You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@couchdb.apache.org by Adam Kocoloski <ad...@gmail.com> on 2008/12/03 19:55:09 UTC

Re: New Security and Validation Features

On Nov 21, 2008, at 5:12 PM, Damien Katz wrote:

> -Authorization/Validation-
>
> Each design document can contain a document update validation  
> function. Like views, these can be in any language. The language is  
> set at the design document level.
>
> On document update -- either via interactive update or via  
> replication -- each is run in succession. These validation functions  
> are responsible for enforcing document constraints or schemas, and  
> to enforce security.
>
> Validation functions are provided the new document, previous  
> revision of the document on disk, and the user context. The user  
> context has the users name and roles.
>
> If the document values don't pass validation, a forbidden exception  
> is returned If the user isn't allow to update the document, a  
> unauthorized exception is returned.
>
> This scheme can be used for signature based security (is the update  
> signed by an authorized user) or user based security (is the user  
> currently writing the update an authorized user).
>
> This user based example ensures that every document has an authors  
> field and when updating an existing document, you are an allowed  
> author, or a moderator:
>
> function(newDocument, previousDocument, userCtx) {
>  if (!newDocument._deleted && !newDocument.author) {
> 	throw {forbidden, "All documents must have an author specified."}
>  }
>  if (previousDocument &&
> 	previousDocument.author != userCtx.name &&
> 	userCtx.roles.indexOf("Discussion Moderator") == -1) {
> 	throw {unauthorized, "You are not the author of this document."}
>  }
> }
>
> The validation works with replication too, all updates, whether  
> interactive or replicated are validated. But the replication still  
> needs testing and might be buggy on update failures.
>
> That's all for now. Question and comments please.
>
> -Damien

Hi Damien, cool stuff.  Could we have it so that the user context  
passed to the validation function includes a role of "_admin" if the  
user's name is in the DB admins list?  Maybe something as simple as

diff --git a/trunk/src/couchdb/couch_db.erl b/trunk/src/couchdb/ 
couch_db.erl
index 7de5b8d..4eed8bc 100644
--- a/trunk/src/couchdb/couch_db.erl
+++ b/trunk/src/couchdb/couch_db.erl
@@ -231,9 +231,14 @@ validate_doc_update(_Db, #doc{id= <<"_local/",_/ 
binary>>}=Doc, _GetDiskDocFun) -
      Doc;
  validate_doc_update(#db{name=DbName,user_ctx=Ctx}=Db, Doc,  
GetDiskDocFun) ->
      DiskDoc = GetDiskDocFun(),
+    UserName = Ctx#user_ctx.name,
+    Roles = Ctx#user_ctx.roles ++ case lists:member(UserName,  
Db#db.admins) of
+        true -> [<<"_admin">>];
+        false -> []
+    end,
      JsonCtx =  {[{<<"db">>, DbName},
-            {<<"name">>,Ctx#user_ctx.name},
-            {<<"roles">>,Ctx#user_ctx.roles}]},
+            {<<"name">>,UserName},
+            {<<"roles">>,Roles}]},
      [case Fun(Doc, DiskDoc, JsonCtx) of
          ok -> ok;
          Error -> throw(Error)

Best, Adam

Re: New Security and Validation Features

Posted by Adam Kocoloski <ad...@gmail.com>.

On Dec 3, 2008, at 8:01 PM, Chris Anderson wrote:

> On Wed, Dec 3, 2008 at 10:55 AM, Adam Kocoloski
> <ad...@gmail.com> wrote:
>>
>> Hi Damien, cool stuff.  Could we have it so that the user context  
>> passed to
>> the validation function includes a role of "_admin" if the user's  
>> name is in
>> the DB admins list?
>
> Why not just go all the way and include the full list of the user's  
> roles?

Hi Chris, that's the goal.  All the other roles are already being  
included in the context passed to the validation function.  DB admin  
is a bit of a special case since its a calculated quantity --  
specifically, a user is a DBA if there's a non-zero intersection  
between [#user_ctx.name | #user_ctx.roles] and #db.admins.

In the patch I appended _admin to the list of roles.  I didn't replace  
the existing ones.  Best,

Adam

Re: New Security and Validation Features

Posted by Chris Anderson <jc...@apache.org>.

On Wed, Dec 3, 2008 at 10:55 AM, Adam Kocoloski
<ad...@gmail.com> wrote:
>
> Hi Damien, cool stuff.  Could we have it so that the user context passed to
> the validation function includes a role of "_admin" if the user's name is in
> the DB admins list?

Why not just go all the way and include the full list of the user's roles?

-- 
Chris Anderson
http://jchris.mfdz.com