Mailing-List: contact user-help@couchdb.apache.org; run by ezmlm
Precedence: bulk
Reply-To: user@couchdb.apache.org
MIME-Version: 1.0
In-Reply-To: 
 <CAJNb-9rzUzj6bMQkBQZLGswQPn=AXPgRz7ri45KdypJungk3Tw@mail.gmail.com>
References: 
 <CALp38EM8oUraQ3dP3QVynSOJwgK1wnGXJdYcMcHsNGywGe5i_Q@mail.gmail.com>
	<CABvT1DFxOK=bJ8YJGJRq-jiY3ZMYgD21KfwwK6mqRSDHDkkppQ@mail.gmail.com>
	<CAJNb-9rzUzj6bMQkBQZLGswQPn=AXPgRz7ri45KdypJungk3Tw@mail.gmail.com>
Date: Mon, 28 May 2012 14:12:55 +0100
Message-ID: 
 <CABvT1DH3xtdE_vVwJ_26WkBbTLpp5_cvynzGhbsRs2oXdmcDzQ@mail.gmail.com>
Subject: Re: Request object in validate_doc_update
From: Robert Newson <rnewson@apache.org>
To: user@couchdb.apache.org
Content-Type: text/plain; charset=ISO-8859-1

I disagree that "ip address" should be part of the user context since
it's clearly part of the request. As for adding selected parts of the
request into the user context in general, I don't see any logic to
that and it doesn't seem tidier (the opposite, in fact).

Dave asks a great question, should a VDU function be idempotent?
Perhaps, but it isn't today anyway. It can vary in its result on
different databases and servers based on local security settings (the
user doesn't have a role on server A that it does on server B). Given
that, it seems fair to allow for a VDU to vary based on any other
property of the request (instead of, or in addition to, any properties
of the authenticated user, if there is one).

Benoit also makes a good point where he urges caution about making VDU
a security feature, whereas it has always been intended to ensure you
have valid documents (for whatever meaning of 'valid' applies to you).
Since this request is in response to a security request (the ability
to reject writes from blacklisted IP address or the like) I think that
caution is warranted.

Perhaps there are two proposals in one here. If we passed the req
object to VDU's, we might allow users to build richer applications,
but we must be clear that this is not a security mechanism (we've had
at least one bug where VDU's were not evaluated after a compaction,
for example). The other proposal might be to allow the granting of
rights by IP address, much as MySQL does. In fact, I believe this idea
is part of the Summit proposal to enhance our security model. I should
be able to grant _admin rights to a user if and only if they come from
127.0.0.1, for example. I might also like to exclude all requests from
certain IP or IP blocks. I suspect that goes beyond our remit and
should be handled by a firewall instead, though.

B.

On 28 May 2012 14:03, Benoit Chesneau <bchesneau@gmail.com> wrote:
> On Fri, May 25, 2012 at 1:49 PM, Robert Newson <rnewson@apache.org> wrote:
>> I can't think of a solid objection to this idea. The result of a
>> validate_doc_update can already vary based on the local security
>> object. Being able to inspect not only the new document, but any other
>> property of the request seems useful.
>>
>
> Imo any security things should be distinct from authorization. So
> someone can also athenticate itself wh
>
> We could eventually add some extra data like proposed in my previous
> mail, but rather I think having a role given to a user depending on
> its IP would work better. And most of systems are working like this
> today anyway.
>
> - benoit