CouchDB Authorization on a Per-Database Basis


Question

I'm working on an application supported by CouchDB. Essentially, I want to create a database for each individual user of my app. To accomplish this, the admin user will create the database, but going forward, the user will need to access their database (using HTTP Auth over SSL). I've been having a hell of a time figuring this out.

The best resource I have found is in the CouchDB wiki, at this link:

http://wiki.apache.org/couchdb/Security_Features_Overview#Authorization

It suggests that you can set per-database authorization by creating a document called "_security" to which you add a hash of admins and readers. When I attempt to create that document, the message I get back is "Bad special document member: _security".

$ curl -X GET http://localhost:5984
{"couchdb":"Welcome","version":"1.0.1"}

Any help would be greatly appreciated!

Cheers,

Aaron.

Recommended answer

That approach should work without problems.

Let's say you have a database "test", and have an admin account already:

curl -X PUT http://localhost:5984/test -u "admin:123"

Now you can create a _security document for it:

curl -X PUT http://localhost:5984/test/_security -u "admin:123" -d '{"admins":{"names":[], "roles":[]}, "readers":{"names":["joe"],"roles":[]}}'

Then only the user "joe" will be able to read the database. To create the user you must already have the sha1-hashed password:

curl -X POST http://localhost:5984/_users -d '{"_id":"org.couchdb.user:joe","type":"user","name":"joe","roles":[],"password_sha":"c348c1794df04a0473a11234389e74a236833822", "salt":"1"}' -H "Content-Type: application/json"

This user has the password "123" hashed using sha1 with salt "1" (sha1("123"+"1")), so he can read the database:

curl -X GET http://localhost:5984/test -u "joe:123"

He can read any document on that database now, and no other user (but him and admin) can.

Update: writer security

The above method addresses the reader problem, but the reader permission here actually means "read/write common docs", so it allows writing docs except for design-docs. The "admin"s in the _security doc are allowed to write design-docs in this database.

The other approach, as taken from your own answer, is the "validate_doc_update"; you can have a validate_doc_update as follows in a file:

function(new_doc, old_doc, userCtx) {
  if(!userCtx || userCtx.name != "joe") {
      throw({forbidden: "Bad user"});
  }
}

And push it into a couchdb design:

curl -X PUT http://localhost:5984/test/_design/security -d "{ \"validate_doc_update\": \"function(new_doc,doc,userCtx) { if(!userCtx || userCtx.name != 'joe') {throw({forbidden: 'Bad user'})}}\"}" --user 'admin:123'

Then "joe" can write to the database using Basic Authentication:

curl -X PUT http://localhost:5984/test/foobar -d '{"foo":"bar"}' -u 'joe:123'

As you also addressed, you can use the _session api to get a cookie for authentication:

curl http://localhost:5984/_session -v -X POST -d 'name=joe&password=123' -H "Content-Type: application/x-www-form-urlencoded"

This will return a header like:

Set-Cookie: AuthSession=am9lOjRDRDE1NzQ1Oj_xIexerFtLI6EWrBN8IWYWoDRz; Version=1; Path=/; HttpOnly

So you can include the cookie "AuthSession=am9lOjRDRDE1NzQ1Oj_xIexerFtLI6EWrBN8IWYWoDRz" in your next requests and they will be authenticated.
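As an added illustration that is not part of the question or the answer above, here is a small Python model of the per-database rules the answer describes: building the salted-sha1 _users document the way the answer does, and deciding read, write and design-doc access from a _security document. The helper names are my own assumptions; the database values ("joe", password "123", salt "1", the _security document) are taken from the answer.

```python
import hashlib

# Constructed from the answer above: the _security document put on database "test".
SECURITY_DOC = {"admins": {"names": [], "roles": []},
                "readers": {"names": ["joe"], "roles": []}}


def make_user_doc(name, password, salt):
    """Build the _users document as the answer does: password_sha = sha1(password + salt).
    This is the CouchDB 1.0.x scheme shown on the page; newer releases hash server-side."""
    password_sha = hashlib.sha1((password + salt).encode()).hexdigest()
    return {"_id": "org.couchdb.user:" + name, "type": "user", "name": name,
            "roles": [], "password_sha": password_sha, "salt": salt}


def _member_of(section, user_ctx):
    # a section matches by user name or by any shared role
    by_name = user_ctx.get("name") in section.get("names", [])
    by_role = bool(set(user_ctx.get("roles", [])) & set(section.get("roles", [])))
    return by_name or by_role


def is_db_admin(security, user_ctx):
    # server admins (role "_admin") are always database admins; otherwise check the admins section
    if "_admin" in user_ctx.get("roles", []):
        return True
    return _member_of(security.get("admins", {}), user_ctx)


def can_read(security, user_ctx):
    # db admins always read; an empty readers section leaves the database open to everyone
    if is_db_admin(security, user_ctx):
        return True
    readers = security.get("readers", {})
    if not readers.get("names") and not readers.get("roles"):
        return True
    return _member_of(readers, user_ctx)


def can_write(security, user_ctx, doc_id):
    # as the answer notes, readers may write ordinary docs; design docs need a db admin
    if doc_id.startswith("_design/"):
        return is_db_admin(security, user_ctx)
    return can_read(security, user_ctx)
```

The model shows why leaving `readers` empty silently makes the database world-readable, and why the reader list alone does not stop a listed user from writing ordinary documents.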
