Apache CouchDB, the NoSQL database lauded for its speed and querying capacities, but derided for potentially lax default security choices, just rolled out a 3.0 release that addresses the security questions head-on, making the database now “secure by default.”
The CouchDB 3.0 release also addresses some of the database’s horizontal scalability constraints, improves its native full-text search system, and adds other performance optimizations.
Since its inception, CouchDB has favored what its developers describe as an “open by default” philosophy, meaning default configurations were designed to make it easy to get the database up and running. However, these default choices also made CouchDB more vulnerable to attack. In 2017, many open-by-default CouchDB deployments were vandalized.
CouchDB 3.0 follows many of the security practices of the old school, SQL databases. You must supply an admin password upon installation, and all newly created databases are accessible only to server admin users by default, instead of world-readable and world-writeable. CouchDB 3.0 also adds more granular user roles. For example, the new _metrics system role allows users to obtain system statistics from CouchDB API endpoints without admin permissions.
Two new features aim to enhance performance, partitions, and shard splitting. When you set up CouchDB 3.0, you’re given the option to add partitions, which group documents logically according to a partition key and store them together in a single shard. Partitioning speeds up queries for data normally kept together, since the index doesn’t have to be traversed as much.
Shard splitting is an enhancement of the existing sharding technology in CouchDB, which allows a database to be split or “sharded” across multiple nodes. The downside: You have to decide how many shards, and where they go, at install time; you can’t re-shard after the fact. Shard splitting allows you to rebalance shards without having to reconfigure CouchDB. (You can’t yet merge shards, however.)
Another performance-enhancing CouchDB 3.0 feature is I/O queue controls, which allow you to prioritize certain classes of I/O operations. For instance, if you have a read-heavy database, you could opt to allow read I/O operations to bypass the queue for the sake of speed.
CouchDB 2.0 used a clustered, Lucene-powered search system, contributed by IBM, that had a reputation for being difficult to set up and work with. CouchDB 3.0 improves the installation and setup process for the Lucene bundle, with Kubernetes Helm charts and Chef recipes to automate the process.
This story, “CouchDB 3.0 puts safety first” was originally published by
Share this post if you enjoyed! 🙂