How can I create regular, non-admin users in CouchDB?
73
votes
3 Answers
106
votes
First you put the user in _users database. The ID of the document must be org.couchdb.user:username, e.g.
With CouchDB 1.2.0 or later use this:
{
"_id": "org.couchdb.user:dbreader",
"name": "dbreader",
"type": "user",
"roles": [],
"password": "plaintext_password"
}
CouchDB will hash & salt the password for you on the server side and save the values in the fields password_sha and salt (see below).
With CouchDB < 1.2.0 the user document needs to look like this:
{
"_id": "org.couchdb.user:dbreader",
"name": "dbreader",
"type": "user",
"roles": [],
"salt": "54935938852dd34f92c672ab31e397cedaf0946d",
"password_sha": "42253ea4461a604f967813aaff90b139d7018806"
}
Note that CouchDB 1.3.0 and later will use PBKDF2 instead of aha & salt for hashing the password.
Then you can create per database authentication by creating document with id _security in specific database which is not versioned, e.g.
{
"admins": {
"names": ["dbadmin"],
"roles": ["editor"]
},
"readers": {
"names": ["dbreader"],
"roles": ["reader"]
}
}
This means that there are 2 users in _users besides the admin dbadmin and dbreader. That should do in case you are too lazy to read the document that has already been suggested.
21
votes
The CouchDB documentation has a short article about the security features of CouchDB, and it includes a section on how to create a new user.
couchdb_peruserneeds to hash usernames to make database names. There is a couple of restrictions that you can find in the design doc for the users database: - usernames cannot begin with an underscore_- usernames cannot contain a colon:_(It's still hard to find an answer to this online in 2019) - Leonid Shevtsov