4.6. Authentication and Authorization

4.6.1. Server Administrators

[admins]

A default CouchDB install provides admin-level access to all connectingusers. This configuration is known as Admin Party, and is not recommendedfor in-production usage. You can crash the party simply by creating thefirst admin account. CouchDB server administrators and passwords are notstored in the users database, but in the last [admins] sectionthat CouchDB finds when loading its ini files. See :config:intro fordetails on config file order and behaviour. This file (which could besomething like etc/local.ini or etc/local.d/10-admins.ini on aDebian/Ubuntu system installed from packages) should be appropriatelysecured and readable only by system administrators:




  1. [admins]
    ;admin = mysecretpassword
    admin = -hashed-6d3c30241ba0aaa4e16c6ea99224f915687ed8cd,7f4a3e05e0cbc6f48a0035e3508eef90
    architect = -pbkdf2-43ecbd256a70a3a2f7de40d2374b6c3002918834,921a12f74df0c1052b3e562a23cd227f,10000




Administrators can be added directly to the [admins] section, and whenCouchDB is restarted, the passwords will be salted and encrypted. You mayalso use the HTTP interface to create administrator accounts; this way,you don’t need to restart CouchDB, and there’s no need to temporarily storeor transmit passwords in plaintext. The HTTP/_node/{node-name}/_config/admins endpoint supports querying, deletingor creating new admin accounts:




  1. GET /_node/nonode@nohost/_config/admins HTTP/1.1
    Accept: application/json
    Host: localhost:5984







  1. HTTP/1.1 200 OK
    Cache-Control: must-revalidate
    Content-Length: 196
    Content-Type: application/json
    Date: Fri, 30 Nov 2012 11:37:18 GMT
    Server: CouchDB (Erlang/OTP)







  1. {
        "admin": "-hashed-6d3c30241ba0aaa4e16c6ea99224f915687ed8cd,7f4a3e05e0cbc6f48a0035e3508eef90",
        "architect": "-pbkdf2-43ecbd256a70a3a2f7de40d2374b6c3002918834,921a12f74df0c1052b3e562a23cd227f,10000"
    }




If you already have a salted, encrypted password string (for example, froman old ini file, or from a different CouchDB server), then you can storethe “raw” encrypted string, without having CouchDB doubly encrypt it.




  1. PUT /_node/nonode@nohost/_config/admins/architect?raw=true HTTP/1.1
    Accept: application/json
    Content-Type: application/json
    Content-Length: 89
    Host: localhost:5984

    "-pbkdf2-43ecbd256a70a3a2f7de40d2374b6c3002918834,921a12f74df0c1052b3e562a23cd227f,10000"







  1. HTTP/1.1 200 OK
    Cache-Control: must-revalidate
    Content-Length: 89
    Content-Type: application/json
    Date: Fri, 30 Nov 2012 11:39:18 GMT
    Server: CouchDB (Erlang/OTP)

    "-pbkdf2-43ecbd256a70a3a2f7de40d2374b6c3002918834,921a12f74df0c1052b3e562a23cd227f,10000"




Further details are available in _security, including configuring the workfactor for PBKDF2, and the algorithm itself atPBKDF2 (RFC-2898).


Changed in version 1.4: PBKDF2 server-side hashed salted password support added, now as asynchronous call for the _config/admins API.

4.6.2. Authentication Configuration

[chttpd]
requirevalid_user

When this option is set to true, no requests are allowed fromanonymous users. Everyone must be authenticated.




  1. [chttpd]
    require_valid_user = false





Note

This setting only affects the clustered-port (5984 by default).To make the same change for the node-local port (5986 by default),set the [couch_httpd_auth] setting of the same name.

[couch_httpd_auth]
allow_persistent_cookies

Makes cookies persistent if true.




  1. [couch_httpd_auth]
    allow_persistent_cookies = false



auth_cache_size

Number of User Context Object to cache in memory, to reduce disklookups.




  1. [couch_httpd_auth]
    auth_cache_size = 50



authentication_redirect

Specifies the location for redirection on successful authentication ifa text/html response is accepted by the client (via an Acceptheader).




  1. [couch_httpd_auth]
    authentication_redirect = /_utils/session.html





Note

This setting affects both the clustered-port (5984 by default)and the node-local port (5986 by default).

iterations


New in version 1.3.


The number of iterations for password hashing by the PBKDF2 algorithm.A higher number provides better hash durability, but comes at a costin performance for each request that requires authentication.




  1. [couch_httpd_auth]
    iterations = 10000



min_iterations


New in version 1.6.


The minimum number of iterations allowed for passwords hashed by thePBKDF2 algorithm. Any user with fewer iterations is forbidden.




  1. [couch_httpd_auth]
    min_iterations = 100



max_iterations


New in version 1.6.


The maximum number of iterations allowed for passwords hashed by thePBKDF2 algorithm. Any user with greater iterations is forbidden.




  1. [couch_httpd_auth]
    max_iterations = 100000



proxy_use_secret

When this option is set to true, thecouch_httpd_auth/secret option is required forProxy Authentication.




  1. [couch_httpd_auth]
    proxy_use_secret = false



public_fields


New in version 1.4.


A comma-separated list of field names in user documents (incouchdb/users_db_suffix) that can be read by anyuser. If unset or not specified, authenticated users can only retrievetheir own document.




  1. [couch_httpd_auth]
    public_fields = first_name, last_name, contacts, url





Note

Using the public_fields whitelist for user document propertiesrequires setting the couch_httpd_auth/users_db_publicoption to true (the latter option has no other purpose):




  1. [couch_httpd_auth]
    users_db_public = true




require_valid_user

When this option is set to true, no requests are allowed fromanonymous users. Everyone must be authenticated.




  1. [couch_httpd_auth]
    require_valid_user = false





Warning

This setting only affects the node-local port (5986 by default).Most administrators want the [chttpd] setting of the same namefor clustered-port (5984) behaviour.

secret

The secret token is used for Proxy Authentication and for Cookie Authentication.




  1. [couch_httpd_auth]
    secret = 92de07df7e7a3fe14808cef90a7cc0d91



timeout

Number of seconds since the last request before sessions will beexpired.




  1. [couch_httpd_auth]
    timeout = 600



users_db_public


New in version 1.4.


Allow all users to view user documents. By default, only admins maybrowse all users documents, while users may browse only their owndocument.




  1. [couch_httpd_auth]
    users_db_public = false





Note

This setting affects both the clustered-port (5984 by default)and the node-local port (5986 by default).

x_auth_roles

The HTTP header name (X-Auth-CouchDB-Roles by default) thatcontains the list of a user’s roles, separated by a comma. Used forProxy Authentication.




  1. [couch_httpd_auth]
    x_auth_roles = X-Auth-CouchDB-Roles



x_auth_token

The HTTP header name (X-Auth-CouchDB-Token by default) containingthe token used to authenticate the authorization. This token is an_HMAC-SHA1 created from the couch_httpd_auth/secret andcouch_httpd_auth/x_auth_username. The secret key should bethe same on the client and the CouchDB node. This token is optional ifthe value of the couch_httpd_auth/proxy_use_secret option isnot true. Used for Proxy Authentication.




  1. [couch_httpd_auth]
    x_auth_token = X-Auth-CouchDB-Token



x_auth_username

The HTTP header name (X-Auth-CouchDB-UserName by default)containing the username. Used for Proxy Authentication.




  1. [couch_httpd_auth]
    x_auth_username = X-Auth-CouchDB-UserName



原文: http://docs.couchdb.org/en/stable/config/auth.html