couchdb-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Couchdb Wiki] Update of "Security_Features_Overview" by GregorMartynus
Date Mon, 12 Nov 2012 12:59:12 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Couchdb Wiki" for change notification.

The "Security_Features_Overview" page has been changed by GregorMartynus:
http://wiki.apache.org/couchdb/Security_Features_Overview?action=diff&rev1=33&rev2=34

Comment:
As of 1.2, "readers" group in _security object has been renamed to "members"

  == Authorization ==
  As of CouchDB 0.11, three types of users can be defined:
  
-  * database readers - Defined per database. They can read all types of documents from the
DB, and they can write (and edit) documents to the DB except for design documents.
+  * database members - Defined per database. They can read all types of documents from the
DB, and they can write (and edit) documents to the DB except for design documents.
  
-  * database admins - Defined per database. They have all the privileges readers have plus
the privileges: write (and edit) design documents, add/remove database admins and readers,
set the database revisions limit (''/somedb/_revs_limit'' API) and execute temporary views
against the database (''/somedb/_temp_view'' API). They can not create a database and neither
delete a database.
+  * database admins - Defined per database. They have all the privileges members have plus
the privileges: write (and edit) design documents, add/remove database admins and members,
set the database revisions limit (''/somedb/_revs_limit'' API) and execute temporary views
against the database (''/somedb/_temp_view'' API). They can not create a database and neither
delete a database.
  
   * server admins - Defined per CouchDB server. They have all the privileges.
  
  Server admins are defined in the ''admins'' section of the .ini configuration files. See
[[Setting_up_an_Admin_account]] for more details.
  
- Database admins and readers are defined in the security object of a database. This security
object, located under "/db_name/_security" in CouchDB version 0.11 and above, is a JSON document
having the following structure:
+ Database admins and members are defined in the security object of a database. This security
object, located under "/db_name/_security" in CouchDB version 0.11 and above, is a JSON document
having the following structure:
  
  {{{
  {
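Review bot: the bullet list under "As of CouchDB 0.11, three types of users can be defined" now calls the per-database group "members", but the change comment states the rename happened in 1.2, so on 0.11 through 1.1 servers this group is still "readers" and a reader of the renamed text will not find a "members" group there. Add one sentence to the "database members" bullet (or beside the 0.11 reference) saying that before 1.2 this group was named "readers", so the version statement and the new name do not contradict each other.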
@@ -43, +43 @@

       "names" : ["joe", "phil"],
       "roles" : ["boss"]
     },
-    "readers" : {
+    "members" : {
       "names" : ["dave"],
       "roles" : ["producer", "consumer"]
     }
@@ -51, +51 @@

  }}}
  Note that security objects are not regular versioned documents (that is, they are not under
MVCC rules). This is a design choice to speedup authorization checks (avoids traversing a
database's documents B-Tree).
  
- If both the names and roles fields of either the admins or readers properties are empty
arrays, it means the database has no admins or readers. Having no admins, only server admins
(with the reserved _admin role) are able to update design document and make other admin level
changes. Having no readers, any user can write regular documents (any non-design document)
and read documents from the database.
+ If both the names and roles fields of either the admins or members properties are empty
arrays, it means the database has no admins or members. Having no admins, only server admins
(with the reserved _admin role) are able to update design document and make other admin level
changes. Having no members, any user can write regular documents (any non-design document)
and read documents from the database.
  
  '''Note:''' If there are any reader names or roles defined for a database, then only authenticated
users having a matching name or role are allowed to read documents from the database (or do
a GET /db_name/ call).
  
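Review bot: the closing "'''Note:'''" paragraph in this hunk still says "any reader names or roles" while every other occurrence in the diff was renamed, so it should read "any member names or roles" to match the "members" key shown in the _security example. Two smaller points in the renamed paragraph: "able to update design document" should be "able to update design documents", and since the paragraph states that with no members any user can write regular documents, it would help to say explicitly whether a non-empty members list restricts writes of regular documents as well as reads, because the note currently mentions only reads and "GET /db_name/".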
