incubator-couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From eric casteleijn <eric.castele...@canonical.com>
Subject Re: Per-DB Auth Ideas and Proposal
Date Mon, 14 Sep 2009 19:53:26 GMT
> I played around with read & write access lists but write can be
> handled by the validation function so it's not necessary. 

I'm not entirely convinced the current validation functions, living in 
more or less as content in the database are sufficient for anything but 
very simple permission models.

I foresee a lot of problems if two users have very broad permissions 
(say what is currently known as 'admin') in the same database, but one 
shouldn't be able to modify certain design documents. Any way of 
modelling that with validation functions seems very tricky to me:

User 1, whom we shall call 'super_admin', creates a design document, 
with a validator function restricting all write access to any document 
with id prefix '_design/special_view_' to user 'super_admin'. The 
validator function itself should not be modifiable by user 2 
'regular_admin' or it is worthless, of course. This would work, except 
there is nothing stopping 'regular_admin' from adding their own 
validator, restricting 'super_admin' similarly from those 
design_documents, and from the design_document this validator is in, and 
now everybody is locked out.

Currently, I see no other possibility to model this (very real) use 
case, where you  want a user to be able to write to almost every 
document (by replication from their machine), except for a few views 
(because we'll be executing those on our cloud server node) without 
ending up with a variant on the above cold war arms race scenario.

The simplest way to solve this that I see is if the permissions live in 
a place that regular_admin simply does not have any access to (i.e. the 
global _user db) but where a global admin can grant or restrict 
permissions at will.


-- 
- eric casteleijn
https://launchpad.net/~thisfred
http://www.canonical.com

Mime
View raw message