Cloudant auth: lacks _users database

Question

I'm getting set up with CouchDB on Cloudant, and I'm confused because Cloudant seems to do auth differently than regular CouchDB. Specifically, Cloudant seems to lack a _users database.

I read the Cloudant auth FAQ here, and it provided the following instructions:

Can I use CouchDB security features (_users database, security objects, validation functions) on Cloudant?

Yes you can. If you want to use the _users database you must first turn off Cloudant's own security for the roles you want to manage via _users. To do this you need to PUT a JSON document like the following to the _security endpoint of the database (for example https://USERNAME.cloudant.com/DATABASE/_security):

{ "cloudant": { "nobody": ["_reader", "_writer", "_admin"] }, "readers": { "names":["demo"],"roles":[] } }

These instructions worked fine, and allowed me to update the _security object of a database.

What wasn't clear was how to set up the _users database. It didn't exist automatically, so I tried creating it using a regular:

curl -X PUT $COUCH/_users

This worked fine, but when I attempt to add a new user to _users as follows:

curl -HContent-Type:application/json \
  -vXPUT $COUCH/_users/org.couchdb.user:me \
  --data-binary '{"_id": "org.couchdb.user:me","name": "me","roles": [],"type": "user","password": "pwd"}'

It appears to create the document correctly:

{"ok":true,"id":"org.couchdb.user:me","rev":"3-86c3801fdb8c32331f5f2580e861a765"}

But the new user in _users on Cloudant lacks a hashed password:

{
   "_id": "org.couchdb.user:me",
   "_rev": "3-86c3801fdb8c32331f5f2580e861a765",
   "name": "me",
   "roles": [
   ],
   "type": "user",
   "password": "pwd"
}

So when I attempt to authenticate at this user, I get the following error:

{"error":"bad_request","reason":"missing password_sha property in user doc"}

On my local CouchDB installation, creating a new user in _users would automatically create the hashed password:

{
   "_id": "org.couchdb.user:test",
   "_rev": "1-9c1c4360eba168468a37d7f623782d23",
   "password_scheme": "pbkdf2",
   "iterations": 10,
   "name": "test",
   "roles": [
   ],
   "type": "user",
   "derived_key": "4a122a20c1a8fdddb5307c29078e2c4269abffa5",
   "salt": "36c0c05cf2a3ee321eabd10c46a8aa2a"
}

I tried copying the "_design/_auth" document from my local CouchDB installation to Cloudant, but the results are the same - no hashed password.

I appear to have gone off the rails at some point, but I'm not sure where this happened. How can I set up Cloudant to use the same kind of auth as regular CouchDB?

Answer 1

I found the answer via #cloudant IRC:

09:59 <+kocolosk> creating _users was the right thing to do

09:59 <+kocolosk> the API matches an older version of CouchDB where the passwords needed to hashed client-side

10:00 < jbeard> oh, I see

10:00 <+kocolosk> we're addressing that lack of support for automatic hashing

10:01 < jbeard> I'm trying to find documentation on client-side hashing in Couch.

10:02 < jbeard> What version of Couch is Cloudant aiming to be compatible with for _users?

10:04 <+kocolosk> jbeard: http://wiki.apache.org/couchdb/Security_Features_Overview

10:04 <+kocolosk> see "Generating password_sha (only applicable for 1.1.x and earlier)"

10:04 <+kocolosk> jbeard: this particular feature is the last bit where we are compatible with 1.1.x but not newer version

10:05 < jbeard> Excellent

10:05 < jbeard> That's what I needed to know

Answer 2

In fact, cloudant does not support the hash value generation. I found this alternative that helps to use the _users db in the cloudant service...

https://github.com/doublerebel/cloudant-user

Answer 3

As of 2020, Cloudant hashes the password but doesn't use the same hashing algorithm as CouchDB currently does (pbkdf2). For better security and compatibilty, it is still advisable to generate the hash yourselves, e.g. with couch-pwd.

And instead of supplying

{ "cloudant": { "nobody": ["_reader", "_writer", "_admin"] }, "readers": { "names":["demo"],"roles":[] } }

The docs now suggest the couchdb_auth_only flag:

{
  "couchdb_auth_only": true,
  "members": {
      "names": ["demo"],"roles":[]
  },
  "admins": {
      "names": ["admin"],"roles":[]
  }
}

But mind that the _admin role is not set automatically as in CouchDB 3.