Tags: authentication, couchdb, cloudant

Cloudant auth: lacks _users database


I'm getting set up with CouchDB on Cloudant, and I'm confused because Cloudant seems to do auth differently than regular CouchDB. Specifically, Cloudant seems to lack a _users database.

I read the Cloudant auth FAQ here, and it provided the following instructions:

Can I use CouchDB security features (_users database, security objects, validation functions) on Cloudant?

Yes you can. If you want to use the _users database you must first turn off Cloudant's own security for the roles you want to manage via _users. To do this you need to PUT a JSON document like the following to the _security endpoint of the database (for example https://USERNAME.cloudant.com/DATABASE/_security):

{ "cloudant": { "nobody": ["_reader", "_writer", "_admin"] }, "readers": { "names":["demo"],"roles":[] } }

These instructions worked fine, and allowed me to update the _security object of a database.

What wasn't clear was how to set up the _users database. It didn't exist automatically, so I tried creating it using a regular:

curl -X PUT $COUCH/_users

This worked fine, but when I attempt to add a new user to _users as follows:

curl -HContent-Type:application/json \
  -vXPUT $COUCH/_users/org.couchdb.user:me \
  --data-binary '{"_id": "org.couchdb.user:me","name": "me","roles": [],"type": "user","password": "pwd"}'

It appears to create the document correctly:

{"ok":true,"id":"org.couchdb.user:me","rev":"3-86c3801fdb8c32331f5f2580e861a765"}

But the new user in _users on Cloudant lacks a hashed password:

{
   "_id": "org.couchdb.user:me",
   "_rev": "3-86c3801fdb8c32331f5f2580e861a765",
   "name": "me",
   "roles": [
   ],
   "type": "user",
   "password": "pwd"
}

So when I attempt to authenticate as this user, I get the following error:

{"error":"bad_request","reason":"missing password_sha property in user doc"}

On my local CouchDB installation, creating a new user in _users would automatically create the hashed password:

{
   "_id": "org.couchdb.user:test",
   "_rev": "1-9c1c4360eba168468a37d7f623782d23",
   "password_scheme": "pbkdf2",
   "iterations": 10,
   "name": "test",
   "roles": [
   ],
   "type": "user",
   "derived_key": "4a122a20c1a8fdddb5307c29078e2c4269abffa5",
   "salt": "36c0c05cf2a3ee321eabd10c46a8aa2a"
}

I tried copying the "_design/_auth" document from my local CouchDB installation to Cloudant, but the results are the same - no hashed password.

I appear to have gone off the rails at some point, but I'm not sure where this happened. How can I set up Cloudant to use the same kind of auth as regular CouchDB?


Solution

  • I found the answer via #cloudant IRC:

    09:59 <+kocolosk> creating _users was the right thing to do

    09:59 <+kocolosk> the API matches an older version of CouchDB where the passwords needed to be hashed client-side

    10:00 < jbeard> oh, I see

    10:00 <+kocolosk> we're addressing that lack of support for automatic hashing

    10:01 < jbeard> I'm trying to find documentation on client-side hashing in Couch.

    10:02 < jbeard> What version of Couch is Cloudant aiming to be compatible with for _users?

    10:04 <+kocolosk> jbeard: http://wiki.apache.org/couchdb/Security_Features_Overview

    10:04 <+kocolosk> see "Generating password_sha (only applicable for 1.1.x and earlier)"

    10:04 <+kocolosk> jbeard: this particular feature is the last bit where we are compatible with 1.1.x but not newer versions

    10:05 < jbeard> Excellent

    10:05 < jbeard> That's what I needed to know
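The IRC answer points at the 1.1.x scheme without showing it. The script below is an added example, not code from the question, from the IRC exchange, or from Cloudant/CouchDB. It builds a `_users` document both ways: the 1.1.x form the answer describes (`password_sha` = hex SHA-1 of the password concatenated with a random hex `salt`), and the 1.2+ form shown in the question's local CouchDB document (`password_scheme: "pbkdf2"`, `derived_key` = hex PBKDF2-HMAC-SHA1 of the password with the hex salt string as salt, 20-byte output). It also verifies a candidate password against either form and refuses a document that still carries a plaintext `password` field, which is exactly the state the question's Cloudant document was in. Function names, the role list and the sample credentials are this example's own choices; the salt length (32 hex characters) matches the document in the question.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional


def legacy_password_fields(password: str, salt: Optional[str] = None) -> dict:
    """CouchDB 1.1.x scheme ("Generating password_sha"): hex SHA-1 of password + salt.

    Cloudant at the time of the post expected the client to supply these
    fields pre-hashed instead of hashing the plaintext "password" server-side.
    """
    if salt is None:
        salt = secrets.token_hex(16)  # 32 hex characters, like CouchDB's own salts
    digest = hashlib.sha1((password + salt).encode("utf-8")).hexdigest()
    return {"password_sha": digest, "salt": salt}


def pbkdf2_password_fields(password: str, iterations: int = 10, salt: Optional[str] = None) -> dict:
    """CouchDB 1.2+ scheme: PBKDF2-HMAC-SHA1, hex salt string used as the PBKDF2 salt, 20-byte key."""
    if salt is None:
        salt = secrets.token_hex(16)
    derived = hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt.encode("utf-8"), iterations, dklen=20
    )
    return {
        "password_scheme": "pbkdf2",
        "iterations": iterations,
        "derived_key": derived.hex(),
        "salt": salt,
    }


def make_user_doc(name: str, password: str, roles=None, scheme: str = "legacy",
                  iterations: int = 10, salt: Optional[str] = None) -> dict:
    """Build a complete org.couchdb.user document with the password already hashed.

    The plaintext password is deliberately never placed in the document.
    """
    doc = {
        "_id": f"org.couchdb.user:{name}",
        "name": name,
        "roles": list(roles or []),
        "type": "user",
    }
    if scheme == "legacy":
        doc.update(legacy_password_fields(password, salt))
    elif scheme == "pbkdf2":
        doc.update(pbkdf2_password_fields(password, iterations, salt))
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return doc


def verify_password(doc: dict, password: str) -> bool:
    """Check a candidate password against either document form with a constant-time compare."""
    if "password" in doc:
        # The questioner's Cloudant document looked like this: the server never hashed it.
        raise ValueError("user doc still carries a plaintext 'password' field; it was never hashed")
    if doc.get("password_scheme") == "pbkdf2":
        expected = pbkdf2_password_fields(password, doc["iterations"], doc["salt"])["derived_key"]
        return hmac.compare_digest(expected, doc["derived_key"])
    if "password_sha" in doc:
        expected = legacy_password_fields(password, doc["salt"])["password_sha"]
        return hmac.compare_digest(expected, doc["password_sha"])
    # Same condition Cloudant reported in the question.
    raise ValueError("missing password_sha property in user doc")


if __name__ == "__main__":
    # Sample credentials are constructed for this example.
    doc = make_user_doc("me", "pwd")
    body = json.dumps(doc)
    print(body)
    # The PUT the question used, now with a hashed document. $COUCH is assumed to be set.
    print(f"curl -H Content-Type:application/json -X PUT $COUCH/_users/{doc['_id']} --data-binary '{body}'")
```

The 1.1.x form is a single unsalted-iteration SHA-1 with a salt appended, so it only protects against precomputed tables, not against brute force of a leaked `_users` database; it is what Cloudant accepted at the time, not what you would choose today. If a document returned from `_users` still contains a `password` field, the server did not hash it and the credential is stored in the clear.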