incubator-couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Samuel Wan <...@samuelwan.com>
Subject Re: security and validation API?
Date Fri, 10 Apr 2009 23:40:07 GMT
Following up on this...

I couldn't find any details on the userCtx parameter. All google
searches led to Chris Anderson's post
(http://jchrisa.net/drl/_design/sofa/_show/post/couchdb_edge__security_and_vali),
which doesn't go into details.

Google led me to the Erlang code that generates the userCtx parameter
(http://svn.apache.org/viewvc/couchdb/branches/rep_security/src/couchdb/couch_db.erl?view=markup).
I don't have the Erlang fluency to decipher the purpose of the first
three definitions of validate_doc_update, but the fourth definition
seems to create a json string with the properties of db, name, and
roles.

validate_doc_update(#db{user_ctx=UserCtx, admins=Admins},
        #doc{id= <<"_design/",_/binary>>}, _GetDiskDocFun) ->
    UserNames = [UserCtx#user_ctx.name | UserCtx#user_ctx.roles],
    % if the user is a server admin or db admin, allow the save
    case length(UserNames -- [<<"_admin">> | Admins]) == length(UserNames) of
    true ->
        % not an admin
        {unauthorized, <<"You are not a server or database admin.">>};
    false ->
        ok
    end;
validate_doc_update(#db{validate_doc_funs=[]}, _Doc, _GetDiskDocFun) ->
    ok;
validate_doc_update(_Db, #doc{id= <<"_local/",_/binary>>}, _GetDiskDocFun) ->
    ok;
validate_doc_update(#db{name=DbName,user_ctx=Ctx}=Db, Doc, GetDiskDocFun) ->
    DiskDoc = GetDiskDocFun(),
    JsonCtx =  {[{<<"db">>, DbName},
            {<<"name">>,Ctx#user_ctx.name},
            {<<"roles">>,Ctx#user_ctx.roles}]},
    try [case Fun(Doc, DiskDoc, JsonCtx) of
            ok -> ok;
            Error -> throw(Error)
        end || Fun <- Db#db.validate_doc_funs],
        ok
    catch
        throw:Error ->
            Error
    end.

I logged a for-n loop over userCtx in the "validate_doc_update" view
function and got these names, values, and types:
db=test_database (string)
name=null (object) <--
roles=_admin (object) <-- probably an array?

Anyone know where the value for "name" comes from, and how the "roles"
values are generated?

-Sam


On Fri, Apr 10, 2009 at 2:46 PM, Samuel Wan <sam@samuelwan.com> wrote:
> Oops, replied before receiving your answer. Thanks for explaining!
>
> -Sam
>
> On Fri, Apr 10, 2009 at 2:45 PM, Samuel Wan <sam@samuelwan.com> wrote:
>> I found the answer on the Safari Books Online website:
>>
>> http://my.safaribooksonline.com/9780596158156/I_section3_d1e2107
>>
>> "The validate_doc_update function gets executed for each document you
>> want to create or update [....] If you have multiple design documents
>> each with a validate_doc_update function, all of those functions are
>> called upon each incoming write request."
>>
>> -Sam
>>
>>
>> On Fri, Apr 10, 2009 at 2:31 PM, Samuel Wan <sam@samuelwan.com> wrote:
>>> Thanks for the pointers, Patrick!
>>>
>>> Is the "validate_doc_update" a special function that CouchDB looks for
>>> when processing a PUT request? If the design document contains the
>>> validation function, but you're updating a regular document, how will
>>> CouchDB know which design document contains the validation function to
>>> run?
>>>
>>> -Sam
>>>
>>> On Fri, Apr 10, 2009 at 12:27 PM, Patrick Antivackis
>>> <patrick.antivackis@gmail.com> wrote:
>>>> Hi Samuel,
>>>> No real doc nor wiki yet.
>>>> What is implemented already is administrator acces and update validation.
>>>> Reader access nothing yet.
>>>>
>>>> About update validation, the only reliable source is the test suite :
>>>> http://svn.apache.org/viewvc/couchdb/trunk/share/www/script/test/security_validation.js?view=markup
>>>>
>>>> About administrator you have a light wiki info there :
>>>> http://wiki.apache.org/couchdb/Setting_up_an_Admin_account
>>>>
>>>> Hope you fill find what you need
>>>>
>>>>
>>>> 2009/4/10 Samuel Wan <sam@samuelwan.com>
>>>>
>>>>> Hi all,
>>>>>
>>>>> I waited for security support in CouchDB 0.9 before jumping back in,
>>>>> and saw Administrator Access, Reader Access, and Update Validation
>>>>> features mentioned at http://couchdb.apache.org/docs/overview.html.
>>>>> Where can I find the most recent information on CouchDB's security
>>>>> support, and ways to implement authentication and authorization?
>>>>>
>>>>> I found a 5-month old post here, but wasn't sure how much had changed:
>>>>>
>>>>> http://jchrisa.net/drl/_design/sofa/_show/post/couchdb_edge__security_and_vali
>>>>>
>>>>> Any hints on where to look would be much appreciated.
>>>>>
>>>>> -Sam
>>>>>
>>>>
>>>
>>
>

Mime
View raw message