couchdb-dev mailing list archives

From Benoit Chesneau <bchesn...@gmail.com>
Subject Re: CouchDB Authentication and Authorization
Date Fri, 26 Jun 2009 06:09:00 GMT
2009/6/26 Jan Lehnardt <jan@apache.org>:
>
> On 25 Jun 2009, at 20:49, Benoit Chesneau wrote:
>>
>> That sounds good to me except for the anonymous stuff and user
>> specific data. Why not keep the same roles as the others and just specify
>> writer when you want to allow writes for guests?
>
> Can you elaborate on the "keeping same roles as other"? I'm open
> for suggestions :)
>
I was thinking that anonymous could be owner, reader and writer and by
default reader. There is no need for another role imo.

>
>> About the user specific data I'm a little afraid about security. I
>> think user database should be protected for all users except admins.
>
> Sure, the users database is an admin-only resource.
>
Oh I didn't understand that at first, sorry :)

>
>> Sure, the password is hashed/encrypted, but it is just a question of
>> time/number of CPUs before someone could decrypt these passwords. I would
>> prefer them not to be so easily available. So maybe user profiles & co could
>> be in an optional "profile" db. This is for the case when you expose the
>> database to the public. Maybe it's a little paranoid though.
>
> User-specific data that an app needs should live in documents
> separate from the docs that contain the hashes. Does that work
> for you?
>
>

Sure, that works if the docs with hashes are protected against reads. And
it's better since all data are in the same db.


- benoît
