-
-
Notifications
You must be signed in to change notification settings - Fork 219
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add couch configs to enable proxy authentication #9668
base: master
Are you sure you want to change the base?
Conversation
Signed-off-by: Robert <[email protected]>
c331dc9
to
ee7bcf5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rmayore this is great! I pulled down the changes and was able to get everything running locally. Thank you for the detailed instructions!
I just left some minor comments inline. 👍
One question I am interested in getting everyones' thoughts on is if we think it would be a problem to have the proxy_authentication_handler
always enabled (even when a deployment is not using SSO)? It seems like you can enable it without any disruption to the default/cookie_authentication_handler
s, so probably the only concern would be around security. The proxy auth could theoretically increase the attack surface since it allows admin access to anyone with the secret and direct access to the Couch instance. However, I am not sure this is a major concern. The Couch secret is already carefully managed with the other sensitive values such as the admin user/pass. Additionally, on a proper production deployment, the Couch ports should not be accessible. Instead all traffic should be proxyed through the api server. Thoughts?
authentication_handlers = {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, proxy_authentication_handler}, {chttpd_auth, default_authentication_handler} | ||
|
||
[chttpd_auth] | ||
require_valid_user = true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we need to set this here. It is already set on line 20
(and I think it belongs in the chttpd
section antyway).
require_valid_user = true |
|
||
[chttpd_auth] | ||
require_valid_user = true | ||
secret = 5ec56423-0856-4b13-8ab7-9b476fea2c39 ; CHANGE ME - proxy secret |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I also do not think we need to hard-code the secret
here. Unless I am mistaken, the COUCHDB_SECRET envar you can supply to the couch container gets set as the httpd_auth.secret
value.
secret = 5ec56423-0856-4b13-8ab7-9b476fea2c39 ; CHANGE ME - proxy secret |
[chttpd_auth] | ||
require_valid_user = true | ||
secret = 5ec56423-0856-4b13-8ab7-9b476fea2c39 ; CHANGE ME - proxy secret | ||
x_auth_roles = X-Auth-CouchDB-Roles ; http header name for passing the comma separated couch user roles |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like you just kept the default values for these header names. As far as I know, the default values should work fine for our case, but do we even need to include this config here if we just use the default values?
Description
Building couchdb image with proxy auth enabled
npm ci
npm run build-dev
npm run local-images
docker image ls
to get the new, timestamped, locally build couchdb imagedocker-compose.yml
fileRestarting existing couchdb container with proxy auth enabled (thanks @mrjones-plip)
docker exec -it cht-docker-couchdb-1 bash
vi /opt/couchdb/etc/default.d/10-docker-default.ini
. You might have to install your favorite editor if it's not present in the containerCOUCHDB_USER=medic COUCHDB_PASSWORD=password docker compose -f docker-compose.yml -f couchdb-override.yml restart
Generating proxy auth token
Use the secret to generate a HMAC of the username... this will become our proxy token.
echo -n "username" | openssl dgst -sha256 -hmac "the_secret"
Code review checklist
can_view_old_navigation
permission to see the old design.License
The software is provided under AGPL-3.0. Contributions to this project are accepted under the same license.