search

rnewson / couchdb-lucene

Enables full-text searching of CouchDB documents using Lucene
Apache License 2.0
768 stars 147 forks source link

Please add a way to authenticate requests to couchdb-lucene #79

Open james-w opened 13 years ago

james-w commented 13 years ago

Hi,

I have no idea if this fits in to your plans, but I wanted to record our use case as it may be one that you want to support.

We want to make use of couchdb-lucene in an environment where can't fully restrict access to its port. Basically we want to add full-text-search capabilities to desktopcouch. We think we have a solution to running up a private instance of couchdb-lucene that can talk with the private couchdb, but we are stuck on security.

In this environment couchdb-lucene would just bind to localhost, but we can't stop other users on the same machine from reaching its port, and that could lead to information disclosure at the least.

Therefore we want some way for couchdb-lucene to authenticate requests so that it can only be used by the user that it is intended for.

After some discussion with aquarius he suggested that having couchdb-lucene listen on an AF_UNIX socket would be perfect, as we can use UNIX DAC to lock down access, and as all communication from couchdb to couchdb-lucene is mediated by the external helper it doesn't have to be over TCP. However, this doesn't fit too well with the new externals API

http://davispj.com/2010/09/26/new-couchdb-externals-api

as couch itself would have to proxy over an AF_UNIX socket.

I assume that you plan to move to the new API when it is merged?

Another alternative would then be to use the same strategy as we use for desktopcouch, which is to use oauth-signed requests, where the credentials are available to any process running as the target user (and root). If couchdb-lucene could be configured to only accept oauth signed requests too that would be great. With the new API it might even be reasonable to have it use the same oauth db, and so we can sign all requests with the same credentials, but given that the nonce db etc. wouldn't be shared that may not be reasonable.

Do you have any other suggestions? Does any of this fit in with your plans for couchdb-lucene?

Thanks,

James

rnewson commented 13 years ago

Incorporating an authentication mechanism to c-l interests me but I am the sole contributor to the project and my time is limited. I would certainly take a patch to add some kind of authentication if you are working on it?

Assuming you're not, then I take your suggestion seriously and I expect it to get done at some point. Obviously I cannot commit to a timeframe.

Paul's proposed new externals method should allow authentication but I will raise that topic with him directly.

rnewson commented 13 years ago

The current externals hook exposes the userCtx and secObj objects to couchdb-lucene, perhaps it's an easy fix?

"userCtx":{"db":"db1","name":null,"roles":["_admin"]},"secObj":{}

james-w commented 13 years ago

Hi,

Thanks for looking at this.

I'm not working on it right now, but clearly if it is important enough to me I should.

I don't think that we can use the userCtx passed by couchdb, as it isn't authenticated, and so easy enough to spoof.

Thanks,

James

diversario commented 13 years ago

I second the request, but in the meantime, I just went with this:

couchdb-lucene.ini:

[local]
url = http://user:password@127.0.0.1:5984/

It works and since it's on the same server as couchdb and all application code I don't worry about security of this approach.