2

I watched DEFCON, devoted to NoSQL at all and CouchDB in particular. They observe some vectors of attack like access to client library(Pseudo SQL Transparent layer), access to db and then brute keys.(in Schema-less way), json/view injection. If i left access to db direct from internet, and use in db validation, authentication. Does that way make my database less secure?

Unfortunately, the lack of experience of working with CouchDB prevents an accurate analysis, rely on your opinion dear colleagues.

Thank you.

Darius
  • 180
  • 1
  • 13

3 Answers3

4

No, I would not do this.

I don't feel the CouchDB security is granular enough to make it suitable to be posted on the internet. There's no way to let "some" data through, and not all. On a normal SQL DB, you can restrict some tables, etc. But not in Couch. Being schema-less and a document store, a document is a document is a document, whether it's a "secret" or "important" one or not.

It's a fine back end, but not on the wild internet.

Will Hartung
  • 115,893
  • 19
  • 128
  • 203
  • 1
    Is authorization in combination with data validation not secure enough? – GijsjanB Aug 18 '12 at 22:30
  • My point is simply that in my experience, not everything in the database is designed for public consumption. And with Couch, if you have access to any of it, you have access to all of it. – Will Hartung Aug 18 '12 at 23:57
0

Giving direct access to any web based DB would be asking for trouble, but I suppose it depends on your design...

With CouchDB, you have the option of providing each user with their own database, which would mitigate certain problems. You can also change the read/write permissions of 'direct' CouchDB users.

Detailed explanations for both techniques can be found here: CouchDB Authorization on a Per-Database Basis

Community
  • 1
  • 1
Charlie
  • 4,197
  • 5
  • 42
  • 59
0

In my opinion, anyone can use couchDB directly with your frontend without having to design intermediate backend service. I would like to highlight the things you need to do at least. I am not an expert though, and one should give it a second thought too.

  • Create user in couchdb for every user of the application with desired role.
  • Of course, you should only add this user to database as a member so that they won't be able to modify design documents which will contain the validation data.
  • In my scenario, I want a user to access only his/her own document only. For which, we have validation documents so that I can check whether user's document in built-in _users database has the documentId s/he is authorized for. If so, he can write to the document or modify it. And of course, he can only modify the existing one which I can verify by comparing the _id of the document which must be same as before.

So, I guess, if a user can only read and write to his own document, it is safe. However, either you will have to create such users in database yourself or a secure API which will use an admin password to modify design documents and add to _users database. Another idea would be to create a admin dashboard to accept a user creation request. You can of course create an admin user for yourself, and whenever someone creates an account, you will simply click Allow to do some changes in _users databases with your created admin user in couchDB.

Imran Faruqi
  • 663
  • 9
  • 19