couchdb fauxton couchdb-3.x

Creating new user in CouchDB 3 without admin password


I just downloaded and installed CouchDB v3.

On first start, it prompted me to set an admin password which I did.

For the web app that I'm building, I want to use the CouchDB user authentication feature, so I created a new _users database using the Fauxton UI.

After creating the _users database I made a call to the REST API to insert a new user (this is the example code taken from the documentation):

$ curl -X PUT http://localhost:5984/_users/org.couchdb.user:jan \
     -H "Accept: application/json" \
     -H "Content-Type: application/json" \
     -d '{"name": "jan", "password": "apple", "roles": [], "type": "user"}'

Instead of the expected response

{"ok":true,"id":"org.couchdb.user:jan","rev":"..."}

I'm getting

{"error":"unauthorized","reason":"You are not authorized to access this db."}

When adding the admin credentials to the API call, it works as expected:

$ curl -X PUT http://admin:____@localhost:5984/_users/org.couchdb.user:jan \
     -H "Accept: application/json" \
     -H "Content-Type: application/json" \
     -d '{"name": "jan", "password": "apple", "roles": [], "type": "user"}'

{"ok":true,"id":"org.couchdb.user:jan","rev":"..."}

My question:

Are there any settings or permissions I can set to make the request work without having to add the admin credentials? (AFAIK this worked fine in v2.x)


Solution

  • You are missing the fun of the good old Admin Party, which for many years was the default setting for CouchDB, meaning it was installed with zero security as everyone was effectively an admin.

    From The Road to CouchDB 3.0: Security[1]

    One of the aspects of getting started easily was a 1.x-era choice to make it easy to use CouchDB: the Admin Party. Admin Party means that, by default, any request made against CouchDB was done in the context of an admin user, i.e. you were allowed to do anything.

    3.0 changed all of that by shutting down the Admin Party - what a bunch of buzz kills!

    I suspect there are more sophisticated solutions, but for those that want to party on[2] quickly, minor changes to etc/local.ini and any permissions on _users will satisfy.

    The key is the configuration property require_valid_user[3].

    In etc/local.ini, modify the chttpd and couch_httpd_auth sections

    [chttpd]
    require_valid_user = false
    
    [couch_httpd_auth]
    require_valid_user = false
    

    That's all that is needed unless there are members and/or roles defined for the _users database. If there are, they must be deleted (easily with Fauxton).

    After cleaning up members/roles and altering the etc/local.ini, restart CouchDB and you should be able to create users without a problem. Party on! 👍

    Just be sure to consider the ramifications of such changes.

    Disclaimer - I don't recommend running CouchDB in any security context resembling Admin Party!


    [1] The Road to CouchDB 3.0: Security
    [2] Party On
    [3] require_valid_user
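
An added example, not part of the original question or answer: a small audit that reads a copy of etc/local.ini and the _users/_security document and reports whether a server is in the state the answer describes, where anonymous clients can create user documents. The sample inputs are constructed, and the function names, the treatment of missing keys and the rule for combining the two sections are assumptions of this example.

```python
import configparser
import json

# Constructed sample inputs, not taken from a real server.
PARTY_INI = "[chttpd]\nrequire_valid_user = false\n\n[couch_httpd_auth]\nrequire_valid_user = false\n"
STRICT_INI = "[chttpd]\nrequire_valid_user = true\n"
# Shape of the document returned by GET /_users/_security.
OPEN_SECURITY = '{"admins": {"names": [], "roles": []}, "members": {"names": [], "roles": []}}'
ADMIN_ONLY_SECURITY = '{"admins": {"roles": ["_admin"]}, "members": {"roles": ["_admin"]}}'

SECTIONS = ("chttpd", "couch_httpd_auth")  # the two sections the answer edits


def valid_user_settings(ini_text):
    """Return {section: bool} for require_valid_user in each section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    # Assumption: a missing key counts as false.
    return {s: parser.getboolean(s, "require_valid_user", fallback=False) for s in SECTIONS}


def members_defined(security_json):
    """True when the _security document lists any member name or role."""
    members = json.loads(security_json or "{}").get("members") or {}
    return bool(members.get("names") or members.get("roles"))


def audit(ini_text, security_json):
    """Return (anonymous_signup_open, findings) for one server's settings."""
    settings = valid_user_settings(ini_text)
    findings = [f"[{s}] require_valid_user = false" for s, on in settings.items() if not on]
    restricted = members_defined(security_json)
    if not restricted:
        findings.append("_users/_security has no members or roles")
    # Assumption: true in either section is enough to reject anonymous requests,
    # because the answer has to set both to false.
    signup_open = not any(settings.values()) and not restricted
    return signup_open, findings


if __name__ == "__main__":
    for ini, sec in ((PARTY_INI, OPEN_SECURITY), (STRICT_INI, ADMIN_ONLY_SECURITY)):
        is_open, notes = audit(ini, sec)
        print("anonymous signup open:", is_open)
        for note in notes:
            print("  -", note)
```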