[jira] [Created] (COUCHDB-3156) Users could be created by anyone (missing authorization for /_users/* endpoint)
Aleksander Alekseev created COUCHDB-3156:

Summary: Users could be created by anyone (missing authorization for /_users/* endpoint)
Key: COUCHDB-3156
URL: https://issues.apache.org/jira/browse/COUCHDB-3156
Project: CouchDB
Issue Type: Bug
Components: HTTP Interface
Reporter: Aleksander Alekseev

Steps to reproduce:

1. Configure a 3-node cluster (not sure if it also reproduces on a single-node setup), make sure you've created an admin user:
{code}
curl -X PUT http://127.0.0.1:5984/_node/couchdb@10.110.2.4/_config/admins/admin -d '"password"'
{code}
2. Execute:
{code}
curl -X PUT http://localhost:5984/_users/org.couchdb.user:afiskon \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{"name": "afiskon", "password": "secret", "roles": [], "type": "user"}'
{code}
Expected behavior: User should not be created since no admin username and password were provided.

Actual behavior:
{code}
{"ok":true,"id":"org.couchdb.user:afiskon","rev":"1-ed29e6531747deca44fad127b033fe59"}
{code}
Affected version: CouchDB 2.0

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
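Added here as an example (not code from the CouchDB project or the reporter): a small Python audit that sends the anonymous PUT from step 2 to a CouchDB server you administer and classifies the answer, with an injectable transport so a constructed fake node can stand in offline for both the behaviour in the report and a node that rejects anonymous requests (as with CouchDB's `require_valid_user` setting). `check_signup`, `fake_node` and the `audit-` canary name are assumptions of this example.

```python
"""Audit for anonymous self-registration on CouchDB's /_users database
(COUCHDB-3156).  Added example; assumes the CouchDB 2.x HTTP API, where an
unauthenticated PUT /_users/org.couchdb.user:<name> answers 201 (created)
or 401/403 (rejected)."""
import json
import urllib.error
import urllib.request
import uuid

def urllib_send(method, url, body=None):
    """Real transport: one unauthenticated request -> (status, JSON body)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Content-Type": "application/json", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode(), json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def check_signup(base_url, send=urllib_send):
    """Try to create a throwaway canary user with no credentials and report
    "open", "closed" or "unexpected".  Anonymous callers cannot delete _users
    docs, so an "open" result returns the canary id for the admin to remove."""
    name = "audit-" + uuid.uuid4().hex[:8]   # constructed random canary name
    doc_id = "org.couchdb.user:" + name
    status, body = send("PUT", base_url.rstrip("/") + "/_users/" + doc_id,
                        {"name": name, "password": uuid.uuid4().hex,
                         "roles": [], "type": "user"})
    if status in (401, 403):
        return {"result": "closed", "status": status, "canary": None}
    if status == 201 and body.get("ok") is True:
        return {"result": "open", "status": status, "canary": doc_id}
    return {"result": "unexpected", "status": status, "canary": None}

def fake_node(require_valid_user):
    """Constructed stand-in for a CouchDB node so the audit runs offline:
    with require_valid_user off it behaves as in the bug report (anonymous
    PUT succeeds); with it on, every anonymous request is answered 401."""
    def send(method, url, body=None):
        if require_valid_user:
            return 401, {"error": "unauthorized",
                         "reason": "Authentication required."}
        doc_id = url.rsplit("/", 1)[1]
        if method == "PUT" and body and body.get("type") == "user":
            return 201, {"ok": True, "id": doc_id, "rev": "1-constructed"}
        return 400, {"error": "bad_request", "reason": "constructed fake"}
    return send
```

Against a live node, `check_signup("http://127.0.0.1:5984")` uses the real transport; an "open" result means the node accepts the unauthenticated user creation described in the report.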
[jira] [Commented] (COUCHDB-3156) Users could be created by anyone (missing authorization for /_users/* endpoint)
[ https://issues.apache.org/jira/browse/COUCHDB-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15513925#comment-15513925 ]

Aleksander Alekseev commented on COUCHDB-3156:
--

[~wohali] I'm afraid it's not. Here are my exact steps (fortunately I have a habit of recording such things).

On every node modify /home/couchdb/etc/vm.args like this (the IP is different for every node):
{code}
-name couchdb@10.110.2.4
-setcookie eY2chohl4siecaib
{code}
Restart all nodes:
{code}
sudo sv restart couchdb
{code}
(!) Create an admin user on every node and change the bind address:
{code}
curl -X PUT http://127.0.0.1:5984/_node/couchdb@10.110.2.4/_config/admins/admin -d '"password"'
curl -X PUT http://127.0.0.1:5984/_node/couchdb@10.110.2.4/_config/chttpd/bind_address -d '"0.0.0.0"' --user admin
{code}
Join the nodes into a cluster. For this, on one node I did the following for every other node:
{code}
curl -X POST -H "Content-Type: application/json" http://127.0.0.1:5984/_cluster_setup -d '{"action": "enable_cluster", "bind_address":"0.0.0.0", "username": "admin", "password":"password", "port": 5984, "remote_node": "10.110.2.5", "remote_current_user": "admin", "remote_current_password": "password" }' --user admin
curl -X POST -H "Content-Type: application/json" http://127.0.0.1:5984/_cluster_setup -d '{"action": "add_node", "host":"10.110.2.7", "port": "5984", "username": "admin", "password":"password"}' --user admin
{code}
When all nodes are added:
{code}
curl -X POST -H "Content-Type: application/json" http://127.0.0.1:5984/_cluster_setup -d '{"action": "finish_cluster"}' --user admin
{code}
Re-check that all nodes are in the cluster:
{code}
curl -X GET http://localhost:5984/_membership --user admin
{code}
Next steps: see above. Previous steps (installing CouchDB): see https://github.com/afiskon/install-couchdb

OS: Ubuntu 16.04 x64.
> Users could be created by anyone (missing authorization for /_users/* endpoint)
> ---
>
> Key: COUCHDB-3156
> URL: https://issues.apache.org/jira/browse/COUCHDB-3156
> Project: CouchDB
> Issue Type: Bug
> Components: HTTP Interface
> Reporter: Aleksander Alekseev
> Priority: Critical
>
> Steps to reproduce:
> 1. Configure a 3-node cluster (not sure if it also reproduces on a single-node setup), make sure you've created an admin user:
> {code}
> curl -X PUT http://127.0.0.1:5984/_node/couchdb@10.110.2.4/_config/admins/admin -d '"password"'
> {code}
> 2. Execute:
> {code}
> curl -X PUT http://localhost:5984/_users/org.couchdb.user:afiskon \
>   -H "Accept: application/json" \
>   -H "Content-Type: application/json" \
>   -d '{"name": "afiskon", "password": "secret", "roles": [], "type": "user"}'
> {code}
> Expected behavior:
> {code}
> {"error":"unauthorized","reason":"You are not a server admin."}
> {code}
> ( User should not be created since no admin username and password were provided. )
> Actual behavior:
> {code}
> {"ok":true,"id":"org.couchdb.user:afiskon","rev":"1-ed29e6531747deca44fad127b033fe59"}
> {code}
> Affected version:
> CouchDB 2.0
[jira] [Commented] (COUCHDB-3156) Users could be created by anyone (missing authorization for /_users/* endpoint)
[ https://issues.apache.org/jira/browse/COUCHDB-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15514088#comment-15514088 ]

Aleksander Alekseev commented on COUCHDB-3156:
--

[~kxepal] There is no such feature in CouchDB. Documentation section 1.6.2 clearly describes what this API should and shouldn't do: http://docs.couchdb.org/en/latest/intro/security.html . If a bug has existed in a project for many years, that doesn't make it the right behavior. It also doesn't make sense to deny everyone the ability to create databases and documents (which is what CouchDB currently does after the first admin is created) while allowing anyone to create as many users as they want.
[jira] [Commented] (COUCHDB-3156) Users could be created by anyone (missing authorization for /_users/* endpoint)
[ https://issues.apache.org/jira/browse/COUCHDB-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15514137#comment-15514137 ]

Aleksander Alekseev commented on COUCHDB-3156:
--

[~kxepal] Very well, but in this case it should be documented in 1.6.2. And I propose to use tag, since it's very unexpected behavior. In other databases (e.g. PostgreSQL), or for that matter on any *nix system, the administrator creates users and then the users change their password (or not).