Couchdb: [Feature Request] _all_dbs with only accessible databases

Created on 19 Dec 2017 · 5 Comments · Source: apache/couchdb

Expected Behavior


When we query the _all_dbs endpoint, it returns all the databases even if the current user is not authorized for some of the databases.

I would expect to receive only the databases that are allowed to the current user.

As I discussed with Jan yesterday, such things can't be done by filtering the database list on each call. In order to be scalable, we would need an index or so.

Possible Solution


  1. Make the _all_dbs endpoint available only for admins. (Since they have access to all databases)
  2. We could create an index of databases per user. This index would have the username as a key and an array of databases with read access as a value.
  3. The new index would be updated when databases are created/deleted or when a database's permissions are updated.

I'm not an Erlang dev but I can help you in any way I can :)

Context


Returning all the database names with the _all_dbs endpoint displays private information to all users, which is not safe.

api enhancement
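
A sketch of the per-user index proposed above, added here as an illustration; it is not CouchDB code (CouchDB is written in Erlang) and not part of the original issue. The class and method names are hypothetical. It goes beyond the proposal by indexing roles as well as user names, and it assumes CouchDB's `_security` object layout, where an empty `members` section leaves a database readable by anyone.

```python
from collections import defaultdict

class AccessIndex:
    """Reverse index: user name / role -> databases readable by it."""
    def __init__(self):
        self._grants = {}                   # db -> (names, roles) currently indexed
        self._by_name = defaultdict(set)    # user name -> dbs
        self._by_role = defaultdict(set)    # role -> dbs
        self._public = set()                # dbs whose members section is empty

    def on_db_deleted(self, db):
        names, roles = self._grants.pop(db, ((), ()))
        for n in names:
            self._by_name[n].discard(db)
        for r in roles:
            self._by_role[r].discard(db)
        self._public.discard(db)

    def on_security_changed(self, db, sec):
        """Call on database creation and on every _security update."""
        self.on_db_deleted(db)              # drop stale grants before re-indexing
        names, roles = set(), set()
        for section in ("admins", "members"):
            names.update(sec.get(section, {}).get("names", []))
            roles.update(sec.get(section, {}).get("roles", []))
        members = sec.get("members", {})
        if not members.get("names") and not members.get("roles"):
            self._public.add(db)            # empty members: readable by anyone
        for n in names:
            self._by_name[n].add(db)
        for r in roles:
            self._by_role[r].add(db)
        self._grants[db] = (names, roles)

    def all_dbs_for(self, name, roles=()):
        if "_admin" in roles:               # server admins see everything
            return sorted(self._grants)
        dbs = self._public | self._by_name.get(name, set())
        for r in roles:
            dbs |= self._by_role.get(r, set())
        return sorted(dbs)

def build_sample():
    """Constructed sample data: three databases with different _security objects."""
    idx = AccessIndex()
    idx.on_security_changed("foo_private", {"members": {"names": ["foo"], "roles": []}})
    idx.on_security_changed("team", {"members": {"names": [], "roles": ["dev"]}})
    idx.on_security_changed("open", {})
    return idx
```

Each lookup costs a few set unions instead of a permission check against every database, which is the scalability point raised in the request.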

All 5 comments

You can configure default_security to admin_only.
https://github.com/apache/couchdb/blob/master/rel/overlay/etc/default.ini#L31

Only admin can read/write databases.

@style95 Correct me if I'm wrong, but default_security is for the default security object of a database.

So if I switch it to admin_only, only the admins will have access to the databases by default. Consequently, my user Foo won't be able to access any database by default.

Therefore, _all_dbs will still return all the database names (even if Foo doesn't have access to any of them).

default_security has no effect on _all_dbs.

Interesting enhancement request, and definitely non-trivial.

If you are concerned about security, as a workaround you can disable _all_dbs by removing its handler from [httpd_global_handlers], or firewall off access through a reverse proxy (such as haproxy).

https://github.com/apache/couchdb/pull/1440 might have fixed the security issue but didn't help from a UI point of view. (Users are still facing issues: https://github.com/apache/couchdb-fauxton/issues/1037#issuecomment-609685270)

With the _all_dbs reserved for server admin only, there's no way in Fauxton to know which database the user has access to. So if a user with access limited to certain databases wants to use Fauxton, the only way to do this is by manually typing the URL.

Maybe I could allow a user to manually search for a database name and show it if valid but that's not really a proper solution.

For this reason, I would like to reopen that issue.

@janl @wohali
