couchdb-dev mailing list archives

From Chris Anderson <jch...@apache.org>
Subject Reader ACLs
Date Sun, 17 Jan 2010 21:45:32 GMT
Devs,

We've had reader ACLs on the roadmap for a long time, and this morning
I took the time to implement.

The API is copied from the database admins API.

There is a list of readers for each database.

GET /db/_readers to see the list

PUT /db/_readers to change the list

The list is a JSON array like ["top-secret", "jan", "editors"]

If a user's name or any of their roles is in the list, they have read
access to the db.

If the _readers list is empty, the db is public.

This code still needs review. It's the first I've written that
upgrades the disk format on the fly. Only use it on test data until it
is merged to trunk. There is no code that will downgrade the new
format back to trunk. Once it is committed it should upgrade
seamlessly.

I've only done a little bit of testing, but I think the implementation
is fairly solid (e.g. I can't see how someone could get access to a
private db).

The code is available here:

http://github.com/jchris/couchdb/tree/readeracl

tests: http://github.com/jchris/couchdb/blob/readeracl/share/www/script/test/reader_acl.js

I plan to commit it once I've had some more eyes on it, hopefully
early this week.

Known issue: the reader ACLs inherit from the db-admins list the flat
namespace of users and roles.

This means there's a potential exploit where a user signs up with the
username "doctor" and thus can write prescriptions.

I think this is worth fixing before 1.0, b/c otherwise anyone who ever
deploys Couch has to learn about the flat namespace and figure out how
to discourage the exploit.

Chris


-- 
Chris Anderson
http://jchrisa.net
http://couch.io
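
The access rule described in the message (name or any role in the _readers array grants read access, empty array means public) and the flat-namespace problem it flags can be modelled in a few lines. The following is an added example written for this page, not code from the CouchDB branch linked above: it assumes a userCtx of the shape {name, roles} (the shape CouchDB hands to validation functions), a hypothetical validateReadersBody() for the PUT /db/_readers payload, and a hypothetical namespaced {names, roles} structure as one possible way to separate usernames from roles. That namespaced form is an illustration of the fix the author says is needed, not a description of what the project shipped.

```javascript
// Added example: a model of the reader ACL semantics from the post.
// Not CouchDB code. userCtx shape assumed: {name: "jan", roles: ["editors"]}.

// Validate a PUT /db/_readers body: must be a JSON array of strings.
// (Hypothetical check; the post does not say how the server validates input.)
function validateReadersBody(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return { ok: false, error: "body is not valid JSON" };
  }
  if (!Array.isArray(parsed)) {
    return { ok: false, error: "readers must be a JSON array" };
  }
  if (!parsed.every(function (x) { return typeof x === "string"; })) {
    return { ok: false, error: "every reader entry must be a string" };
  }
  return { ok: true, readers: parsed };
}

// Flat namespace, as described in the post: one array holds both user names
// and role names, and a match on either grants read access.
function canReadFlat(readers, userCtx) {
  var roles = userCtx.roles || [];
  if (readers.length === 0) return true;                 // empty list => public db
  if (readers.indexOf(userCtx.name) !== -1) return true; // matched by user name
  return roles.some(function (r) { return readers.indexOf(r) !== -1; }); // or by any role
}

// Namespaced variant (illustrative hardening, not the project's API): user
// names and roles live in separate arrays, so a username can never satisfy a
// role entry. Both arrays empty => public db.
function canReadNamespaced(sec, userCtx) {
  var names = sec.names || [];
  var roles = sec.roles || [];
  var userRoles = userCtx.roles || [];
  if (names.length === 0 && roles.length === 0) return true;
  if (names.indexOf(userCtx.name) !== -1) return true;
  return userRoles.some(function (r) { return roles.indexOf(r) !== -1; });
}

// Reproduce the "doctor" scenario from the post: the admin meant "doctor" as a
// role, but a user who signs up with the username "doctor" also matches.
function doctorScenario() {
  var readers = validateReadersBody('["doctor"]').readers; // constructed input
  var impostor = { name: "doctor", roles: [] };            // self-registered username
  var realDoctor = { name: "bob", roles: ["doctor"] };     // has the role
  return {
    flatImpostor: canReadFlat(readers, impostor),                         // true: the hole
    flatRealDoctor: canReadFlat(readers, realDoctor),                     // true
    namespacedImpostor: canReadNamespaced({ roles: ["doctor"] }, impostor),   // false
    namespacedRealDoctor: canReadNamespaced({ roles: ["doctor"] }, realDoctor) // true
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(doctorScenario());
}
```

The flat model shows why the author calls the username collision a potential exploit: nothing in a single array distinguishes a role entry from a name entry, so anyone who can pick their own username can pick one that appears in someone's _readers list. Separating the two namespaces removes that ambiguity without changing the "empty means public" rule.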
