Return-Path: X-Original-To: apmail-couchdb-user-archive@www.apache.org Delivered-To: apmail-couchdb-user-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id B52466561 for ; Tue, 19 Jul 2011 20:24:21 +0000 (UTC) Received: (qmail 37054 invoked by uid 500); 19 Jul 2011 20:24:20 -0000 Delivered-To: apmail-couchdb-user-archive@couchdb.apache.org Received: (qmail 36957 invoked by uid 500); 19 Jul 2011 20:24:19 -0000 Mailing-List: contact user-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: user@couchdb.apache.org Delivered-To: mailing list user@couchdb.apache.org Received: (qmail 36946 invoked by uid 99); 19 Jul 2011 20:24:19 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 19 Jul 2011 20:24:19 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,SPF_PASS,T_TO_NO_BRKTS_FREEMAIL X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of robert.newson@gmail.com designates 209.85.210.180 as permitted sender) Received: from [209.85.210.180] (HELO mail-iy0-f180.google.com) (209.85.210.180) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 19 Jul 2011 20:24:12 +0000 Received: by iyh42 with SMTP id 42so8040328iyh.11 for ; Tue, 19 Jul 2011 13:23:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=1ru4RRQEO8en7fC6GTWaOgbwGFEe4qcMn+f5OscLd0I=; b=ot0/b3G2+f1LUEphKXuCLHDrlNVsWv7QgRf4Y67kpCcb9w8WrFGWWrS4Dh9Y9pueWR /5bWDAVg9TVIiO9fCu3mClfVZfFk/9Famw73f2WxhL5e3v0kBcbnEwpueRMfSZSHhX7e eCPs1UK8X2KoPNeEt21RTAshRSI25+RS2CPQ0= MIME-Version: 1.0 Received: by 10.231.180.156 with SMTP id bu28mr6911095ibb.134.1311107030862; Tue, 19 Jul 2011 13:23:50 -0700 (PDT) Received: by 10.231.145.67 with HTTP; Tue, 19 Jul 2011 13:23:50 -0700 (PDT) In-Reply-To: References: Date: Tue, 19 Jul 2011 21:23:50 +0100 Message-ID: Subject: Re: no 'writers' section in _security killing me From: Robert Newson To: user@couchdb.apache.org Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable X-Virus-Checked: Checked by ClamAV on apache.org there is a wiki page for this with only one reasonable solution (db per use= r). The trick is solve read access for reduce views without violating common sense notions of read security. Everything else is easy by comparison. B. On 19 July 2011 21:11, Randall Leeds wrote: > 2011/7/19 Javier Rodr=EDguez Escolar : >> Hello, >> >> I have been reading for a while about the existing possibilities to rest= rict >> the read access to a database in which different users write. I mean, al= l >> users should be able to write, but they should only read what they have >> written. =A0As far as I can read a common workaround to carry out this i= ssue >> is to create a =932.1 layer architecture=94 as follows: >> >> =A0 - There is a database per user. The user's name will be added to the >> =A0 _security object. >> =A0 - There is a private master database. The admin=92s name will be add= ed to >> =A0 the _security object. >> =A0 - There is a public database. >> =A0 - There is an external server in charge of copying the data from the >> =A0 public database to the private one. >> >> >> A very common way to proceed is to let the users write in a public datab= ase >> and use an external server (NodeJS) to listen for changes on the public >> database, move the data to the private master database and remove it fro= m >> the public database. To my mind, this approach doesn=92t seem to be very >> secure since any other external server might be monitoring the changes i= n >> the public database so the security of critical data might be compromise= d. >> Wouldn=92t be better to have a middle layer when managing critical data?= I=92m >> newbie to Couchdb so I=92m probably missing something. > > Yes. A middle layer is the way to go if you really want to get data > straight into a private database. > Thanks everyone for suffering through these workarounds. > > The community has been discussing more access control features for a > long time. It's a delicate balance of trying to fulfill everyone's > needs (or at least 80% of them), not destroying performance in the > process of adding more controls, and keeping the API simple and > elegant. I think the mailing list is no longer the place to discuss > these things because conversations go for a while, stall, and then > resurface with the same issues re-hashed. Perhaps a wiki page about it > could serve as a working, evolving draft? > > -R > >> >> Thanks and best regards, >> >> Javi >> >> >> 2011/7/11 Jason Smith >> >>> On Mon, Jul 11, 2011 at 12:17 PM, Jonathan Geddes >>> wrote: >>> >> Fortunately, users with write access are not admins. They may not >>> >> modify design documents. All of their changes are subject to design >>> >> documents' validate_doc_update() function. >>> > >>> > I would be *overjoyed* to hear that you are right and the documentati= on >>> at >>> > [0] is wrong: >>> >> database admins - Defined per database. They have all the privileges >>> > readers have plus the privileges: write (and edit) design documents, >>> > add/remove database admins and readers, set the database revisions li= mit >>> > >>> > (/somedb/_revs_limit API) and execute temporary views against the >>> database >>> > (/somedb/_temp_view API). They can not create a database and neither >>> delete >>> > a database. >>> >>> D'oh, Marcello posted a pithy and timely answer while I had lunch. >>> I'll send anyway. >>> >>> The typical setup is: >>> >>> * 1 server admin >>> * 0 or more database admins (name or roles in _security.admins) >>> * An admin deploys a design document >>> * Several normal users (name or roles in _security.readers but *not* >>> admins) >>> >>> "readers" is a misnomer. It really means "members." Read access is >>> database-wide, write access is at the pleasure of >>> validate_doc_update(). >>> >>> To that end, Chris changed CouchDB so that future releases will use >>> the "members" field. He committed his change last Thanksgiving >>> weekend. Thanks, Chris! >>> >>> > I'm gonna set up a little experiment in the morning (when I can think >>> > clearly) to find out for myself. The _revs_limit PI and temporary vie= ws >>> are >>> > scary too. >>> >>> I strongly encourage an experiment. 15 or 20 minutes of poking around >>> will make things very clear. >>> >>> Cloudant has a brilliant UI to impose more intuitive and traditional >>> security policies for exactly this reason. >>> >>> >> I call it a 2.5-layer architecture >>> >> because there is no middleware, but it still requires a third >>> >> component, to watch over things. The drop box would be amazing; >>> >> however I am still happy with my architecture because bugs or crashe= s >>> >> in the third component are not so devastating to the user experience= . >>> > >>> > The great thing about this architecture is that you can easily have >>> CouchDB >>> > monitor the third party stuff and keep it running with external OS >>> processes >>> > [1]. I like the term '2.5-layer' :D. >>> >>> Is it too late to change the name to "2.1-layer"? >>> >>> * Hints that the extra step is not going to break your back >>> * Kind of like 5.1 surround sound >>> >>> > By the way, why hasn't this been implimented before? It seems strange= to >>> me. >>> > Is there something inherent in the architecture of CouchDB that makes >>> this >>> > difficult? >>> >>> I think it is a matter of time. The people in a position to implement >>> it have not felt quite enough pressure. >>> >>> /me whistles innocently. >>> >>> -- >>> Iris Couch >>> >> >