Dear Wiki user, You have subscribed to a wiki page or wiki category on "Couchdb Wiki" for change notification.
The "Security_Features_Overview" page has been changed by MattAdams. http://wiki.apache.org/couchdb/Security_Features_Overview?action=diff&rev1=18&rev2=19 -------------------------------------------------- The "_id" attribute value must be prefixed with the string "org.couchdb.user:" and the rest must match the value of the attribute "name". The roles attribute must be an array of roles (and each role is a string). The "password_sha" attribute is an hexadecimal representation of the SHA-1 hash computed over a string that matches the user password concatenated with a salt (ideally a random string). The salt attribute is the hexadecimal representation of the salt used to generate the user's password hash. - '''Note:''' you will need to use the [[https://github.com/apache/couchdb/blob/trunk/share/www/script/sha1.js|sha1.js implementation of SHA-1]] to generate `password_sha`. The SHA-1 hex digest output by Open``SSL is not compatible with Erlang's crypto:sha/1 -- MattAdams + '''Note:''' please see "Generating password_sha" below for more about the SHA-1 hash. Some rules regarding user documents: @@ -108, +108 @@ All these rules regarding authentication database documents are enforced by the validate document update function stored in the design document with ID "_design/_auth" found in the authentication database (it is automatically created by CouchDB). + === Generating password_sha === + + `password_sha` can be generated a number of different ways. Open``SSL's `sha` and `sha1` functions are not compatible. Below are some methods that work: + + Erlang + + {{{ + Erlang R14B01 (erts-5.8.2) [source] [smp:2:2] [rq:2] [async-threads:4] [hipe] [kernel-poll:true] + + Eshell V5.8.2 (abort with ^G) + 1> Apache CouchDB 1.2.0ab0c6e32-git (LogLevel=info) is starting. + Apache CouchDB has started. Time to relax. + [info] [<0.37.0>] Apache CouchDB has started on http://127.0.0.1:5984/ + + 1> couch_util:to_hex(crypto:sha("foobar")). 
+ "8843d7f92416211de9ebb963ff4ce28125932878" + }}} + + Ruby + + {{{ + irb(main):001:0> require 'digest/sha1' + => true + irb(main):002:0> Digest::SHA1.hexdigest 'foobar' + => "8843d7f92416211de9ebb963ff4ce28125932878" + }}} + + Python + + {{{ + >>> import hashlib + >>> h = hashlib.sha1() + >>> h.update("foobar") + >>> h.digest() + '\x88C\xd7\xf9$\x16!\x1d\xe9\xeb\xb9c\xffL\xe2\x81%\x93(x' + >>> h.hexdigest() + '8843d7f92416211de9ebb963ff4ce28125932878' + }}} + + sha1.js implementation (from [[https://github.com/apache/couchdb/blob/trunk/share/www/script/sha1.js|CouchDB]]) + + {{{ + hex_sha1(foobar); + }}} + == Document Update Validation == See [[Document_Update_Validation]].
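Review bot: The replacement '''Note:''' line in the first hunk drops the one detail that said what the OpenSSL digest is incompatible with (the removed text named Erlang's crypto:sha/1), and it points to the new section only by its quoted title. Suggest keeping the crypto:sha/1 reference, either in the note or in the new section, and linking to the section heading instead of quoting it, so the pointer survives a heading rename.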
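Review bot: Every example in the added "Generating password_sha" section hashes the bare string "foobar", while the context paragraph before the first hunk defines password_sha as SHA-1 over the password concatenated with the salt. A reader copying these examples will store an unsalted hash that does not correspond to the document's salt attribute. Suggest hashing password plus salt in each example and showing the matching salt value next to it. In the sha1.js example, `hex_sha1(foobar);` passes an unquoted identifier rather than the string and should read `hex_sha1("foobar");`. The sentence that Open``SSL's `sha` and `sha1` functions "are not compatible" gives no command or output, although the Erlang, Ruby and Python examples all return the same digest; state the exact invocation and input that produced a different value.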
