10.3.9. /db/_security

GET /{db}/_security

Returns the current security object from the specified database.

The security object consists of two compulsory elements, admins and members, which are used to specify the list of users and/or roles that have admin and members rights to the database respectively:

  • members: they can read all types of documents from the DB, and they can write (and edit) documents to the DB except for design documents.
  • admins: they have all the privileges of members plus the privileges: write (and edit) design documents, add/remove database admins and members, set the database revisions limit and execute temporary views against the database. They can not create a database nor delete a database.

Both members and admins objects are contains two array-typed fields:

  • names: List of CouchDB user names
  • roles: List of users roles

Any other additional fields in the security object are optional. The entire security object is made available to validation and other internal functions so that the database can control and limit functionality.

If both the names and roles fields of either the admins or members properties are empty arrays, it means the database has no admins or members.

Having no admins, only server admins (with the reserved _admin role) are able to update design document and make other admin level changes.

Having no members, any user can write regular documents (any non-design document) and read documents from the database.

If there are any member names or roles defined for a database, then only authenticated users having a matching name or role are allowed to read documents from the database (or do a GET /{db} call).

Note

If the security object for a database has never been set, then the value returned will be empty.

Also note, that security objects are not regular versioned documents (that is, they are not under MVCC rules). This is a design choice to speedup authorization checks (avoids traversing a database`s documents B-Tree).

Parameters:
  • db – Database name
Request Headers:
 
  • Accept
    • application/json
    • text/plain
Response Headers:
 
  • Content-Type
    • application/json
    • text/plain; charset=utf-8
Response JSON Object:
 
  • admins (object) – Object with two fields as names and roles. See description above for more info.
  • members (object) – Object with two fields as names and roles. See description above for more info.
Status Codes:
  • 200 OK – Request completed successfully

Request:

GET /db/_security HTTP/1.1
Accept: application/json
Host: localhost:5984

Response:

HTTP/1.1 200 OK
Cache-Control: must-revalidate
Content-Length: 109
Content-Type: application/json
Date: Mon, 12 Aug 2013 19:05:29 GMT
Server: CouchDB (Erlang/OTP)

{
    "admins": {
        "names": [
            "superuser"
        ],
        "roles": [
            "admins"
        ]
    },
    "members": {
        "names": [
            "user1",
            "user2"
        ],
        "roles": [
            "developers"
        ]
    }
}
PUT /{db}/_security

Sets the security object for the given database.

Parameters:
  • db – Database name
Request Headers:
 
Request JSON Object:
 
Response Headers:
 
  • Content-Type
    • application/json
    • text/plain; charset=utf-8
Response JSON Object:
 
  • ok (boolean) – Operation status
Status Codes:
  • 200 OK – Request completed successfully
  • 401 Unauthorized – CouchDB Server Administrator privileges required

Request:

PUT /db/_security HTTP/1.1
Accept: application/json
Content-Length: 121
Content-Type: application/json
Host: localhost:5984

{
    "admins": {
        "names": [
            "superuser"
        ],
        "roles": [
            "admins"
        ]
    },
    "members": {
        "names": [
            "user1",
            "user2"
        ],
        "roles": [
            "developers"
        ]
    }
}

Response:

HTTP/1.1 200 OK
Cache-Control: must-revalidate
Content-Length: 12
Content-Type: application/json
Date: Tue, 13 Aug 2013 11:26:28 GMT
Server: CouchDB (Erlang/OTP)

{
    "ok": true
}

Previous topic

10.3.5. /db/_compact

Next topic

10.3.10. /db/_temp_view

More Help