couchdb-dev mailing list archives

From "Brian Candler (JIRA)" <>
Subject [jira] Commented: (COUCHDB-661) _all_dbs should list only the DBs accessible to the user
Date Sun, 21 Feb 2010 21:55:27 GMT


Brian Candler commented on COUCHDB-661:

Looks like a serious DoS to me, with "only" 7500 databases.

If _all_dbs won't scale, then I think it should be for admins only (ideally with startkey/limit
like _all_docs for efficient pagination, but that's a different issue)

Or perhaps it should be possible to replace _all_dbs with a view in a 'real' database for

e.g. occasionally you could copy all the _security objects into another database, and generate
a view with keys like
for efficient querying.

(IMHO this is another reason why _security objects should be real docs: so that you can follow
a _changes feed on them)

> _all_dbs should list only the DBs accessible to the user
> --------------------------------------------------------
>                 Key: COUCHDB-661
>                 URL:
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>    Affects Versions: 0.11
>         Environment: trunk / 0.11
>            Reporter: Filipe Manana
>             Fix For: 0.11
>         Attachments: couchdb-_all_dbs-auth-2.patch, couchdb-_all_dbs-auth.patch
> As discussed in the auth roadmap mail, sent by Chris to @dev, the _all_dbs URI should only list the DBs that are accessible to the user.
> The following patch is a naive solution. It doesn't scale for CouchDB servers with millions of DBs. Regarding this scaling detail, I'll discuss soon in the @dev mailing list some ideas.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
