couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Candler <B.Cand...@pobox.com>
Subject Re: Auth Roadmap
Date Wed, 10 Feb 2010 22:27:46 GMT
On Wed, Feb 10, 2010 at 07:26:00AM -0800, Chris Anderson wrote:
> The problem with this approach, imho, is that currently users have the
> same set of roles in every db. That is, your userCtx doesn't change
> depending on the db you are accessing. I can see how adding that
> capability increases flexibility. But it's the sort of flexibility
> that I see having a nasty complexity tax. Eg: currently the /_session
> resource is server-wide. As soon as some roles are available on
> certain dbs and not others, we need to make it /db/_session which is
> misleading as you don't actually log into dbs, you log into the
> server.

Yes this could be confusing, especially adding db-roles to system-roles.

Maybe it's clearer to think of it as "groups" and "rights":

* "groups" are what your user is a member of (in your global _session).
* "rights" are what you can do in a particular database.
* "rights" within a db can be assigned to individual users or to groups.
* The "_admin" group picks up "_admin" rights automatically on all dbs.

Regards,

Brian.

Mime
View raw message