incubator-couchdb-dev mailing list archives

From Randall Leeds <randall.le...@gmail.com>
Subject Re: Per Document Filtering/Authorization
Date Fri, 03 Dec 2010 21:37:47 GMT
On Thu, Dec 2, 2010 at 21:31, David Pratt <fairwinds.dp@gmail.com> wrote:
> Hi Randall. Am not opposed to this either, however we are currently
> two dbs with _users at present and see per document authorization as
> an opportunity to extend current authorization policy.
>

_users are separate from the rules in my mind.
A typical use case in my imagination would have the access rules in the application's db, acting on roles.
Then individual _users on any Couch that replicated the app could give themselves the appropriate role.
Think of how on many Linux systems users with the audio group can access sound devices, but simply installing audio-related software sets up the group. Roles referenced by validation/access functions are implicitly generated groups and then individual instances that have replicated the app can set up the membership for that role for any local users who should use the app.

>
> If not a separate db, can you elaborate on your ideas and how you
> would reconcile with _users with roles, and with Admins and Readers
> groups. What sort of mechanism are you suggesting?
>

We'll have to see how performance goes, but I'd encourage any efforts
for design-doc level read validations.
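
The arrangement described in this message, sketched with CouchDB's existing `validate_doc_update` write hook (the read validations discussed in the thread are a proposal and are not shown). This is an added example, not part of the original message; the role name `audio`, the users, the per-owner rule and the `tryWrite` harness are constructed for illustration.

```javascript
// Validation function shipped in the app's design doc. It replicates with
// the app and names a role, never a user. The role "audio" is constructed.
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  var roles = userCtx.roles || [];
  if (roles.indexOf("_admin") !== -1) return; // server admins bypass app rules
  if (roles.indexOf("audio") === -1) {
    throw { forbidden: "role 'audio' required" };
  }
  // Hypothetical per-document rule: only the owner may change a document.
  if (oldDoc && oldDoc.owner !== userCtx.name) {
    throw { forbidden: "only the owner may update this document" };
  }
}

// Constructed _users documents on one Couch that replicated the app.
// Role membership is local: each instance decides who holds "audio".
var localUsers = [
  { _id: "org.couchdb.user:alice", name: "alice", type: "user", roles: ["audio"] },
  { _id: "org.couchdb.user:carol", name: "carol", type: "user", roles: ["audio"] },
  { _id: "org.couchdb.user:bob", name: "bob", type: "user", roles: [] }
];

// Build the userCtx CouchDB would hand to the function for a local user.
function userCtxFor(name) {
  var u = localUsers.filter(function (d) { return d.name === name; })[0];
  return u ? { db: "app", name: u.name, roles: u.roles }
           : { db: "app", name: null, roles: [] };
}

// Harness standing in for the server: returns "ok" or the rejection reason.
function tryWrite(name, newDoc, oldDoc) {
  try {
    validate_doc_update(newDoc, oldDoc || null, userCtxFor(name), {});
    return "ok";
  } catch (e) {
    return e.forbidden;
  }
}

var track = { _id: "track-1", owner: "alice", title: "demo" }; // constructed doc
console.log(tryWrite("alice", track));
console.log(tryWrite("bob", track));
console.log(tryWrite("carol", { _id: "track-1", owner: "carol" }, track));
```

The design doc never changes between instances; only the local `_users` documents decide who passes the role check.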
