...
Below are the steps required to configure this security functionality:
Create a new Admin user
For example, to create a system admin with "rootuser" as the username and "adminpass" as the password (the password is sent as a JSON string, hence the doubled quotes):

```bash
HOST="http://127.0.0.1:5984"
curl -X PUT $HOST/_config/admins/rootuser -d '"adminpass"'
```

A system admin (CouchDB calls this a server admin) is allowed to do anything to a CouchDB installation.
Confirm that the new system admin has been created successfully
Without credentials:

```bash
curl -X PUT $HOST/yourdatabase
{"error":"unauthorized","reason":"You are not a server admin."}
```

With credentials:

```bash
HOST="http://rootuser:adminpass@127.0.0.1:5984"
curl -X PUT $HOST/yourdatabase
{"ok":true}
```
Create a new database user
For example, creating a user "test" with password "pass1":

```bash
curl -X PUT http://localhost:5984/_users/org.couchdb.user:test \
     -H "Accept: application/json" \
     -H "Content-Type: application/json" \
     -d '{"name": "test", "password": "pass1", "roles": [], "type": "user"}'
```
NB: Passwords for existing database users can be changed later.
Check that the new database user exists
Request:

```bash
curl -X POST http://localhost:5984/_session -d 'name=test&password=pass1'
```

Correct response:

```json
{"ok":true,"name":"test","roles":[]}
```
Assign the new user to your database (Authorization)

This is done by creating authorization rules. These rules are set up by a server admin and can be modified at any time.

For example, giving user "test" both admin and member privileges on yourdatabase:

```bash
curl -X PUT http://localhost:5984/yourdatabase/_security \
     -u rootuser:adminpass \
     -H "Content-Type: application/json" \
     -d '{"admins": { "names": ["test"], "roles": [] }, "members": { "names": ["test"], "roles": [] } }'
```

→ If both the names and roles fields of the admins or members property are empty arrays, the database has no admins or no members, respectively.
→ Having no admins, only server admins (with the reserved _admin role) are able to update design documents and make other admin-level changes.
→ Having no members, any user can write regular documents (any non-design document) and read documents from the database.
→ If any member names or roles are defined for a database, only authenticated users with a matching name or role are allowed to read documents from the database.
→ For complex scenarios, use roles, i.e. update database users to have roles and assign those roles to your database.
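The rules above decide, for each request, whether a user may read, write a regular document, or change design documents. The following is an added example (not from the original page and not CouchDB's own code) that models those rules so a security document can be audited offline before it is applied: `security` is the `_security` document and `ctx` is a user context in the shape of CouchDB's `userCtx` (`{"name": ..., "roles": [...]}`). It assumes that a server admin is any user whose roles include the reserved `_admin` role and that database admins also count as members; the sample security documents are constructed from the page's example.

```python
# Added example: a model of CouchDB's per-database authorization rules as described
# on this page. Not CouchDB's code; "ctx" mirrors CouchDB's userCtx shape.
# Assumption: a server admin is a user whose roles contain the reserved "_admin" role.

ANONYMOUS = {"name": None, "roles": []}


def _matches(section, ctx):
    """True if the user's name or any of its roles appears in a names/roles section."""
    if ctx.get("name") is not None and ctx["name"] in section.get("names", []):
        return True
    return bool(set(ctx.get("roles", [])) & set(section.get("roles", [])))


def is_server_admin(ctx):
    return "_admin" in ctx.get("roles", [])


def is_db_admin(security, ctx):
    """Server admins are always database admins; otherwise the admins section decides."""
    return is_server_admin(ctx) or _matches(security.get("admins", {}), ctx)


def is_member(security, ctx):
    """No member names/roles means the database is open to everyone; otherwise the
    user must match the members section (database admins count as members too)."""
    members = security.get("members", {})
    if not members.get("names") and not members.get("roles"):
        return True
    return is_db_admin(security, ctx) or _matches(members, ctx)


def can_read(security, ctx):
    return is_member(security, ctx)


def can_write(security, ctx, doc_id):
    """Design documents need admin rights; regular documents need membership."""
    if doc_id.startswith("_design/"):
        return is_db_admin(security, ctx)
    return is_member(security, ctx)


def access_summary(security, ctx):
    """Compact view of what a user may do, handy when auditing a _security document."""
    return {
        "read": can_read(security, ctx),
        "write_doc": can_write(security, ctx, "doc1"),
        "write_design": can_write(security, ctx, "_design/app"),
    }


# Constructed sample inputs: the page's security document and a wide-open one.
PAGE_SECURITY = {"admins": {"names": ["test"], "roles": []},
                 "members": {"names": ["test"], "roles": []}}
OPEN_SECURITY = {"admins": {"names": [], "roles": []},
                 "members": {"names": [], "roles": []}}

if __name__ == "__main__":
    users = (ANONYMOUS, {"name": "test", "roles": []}, {"name": "root", "roles": ["_admin"]})
    for label, sec in (("page", PAGE_SECURITY), ("open", OPEN_SECURITY)):
        for who in users:
            print(label, who["name"], access_summary(sec, who))
```

Running the block prints the access matrix for an anonymous user, the page's "test" user and a server admin against both documents. The open document is the state a database is in before step 4 is carried out: anyone can read and write regular documents, and only the server admin can touch design documents.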
Confirm that authorization rules have been updated

Request:

```bash
curl -X GET -u test:pass1 http://localhost:5984/yourdatabase/_security
```

Correct response:

```json
{"admins":{"names":["test"],"roles":[]},"members":{"names":["test"],"roles":[]}}
```
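The steps above can be run and verified as one script. The following is an added example (it is not part of the original page, nor OpenSRP or CouchDB code) that performs the whole procedure against a CouchDB 1.x node using the same `/_config/admins` URL form as the page and checks each step, including that the "admin party" is closed afterwards and that anonymous reads are refused. The host URL and the credentials are assumed placeholders; unlike the page, the user document is created by the server admin, which works whether or not public signups are enabled. The HTTP transport is a parameter so the procedure can be dry-run against a fake server.

```python
# Added example: drive the page's CouchDB 1.x hardening steps from Python and verify each.
# Not OpenSRP/CouchDB code. Host and credentials are placeholders (assumptions).
import base64
import json
import urllib.error
import urllib.request


def urllib_http(method, url, body=None, auth=None):
    """Default transport: send JSON, return (status, decoded JSON body or None)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    if auth:
        token = base64.b64encode("{}:{}".format(*auth).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, json.loads(raw) if raw else None
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, json.loads(raw) if raw else None


def security_doc(admin_names=(), admin_roles=(), member_names=(), member_roles=()):
    """Build a _security document in the shape CouchDB expects."""
    return {"admins": {"names": list(admin_names), "roles": list(admin_roles)},
            "members": {"names": list(member_names), "roles": list(member_roles)}}


class CouchSetup:
    def __init__(self, base_url, http=urllib_http):
        self.base = base_url.rstrip("/")
        self.http = http

    def admin_party_open(self):
        """With no server admin, /_config is readable anonymously (200); otherwise 401."""
        status, _ = self.http("GET", self.base + "/_config/admins")
        return status == 200

    def create_server_admin(self, name, password):
        # The password travels as a JSON string, like the page's -d '"adminpass"'.
        status, _ = self.http("PUT", f"{self.base}/_config/admins/{name}", body=password)
        return status == 200

    def create_db_user(self, name, password, admin, roles=()):
        body = {"name": name, "password": password, "roles": list(roles), "type": "user"}
        status, _ = self.http("PUT", f"{self.base}/_users/org.couchdb.user:{name}",
                              body=body, auth=admin)
        return status in (201, 202)

    def session_ok(self, name, password):
        status, data = self.http("POST", self.base + "/_session",
                                 body={"name": name, "password": password})
        return status == 200 and bool(data) and data.get("name") == name

    def create_db(self, db, admin):
        status, _ = self.http("PUT", f"{self.base}/{db}", auth=admin)
        return status in (201, 412)  # 412: database already exists

    def set_security(self, db, doc, admin):
        status, _ = self.http("PUT", f"{self.base}/{db}/_security", body=doc, auth=admin)
        return status == 200

    def security_enforced(self, db, user, expected):
        """Anonymous read must be refused and the member must see the stored document."""
        anon_status, _ = self.http("GET", f"{self.base}/{db}/_security")
        user_status, got = self.http("GET", f"{self.base}/{db}/_security", auth=user)
        return anon_status == 401 and user_status == 200 and got == expected


def secure_database(setup, admin, user, db):
    """Run the page's procedure end to end; returns the ordered list of (step, ok)."""
    doc = security_doc(admin_names=[user[0]], member_names=[user[0]])
    return [
        ("admin party was open", setup.admin_party_open()),
        ("server admin created", setup.create_server_admin(*admin)),
        ("admin party closed", not setup.admin_party_open()),
        ("database user created", setup.create_db_user(user[0], user[1], admin)),
        ("user can log in", setup.session_ok(*user)),
        ("database created", setup.create_db(db, admin)),
        ("security document set", setup.set_security(db, doc, admin)),
        ("security enforced", setup.security_enforced(db, user, doc)),
    ]


if __name__ == "__main__":
    # Placeholder credentials taken from the page; replace them before real use.
    client = CouchSetup("http://127.0.0.1:5984")
    results = secure_database(client, ("rootuser", "adminpass"), ("test", "pass1"), "yourdatabase")
    for step, ok in results:
        print("OK  " if ok else "FAIL", step)
```

The first and third checks are the ones worth keeping in any deployment script: a fresh CouchDB 1.x node answers `GET /_config/admins` to anyone until the first admin exists, so "admin party closed" failing means the node is still world-writable.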
In opensrp-client update the AllConstants.CloudantSync class:

```java
public static class CloudantSync {
    ...
    public static final String COUCH_DATABASE_NAME = "yourdatabase";
    public static final String COUCH_DATABASE_USER = "test";
    public static final String COUCH_DATABASE_PASS = "pass1";
}
```
NB: Committing this file after adding your credentials is a big security risk, since the database can be accessed from a browser if the port is open.
Test your application
To restrict anonymous browser access, you can set require_valid_user = true in the [couch_httpd_auth] section of CouchDB's local.ini file, although this is not required.
...