that a spin and report back? Thanks! <3

I confirm that the bug is no longer present in 1.7.1-RC1 👍

Yep, I can also confirm that the bug is gone.

Same here, thanks a lot for the super fast fix & release process!

Reminder that -RC1 isn't a release, and we'll have an official 1.7.1 in a couple of days, just as soon as the formal release process completes. :)

Does this bug also affect the 2.1.x release?

I did a quick test with the 2.1.1 docker image and was not able to trigger the error, so it looks like 2.1.x is not affected.

Great, thanks for the effort @tmende!

1.7.1 is out now: https://blog.couchdb.org/2017/11/11/1-7-1/

Thanks everyone for your help and patience here <3
