Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2018/11/09 17:18:43 UTC

[GitHub] AlexanderKaraberov opened a new issue #1724: [Feature Proposal] Support Erlang-only validate_doc_read functions

URL: https://github.com/apache/couchdb/issues/1724
 
 
This is not really a feature request, because we do have this functionality implemented in our CouchDB 2.x fork. However, I decided that this functionality might be a good fit for the upstream repo. CouchDB already has support for [validate_doc_update](http://docs.couchdb.org/en/2.2.0/ddocs/ddocs.html#validatefun) functions which, if defined in the ddoc, can be used to prevent invalid or unauthorized document update requests from being stored. In other words, document-level write security.

I'm proposing a patch which adds the same type of security, but for all document reads. This functionality has been used in our production cluster and has proved to be useful. There are a lot of valid use case scenarios akin to "some particular user may only read documents he created" and so on. This may also alleviate the overhead caused by alternative solutions such as per-user DBs. Of course, this can lay waste to read performance if `validate_doc_read` functions are implemented in JS, due to the notorious external OS query server and the serialisation/deserialisation and standard I/O overhead. Hence I propose to impose a limitation that these functions be implemented only in Erlang and marked as advanced functionality, perhaps even available solely by means of some additional config option `validate_doc_read = true`. Therefore this **will not** in any case affect the default CouchDB setup, but might be useful for advanced users. When implemented in Erlang the potential overhead is negligible, but the benefits are perceptible. In a nutshell, the implementation extends `load_validation_funs` to also find, load and parse `validate_doc_read` functions from design documents and then makes the appropriate calls at the end of `make_doc()`. An unauthorised exception will be thrown and status code 403 returned from the `chttpd` handler when some invariants in the `validate_doc_read` logic are violated.

I've decided to create this issue instead of directly sending a PR because I would first like to gather feedback from the core Apache and Cloudant maintainers regarding the usefulness and expediency of this feature. In case of a more or less positive response I would be glad to submit a PR which will shed more light on the technical part (which is pretty straightforward) as well as open a discussion about potential improvements.
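The flow described in the proposal (validators collected from design documents by `load_validation_funs`, applied at the end of `make_doc()`, and a rejection surfaced as a 403 by the HTTP handler) as an added toy model in Python. This is an illustration written for this page, not CouchDB code or the author's patch: the validator signature `(doc, user_ctx)`, the design-document layout, the `validate_doc_read_enabled` flag standing in for the proposed config option, and the handler are all assumptions, and where the real proposal would store Erlang source in the design document this model stores a Python callable.

```python
"""Toy model of document-level read validation, modelled on the issue above.

Added illustration, not CouchDB code. Assumed: validators take (doc, user_ctx)
and raise Forbidden to reject; design docs hold a callable under the key
"validate_doc_read" in place of Erlang source; a boolean on the database
stands in for the proposed `validate_doc_read = true` config option.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


class Forbidden(Exception):
    """Raised by a validate_doc_read function to reject a read (reported as 403)."""


class NotFound(Exception):
    """Raised when the requested document does not exist (reported as 404)."""


# Assumed validator signature: return normally to allow the read, raise
# Forbidden to reject it.
ReadValidator = Callable[[dict, dict], None]


def owner_only(doc: dict, user_ctx: dict) -> None:
    """Allow a read only to the document's owner or to a server admin."""
    if "_admin" in user_ctx.get("roles", []):
        return
    if doc.get("owner") != user_ctx.get("name"):
        raise Forbidden("only the owner may read %s" % doc["_id"])


def no_secrets_for_anonymous(doc: dict, user_ctx: dict) -> None:
    """Refuse documents marked secret to unauthenticated users."""
    if doc.get("classification") == "secret" and user_ctx.get("name") is None:
        raise Forbidden("anonymous users may not read %s" % doc["_id"])


@dataclass
class Database:
    docs: Dict[str, dict]
    # Each design doc maps field names to values; only "validate_doc_read" matters here.
    design_docs: Dict[str, Dict[str, ReadValidator]]
    # Stand-in for the proposed opt-in config option; off by default.
    validate_doc_read_enabled: bool = False


def load_validation_funs(db: Database) -> List[ReadValidator]:
    """Collect every validate_doc_read function defined by a design document.

    Nothing is loaded unless the feature is switched on, so a default setup
    pays no cost and sees no behaviour change.
    """
    if not db.validate_doc_read_enabled:
        return []
    return [ddoc["validate_doc_read"] for ddoc in db.design_docs.values()
            if "validate_doc_read" in ddoc]


def make_doc(db: Database, doc_id: str, user_ctx: dict) -> dict:
    """Load a document, then run every read validator before returning it."""
    if doc_id not in db.docs:
        raise NotFound(doc_id)
    doc = db.docs[doc_id]
    # All validators must accept the read; the first rejection stops the read.
    for validate in load_validation_funs(db):
        validate(doc, user_ctx)
    return doc


def handle_get(db: Database, doc_id: str, user_ctx: dict) -> Tuple[int, dict]:
    """Map the outcome to an HTTP-style (status, body) pair, as the handler would."""
    try:
        return 200, make_doc(db, doc_id, user_ctx)
    except Forbidden as exc:
        return 403, {"error": "forbidden", "reason": str(exc)}
    except NotFound:
        return 404, {"error": "not_found", "reason": "missing"}


# Constructed sample data for the demonstration.
SAMPLE_DB = Database(
    docs={
        "note-1": {"_id": "note-1", "owner": "alice", "classification": "secret"},
        "note-2": {"_id": "note-2", "owner": "bob"},
    },
    design_docs={
        "_design/ownership": {"validate_doc_read": owner_only},
        "_design/classification": {"validate_doc_read": no_secrets_for_anonymous},
    },
    validate_doc_read_enabled=True,
)

ALICE = {"name": "alice", "roles": []}
BOB = {"name": "bob", "roles": []}
ADMIN = {"name": "root", "roles": ["_admin"]}
ANONYMOUS = {"name": None, "roles": []}

if __name__ == "__main__":
    for who, ctx in [("alice", ALICE), ("bob", BOB), ("admin", ADMIN), ("anonymous", ANONYMOUS)]:
        print(who, "->", handle_get(SAMPLE_DB, "note-1", ctx)[0])
```

Two points the model makes visible that the prose leaves implicit: the proposal does not say in which order validators from several design documents run, so a rejection from any one of them must be sufficient regardless of order, and a 403 on a rejected read tells the caller that the document exists, which a deployment that treats document ids as sensitive may prefer to answer with the same 404 it returns for a missing document.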

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services