CouchDB read authorization

Question

In couchdb website -> technical overview -> security and validation - http://couchdb.apache.org/docs/overview.html - it writes that (on reader access part) \"To protect do

Answer 1

You are right, it is confusing. Please see the 0.11 "breaking" changes for more information.

Per-document read control is not possible; the readers field is for access to the entire DB. For more information, load your database in Futon and click the Security... link at the top.

The reason read control is not possible is because views (map and reduce) can draw information from all documents in the database, so it is generally impossible to prevent users from seeing private data in some form.

For detailed access control, you have two major choices:

1. Have an application between your users and the DB. 99% of web applications using MySQL do this already (e.g. Ruby on Rails). Keep ACL information in the DB and your application grants/rejects access based on the ACL.
2. Keep a dedicated database per user. You may have to modify your architecture but maybe not. You can use replication with a filter to copy only a user's data into his database. Then he reads from his database and writes to the central database.

Answer 2

1. Login to the CouchDB as admin.
2. Open a particular database you want to secure
3. Click on Security button of that particular database.
4. Add users to Members names who can read. (At least add admins username) as string element of an array.
   Ex. Names: ["username1", "username2"]
5. Click on update button

Click here to see the image