From: Patrick Barnes
Date: Tue, 23 Nov 2010 17:20:50 +1100
To: user@couchdb.apache.org
Subject: Re: Creating databases on demand

Hi Jeff,

On 23/11/2010 5:10 PM, Jeff Gorder wrote:
> I have a case where there is a main public database that serves my application and then will need to have a private database for each user. I've gotten this to work manually and automatically when logged in as a server admin.
>
> I understand that there are server admins that have full control over the installation and that they are managed by making entries into the .ini file and that there are database admins as well. In the "Definitive Guide" it's made clear that only admin users are allowed to create databases and design documents but it's not clear if those are server admins, database admins, or both.
>
> How do I create the database/design doc for a new user? It's not practical to require someone who is a server admin to log on to Futon to do it. If a user is a database admin in the main application database, does that give them permission to create a new database?

Someone having database-level admin access only has it on that database, even if it's the main application database. Only a server admin can create a new database.

Some sort of privilege escalation is necessary, I guess. Maybe have a server-side script that can be triggered by main-application database admins, that has a stored set of server admin credentials and can create the database for them.

> The second question is how to access the database ACL. I have found that it's stored at dbasename/_security but haven't found any documentation about an API to it. Is there one?

See here: http://wiki.apache.org/couchdb/Complete_HTTP_API_Reference
I'm guessing it's just GET or PUT in its entirety.

[ Hmm - how are race conditions resolved on _security? :-) ]

Hope that helps,
-Patrick
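
The server-side script suggested in the reply above could look like the following. This is an added example, not code from the thread or from the CouchDB project. The `userdb-<hex>` naming, the environment variable names and the server address are assumptions of the example, the caller is assumed to pass a username taken from an already authenticated session, and the `members` key follows current CouchDB documentation (releases from the time of this thread called it `readers`).

```python
import base64, json, os, urllib.error, urllib.request

COUCH_URL = os.environ.get("COUCH_URL", "http://127.0.0.1:5984")  # assumed address

def user_db_name(username):
    # Hex-encode so a user-supplied name can never add path characters.
    if not username:
        raise ValueError("empty username")
    return "userdb-" + username.encode("utf-8").hex()

def security_doc(username):
    # Only this user is a member; no database-level admins are granted.
    return {"admins": {"names": [], "roles": []},
            "members": {"names": [username], "roles": []}}

def http_send(method, url, body=None):
    # Server admin credentials live only in this service's environment.
    cred = "%s:%s" % (os.environ["COUCH_ADMIN_USER"], os.environ["COUCH_ADMIN_PASS"])
    headers = {"Authorization": "Basic " + base64.b64encode(cred.encode()).decode(),
               "Content-Type": "application/json"}
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def provision_user_db(username, send=http_send):
    """Create the user's private database and lock it down. Returns the db name."""
    db = user_db_name(username)
    status = send("PUT", "%s/%s" % (COUCH_URL, db))
    if status not in (201, 202, 412):  # 412: database already exists
        raise RuntimeError("create %s failed: HTTP %d" % (db, status))
    # A fresh database has an empty _security object and is open to everyone,
    # so the ACL is written immediately, and again on 412 so that a
    # half-provisioned database still ends up closed.
    status = send("PUT", "%s/%s/_security" % (COUCH_URL, db), security_doc(username))
    if status != 200:
        raise RuntimeError("securing %s failed: HTTP %d" % (db, status))
    return db
```

The service exposes only this one operation to callers, so the stored server admin credentials are never usable for anything except creating and closing a database named after the caller.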