couchdb-dev mailing list archives

From Benoit Chesneau <bchesn...@gmail.com>
Subject Re: Per-DB Auth Ideas and Proposal
Date Tue, 15 Sep 2009 16:38:08 GMT
On Mon, Sep 14, 2009 at 10:09 PM, Jason Davies <jason@jasondavies.com> wrote:
> Hi all,
>
> Thanks for all the excellent responses!
>
> With Chris Anderson's "simplest thing that could possibly work" idea in
> mind, here's a quick summary of what I plan to implement as a first cut.
>  I've taken ideas from multiple responses on this thread, so I wasn't sure
> which message to reply to, but this plan is mostly inspired by Adam's ACL
> ideas so I've included that message below this one for reference.
>
> The simplest idea is that we have a special doc in each database,
> "_local/_acl" or similar, containing a list of [role(s), "read" or "write"]
> pairs.  By default everything is denied to everyone (except _admin).  The
> most common use case would be to then have ["username", "read"] and
> ["username", "write"] to give a user read and write permissions to that
> particular database.  (In this example, I've assumed that in the _users
> database we map the "username" user to the "username" role for simplicity).
>  If we want to give particular access (e.g. read-only) to *everyone*, we can
> use the special "*" string to denote a wildcard, which matches any role,
> including no role at all e.g. ["*", "read"].

Will this doc be replicated?

>
> I envisage this default "deny all" behaviour being a switch in the .ini
> file, so people will only turn it on once they have users and/or ACLs set
> up.

I don't like the default, imo, by default everything should be open and
then you close the door or not.


> Thanks,
> --
 thanks to you :)

- benoit
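
The access check proposed in the quoted message, written out as an added example; it is not code from this thread or from CouchDB. It covers the [role(s), "read" or "write"] pairs, the "*" wildcard, the _admin exception and the deny-all switch. Assumptions: the pairs live in a `rules` field, the user is passed as `{roles: [...]}`, `enforceAcl` stands in for the .ini switch, and "write" does not imply "read".

```javascript
// Added example; all names here are hypothetical, not CouchDB's API.
const ADMIN_ROLE = "_admin";
const WILDCARD = "*";

// Constructed sample of the proposed "_local/_acl" doc ("rules" is an assumed field name).
const sampleAcl = {
  _id: "_local/_acl",
  rules: [
    ["alice", "read"],
    ["alice", "write"],
    [["editors", "reviewers"], "write"], // "role(s)": a list of roles in one pair
    ["*", "read"],                       // read-only access for everyone
  ],
};

// True when the rule's role entry (string or array of strings) applies to the user.
function ruleMatches(ruleRoles, userRoles) {
  const wanted = Array.isArray(ruleRoles) ? ruleRoles : [ruleRoles];
  if (wanted.includes(WILDCARD)) return true; // matches any role, including no role
  return wanted.some((role) => userRoles.includes(role));
}

// op is "read" or "write"; enforceAcl models the proposed deny-all switch.
function isAllowed(aclDoc, userCtx, op, enforceAcl) {
  if (op !== "read" && op !== "write") throw new TypeError("unknown op: " + op);
  if (!enforceAcl) return true; // switch off: the database stays open
  const roles = userCtx && Array.isArray(userCtx.roles) ? userCtx.roles : [];
  if (roles.includes(ADMIN_ROLE)) return true; // _admin is never denied
  // A missing or malformed ACL doc grants nothing: deny is the fallback.
  const rules = aclDoc && Array.isArray(aclDoc.rules) ? aclDoc.rules : [];
  return rules.some(
    (rule) =>
      Array.isArray(rule) &&
      rule.length === 2 &&
      rule[1] === op &&
      ruleMatches(rule[0], roles)
  );
}
```

With `enforceAcl` set to false the function allows everything, which is the open-by-default behaviour asked for in the reply; with it set to true, a database that has no ACL doc is readable and writable only by _admin.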
