couchdb-dev mailing list archives

From Robert Samuel Newson <rnew...@apache.org>
Subject Re: Implementing security at url rewriting level, to allow secure use of views without list
Date Sat, 09 May 2015 12:01:16 GMT

The CouchDB security model, such as it is, is based around access controls to databases. The
rewrite system, and the view system, were not built to provide additional security features,
and we have had to remind people on a few occasions of the illusion of safety that _rewrite
might give.

It’s also worth noting that show and list functions tend to be slow as they require Javascript
evaluation throughout, whereas calling a view typically does not (it does, for example, if
you have a Javascript reduce function).

B.

> On 9 May 2015, at 07:30, Giovanni Lenzi <g.lenzi@smileupps.com> wrote:
> 
> To detail this better... I mean something to give app devs the chance to
> produce these kinds of views and rewriting rules:
> 
> a view emitting keys such as these:
> [["bob",...], ...]
> [["bob",...], ...]
> [["alice",...], ...]
> [["alice",...], ...]
> 
> or also
> 
> [["manager",...], ...]
> [["manager",...], ...]
> [["author",...], ...]
> [["author",...], ...]
> 
> where "bob" and "alice" are user docs in the db, while "manager" and
> "author" are roles
> 
> and to define rewriting rules like the following:
> 
> {
>    "from" : "/userdocs",
>    "to" : "_view/userdocs",
>    "query": {
>       "startkey": [ ":userCtx.name", {} ],
>       "endkey": [ ":userCtx.name" ],
>       "reduce": "false",
>       "descending": "true",
>       "include_docs": "true"
>    }
> }
> 
> or
> 
> {
>    "from" : "/roledocs",
>    "to" : "_view/roledocs",
>    "query": {
>       "startkey": [ ":userCtx.roles[0]", {} ],
>       "endkey": [ ":userCtx.roles[0]" ],
>       "reduce": "false",
>       "descending": "true",
>       "include_docs": "true"
>    }
> }
> 
> where every ":userCtx.name" and ":userCtx.roles[*]" is rewritten by the
> _rewrite engine, or better, would be overwritten to prevent users from
> providing their own values as query string parameters.
> 
> Benefits could be:
> - security at view-level (without touching the view engine?!), so app devs
> won't have to learn a new way of writing views
> - performance?! Is a view only approach effectively faster than view/list?
> 
> 
> 
> 2015-05-08 18:21 GMT+02:00 Giovanni Lenzi <g.lenzi@smileupps.com>:
> 
>> Hi everyone,
>> 
>> I would like to write down some ideas I had, because there is a high
>> probability I'm going to forget them soon :)
>> 
>> This idea targets a way to implement server-side security by using views
>> only, instead of view+list. If possible, it may open up a wide range of new
>> possibilities for app devs.
>> 
>> Given that views know nothing about userCtx, is it possible to enhance the
>> _rewrite engine to create/overwrite a reserved dynamic variable, named
>> ":userCtxName", with the value of userCtx.name? This variable could then be
>> effectively used within the "to" or "query" rewriting rule attributes, for
>> example, to perform read ACL at view level directly.
>> 
>> More generally the question is: can _rewrite engine be improved to include
>> userCtx concepts? Which could be the drawbacks?
>> 
>> Ok, ideas finished. I won't bother you anymore. :)
>> 
>> --
>> Giovanni Lenzi
>> www.smileupps.com
>> Smileupps Cloud App Store
>> 
> 
> 
> 
> -- 
> Giovanni Lenzi
> www.smileupps.com
> Smileupps Cloud App Store
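Added example (not CouchDB code, and not how the real _rewrite handler works): a toy JavaScript resolver for the ":userCtx.*" placeholders proposed above, assuming the quoted userdocs rule shape and a userCtx of the form { name, roles }. It shows the two properties the proposal needs, the rule's resolved values overriding caller-supplied query parameters and failing closed when a placeholder cannot be resolved for the current user.

```javascript
// Added illustration (not CouchDB code): a toy resolver for the ":userCtx.*"
// placeholders proposed in the thread. Assumes the rule shape quoted above and
// a userCtx of the form { name, roles }.
const USERDOCS_RULE = {
  from: "/userdocs",
  to: "_view/userdocs",
  query: {
    startkey: [":userCtx.name", {}],
    endkey: [":userCtx.name"],
    reduce: "false",
    descending: "true",
    include_docs: "true",
  },
};

const PLACEHOLDER = /^:userCtx\.(name|roles\[(\d+)\])$/;

// Replace one placeholder string with the matching userCtx value.
function resolvePlaceholder(value, userCtx) {
  if (typeof value !== "string") return value;
  const m = PLACEHOLDER.exec(value);
  if (!m) return value;
  const resolved =
    m[1] === "name" ? userCtx.name : (userCtx.roles || [])[Number(m[2])];
  // Fail closed: an anonymous user (name null) or a user lacking the indexed
  // role must not silently become a view query on key null/undefined.
  if (resolved === null || resolved === undefined) {
    throw new Error(`cannot resolve ${value} for this user`);
  }
  return resolved;
}

// Walk arrays and objects so placeholders nested in startkey/endkey resolve.
function resolveDeep(value, userCtx) {
  if (Array.isArray(value)) return value.map((v) => resolveDeep(v, userCtx));
  if (value && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, resolveDeep(v, userCtx)])
    );
  }
  return resolvePlaceholder(value, userCtx);
}

// Effective view query: the rule's resolved values are applied AFTER the
// client's query-string parameters, so a caller cannot supply their own
// startkey/endkey to read another user's rows through this route.
function buildViewQuery(rule, userCtx, clientQuery) {
  return { ...clientQuery, ...resolveDeep(rule.query, userCtx) };
}
```

Even with this in place, Newson's point stands: the rule only filters requests that arrive through the rewrite, and the underlying _view is still governed by the database's access controls alone.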

