couchdb-dev mailing list archives

From David Goodlad <da...@goodlad.ca>
Subject Re: auth polishing
Date Sun, 17 Jan 2010 10:07:49 GMT
On Sun, Jan 17, 2010 at 8:52 PM, Chris Anderson <jchris@apache.org> wrote:
> I'm thinking maybe:
>
> _local/security:_design/foo
>
> where _design/foo is the name of the ddoc that contains the current
> validation function.
>
> local means it doesn't replicate. hmm, we also need to make sure the
> security doc can only be updated by admins (so maybe _security makes
> sense)
>
> That's nice and clean:
>
> _security/foo to go with _design/foo

I like the naming, but not the 'only be updated by admins' part. If
there were the concept of admins for individual dbs, I would be fine
with it, though.

> I have some code open in my editor: couch_db:check_is_admin()
>
> I'm planning to copy this and call it check_is_reader()
>
> So readers is a flat list of names and roles, per db.
>
> If the list is empty, anyone can read. If not, then only readers can
> read. A reader is someone whose name or roles match the db readers
> list. This means a private db is just a db where the reader list has
> one member, the db-admin.
>
> I think this level of reader ACL is the simplest thing that could
> possibly work, and pretty flexible too.
>
> Everything is readable by server admins.

Where is this list stored? As a document in the database?

Perhaps it could be part of the _security/* namespace, e.g. _security/readers?

Dave
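The reader ACL rules Chris lays out above (empty list means anyone can read, otherwise name or role must match, server admins always read), modelled as an added Python example; this is not CouchDB's Erlang code and not from either author. The `UserCtx` shape and the `_admin` role name used to mark server admins are assumptions, since the thread only says "server admins".

```python
"""Model of the per-db readers ACL proposed on couchdb-dev (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: server admins are marked by this role; the thread does not
# say how server admins are represented.
SERVER_ADMIN_ROLE = "_admin"


class Unauthorized(Exception):
    """Raised when the user context may not read the database."""


@dataclass
class UserCtx:
    name: Optional[str] = None            # None models an anonymous request
    roles: List[str] = field(default_factory=list)

    def is_server_admin(self) -> bool:
        return SERVER_ADMIN_ROLE in self.roles


def check_is_reader(user: UserCtx, readers: List[str]) -> bool:
    """Apply the thread's rules to a flat, per-db list of names and roles.

    Raises Unauthorized rather than returning False, so a caller that
    forgets to inspect the result still fails closed.
    """
    if user.is_server_admin():
        return True                       # "Everything is readable by server admins."
    if not readers:
        return True                       # "If the list is empty, anyone can read."
    allowed = set(readers)
    # The list is flat, so an entry matches either a name or a role: a user
    # whose *name* equals a role entry is admitted just like a role holder.
    if user.name is not None and user.name in allowed:
        return True
    if allowed.intersection(user.roles):
        return True
    raise Unauthorized("db is private and user is not in its readers list")


def can_read(user: UserCtx, readers: List[str]) -> bool:
    """Boolean wrapper for callers that only want a yes/no answer."""
    try:
        return check_is_reader(user, readers)
    except Unauthorized:
        return False
```

The last test case shows the consequence of a single flat list: the check cannot tell whether "staff" was meant as a name or as a role, so a user named "staff" is admitted to a db that listed "staff" as a role.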
