incubator-couchdb-user mailing list archives

From Tiago Freire <tiago.fre...@gmail.com>
Subject Re: Best performing login implementation?
Date Mon, 06 Sep 2010 17:15:49 GMT
'Users can read the entire database' is a big no-no for our design. We store
confidential information from our clients and they cannot see each other's
stuff.
Now, is the 'everyone-can-read' model all the CouchDB authentication system
offers, or is it just a default, and can I restrict reading using the
default authentication scheme?


On Mon, Sep 6, 2010 at 1:38 PM, J Chris Anderson <jchris@apache.org> wrote:

>
> On Sep 6, 2010, at 8:50 AM, Wout Mertens wrote:
>
> > On Sep 6, 2010, at 17:24 , J Chris Anderson wrote:
> >
> >> Also it is worth noting that CouchDB has a builtin authentication system
> >> that gets this right, and you might just be able to piggyback on it,
> >> depending on your application:
> >>
> >> http://blog.couch.io/post/1027100082/whats-new-in-couchdb-1-0-part-4-securityn-stuff
> >
> > So the security model is:
> > - Admins can do everything on all local databases
> > - Readers can read the entire database
> > - Writes can have any model you like with validation functions
> >
> > So if you want to segment your database readers you have to segment your
> > databases.
> >
>
> Yes.
>
> > Furthermore, if you would like to use LDAP authentication, you'd have to
> > use an LDAP-to-OAuth server.
> >
>
> It should be a very simple patch to add new Erlang authentication handlers
> for things like LDAP, Kerberos, etc. That might be simpler than adding a
> bunch of glue to speak OAuth.
>
> > Correct?
> >
> > Wout.
>
>


-- 
-----
Tiago Mikhael Pastorello Freire a.k.a. Brazilian Joe
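
The model the quoted replies settle on (one database per group of readers, writes gated by a validation function), sketched as an added example that is not part of the original thread or of CouchDB's own code. The client ids, the "client-<id>" role naming, the "ops" role and the "owner" field are assumptions made for illustration.

```javascript
// Added example. Hypothetical names: "client-<id>" roles, "ops" role, "owner" field.

// Body for PUT /<db>/_security on a per-client database. CouchDB 1.0 names the
// read list "readers" (later releases renamed it "members"). When the list is
// empty the database is readable by everyone, which is the default.
function securityObjectFor(clientId) {
  return {
    admins:  { names: [], roles: ["ops"] },
    readers: { names: [], roles: ["client-" + clientId] }
  };
}

// Stored as the "validate_doc_update" source in a design document of that
// database. It only gates writes; reads are controlled by _security alone.
function validateDocUpdate(newDoc, oldDoc, userCtx, secObj) {
  if (userCtx.roles.indexOf("_admin") !== -1) return;
  if (!userCtx.name) throw({ unauthorized: "login required" });

  // Fail closed: if _security was never set (database still world-readable),
  // refuse non-admin writes instead of storing client data in it.
  var readers = (secObj && secObj.readers) || {};
  var names = readers.names || [], roles = readers.roles || [];
  var member = names.indexOf(userCtx.name) !== -1 ||
    roles.some(function (r) { return userCtx.roles.indexOf(r) !== -1; });
  if (!member) throw({ forbidden: "not a reader of this client database" });

  // A document is always owned by its writer; ownership cannot be taken over,
  // and only the owner may delete.
  var owner = newDoc._deleted ? (oldDoc && oldDoc.owner) : newDoc.owner;
  if (owner !== userCtx.name) throw({ forbidden: "owner must be the writer" });
  if (oldDoc && oldDoc.owner !== owner) throw({ forbidden: "owner cannot change" });
}

// Local harness: run the validation function the way CouchDB would call it
// and report the outcome as a string.
function tryWrite(secObj, newDoc, oldDoc, userCtx) {
  try {
    validateDocUpdate(newDoc, oldDoc, userCtx, secObj);
    return "ok";
  } catch (e) {
    return e.forbidden ? "forbidden" : "unauthorized";
  }
}
```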
