couchdb-dev mailing list archives

From Adam Kocoloski <kocol...@apache.org>
Subject Re: [DISCUSS] Per-doc access control
Date Wed, 27 Feb 2019 00:26:48 GMT

> On Feb 26, 2019, at 7:12 PM, Michael Fair <michael@daclubhouse.net> wrote:
> 
> On Tue, Feb 26, 2019 at 3:38 PM Adam Kocoloski <kocolosk@apache.org> wrote:
> 
>> Mike,
>> 
>> If I’m reading you correctly you’re concerned about cross-domain
>> authentication. A good problem and worth discussing, but I think it’s
>> cleanly decoupled from the per-doc access control work, which is focused on
>> *authorization*.
>> 
>> 
> 
> I don't think I'm talking about the same cross domain authentication you
> are talking about.  I think you are talking about a web page from Domain
> (B) attempting to access Couch resource in domain (A) (Cross site scripting
> access). That's not what I'm talking about.
> 
> I'm talking about what ought to happen with the authorization control
> definitions when you have two Couch servers, one running in Domain (A) and
> one running in Domain (B) with different sets of system users, such that
> the authorized entities in the bidirectionally replicated database don't
> exist in both server instances (the two distinct domains share the same
> document database but have disparate sets of authenticated system users).
> 
> In other words the ("sam", "pete", and "joe") users on domain/machine A are
> not the same thing as the ("mary", "betty", and "sue")  users on
> domain/machine B; yet the replicated database between the two machines has
> the same access control document authorization descriptors in both places.


Thanks Mike, I did understand you correctly the first time. I still maintain that’s in the
realm of authentication, not authorization, and should be cleanly separable from the problem
of implementing per-document access controls. Cheers,

Adam