Configure CouchDB as read-only for non-admins

Question

I recently set up CouchDB on my server, but I'm running into a lack of information regarding changing permissions. I have an admin account, so it's not an admin party, but the restrictions are still looser than I'd like.

I'd like the Futon interface (which I've exposed) to be read-only for unauthenticated users. If I understand correctly, as it is, any visitor to the exposed Futon interface can become a member, who is

allowed to read all documents and create and modify any document except for design documents.

I'd like to take these abilities away, and configure CouchDB so that unauthenticated users can neither create documents nor become users. Basically, I want CouchDB to be read-only for everyone besides me.

Looking at the docs about security, there are ways to restrict access to the database of any kind to registered members, but I'd like to keep letting unauthenticated users have read-only access. According to this page,

If there are any member names or roles defined for a database, then only authenticated users having a matching name or role are allowed to read documents from the database (or do a GET /{db} call).

so that would restrict read access as well.

Are there any ways to fine-tune the permissions settings on CouchDB?

score 1 · Answer 1 · answered Jun 30 '16 at 19:43

1

To simply solve your problems, assign your admin a role (eg: "ADMIN").

Then, foreach databases, restrict the "Admin" permissions to the role "ADMIN".

By default, a newly registered user won't have any role so he won't be able to access a database as an admin.

answered Jun 30 '16 at 19:43

Alexis Côté

3,670
2
14
30

Can't a newly registered user still create documents, though? – Luke Taylor Jun 30 '16 at 19:44
2

You're correct, this won't resolve your problem. Have a look at [this](http://stackoverflow.com/questions/10713437/couchdb-wide-read-only-access-rights) – Alexis Côté Jun 30 '16 at 20:01
2

Validation functions look like the answer I'm looking for. Thanks! – Luke Taylor Jun 30 '16 at 20:30

score 1 · Accepted Answer · answered Jun 30 '16 at 19:52

I ended up using nginx configuration to block all non-GET requests. This allows anyone to read the database, but prevents writing to the database.

However:

I can't safely expose futon now
As an admin, I can't edit the database

but to solve these

I could potentially write a new interface for CouchDB that only exposed read functionality
I can do my administration through SSH port forwarding.

If nginx blocking isn't secure, I'd love it if someone could let me know

Configure CouchDB as read-only for non-admins

2 Answers2