Discussion:
How CouchDb should behave when "require_valid_user" option is true/false
Piotr Zarzycki
2018-07-17 21:44:30 UTC
Hello CouchDb Team,

Some time ago we started using CouchDb and the nano library with good
results. We would like to use CouchDb on a Linux server.

We have the following scenario:
1) When require_valid_user=true we need to provide a login and password to
the users
2) When require_valid_user=false a login and password are still required

We are experiencing the following behavior, and the general question is
whether something is wrong or our understanding is incorrect, because we
think that in point #2 it shouldn't behave like that.

If someone could shed some light on that.

Thanks,
Piotr
Olaf Krueger
2018-07-18 07:12:51 UTC
Hi,
Piotr and I are working together on the same project and I would just like to add another observation:

If we set "require_valid_user=true" and we also provide valid credentials while connecting to CouchDB using nano, it always returns an error which is something like "Authentication required".
So basically, we are not able to connect to CouchDB when "require_valid_user=true".

Any help is appreciated ;-)

Thanks,
Olaf
Joan Touzet
2018-07-18 14:26:40 UTC
Hi Piotr, Olaf,

Looks like a bug in nano:

https://github.com/apache/couchdb-nano/issues/31

Olaf Krueger
2018-07-18 15:12:14 UTC
Hi John,
Thanks for this hint!
In order to validate this, we will check out the behaviour without using nano.

@Piotr
Maybe we can give it a try to fix this?

Thanks,
Olaf

[1] https://github.com/apache/couchdb-nano/blob/4ef1cff9afd86e441ff389a7692c3693c5272c0f/lib/nano.d.ts
Piotr Zarzycki
2018-07-18 15:20:01 UTC
Olaf,

Looks like we could dig into it with some help from the current committers.
Having a development environment set up for nano would be an advantage!

Sounds exciting! :)

Piotr
Eiri
2018-07-18 15:44:18 UTC
Hi Piotr,

The "require_valid_user" parameter (the one in the [chttpd] section if we are talking CouchDB 2.x) controls whether _all_ endpoints always require valid credentials to be accessed. When it's set to false, this behavior is up to the standard Couch authorization model, i.e. whether you'll be prompted for creds depends on the existence of admin users, the security object of a database, the presence of an AuthSession cookie, etc.

The pro of having "require_valid_user" set to true is that any newly created database will be immediately protected, even before its security object is updated. The con is that some of the usually open endpoints will require creds to be accessed, e.g. /_up and /_session.

I hope this makes sense.

Regards,
Eric
Olaf Krueger
2018-07-19 09:36:51 UTC
Hi Eric,
thanks for the explanation!

I just tested the effect of "require_valid_user=true/false" by using the CouchDB endpoints directly and it seems to me that it works as expected:
You always have to add the credentials (using Basic-Auth) with each call in order to be able to access the CouchDB API.

So, I took a look at the nano source code and it seems to me that the "nano.auth()" method is using the "_session" API in order to authenticate and to retrieve a token.
That said, and if I understand it correctly, our issue is maybe not a bug in nano but something like "works as designed"?
(Because of "require_valid_user=true" the "_session" endpoint cannot be accessed and nano always returns "Authentication required")

However, the only reason why we stumbled over this issue is that in our Linux CouchDB distribution (Bitnami) "require_valid_user" is set to "true" by default, which is the opposite of our local Windows environment.

Because we are not concerned about security issues here, I guess we can resolve this by just always setting "require_valid_user=false".

Makes sense?

Thanks,
Olaf
Jan Lehnardt
2018-07-19 09:54:34 UTC
Post by Olaf Krueger
Hi Eric,
thanks for the explanation!
You always have to add the credentials (using Basic-Auth) with each call in order to be able to access the CouchDB API.
So, I took a look at the nano source code and it seems to me that "nano.auth()" method is using the "_session" API in order to authenticate and to retrieve a token.
(Because of "require_valid_user=true" the "_session" endpoint cannot be accessed and nano always returns with "Authentication required")
Nano could try a Basic Auth request to /_session.
Post by Olaf Krueger
However, the only reason why we stumbled over this issue is that in our Linux CouchDB distribution (Bitnami) "require_valid_user" is set to "true" by default which is vice versa to our local Windows environment.
Heads up: we don’t recommend using Bitnami images. They make odd configuration choices and on places like AWS, the review of the AMIs takes a couple of weeks, which is too long for severe security updates.
Post by Olaf Krueger
Because we are not concerned about security issues here, I guess we can resolve this by just always setting "require_valid_user=false".
Makes sense?
It is certainly an option (and it’s the default setting we ship CouchDB with).

You probably want to block /_all_dbs in a proxy (or using the related configuration setting in the upcoming 2.2.0 release).


Best
Jan
--
Professional Support for Apache CouchDB:
https://neighbourhood.ie/couchdb-support/
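To make Olaf's analysis and Jan's suggestion concrete, here is an added simulation (not CouchDB's or nano's own code) of how the require_valid_user gate interacts with a /_session login: a nano.auth()-style POST that carries credentials only in the body is rejected before it reaches the session handler, while the same request with a Basic Auth header on it succeeds. The admin credentials, the AuthSession value and the set of open endpoints are constructed for the example.

```javascript
// Constructed model of CouchDB 2.x request gating for the require_valid_user
// discussion above; a simulation, not CouchDB's or nano's own code.
const ADMINS = { admin: "s3cret" }; // constructed admin credentials
const OPEN_ENDPOINTS = new Set(["/_session", "/_up"]); // normally open

// Return the user named by a valid Basic Authorization header, else null.
function basicUser(headers) {
  const auth = headers.authorization || "";
  if (!auth.startsWith("Basic ")) return null;
  const decoded = Buffer.from(auth.slice(6), "base64").toString();
  const i = decoded.indexOf(":");
  const user = decoded.slice(0, i), pw = decoded.slice(i + 1);
  return ADMINS[user] === pw ? user : null;
}

// Server side: returns { status, body }.
function handle(method, path, headers, body, requireValidUser) {
  const user = basicUser(headers);
  const unauthorized = { status: 401, body: { error: "unauthorized", reason: "Authentication required." } };
  if (requireValidUser && user === null) return unauthorized; // the gate applies to /_session too
  if (method === "POST" && path === "/_session") {
    // form-style login as nano.auth() does: name/password only in the body
    const creds = Object.fromEntries(new URLSearchParams(body));
    if (user !== null || ADMINS[creds.name] === creds.password) {
      return { status: 200, body: { ok: true, cookie: "AuthSession=<constructed>" } };
    }
    return { status: 401, body: { error: "unauthorized", reason: "Name or password is incorrect." } };
  }
  if (OPEN_ENDPOINTS.has(path) || user !== null) return { status: 200, body: { ok: true } };
  return unauthorized;
}

// nano.auth() style: POST /_session with credentials only in the body.
function nanoStyleLogin(user, pw, requireValidUser) {
  return handle("POST", "/_session", {}, `name=${user}&password=${pw}`, requireValidUser);
}

// Jan's suggestion: carry Basic Auth on the /_session request itself.
function basicAuthLogin(user, pw, requireValidUser) {
  const token = Buffer.from(`${user}:${pw}`).toString("base64");
  return handle("POST", "/_session", { authorization: `Basic ${token}` },
                `name=${user}&password=${pw}`, requireValidUser);
}
```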
Olaf Krueger
2018-07-26 11:52:45 UTC
Hi Jan,
Post by Jan Lehnardt
Nano could try a Basic Auth request to /_session.
We'll check out the latest version, maybe it's already fixed.
Otherwise, we'll post at @dev about this.

Anyway, thanks for your comments, that was helpful!

Olaf