CouchDB read authorization
In couchdb website -> technical overview -> security and validation - http://couchdb.apache.org/docs/overview.html - it writes that (on reader access part) "To p开发者_JAVA百科rotect document contents, CouchDB documents can have a reader list. This is an optional list of reader-names allowed to read the document. When a reader list is used, protected documents are only viewable by listed users." I searched about how to use it but i found nothing. So is it actually used and if it is how?
Thanks.
-- Mustafa
You are right, it is confusing. Please see the 0.11 "breaking" changes for more information.
Per-document read control is not possible; the readers
field is for access to the entire DB. For more information, load your database in Futon and click the Security...
link at the top.
The reason read control is not possible is because views (map and reduce) can draw information from all documents in the database, so it is generally impossible to prevent users from seeing private data in some form.
For detailed access control, you have two major choices:
- Have an application between your users and the DB. 99% of web applications using MySQL do this already (e.g. Ruby on Rails). Keep ACL information in the DB and your application grants/rejects access based on the ACL.
- Keep a dedicated database per user. You may have to modify your architecture but maybe not. You can use replication with a filter to copy only a user's data into his database. Then he reads from his database and writes to the central database.
- Login to the CouchDB as admin.
- Open a particular database you want to secure
- Click on Security button of that particular database.
- Add users to Members names who can read. (At least add admins username) as string element of an array.
Ex. Names: ["username1", "username2"] - Click on update button
Click here to see the image
精彩评论