Posted to user@couchdb.apache.org by Herman Chan <he...@gmail.com> on 2012/06/13 21:52:14 UTC

newbie question - how to manage groups of users <-> databases in couchdb

Hi all,

I am new to couchdb so bear with me if this is really easy.

I am trying to prototype a system where there is a group of users who can
share everything within a database with each other. For example, think of a
message board system where, once a user is allowed into a particular board,
they can view/update/delete anything in that message board. Also, a user
can join multiple boards.

From what I have read so far, the way I am thinking to achieve this is to
have multiple databases within the couchdb server. Each database represents
a board and since boards don't need to talk to each other, this gives a nice
separation between boards.

My question is about user authorization. I know that I can create users in
couchdb and assign them ACLs within one "database", but is there a way in
couchdb to control user access at the "database" level? i.e. which
databases can a user read/write/update?

The only way I see now is to have another table in an "application" database
that controls user access, basically a mapping from user to database.

Re: newbie question - how to manage groups of users <-> databases in couchdb

Posted by Robert Newson <rn...@apache.org>.
it's "members" now, actually (though "readers" will work for backward
compatibility).

B.

On 13 June 2012 23:00, Herman Chan <he...@gmail.com> wrote:
> Cool, I believe you mean readers instead of members.
>
> I guess I'll need another document store in the main database to keep track
> of which users have access to which database, or is there a way to traverse
> all databases in the server to see which databases a particular user has
> access to?

Re: newbie question - how to manage groups of users <-> databases in couchdb

Posted by Herman Chan <he...@gmail.com>.
Cool, I believe you mean readers instead of members.

I guess I'll need another document store in the main database to keep track
of which users have access to which database, or is there a way to traverse
all databases in the server to see which databases a particular user has
access to?


On Wed, Jun 13, 2012 at 5:30 PM, Ryan Ramage <ry...@gmail.com> wrote:

> Your model of one db per 'board' is correct. To limit users, you can
> use the /db/_security object.
>
> see here:
> http://wiki.apache.org/couchdb/Security_Features_Overview#Authorization
>
> Basically, looks like this:
>
> {
>   "admins" : {
>     "names" : ["joe", "phil"],
>     "roles" : ["boss"]
>   },
>   "members" : {
>     "names" : ["dave", "bill"],
>     "roles" : []
>   }
> }
>
> Basically, put all the usernames of those you want to have access to the
> board in the members names.
>
> Just to be clear...this is for each db inside you can do this, which
> seems to support what you are trying to do.

Re: newbie question - how to manage groups of users <-> databases in couchdb

Posted by Ryan Ramage <ry...@gmail.com>.
Your model of one db per 'board' is correct. To limit users, you can
use the /db/_security object.

see here:
http://wiki.apache.org/couchdb/Security_Features_Overview#Authorization

Basically, looks like this:

{
  "admins" : {
    "names" : ["joe", "phil"],
    "roles" : ["boss"]
  },
  "members" : {
    "names" : ["dave", "bill"],
    "roles" : []
  }
}

Basically, put all the usernames of those you want to have access to the
board in the members names.

Just to be clear...this is for each db inside you can do this, which
seems to support what you are trying to do.


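Added example, not written by any poster in this thread: one way to answer "which databases can this user reach?" is to read each database's _security object and evaluate it against the user's name and roles. The helper names, the board names and the admin Authorization header are assumptions, and the sample data is constructed.

```python
import json
import urllib.parse
import urllib.request

def _listed(section, name, roles):
    """True if the user name or any of its roles appears in one section."""
    section = section or {}
    return name in section.get("names", []) or bool(
        set(roles) & set(section.get("roles", [])))

def access_level(security, name, roles):
    """Return "admin", "member" or None for one database's _security object."""
    if "_admin" in roles or _listed(security.get("admins"), name, roles):
        return "admin"  # server admins and database admins can also read
    # "readers" is the older key name; "members" is the current one.
    members = security.get("members") or security.get("readers") or {}
    # No member names and no member roles: the database is unrestricted.
    if not members.get("names") and not members.get("roles"):
        return "member"
    return "member" if _listed(members, name, roles) else None

def databases_for(name, roles, security_by_db):
    """Map each database the user can reach to the level of access."""
    levels = {db: access_level(sec, name, roles)
              for db, sec in sorted(security_by_db.items())}
    return {db: level for db, level in levels.items() if level}

def fetch_security(base_url, auth_header):
    """Collect /<db>/_security for every name in /_all_dbs (admin credentials)."""
    def get(path):
        req = urllib.request.Request(base_url + path,
                                     headers={"Authorization": auth_header})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return {db: get("/" + urllib.parse.quote(db, safe="") + "/_security")
            for db in get("/_all_dbs")}

# Constructed sample: four boards, one database each.
SAMPLE = {
    "board_a": {"admins": {"names": ["joe", "phil"], "roles": ["boss"]},
                "members": {"names": ["dave", "bill"], "roles": []}},
    "board_b": {"readers": {"names": ["dave"], "roles": []}},
    "board_c": {"members": {"names": [], "roles": ["board_c"]}},
    "board_open": {},  # empty _security object: no restriction
}

if __name__ == "__main__":
    for user, roles in [("dave", []), ("joe", []), ("kim", ["board_c"])]:
        print(user, databases_for(user, roles, SAMPLE))
```

Against a live server, pass the result of fetch_security() to databases_for() in place of SAMPLE. A database that shows up for every user, like board_open here, has an empty members section and is worth reviewing first.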

Re: newbie question - how to manage groups of users <-> databases in couchdb

Posted by Quang Van <qu...@gmail.com>.
I think from a management standpoint, you're better off using one database
for your whole application.

This way you can use views/indexes composed of data from different types...
for example, an index from all members who belong to group X.

You could use a "type" field, I believe that's common practice, but maybe a
more experienced CouchDBer could help you out. :)


