Return-Path: Delivered-To: apmail-couchdb-dev-archive@www.apache.org Received: (qmail 55307 invoked from network); 14 Sep 2009 19:54:01 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 14 Sep 2009 19:54:01 -0000 Received: (qmail 73172 invoked by uid 500); 14 Sep 2009 19:54:00 -0000 Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org Received: (qmail 73099 invoked by uid 500); 14 Sep 2009 19:54:00 -0000 Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@couchdb.apache.org Delivered-To: mailing list dev@couchdb.apache.org Received: (qmail 73089 invoked by uid 99); 14 Sep 2009 19:54:00 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 14 Sep 2009 19:54:00 +0000 X-ASF-Spam-Status: No, hits=-1.0 required=10.0 tests=RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: local policy) Received: from [91.189.90.139] (HELO adelie.canonical.com) (91.189.90.139) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 14 Sep 2009 19:53:49 +0000 Received: from hutte.canonical.com ([91.189.90.181]) by adelie.canonical.com with esmtp (Exim 4.69 #1 (Debian)) id 1MnHc8-0001Se-JP for ; Mon, 14 Sep 2009 20:53:28 +0100 Received: from c-68-34-107-76.hsd1.md.comcast.net ([68.34.107.76] helo=[192.168.1.5]) by hutte.canonical.com with esmtpsa (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from ) id 1MnHc8-0001YI-EQ for dev@couchdb.apache.org; Mon, 14 Sep 2009 20:53:28 +0100 Message-ID: <4AAE9F36.50000@canonical.com> Date: Mon, 14 Sep 2009 15:53:26 -0400 From: eric casteleijn User-Agent: Thunderbird 2.0.0.23 (X11/20090817) MIME-Version: 1.0 To: dev@couchdb.apache.org Subject: Re: Per-DB Auth Ideas and Proposal References: <8F048321-4C3C-424C-8FC4-0C99354AB728@jasondavies.com> <8989606E-3CAF-42C9-9935-FCAC0FAD81D3@apache.org> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org > I played around with read & write access lists but write can be > handled by the validation function so it's not necessary. I'm not entirely convinced the current validation functions, living in more or less as content in the database are sufficient for anything but very simple permission models. I foresee a lot of problems if two users have very broad permissions (say what is currently known as 'admin') in the same database, but one shouldn't be able to modify certain design documents. Any way of modelling that with validation functions seems very tricky to me: User 1, whom we shall call 'super_admin', creates a design document, with a validator function restricting all write access to any document with id prefix '_design/special_view_' to user 'super_admin'. The validator function itself should not be modifiable by user 2 'regular_admin' or it is worthless, of course. This would work, except there is nothing stopping 'regular_admin' from adding their own validator, restricting 'super_admin' similarly from those design_documents, and from the design_document this validator is in, and now everybody is locked out. Currently, I see no other possibility to model this (very real) use case, where you want a user to be able to write to almost every document (by replication from their machine), except for a few views (because we'll be executing those on our cloud server node) without ending up with a variant on the above cold war arms race scenario. The simplest way to solve this that I see is if the permissions live in a place that regular_admin simply does not have any access to (i.e. the global _user db) but where a global admin can grant or restrict permissions at will. -- - eric casteleijn https://launchpad.net/~thisfred http://www.canonical.com