Posted to user@couchdb.apache.org by sftf <sf...@mail.ru> on 2009/11/18 06:35:17 UTC

Per document attributes authorization

Are there plans to implement authorization at the granularity of a document's attributes,
or should it be implemented at the application level?

In the current version I see only one version of access control at attribute granularity -
create personal views for each application user, emitting the permitted fields only.
But adding a user in this scheme requires the creation of new views and leads to
time-consuming indexing of potentially large volumes of data.


Re: Per document attributes authorization

Posted by Chris Anderson <jc...@apache.org>.
On Wed, Nov 18, 2009 at 7:31 AM, Ning Tan <ni...@gmail.com> wrote:
> On Wed, Nov 18, 2009 at 12:35 AM, sftf <sf...@mail.ru> wrote:
>> Are there plans to implement authorization at the granularity of a document's attributes,
>> or should it be implemented at the application level?
>>
>> In the current version I see only one version of access control at attribute granularity -
>> create personal views for each application user, emitting the permitted fields only.
>> But adding a user in this scheme requires the creation of new views and leads to
>> time-consuming indexing of potentially large volumes of data.
>
> Haven't put much thought into this, but from your problem description,
> I guess one way to alleviate the problem is to have views based on
> groups and assign users to a certain group.
>

You can use the user's name as a key in a single large view. So
instead of a key like [tag, date] you could have [user, tag, date] and
require users to prefix their queries with their own name.

Of course this doesn't help with the huge on-disk index (depending
on your # of users).

For write access of course the validation function is what you are looking for.


-- 
Chris Anderson
http://jchrisa.net
http://couch.io
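
The [user, tag, date] key and the validation function suggested in the reply above, as an added example that is not part of the original thread or of CouchDB's own code. The document fields (owner, tag, date, acl) and the helper names are assumptions; the key prefix only restricts reads when a trusted proxy or application layer sets the range, because a view can be queried with any key by anyone who can read the database.

```javascript
// Added example; the document layout (owner, tag, date, acl) is hypothetical.
// acl maps a user name to the list of field names that user may read.

// View map function: one row per (user, doc), keyed [user, tag, date],
// carrying only the fields that user is permitted to see.
// CouchDB provides emit() as a global; here it is a parameter so the
// function can be exercised outside the server.
function mapByUser(doc, emit) {
  if (!doc.acl) return;
  Object.keys(doc.acl).forEach(function (user) {
    var visible = {};
    doc.acl[user].forEach(function (field) {
      if (field !== 'acl' && field in doc) visible[field] = doc[field];
    });
    emit([user, doc.tag, doc.date], visible);
  });
}

// Key range a trusted proxy would force onto every view query so that a
// user only reads rows whose key starts with their own name.
// {} collates after strings in CouchDB view collation.
function rangeFor(user) {
  return { startkey: [user], endkey: [user, {}] };
}

// validate_doc_update: write-side check, run by CouchDB on every update.
function validate(newDoc, oldDoc, userCtx) {
  if (!userCtx.name) throw { unauthorized: 'login required' };
  if (oldDoc && oldDoc.owner !== userCtx.name)
    throw { forbidden: 'only the owner may change this document' };
  if (newDoc.owner !== userCtx.name)
    throw { forbidden: 'owner must be the authenticated user' };
}

// Constructed sample document and a local run of the map function.
var sample = { _id: 'd1', owner: 'alice', tag: 'hr', date: '2009-11-18',
               salary: 100, title: 'engineer',
               acl: { alice: ['title', 'salary'], bob: ['title'] } };
function rowsFor(doc) {
  var rows = [];
  mapByUser(doc, function (k, v) { rows.push({ key: k, value: v }); });
  return rows;
}
console.log(JSON.stringify(rowsFor(sample)), rangeFor('bob'));
```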

Re: Per document attributes authorization

Posted by Ning Tan <ni...@gmail.com>.
On Wed, Nov 18, 2009 at 12:35 AM, sftf <sf...@mail.ru> wrote:
> Are there plans to implement authorization at the granularity of a document's attributes,
> or should it be implemented at the application level?
>
> In the current version I see only one version of access control at attribute granularity -
> create personal views for each application user, emitting the permitted fields only.
> But adding a user in this scheme requires the creation of new views and leads to
> time-consuming indexing of potentially large volumes of data.

Haven't put much thought into this, but from your problem description,
I guess one way to alleviate the problem is to have views based on
groups and assign users to a certain group.