CouchDB - prevent unauthorized reads
CouchDB has a mechanism in pla开发者_开发知识库ce to prevent unauthorized writes.
Can it also prevent unauthorized reads?
Yes, CouchDB can prevent unauthorized reads. Unfortunately, it is slightly less straightforward.
Imagine a secret auction application. You bid $20 and I bid $10; each bid in a couch document. Couch lets us read our own bid documents but no others. However, there is a map-reduce view showing the average. I load the view and see that the average is $15, so I conclude that your bid is $20 and I have broken the security policy. View output can leak some or all of a document's information. It is not feasible to enforce security at the document level. That is why read access is at the database level.
I know, it sucks. But that is the only correct, scalable answer.
This is part of the reason the Couch philosophy is to create many databases—even one (or more!) per user. Read permission to a database is set in the readers
value of the database _security
object. (Note, the field readers was renamed to members in CouchDB trunk because it also specifies who may write to the DB.)
The technique works like this:
- Create a database for each user. It will hold all documents the user may read. Add the user (or the user's role) to the
_security
object. - In the master database, create a filter function which implements the read policy. (It could share code with
validate_doc_update
.) - Replicate from the master database to the user's database with
?filter=my_filter_function
. - Allow the user to load (or replicate from) their database.
Of course, this is all for a pure Couch application, where users access Couch directly. If you have a middle layer (MVC controller, or just a reverse HTTP proxy), then you can enforce policy there, between the user and the couch. But be careful. For example, a _show
function or a _rewrite
rule might allow a user to load a view or document despite your policy.
Good luck!
精彩评论