Return-Path: Delivered-To: apmail-couchdb-user-archive@www.apache.org Received: (qmail 77657 invoked from network); 4 Jan 2010 00:13:05 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 4 Jan 2010 00:13:05 -0000 Received: (qmail 65217 invoked by uid 500); 4 Jan 2010 00:13:04 -0000 Delivered-To: apmail-couchdb-user-archive@couchdb.apache.org Received: (qmail 65131 invoked by uid 500); 4 Jan 2010 00:13:04 -0000 Mailing-List: contact user-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: user@couchdb.apache.org Delivered-To: mailing list user@couchdb.apache.org Received: (qmail 65121 invoked by uid 99); 4 Jan 2010 00:13:04 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 04 Jan 2010 00:13:04 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of jchris@gmail.com designates 209.85.216.180 as permitted sender) Received: from [209.85.216.180] (HELO mail-px0-f180.google.com) (209.85.216.180) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 04 Jan 2010 00:12:54 +0000 Received: by pxi10 with SMTP id 10so10447871pxi.13 for ; Sun, 03 Jan 2010 16:12:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:date:x-google-sender-auth:message-id:subject:from:to :content-type:content-transfer-encoding; bh=Cer+fgZt0nMkCbUZBi0ncyoi30qabNA3PXSjUq+RZJI=; b=DEgc7Botvfw/cogwA3EA6uBFNu5J9dH0bsS/C9eiXiWv075ndOEbMiU47Jc2VnQ9MN xnTGTl/sy2IoEkSCWkcICd9Xr/P1lrGbcYIii8AvQfcerOpQKDjPs6Sy/CXc6Yym01Di Y7QWJeX3YDvai6YvMCfXXr1acicXKmlCnPAjM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type :content-transfer-encoding; b=cQ0Bv1lArZ8fY5GZQrGy313/XPB30OQ/kpgvWFnZ4jcT0rIBmBfgMT6bGF07kNCuh9 eslfG+QdACXzNWOF42SzbWrrim3NY+hfkSXIObxYDrgDqJhnKPKWw08Pyc2nHLNQ2+cy oyLBd2Z3QIOFl5SX7TK1aowKAQ92kPvzENYJc= MIME-Version: 1.0 Sender: jchris@gmail.com Received: by 10.142.5.27 with SMTP id 27mr14267803wfe.59.1262563953563; Sun, 03 Jan 2010 16:12:33 -0800 (PST) In-Reply-To: <20100103232151.GD5653@orbital> References: <6adfa88d1001030531r6f853f2cu7d68c7b7e242b7bc@mail.gmail.com> <-2906993493094027579@unknownmsgid> <098DCF08-B9FD-4380-A1F6-38F337A0795D@gmail.com> <20100103200710.GB5653@orbital> <20100103232151.GD5653@orbital> Date: Sun, 3 Jan 2010 16:12:33 -0800 X-Google-Sender-Auth: aeff812bced557ea Message-ID: Subject: Re: Common security pattern? From: Chris Anderson To: user@couchdb.apache.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-Virus-Checked: Checked by ClamAV on apache.org On Sun, Jan 3, 2010 at 3:21 PM, Sam Bisbee wrote: > On Sun, Jan 03, 2010 at 01:18:26PM -0800, Chris Anderson wrote: >> On Sun, Jan 3, 2010 at 1:10 PM, Nathan Stott wrote: >> > If a user can access a document via Futon, he can access via the Couch= DB API >> > if he knows what he's doing. =A0The data is exposed one way or the oth= er if >> > you store it in documents that users can access. =A0There is no key-le= vel >> > protection on a document that I am aware of. =A0Correct me if I'm wron= g, >> > someone. >> > >> >> There is key-level write protection. There is not key-level read >> protection, and there are no plans to add it. >> >> Per document read-control turns out to be extremely non-trivial (think >> about information leakage via reduce, etc) such that Lotus Notes never >> even got it right. > > Out of interest, is there some documentation available on the subject (ma= ybe a > CouchDB or Lotus Notes dev's blog post)? Also, I assume that this leakage= would > only happen locally and isn't exposed to remote users? > There might be some discussion in the ML archives. The leakage is to anyone accessing the views. Basically, if you have a doc, with a list of users who are allowed to read it, it's not very hard to enforce. If that doc is in a map view, you can also mark the view rows with the list of allowed readers, and filter at query time to only show valid rows. Also not that hard. However, if you have a reduce function (calculating, say, total account balance) the results can leak private data to other users. The best solution would be to run the reduce on the client (against the filtered map rows) but then you lose all the benefits of reduce. It's not that it's absolutely impossible to do this, it's just that it's hard to think of a way that doesn't cause lots of unanticipated security headaches for devs. There's an alternate line of thought: if the server enforces read access per documents, and doesn't offer views at all, then users can replicate their slice of the database locally and run views on their local CouchDB. I think this isn't much different (in terms of the use cases it can support) from encouraging a database-per-user model, where users have read access to their entire database. Db-per-user is much simpler, and we plan to support it. Chris > Thanks, > > -- > Sam Bisbee > --=20 Chris Anderson http://jchrisa.net http://couch.io