Solving "one database per user" in CouchDB/IrisCouch/Cloudant

Background

Security in a single CouchDB can only be set up to do either:

  • Everyone can read/write everything (admin party)
  • Everyone can read, some can write
  • Some can read everything, and those same people can write everything

So in the very common situation where you want user data to be private, the current best practice is to give every user a database. This sounds nuts at first, but it turns out that databases are cheap in CouchDB; Cloudant boasts that 100k databases in a single Couch is not uncommon (source).

However, actually implementing one database per user is not open-and-shut. You need a separate server process outside of CouchDB to handle it. Everyone has their own solution; here are some popular ones:

Update: the CouchDB Docker image now has built-in couch-per-user support, making this much easier to implement: https://hub.docker.com/r/klaemo/couchdb/
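
The requests such an external provisioning process sends to CouchDB's HTTP API, as an added example that is not from the original gist: it creates the user, a database named with couch_peruser's `userdb-<hex username>` convention, and a `_security` document listing only that user. The function names, parameters and sample values are hypothetical.

```javascript
// Added example (not the gist's code); function names are hypothetical.
// couch_peruser convention: "userdb-" + hex of the UTF-8 username, which keeps
// any username inside CouchDB's restricted database-name character set.
function userDbName(username) {
  return 'userdb-' + Buffer.from(username, 'utf8').toString('hex');
}

// Ordered admin requests that provision one private database. Pure function,
// so the plan can be reviewed and tested without a server.
function provisioningPlan(username, password) {
  if (typeof username !== 'string' || !username) throw new Error('username required');
  const id = 'org.couchdb.user:' + username;
  const db = userDbName(username);
  return [
    // 1. User document; CouchDB hashes the "password" field when it is saved.
    { method: 'PUT', path: '/_users/' + encodeURIComponent(id),
      body: { _id: id, name: username, type: 'user', roles: [], password } },
    // 2. The user's database.
    { method: 'PUT', path: '/' + db, body: null },
    // 3. Restrict membership to this user. A database with empty member lists
    //    is readable by anyone, so a failure here must abort provisioning.
    { method: 'PUT', path: '/' + db + '/_security',
      body: { admins: { names: [], roles: [] },
              members: { names: [username], roles: [] } } },
  ];
}

// Audit check for a fetched _security document: only this user is a member.
function isPrivateTo(security, username) {
  const m = (security && security.members) || {};
  const a = (security && security.admins) || {};
  return (m.names || []).length === 1 && m.names[0] === username &&
    (m.roles || []).length === 0 &&
    (a.names || []).length === 0 && (a.roles || []).length === 0;
}

// Runs the plan with server-admin credentials (Node 18+ global fetch).
async function provision(baseUrl, adminAuthHeader, username, password) {
  for (const step of provisioningPlan(username, password)) {
    const res = await fetch(baseUrl + step.path, {
      method: step.method,
      headers: { 'Content-Type': 'application/json', Authorization: adminAuthHeader },
      body: step.body === null ? undefined : JSON.stringify(step.body),
    });
    if (!res.ok) throw new Error(`${step.method} ${step.path}: HTTP ${res.status}`);
  }
  return userDbName(username);
}
```

Running `isPrivateTo` on the result of `GET /{db}/_security` after provisioning confirms the restriction actually took effect.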

@bshikhar13

commented Apr 5, 2017

I thought couch_peruser was added in CouchDB 2.0. When I tested it, it was not functioning. I also tried with CouchDB 1.6 and couldn't find the couch_peruser flag anywhere. I am working on an Ubuntu machine. What shall I do?

@spencerthayer

commented Jun 26, 2017

I don't think couch_peruser was ever implemented.

@bastiantowers

commented Jul 11, 2017

I've tested this too and it didn't work either, I think. In my case, when you create a user, it never creates this user's corresponding database.
It's weird because this couch_peruser feature is in the official documentation, but I've activated this flag and I didn't see any magic flowing....

Does anybody know if this couchperuser plugin works with Couch v2? Or does it only work with v1.6?

I've tried to install it on a Mac without success. When I've followed the README steps and executed the make command, I've received an error trying to find some couch-config command. I couldn't install this command in my PATH and couldn't find a way to have it available in my system.

I would really appreciate it if someone could help me with this! 😄

Maybe a downgrade to Couch v1.6 and using this couch_peruser daemon is a possible answer...

Thanks!!!

@gastonmorixe

commented Jul 25, 2017

@bastiantowers @spencerthayer couch_peruser is working on master recently, you need to compile it from master. 2.0 has a bug and does not work. Got it magically working on v. 2.1.0-82559b0

@bastiantowers

commented Jul 27, 2017

@gastonmorixe Thanks for your tip! I'm gonna try this out later, and see what happens. Have you tried this in a production environment, such as AWS or Cloudant or something similar?

Finally the implementation of the database-per-user using just the native Couch roles system was far easier than I believed. The only questionable thing is that I had to implement a server-side endpoint to manage this configuration when a new user/db is created, but it's fine for my requirements.
Thanks for your help!

@ozexpert

commented Nov 28, 2017

If we have a per-user database, wouldn't it be super painful to do multiple remote replicas?

@motin

commented Sep 18, 2018

As for Cloudant, I have found https://github.com/cloudant-labs/envoy (covered in https://developer.ibm.com/code/open/projects/cloudant-envoy/ and ):

Cloudant Envoy
Cloudant Envoy is a microservice that sits between your mobile or web application and your cloud database, allowing users to replicate your data layer, but handling the authentication and data segregation so that each user only sees his or her own data.

I am unsure if it is used by anyone though - no activity on the GitHub repo for over a year. There is also https://github.com/glynnbird/envoy-serverless (covered in https://medium.com/ibm-watson-data-lab/cloudant-envoy-serverless-edition-d68b08d536d7) but it seems even less used/tried.

@fredguth

commented Jan 8, 2019

@motin, I was checking the same. It seems interesting. I am not sure if it is overkill for most though.
