Cloudant auth: lacks _users database
In fact, Cloudant does not support the hash value generation. I found this alternative that helps to use the _users db in the Cloudant service...
https://github.com/doublerebel/cloudant-user
As of 2020, Cloudant hashes the password but doesn't use the same hashing algorithm as CouchDB currently does (pbkdf2). For better security and compatibility, it is still advisable to generate the hash yourself, e.g. with couch-pwd.
And instead of supplying
{ "cloudant": { "nobody": ["_reader", "_writer", "_admin"] }, "readers": { "names":["demo"],"roles":[] } }
The docs now suggest the couchdb_auth_only flag:
{
  "couchdb_auth_only": true,
  "members": {
    "names": ["demo"], "roles": []
  },
  "admins": {
    "names": ["admin"], "roles": []
  }
}
But mind that the _admin role is not set automatically as in CouchDB 3.
I found the answer via #cloudant IRC:
09:59 <+kocolosk> creating _users was the right thing to do
09:59 <+kocolosk> the API matches an older version of CouchDB where the passwords needed to be hashed client-side
10:00 < jbeard> oh, I see
10:00 <+kocolosk> we're addressing that lack of support for automatic hashing
10:01 < jbeard> I'm trying to find documentation on client-side hashing in Couch.
10:02 < jbeard> What version of Couch is Cloudant aiming to be compatible with for _users?
10:04 <+kocolosk> jbeard: http://wiki.apache.org/couchdb/Security_Features_Overview
10:04 <+kocolosk> see "Generating password_sha (only applicable for 1.1.x and earlier)"
10:04 <+kocolosk> jbeard: this particular feature is the last bit where we are compatible with 1.1.x but not newer versions
10:05 < jbeard> Excellent
10:05 < jbeard> That's what I needed to know
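The client-side hashing the answers above refer to, as an added example that is not part of the original posts or of couch-pwd: it builds a _users document in both the 1.1.x-era password_sha form and CouchDB's pbkdf2 form. The function names and the default iteration count are assumptions made for this example, and the demo password is constructed.

```javascript
// Added example, not from the original answers. Field names follow CouchDB's
// _users document format; the function names here are hypothetical.
const nodeCrypto = require('crypto');

function baseDoc(name, roles) {
  return { _id: 'org.couchdb.user:' + name, name, type: 'user', roles };
}

// CouchDB 1.1.x-era scheme: password_sha = SHA-1(password + salt), hex-encoded.
function legacyUserDoc(name, password, { salt, roles = [] } = {}) {
  salt = salt || nodeCrypto.randomBytes(16).toString('hex');
  const password_sha = nodeCrypto.createHash('sha1')
    .update(password + salt, 'utf8').digest('hex');
  return { ...baseDoc(name, roles), password_sha, salt };
}

// Newer CouchDB scheme: PBKDF2-HMAC-SHA1 with a 20-byte key, hex-encoded.
// The salt string itself (not its decoded bytes) is fed to PBKDF2.
// The default of 10000 iterations is an arbitrary value chosen for this example.
function pbkdf2UserDoc(name, password, { salt, iterations = 10000, roles = [] } = {}) {
  salt = salt || nodeCrypto.randomBytes(16).toString('hex');
  const derived_key = nodeCrypto
    .pbkdf2Sync(password, salt, iterations, 20, 'sha1').toString('hex');
  return { ...baseDoc(name, roles), password_scheme: 'pbkdf2', iterations, derived_key, salt };
}

// Recompute the hash for a login attempt and compare in constant time.
function verifyPassword(doc, candidate) {
  const isPbkdf2 = doc.password_scheme === 'pbkdf2';
  const expected = isPbkdf2 ? doc.derived_key : doc.password_sha;
  if (typeof expected !== 'string' || typeof doc.salt !== 'string') return false;
  const actual = isPbkdf2
    ? pbkdf2UserDoc(doc.name, candidate, doc).derived_key
    : legacyUserDoc(doc.name, candidate, doc).password_sha;
  const a = Buffer.from(expected, 'hex');
  const b = Buffer.from(actual, 'hex');
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}

// Constructed demo user: the printed document is what would be stored in _users.
console.log(JSON.stringify(pbkdf2UserDoc('demo', 'constructed-password'), null, 2));
```

The plaintext password never appears in the stored document; only the salt and the derived hash do.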