couchdb-dev mailing list archives

From Brian Candler <B.Cand...@pobox.com>
Subject Re: Reader ACLs
Date Tue, 19 Jan 2010 09:56:26 GMT
On Tue, Jan 19, 2010 at 06:40:45AM +0000, Brian Candler wrote:
> If it's desirable that these things *don't* replicate, then I propose the
> following instead.
> 
> (1) User has a role "dbname:_admin" if they're a database administrator, and
> "dbname:_reader" if they're a reader.
> 
> (2) That's it.
> 
> I make the following observations:
> 
> * We already must know the roles associated with this user, so
>   the checking is cheap
> * It scales (N users each with access to M databases)
> * It doesn't have concurrency issues
> * It doesn't involve a special API nor changes to the on-disk format
> * It easily supports the idea of a separate "db:_manager" role (who can
>   add users to and remove users from a database, except for _admins)

Note that for database admin A to add access for user U, they first need to
be able to read U's user record, as it's a read-modify-write operation.

The _users database is world-readable at the moment anyway.

If in future that gets locked down, then either:

(1) you allow anyone with admin rights to *any* database to be able to read
    all users; or

(2) you have a special endpoint for "grant/revoke role X to user B"
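As an added illustration of the per-database role scheme discussed in this message (example code written for this page, not code from the thread or from CouchDB): the roles "dbname:_admin", "dbname:_reader" and "dbname:_manager" are taken from the proposal, the in-memory UsersDB class is a hypothetical stand-in for the _users database whose put() mirrors CouchDB's rejection of a write carrying a stale _rev, the sample user documents are constructed data, and it is assumed (not stated in the message) that a database _admin can also read the database. change_role() is the read-modify-write grant described above, so the actor must first be able to fetch the target's user record.

```python
import copy
import uuid

ADMIN, READER, MANAGER = "_admin", "_reader", "_manager"


class Forbidden(Exception):
    """Actor lacks the role needed for the operation."""


class Conflict(Exception):
    """Write rejected because the document's _rev is stale."""


def role_name(dbname, role):
    """Build the per-database role string, e.g. 'projects:_reader'."""
    return f"{dbname}:{role}"


def can_read(roles, dbname):
    # Assumption for this example: a database admin can also read it.
    return role_name(dbname, READER) in roles or role_name(dbname, ADMIN) in roles


def can_admin(roles, dbname):
    return role_name(dbname, ADMIN) in roles


def can_change_role(actor_roles, dbname, role):
    """_admin may grant/revoke any role on its database; _manager may
    grant/revoke only non-_admin roles; everyone else is refused."""
    if can_admin(actor_roles, dbname):
        return True
    if role_name(dbname, MANAGER) in actor_roles:
        return role != ADMIN
    return False


class UsersDB:
    """Hypothetical in-memory stand-in for the _users database.
    get() returns a copy of a document; put() refuses a document whose
    _rev no longer matches the stored one, mirroring CouchDB's
    update-conflict behaviour when two writers race on the same record."""

    def __init__(self, docs):
        self._docs = {d["_id"]: copy.deepcopy(d) for d in docs}

    def get(self, user_id):
        return copy.deepcopy(self._docs[user_id])

    def put(self, doc):
        stored = self._docs[doc["_id"]]
        if doc["_rev"] != stored["_rev"]:
            raise Conflict(f"{doc['_id']}: stale _rev {doc['_rev']}")
        seq = int(stored["_rev"].split("-", 1)[0]) + 1
        new = copy.deepcopy(doc)
        new["_rev"] = f"{seq}-{uuid.uuid4().hex}"  # simplified revision id
        self._docs[doc["_id"]] = new
        return new["_rev"]


def change_role(db, actor_roles, target_id, dbname, role, revoke=False):
    """Grant or revoke '<dbname>:<role>' on a user record (hypothetical helper).

    This is the read-modify-write described in the message: authorise the
    actor, read the target's user document, edit its roles list and write
    it back with the _rev that was read."""
    if not can_change_role(actor_roles, dbname, role):
        verb = "revoke" if revoke else "grant"
        raise Forbidden(f"cannot {verb} {role_name(dbname, role)}")
    doc = db.get(target_id)
    roles = set(doc.get("roles", []))
    if revoke:
        roles.discard(role_name(dbname, role))
    else:
        roles.add(role_name(dbname, role))
    doc["roles"] = sorted(roles)
    db.put(doc)
    return doc["roles"]


def sample_users_db():
    """Constructed sample data in the shape of CouchDB _users documents."""
    return UsersDB([
        {"_id": "org.couchdb.user:alice", "_rev": "1-a", "name": "alice",
         "roles": ["projects:_admin"]},
        {"_id": "org.couchdb.user:carol", "_rev": "1-c", "name": "carol",
         "roles": ["projects:_manager"]},
        {"_id": "org.couchdb.user:bob", "_rev": "1-b", "name": "bob",
         "roles": []},
    ])


if __name__ == "__main__":
    db = sample_users_db()
    alice = db.get("org.couchdb.user:alice")["roles"]
    print(change_role(db, alice, "org.couchdb.user:bob", "projects", READER))
```

The _rev check is what keeps two administrators editing the same user record from silently overwriting each other's grant: the second writer gets a Conflict and must re-read and retry, which is the concurrency property CouchDB already provides for any document update.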
