couchdb-dev mailing list archives

From Jason Smith <...@iriscouch.com>
Subject Re: The replicator needs a superuser mode
Date Wed, 17 Aug 2011 02:23:18 GMT
On Wed, Aug 17, 2011 at 7:03 AM, Adam Kocoloski <kocolosk@apache.org> wrote:
> On Aug 16, 2011, at 5:46 PM, Randall Leeds wrote:
>
>> -1 on _skip_validation and new role
>>
>> One can always write a validation document that considers the role, no? Why
>> can't users who need this functionality craft a validation function for this
>> purpose? This sounds like a blog post and not a database feature.
>
> Blech, really?
>
> Q: What request do I issue to guarantee all my documents are stored in this other database?
>
> A: Unpossible.
>
> Practically speaking we need it at Cloudant because we use replication to move users'
> databases between clusters.  If it's not seen as generally useful that's ok, just surprising.
> Best,

Adam, I'm conflicted. It feels presumptuous to disagree with you and
the developers, which I've done a lot recently.

Also, I too struggle with migrating data, verbatim, between servers
(between couches, and also between Linux boxes).

But to "guarantee all my documents are stored in this other database"
is actually incoherent. It is IMHO anti-CouchDB.

Validation functions, user accounts (which change from couch to
couch), and security objects (which also change from db to db, and
couch to couch) all come together to decide whether a change is
approved (valid). That is very powerful, and very fundamental.
Providing this "guarantee" betrays the promise that Couch makes to
developers.

People are using validation functions for government compliance, to
meet regulatory requirements (SOX, HIPAA). IIRC, you are proposing a
query parameter for Couch to disregard those instructions.

Validation functions confirm not only authorization, but also
well-formedness of the documents. So, again, in the real world, where
many people use _admin accounts, adding a ?force=true parameter sounds
dangerous.

Do you worry whether, in the wild, people will use it more and more,
like logging in to your workstation as root/Administrator? It
eliminates daily annoyances but it is actually very risky behavior.

Finally, yes, an admin can ultimately circumvent validation functions.
But to me, that is the checks and balances of real life. If you forget
your BIOS password, you can physically open the box and move a jumper.

I do agree about the need to move opaque data around. I disagree that
a query parameter should allow it. I feel the hosting provider pain.
The customer creates _design/angry with validate_doc_update:

    function(newDoc, oldDoc, userCtx, secObj) {
        throw {forbidden: "I am _design/angry and I hate all documents!"};
    }

And now I am responsible for replicating their data, unmolested, all
over the place.

-- 
Iris Couch

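Added example, not code from this thread or from CouchDB itself: a role-aware validate_doc_update of the kind Randall suggests, exercised with a small harness that calls it the way CouchDB does. It separates the two jobs Jason describes, well-formedness and authorization, and waives only the second for an assumed "migrator" role, so a replication run under that identity copies documents verbatim while malformed documents are still rejected. The role name, the document schema (type and author fields), and all sample identities and documents are constructed for illustration.

```javascript
// Added example, not code from the thread: a role-aware validate_doc_update
// of the kind Randall suggests, plus a small harness that calls it the way
// CouchDB does. The role name "migrator" and the document schema (type/author)
// are assumed for illustration.

// CouchDB invokes validate_doc_update(newDoc, oldDoc, userCtx, secObj) for
// every write, replicated ones included, and rejects the write when the
// function throws {forbidden: ...} or {unauthorized: ...}.
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  var roles = userCtx.roles || [];
  function hasRole(r) { return roles.indexOf(r) !== -1; }

  // Database admins are named in the security object, not in userCtx.roles,
  // so a validation function must consult secObj to recognise them.
  var adminNames = (secObj.admins && secObj.admins.names) || [];
  var adminRoles = (secObj.admins && secObj.admins.roles) || [];
  var isDbAdmin = adminNames.indexOf(userCtx.name) !== -1 ||
                  adminRoles.some(hasRole);

  // 1. Well-formedness applies to everybody, including _admin and the
  //    migration role: this is the check a blanket "skip validation"
  //    switch would throw away.
  if (!newDoc._deleted) {
    if (typeof newDoc.type !== "string") { throw {forbidden: "type is required"}; }
    if (typeof newDoc.author !== "string") { throw {forbidden: "author is required"}; }
  }

  // 2. Only the ownership rules are waived, and only for identities that
  //    carry the assumed "migrator" role (or are admins), so a replication
  //    run under that identity can copy documents verbatim.
  if (hasRole("_admin") || isDbAdmin || hasRole("migrator")) { return; }

  // 3. Everyone else may only create documents they author and only change
  //    or delete their own.
  if (oldDoc && oldDoc.author !== userCtx.name) {
    throw {unauthorized: "not the owner"};
  }
  if (!newDoc._deleted && newDoc.author !== userCtx.name) {
    throw {forbidden: "author must match the requesting user"};
  }
}

// Harness: run one update and report the verdict as a string.
function tryUpdate(newDoc, oldDoc, userCtx, secObj) {
  try {
    validate_doc_update(newDoc, oldDoc, userCtx, secObj || {});
    return "ok";
  } catch (e) {
    if (e && e.forbidden) { return "forbidden: " + e.forbidden; }
    if (e && e.unauthorized) { return "unauthorized: " + e.unauthorized; }
    throw e; // a genuine bug in the validation function, not a rejection
  }
}

// Constructed sample identities, security object and documents.
var alice = {name: "alice", roles: []};
var bob = {name: "bob", roles: []};
var migrator = {name: "replicator-svc", roles: ["migrator"]};
var bobIsDbAdmin = {admins: {names: ["bob"], roles: []}, members: {names: [], roles: []}};
var post = {_id: "post1", type: "post", author: "alice", body: "hello"};
var malformed = {_id: "post2", author: "alice"}; // no "type" field

function demo() {
  return {
    ownerCreate: tryUpdate(post, null, alice),
    otherCreate: tryUpdate(post, null, bob),
    otherEdit: tryUpdate(Object.assign({}, post, {body: "edited"}), post, bob),
    dbAdminEdit: tryUpdate(Object.assign({}, post, {body: "edited"}), post, bob, bobIsDbAdmin),
    migratorCopy: tryUpdate(post, null, migrator),
    migratorMalformed: tryUpdate(malformed, null, migrator)
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The ordering of the checks is the point: the structural check runs before the role check, so granting the migration role (or being an admin) never turns the function into a no-op, which is the outcome Jason warns a ?force-style parameter would produce.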