Return-Path: X-Original-To: apmail-couchdb-dev-archive@www.apache.org Delivered-To: apmail-couchdb-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id CCE327514 for ; Sat, 27 Aug 2011 03:02:55 +0000 (UTC) Received: (qmail 50942 invoked by uid 500); 27 Aug 2011 03:02:53 -0000 Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org Received: (qmail 50547 invoked by uid 500); 27 Aug 2011 03:02:43 -0000 Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@couchdb.apache.org Delivered-To: mailing list dev@couchdb.apache.org Received: (qmail 50539 invoked by uid 99); 27 Aug 2011 03:02:41 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 27 Aug 2011 03:02:41 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=RCVD_IN_DNSWL_LOW,SPF_NEUTRAL X-Spam-Check-By: apache.org Received-SPF: neutral (nike.apache.org: local policy) Received: from [74.125.82.180] (HELO mail-wy0-f180.google.com) (74.125.82.180) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 27 Aug 2011 03:02:33 +0000 Received: by wyj26 with SMTP id 26so4303330wyj.11 for ; Fri, 26 Aug 2011 20:02:12 -0700 (PDT) Received: by 10.227.7.70 with SMTP id c6mr1558857wbc.74.1314414132357; Fri, 26 Aug 2011 20:02:12 -0700 (PDT) MIME-Version: 1.0 Received: by 10.227.155.210 with HTTP; Fri, 26 Aug 2011 20:01:51 -0700 (PDT) In-Reply-To: References: <111A4F0F-6055-435B-8FF9-8D48CC058E4D@apache.org> From: Jason Smith Date: Sat, 27 Aug 2011 10:01:51 +0700 Message-ID: Subject: Re: The _security object should be versioned To: dev@couchdb.apache.org Content-Type: text/plain; charset=UTF-8 X-Virus-Checked: Checked by ClamAV on apache.org On Sat, Aug 27, 2011 at 9:09 AM, Randall Leeds wrote: >> The issue here is that adding a revision tree most likely means a >> requirement that the HTTP API changes to use MVCC tokens. > > _local docs already do. They just don't support ?new_edits, or > revs_info/revs/open_revs/meta, though I'd have to check.. It's not a hard > requirement that we support this stuff. And certainly the old /_security > endpoint could completely paper over this if we just make it clobber (which > no one on vanilla couch should care about). I propose there is no more /_security HTTP endpoint. Instead, _local docs get full MVCC support. You can post conflicts with ?new_edits=false and resolve them normally. The API becomes smaller and also more consistent. Next, _local/security is special to CouchDB. Upon an update, the current winning revision is cached in the DB header. This allows couch to quickly confirm read or admin permission when using the DB, and send secObj to validate_doc_update. Does this sound reasonable? I see two bonuses: 1. Full MVCC for _local would be nice for users, who are using _local more. If it's worth storing, it's worth storing in MVCC. 2. Design docs can validate the security policy. I can think of two issues: 1. Does this require updating the replicator to update _local docs correctly? 2. Only admins can change _security. But anybody with read access can change _local/*. Does couch special-case _local/security? -- Iris Couch