couchdb-dev mailing list archives

From Chris Anderson <jch...@apache.org>
Subject Re: Reader ACLs
Date Mon, 18 Jan 2010 02:22:11 GMT
On Sun, Jan 17, 2010 at 1:45 PM, Chris Anderson <jchris@apache.org> wrote:
> Devs,
>
> We've had reader ACLs on the roadmap for a long time, and this morning
> I took the time to implement.
>
> The API is copied from the database admins API.
>

I've since updated both APIs to solve the flat-namespace issue. Now it
looks more like:

GET /db/_readers

{
  "names": ["jchris"],
  "roles": ["dev"]
}

PUT /db/_readers

{
  "names": ["jchris", "nslater"],
  "roles": ["dev", "robots"]
}

>
> If the _readers list is empty, the db is public.

If both the names and roles lists are empty, the db is public.

>
> This code still needs review. It's the first I've written that
> upgrades the disk format on the fly. Only use it on test data until it
> is merged to trunk. There is no code that will downgrade the new
> format back to trunk. Once it is committed it should upgrade
> seamlessly.

I've done more testing, but the code still needs review.

http://github.com/jchris/couchdb/tree/readeracl

Thanks,
Chris

>
> I've only done a little bit of testing, but I think the implementation
> is fairly solid (eg I can't see how someone could get access to a
> private db).
>
> The code is available here:
>
> http://github.com/jchris/couchdb/tree/readeracl
>
> tests: http://github.com/jchris/couchdb/blob/readeracl/share/www/script/test/reader_acl.js
>
> I plan to commit it once I've had some more eyes on it, hopefully
> early this week.
>
> Known issue: the reader ACLs inherit from the db-admins list the flat
> namespace of users and roles.
>
> This means there's a potential exploit where a user signs up with the
> username "doctor" and thus can write prescriptions.
>
> I think this is worth fixing before 1.0, b/c otherwise anyone who ever
> deploys Couch has to learn about the flat namespace and figure out how
> to discourage the exploit.
>
> Chris
>
>
> --
> Chris Anderson
> http://jchrisa.net
> http://couch.io
>
-- 
Chris Anderson
http://jchrisa.net
http://couch.io
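The reader-ACL semantics sketched in this thread, as an added JavaScript example that is not code from the readeracl branch or its reader_acl.js test: canRead implements the two-list check (public only when both names and roles are empty), and flatCanRead reconstructs the single-list behaviour behind the "doctor" issue so the two can be compared on constructed data; the function names and sample users are assumptions.

```javascript
// Added example, not CouchDB's own code. Models the _readers semantics from
// the message: a reader document carries separate "names" and "roles" lists,
// and a user context carries a name plus its roles. All data is constructed;
// flatCanRead is a reconstruction of the flat-namespace issue, not branch code.

// Old, flat-namespace check: one list mixing user names and role names.
// A user whose *name* equals a *role* entry is let in; that is the bug.
function flatCanRead(readers, userCtx) {
  if (readers.length === 0) return true;              // public db
  const entries = new Set(readers);
  if (entries.has(userCtx.name)) return true;
  return userCtx.roles.some((r) => entries.has(r));
}

// Updated check matching the new API: names match only names, roles only roles.
function canRead(readersDoc, userCtx) {
  const names = readersDoc.names || [];
  const roles = readersDoc.roles || [];
  if (names.length === 0 && roles.length === 0) return true; // public db
  if (names.includes(userCtx.name)) return true;
  return userCtx.roles.some((r) => roles.includes(r));
}

// Constructed _readers document, same shape as the PUT body in the message.
const readersDoc = { names: ["jchris", "nslater"], roles: ["dev", "robots"] };
// Constructed flat list as a single-namespace ACL would have stored it.
const flatReaders = ["jchris", "nslater", "dev", "robots"];

// A user who simply signed up with the name "dev" (the "doctor" scenario).
const impostor = { name: "dev", roles: [] };
const developer = { name: "alice", roles: ["dev"] };
const anon = { name: null, roles: [] };

// Returns every decision so the contrast between the two checks is visible.
function demo() {
  return {
    flatImpostor: flatCanRead(flatReaders, impostor),           // true: the bug
    impostor: canRead(readersDoc, impostor),                    // false
    developer: canRead(readersDoc, developer),                  // true via role
    named: canRead(readersDoc, { name: "nslater", roles: [] }), // true via name
    anonPrivate: canRead(readersDoc, anon),                     // false
    anonPublic: canRead({ names: [], roles: [] }, anon),        // true: public
  };
}
```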
