From dev-return-3190-apmail-couchdb-dev-archive=couchdb.apache.org@couchdb.apache.org Sat Mar 07 01:55:32 2009 Return-Path: Delivered-To: apmail-couchdb-dev-archive@www.apache.org Received: (qmail 68083 invoked from network); 7 Mar 2009 01:55:32 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 7 Mar 2009 01:55:32 -0000 Received: (qmail 403 invoked by uid 500); 7 Mar 2009 01:55:31 -0000 Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org Received: (qmail 363 invoked by uid 500); 7 Mar 2009 01:55:31 -0000 Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@couchdb.apache.org Delivered-To: mailing list dev@couchdb.apache.org Received: (qmail 351 invoked by uid 99); 7 Mar 2009 01:55:31 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 06 Mar 2009 17:55:31 -0800 X-ASF-Spam-Status: No, hits=1.4 required=10.0 tests=FS_REPLICA,RCVD_IN_DNSWL_LOW,SPF_NEUTRAL X-Spam-Check-By: apache.org Received-SPF: neutral (athena.apache.org: local policy) Received: from [209.68.5.17] (HELO relay03.pair.com) (209.68.5.17) by apache.org (qpsmtpd/0.29) with SMTP; Sat, 07 Mar 2009 01:55:23 +0000 Received: (qmail 70836 invoked from network); 7 Mar 2009 01:55:00 -0000 Received: from 96.33.90.152 (HELO ?192.168.1.195?) (96.33.90.152) by relay03.pair.com with SMTP; 7 Mar 2009 01:55:00 -0000 X-pair-Authenticated: 96.33.90.152 Message-Id: From: Damien Katz To: dev@couchdb.apache.org In-Reply-To: <424B466D-E99C-43ED-9889-1F053E28DE92@apache.org> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v930.3) Subject: Re: Replication security branch almost done Date: Fri, 6 Mar 2009 20:55:00 -0500 References: <6EFA50CD-65EC-4FC2-9D47-CF8C3111272E@apache.org> <66F84A16-00F5-434A-8443-DBC544B183AA@gmail.com> <424B466D-E99C-43ED-9889-1F053E28DE92@apache.org> X-Mailer: Apple Mail (2.930.3) X-Virus-Checked: Checked by ClamAV on apache.org On Mar 6, 2009, at 9:13 AM, Damien Katz wrote: > > On Mar 5, 2009, at 12:44 PM, Adam Kocoloski wrote: > >> On Mar 4, 2009, at 3:24 PM, Damien Katz wrote: >> >>> The replication security branch is finally near completion, this >>> work is makes CouchDB enforces security during replication, to >>> allow CouchDB databases to be exposed directly to clients and >>> replicators. >>> svn co http://svn.apache.org/repos/asf/couchdb/branches/rep_security >>> This branch also has revision stemming work, but it doesn't >>> actually do the stemming yet. But that's simple to add later and >>> will still work with the same replication protocol. >>> >>> This version removes all or nothing bulk updates w/ conflict >>> checking as it was the only way I could get everything else >>> working. However, it's still possible we'll add it back if needed. >>> I'm in favor of removing it all together for now and seeing if we >>> can live with it. Thoughts please. >>> >>> I'd appreciate people testing it out. Also writing more JS tests >>> would be a big help too. >>> >>> This branch right now is a month or so behind trunk, so recent >>> fixes/features are missing until I merge it to latest. Sorry. >>> >>> -Damien >> >> Hi Damien, at the end of security_validation.js, you have >> >>> // this is a legal edit >>> var foo2 = dbB.open("foo2"); >>> foo2.value = "b"; >>> dbB.save(foo2); >>> >>> var results = CouchDB.replicate(B, A); >>> >>> >>> >>> // The edit to foo2 should have replicated. >>> T(dbA.open("foo2").value == "a"); >> >> I'm confused. If that was a legal edit, shouldn't the value of >> foo2 on dbA == "b"? I noticed a line in the log when I run this test >> >>> [info] [<0.121.0>] error replicating document "foo2" rev >>> "2-3418587803":{unauthorized, <<"You are not the author of this >>> document. You jerk.">>} >> >> and I if I inspect the two DBs I see that the change did not >> replicate. Hope it helps, Adam > > Thanks Adam. I'm doing more testing and debugging today. > > -Damien I've got this all fixed up and lots more testing in general on replication. I also completed revision stemming today. By default, revisions are limited to 1000, and the limit is settable: "PUT /db/_revs_limit" See the rev_stemming test for more usage details. This branch is starting to look pretty solid. -Damien