[ https://issues.apache.org/jira/browse/COUCHDB-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15513925#comment-15513925 ]
Aleksander Alekseev commented on COUCHDB-3156:
----------------------------------------------

[~wohali] I'm afraid it's not. Here are my exact steps (fortunately I have a habit of recording such things).

On every node modify /home/couchdb/etc/vm.args like this (ip is different for every node):

{code}
-name couchdb@10.110.2.4
-setcookie eY2chohl4siecaib
{code}

Restart all nodes:

{code}
sudo sv restart couchdb
{code}

(!) Create admin user on every node and change bind address:

{code}
curl -X PUT http://127.0.0.1:5984/_node/couchdb@10.110.2.4/_config/admins/admin -d '"password"'
curl -X PUT http://127.0.0.1:5984/_node/couchdb@10.110.2.4/_config/chttpd/bind_address -d '"0.0.0.0"' --user admin
{code}

Join nodes into a cluster. For this, on one node I did the following for every other node:

{code}
curl -X POST -H "Content-Type: application/json" http://127.0.0.1:5984/_cluster_setup -d '{"action": "enable_cluster", "bind_address":"0.0.0.0", "username": "admin", "password":"password", "port": 5984, "remote_node": "10.110.2.5", "remote_current_user": "admin", "remote_current_password": "password" }' --user admin
curl -X POST -H "Content-Type: application/json" http://127.0.0.1:5984/_cluster_setup -d '{"action": "add_node", "host":"10.110.2.7", "port": "5984", "username": "admin", "password":"password"}' --user admin
{code}

When all nodes are added:

{code}
curl -X POST -H "Content-Type: application/json" http://127.0.0.1:5984/_cluster_setup -d '{"action": "finish_cluster"}' --user admin
{code}

Re-check that all nodes are in the cluster:

{code}
curl -X GET http://localhost:5984/_membership --user admin
{code}

Next steps - see above. Previous steps (installing CouchDB) - see https://github.com/afiskon/install-couchdb

OS: Ubuntu 16.04 x64.

> Users could be created by anyone (missing authorization for /_users/* endpoint)
> -------------------------------------------------------------------------------
>
>                 Key: COUCHDB-3156
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-3156
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>            Reporter: Aleksander Alekseev
>            Priority: Critical
>
> Steps to reproduce:
> 1. Configure a 3-node cluster (not sure if it also reproduces on a single-node setup), make sure you've created an admin user:
> {code}
> curl -X PUT http://127.0.0.1:5984/_node/couchdb@10.110.2.4/_config/admins/admin -d '"password"'
> {code}
> 2. Execute:
> {code}
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:afiskon \
>      -H "Accept: application/json" \
>      -H "Content-Type: application/json" \
>      -d '{"name": "afiskon", "password": "secret", "roles": [], "type": "user"}'
> {code}
> Expected behavior:
> {code}
> {"error":"unauthorized","reason":"You are not a server admin."}
> {code}
> ( User should not be created since no admin username and password were provided. )
> Actual behavior:
> {code}
> {"ok":true,"id":"org.couchdb.user:afiskon","rev":"1-ed29e6531747deca44fad127b033fe59"}
> {code}
> Affected version:
> CouchDB 2.0

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)