incubator-couchdb-user mailing list archives

From "Johan Liseborn" <johan.liseb...@gmail.com>
Subject Re: Status of security features
Date Sun, 14 Sep 2008 11:23:11 GMT
On Sun, Sep 14, 2008 at 12:52, Noah Slater <nslater@apache.org> wrote:
> On Sun, Sep 14, 2008 at 12:41:44PM +0200, Michele Sciabarra wrote:
>> As Jan told in the recent FLOSS weekly podcast, "there is no security in
>> CouchDB".

Thanks, I had missed the FLOSS podcast; I am downloading it as I write.


> But as CouchDB speaks HTTP, you can take advantage of REST architecture by
> layering reverse proxies that implement your chosen security restrictions.

Absolutely. It also seems quite possible to implement some "security"
(maybe not the best word to use) measures yourself, by creating a
small wrapper around your chosen method to access CouchDB and
leveraging the flexibility of CouchDB documents and databases (for
example by adding similar items already mentioned above, such as lists
of users and/or groups that are allowed to access a certain document).
I haven't really thought this through though, so I may be wrong... but
it seems pretty close to what is described in the CouchDB
documentation, except there the code is put in the document (and/or in
a design document) and it gets automatically called when you try to
access a document...

I should also clarify that what I am (at the moment) mostly interested
in is the ability to do document-level authorization (for example
saying that "user a, b, and c are allowed to read and write this
document" or "group d is allowed to read this document").

I guess what I am trying *not* to do is duplicate work that has already
been done, or is in the pipeline.

Anyway, thanks for your input guys!


johan
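
The wrapper approach discussed in the message above, sketched as an added example (not part of the original post and not CouchDB code): each document carries its own list of users and groups allowed to read or write it, and the wrapper checks that list before touching the database. The `acl` field, the `user:`/`group:` prefixes, the `AclStore` class and the creation policy are assumptions made for illustration, and a dict stands in for the CouchDB database so the block runs offline.

```python
import copy

class Forbidden(Exception):
    """Raised for both 'no such document' and 'not allowed'."""

class AclStore:
    """Wrapper enforcing a per-document ACL; a dict stands in for CouchDB."""

    def __init__(self, groups):
        self._docs = {}        # doc id -> document (stand-in for the database)
        self._groups = groups  # group name -> set of user names

    def _principals(self, user):
        ids = {"user:" + user}
        ids.update("group:" + g for g, m in self._groups.items() if user in m)
        return ids

    def _allowed(self, doc, user, action):
        # Deny by default: a missing or malformed "acl" field grants nothing.
        acl = doc.get("acl") if isinstance(doc, dict) else None
        entries = acl.get(action) if isinstance(acl, dict) else None
        if not isinstance(entries, list):
            return False
        who = self._principals(user)
        return any(isinstance(e, str) and e in who for e in entries)

    def read(self, doc_id, user):
        doc = self._docs.get(doc_id)
        # Identical error for missing and forbidden, so ids cannot be probed.
        if doc is None or not self._allowed(doc, user, "read"):
            raise Forbidden(doc_id)
        return copy.deepcopy(doc)

    def write(self, doc_id, user, new_doc):
        current = self._docs.get(doc_id)
        # Updates are judged on the STORED ACL, never the submitted one;
        # creation (assumed policy) requires the creator to list themselves.
        basis = new_doc if current is None else current
        if not self._allowed(basis, user, "write"):
            raise Forbidden(doc_id)
        self._docs[doc_id] = copy.deepcopy(new_doc)

def demo():
    # Constructed sample data: user "a" owns the doc, group "d" may read it.
    store = AclStore({"d": {"dave"}})
    doc = {"acl": {"read": ["user:a", "group:d"], "write": ["user:a"]}, "n": 1}
    store.write("doc1", "a", doc)
    try:
        store.write("doc1", "dave", {"acl": {"write": ["user:dave"]}})
    except Forbidden:
        return store.read("doc1", "dave")["n"]  # dave can still read: 1
```

A wrapper like this only restricts clients that have to go through it, so the database itself must not be reachable directly, which is where the reverse-proxy layering mentioned earlier in the thread comes in.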
