Return-Path: X-Original-To: apmail-couchdb-user-archive@www.apache.org Delivered-To: apmail-couchdb-user-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id C6AB7D28D for ; Thu, 13 Sep 2012 14:14:27 +0000 (UTC) Received: (qmail 33644 invoked by uid 500); 13 Sep 2012 14:14:26 -0000 Delivered-To: apmail-couchdb-user-archive@couchdb.apache.org Received: (qmail 33607 invoked by uid 500); 13 Sep 2012 14:14:25 -0000 Mailing-List: contact user-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: user@couchdb.apache.org Delivered-To: mailing list user@couchdb.apache.org Received: (qmail 33598 invoked by uid 99); 13 Sep 2012 14:14:25 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 13 Sep 2012 14:14:25 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=FSL_RCVD_USER,RCVD_IN_DNSWL_LOW,SPF_NEUTRAL X-Spam-Check-By: apache.org Received-SPF: neutral (nike.apache.org: local policy) Received: from [209.85.216.180] (HELO mail-qc0-f180.google.com) (209.85.216.180) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 13 Sep 2012 14:14:18 +0000 Received: by qcmv28 with SMTP id v28so1962296qcm.11 for ; Thu, 13 Sep 2012 07:13:57 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:content-type:x-gm-message-state; bh=w66CnF72jLS7aDWc1jVAogdCZhLaHY9zXGLKh9RwyqY=; b=KAtYcD5C320xoEU8oKBvqXCPawq5tJUMCVeC3AfcCej6NB5mS0E//U9qfBloxE+/Hg rz4zEylFHXaEe78HzFAY3Ktdcwd+w+UXZjLEF2/M4rN1GDSbbKuxTprhjReR63o0usyn vd5B02ucA6G53ABT4ZOzjb3Pp0+IPz9YjjIpLN4Kg0/6djZNBMnyfSMN3UGKAX3Ok6Q9 k+9dSyXptWs4Arf5g8dWtMdX5WGiTMpgCRw+65tdpFiB7a1llfNxk1YEQJOBaEnIoN3p F6fMJ/CoIas1iU5LBu10KafZRcpif6iwXECPoI8NSM6KmVIQDZ2QAd88PECCOeu9Rh5X blUA== MIME-Version: 1.0 Received: by 10.229.134.205 with SMTP id k13mr1214798qct.153.1347545637076; Thu, 13 Sep 2012 07:13:57 -0700 (PDT) Received: by 10.49.86.74 with HTTP; Thu, 13 Sep 2012 07:13:56 -0700 (PDT) X-Originating-IP: [84.112.19.176] In-Reply-To: <20120913161733.471ef706@eee-az> References: <20120913161733.471ef706@eee-az> Date: Thu, 13 Sep 2012 16:13:56 +0200 Message-ID: Subject: Re: use case: replication of many databases, with/by many users From: Dave Cottlehuber To: user@couchdb.apache.org Content-Type: text/plain; charset=ISO-8859-1 X-Gm-Message-State: ALoCoQmTEnPw4Pist5fkQ/JfmxRI6n0BuAYEfwgUz5Kzn8E12/Im2iBXTHgoTDJocXGwlbGvY1vE On 13 September 2012 08:17, svilen wrote: > g'day > this is about per-user authentication of replication. (similar to the > thread "App layer on top of replication" but that's not exactly my > use-case). > > imagine a chat-room. each message is a document. each chat room is a > database. no conflicts. Each user can participate in many chat rooms > (=databases) and have them replicated to and from localy, continuosly > (on as many devices he wants). > > the question is: how to make the authentication/security properly? > > so far i'm guessing i should have a separate user-account layer/module > to know who is who on server. > > how to allow users to use only chat-rooms they're registered in? > in case all couchdb-user's credential live in database, and hence are > replicated, that is not usable.. > > how about replication itself? wrap it in some user-authenticated > api-call/url-rewrite (and disable it for external world)? or something > else? > > ciao > svil Assuming you have a hub node that has all user accounts and a db per chat room, that all external users replicate from/to, you could simply use DB roles. When you join a chat room, you'd need to be added to the role list for that DB (by some process external to couch that knows if you are allowed to access it), and then you could set up replication on the endpoint node. Would that be sufficient? A+ Dave