couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benoit Chesneau <>
Subject auth per db - thoughts and question
Date Sun, 01 Nov 2009 11:33:59 GMT

I'm working on a authentification per db for couchdb. I failed to find
a right system actually and trashed my code this morning. Suggested by
Jan, I post here my thoughts about it. Main goals are :

- Set permission read or write for users on a db
- Since dbs are replicated, permissions on these dbs should be
replicated too in a relatively untrusted environment.

For now I see 2 possibilities :

- one would be having couchdb node acting as provider : a user would
be identified by its username and node hostname : user@nodehostename.
Auuthentification is done on the provider hosting the user. Each db
have a list of capababilities and owner:

   "_id" : "_acl/username",
  "read": true,
  "write": true,
  "owner": true

An owner could set permissions of others users on a db. This process
is similar to XMPP / Wave system but it imply that all nodes stay
online to authenticate a user.

- another possibility would be using a system of pub/private key. Each
db have a list of users + their public key which would be replicated
with the db :

   "_id" : "_acl/username",
  "read": true,
  "write": true,
  "owner": true,
  "key": publickey

ssl could be use for that. Each users connect to a database with its
private key, and CouchDB get rights for this db. This process have one
advantage compared to the one above because it allow to decentralize
authentication. One other way to do it could be to store a secret key
instead of using private/public key system but using ssl would allow
any browser/http client to connect automatically and add some trust to
the system. An admin could eventually revoke some users on its node

I would be for the last one to keep all the p2p replication system.
Any other ideas? Damien how works the auth system on Notes ?

- benoƮt

View raw message