incubator-couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sgoto <samuelg...@gmail.com>
Subject Re: What are the contents of userCtx in validators ?
Date Sat, 21 Aug 2010 04:31:56 GMT
On Wed, Aug 4, 2010 at 7:01 AM, J Chris Anderson <jchris@apache.org> wrote:

>
> On Aug 3, 2010, at 8:30 PM, sgoto wrote:
>
> > Hey everyone,
> >
> >   According to this page:
> >
> > http://books.couchdb.org/relax/design-documents/validation-functions
> >
> >   An administrator could write validation function to ensure the data
> that
> > gets written to couchdb is validated. I'm interested in adding some
> PGP-like
> > signing of documents for authentication. I'm also interested in md5ing
> the
> > contents of the message to ensure integrity, but i'll leave that for
> later.
> >
> >  This leads me to the following question:
> >
> >  What are the contents of userCtx in the validator's signature ?
> >
> > function(newDoc, oldDoc, userCtx) {
> >  throw({forbidden : 'no way'});
> > }
> >
>
> the best way to learn this is to do
>
> log(userCtx) inside your function.
>
> the contents of the userCtx are minimal, just name and roles. The idea
> behind this is to make a narrow lowest common denominator so LDAP, kerberos,
> etc can all work with existing apps.
>
> >
> > would it be the contents of the authentication database ?
> >
> > http://wiki.apache.org/couchdb/Security_Features_Overview
> > http://wiki.apache.org/couchdb/Authentication_and_Authorization
> >
> > {
> >  "_id"          : "org.couchdb.user:joe",
> >  "type"         : "user",
> >  "name"         : "joe",
> >  "roles"        : ["erlanger"],
> >  "password_sha" : "fe95df1ca59a9b567bdca5cbaf8412abd6e06121",
> >  "salt"         : "4e170ffeb6f34daecfd814dfb4001a73"
> > }
> >
> >
> > any existing work/library/method (eg CA vs web of trust, storing
> encrypted
> > documents, signing, integrity, etc) that I should be aware of ?
> >
>
> Hard part is getting something to sign. I have started this project here:
>
> http://github.com/jchris/canonical-json
>
>
this is a very interesting library @jchris. i'm not sure a canonical
representation of a json is absolutely necessary, if you are signing binary
base64 data for example.

i am interesting in having authentication and authorization to be done with
PGP/GPG certificates (to make sure replication works with untrusted nodes).
how far have you gotten with parsing/extracting/verifying  PGP certificates
(you seem to be using the same library i am to parse/extract/verify PGP
certificates
http://github.com/jchris/canonical-json/tree/master/www.hanewin.net/) ?


> (plz ignore the name)
>
> Chris
>
> > --
> > f u cn rd ths u cn b a gd prgmr !
>
>


-- 
f u cn rd ths u cn b a gd prgmr !

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message