[jira] [Commented] (COUCHDB-1287) Inbox Database (write-only mode)

2011-09-18 Thread kowsik (JIRA) 

[ 
https://issues.apache.org/jira/browse/COUCHDB-1287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13107602#comment-13107602
 ] 

kowsik commented on COUCHDB-1287:
-

Just a dumb question, that maybe outside the scope of this write-only mode. Is 
there a way to use the update/validate handlers to rate-limit and or restrict 
the writes in some ways? Given the writes are effectively coming from an 
untrusted source, it won't take long to fill the disk *very* quickly. 


 Inbox Database (write-only mode)
 --

 Key: COUCHDB-1287
 URL: https://issues.apache.org/jira/browse/COUCHDB-1287
 Project: CouchDB
  Issue Type: New Feature
  Components: HTTP Interface
Affects Versions: 2.0
Reporter: Jason Smith
Priority: Minor

 Currently, we can only grant combined read+write access in the _security 
 object members section. A user can either do both or neither. This prevents 
 a very common requirement for couch apps: sending private information from 
 less-privileged users to more-privileged users.
 There is no (reasonable) way to make an inbox where anybody may create a 
 doc for me, but only I may read it. An inbox database allows user-to-user, or 
 user-to-admin private messages. (Not only chat messages, but asynchronous 
 notifications--with a per-user inbox, perhaps even service requests and 
 responses.)
 There is no reason _security.members (formerly .readers) should control write 
 access. validate_doc_update() functions do this better.
 I propose a boolean flag, _security.members.allow_anonymous_writes. If it is 
 true, then CouchDB will allow document updates from non-members, giving 
 validate_doc_update() the final word on accepting or rejecting the update.
 Requirements:
 1. Everything about _security stays the same (backward-compatible)
 2. If members.allow_anonymous_writes === true, then most PUT and POSTs may 
 proceed
 3. All updates are still subject to approval by all validate_doc_update 
 functions, same as before.
 The following unit tests cover as much of the functionality as I can think 
 of. (My patch is unfinished but X indicates that I have it working.)
 X Set a database with validate_doc_update, members != []
 X member can write
 X non-member cannot read
 X non-member cannot write
 X non-member cannot write even with .is_ok = true
 X Set inbox mode
 For non-member:
   X cannot update with .is_ok = false (still subject to validator)
   X can create with .is_ok = true
   X can update with .is_ok = true
   X Can store an attachment with _attachments
   X Can store attachments via direct query
   X Can delete an attachment via direct query
   X can delete the doc
   X can create via an _update function
   X can update via an _update function
   * None of these should work:
 X POST a temp view
 X POST a view with {keys:[keys, which, exist, and some which 
 don't]
 * POST /db/exist X-HTTP-Method-Override: GET
 * POST /db/_all_docs
 * POST /db/_changes
 * For _show and _list:
   * POST
   * OPTIONS
   * VARIOUS, NONSTANDARD, METHODS (in case Couch allows them later)
   * These syntax/semantic errors in _security should all fail:
 * .members.required_to_write = null, [missing], , 0, true, 1, false, 
 [false], {false:false}
 * .required_to_write = false
 These are the known changes to the security model. I consider these all to be 
 either very unlikely in practice, or worth the trade-off.
 * If you write to an inbox DB, you know, for a time, a subset of its 
 documents (but that's the point)
 * An _update function could reveal a document to the user, with or without 
 changing it. However, an admin must install such a misguided update function.
 * You can launch timing attacks to learn information about validate_doc_update
   * You might discover whether doc IDs exist in the DB or not
   * You might discover a well-known open source validation function. You can 
 look for bugs in its source code.
 * Zero or more things which Jason can't think of

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] Created: (COUCHDB-1093) Exceptions related to _changes + compact

2011-03-18 Thread kowsik (JIRA) 
Exceptions related to _changes + compact


 Key: COUCHDB-1093
 URL: https://issues.apache.org/jira/browse/COUCHDB-1093
 Project: CouchDB
  Issue Type: Bug
  Components: Database Core
Affects Versions: 1.0.2
 Environment: I don't believe this is OS and/or hardware elated, but 
I'm running on a redhat 32-bit linux kernel
Reporter: kowsik


From the last thread on the dev mailing list:

On Fri, Mar 18, 2011 at 10:54 AM, Filipe David Manana fdman...@apache.org 
wrote:
 Ah,

 I think the issue is while we are folding the by sequence btree, we
 are not checking if the database file changed. So if compaction
 finishes before finishing the btree fold, we reach that error.
 I can't see right now any other situation, involving _changes, that
 might cause that issue.


 On Fri, Mar 18, 2011 at 5:40 PM, kowsik kow...@gmail.com wrote:
 Been seeing this on our production CouchDB's (1.0.2) sporadically. We
 are using the _changes feed, background view indexing and automatic
 compaction.

 Uncaught error in HTTP request: {exit,
                                 {noproc,
                                  {gen_server,call,
                                   [0.1478.0,
                                    {pread_iolist,290916},
                                    infinity]}}}

  Stacktrace: [{gen_server,call,3},
             {couch_file,pread_iolist,2},
             {couch_file,pread_binary,2},
             {couch_file,pread_term,2},
             {couch_db,make_doc,5},
             {couch_db,open_doc_int,3},
             {couch_db,open_doc,3},
             {couch_changes,'-make_filter_fun/4-lc$^4/1-3-',2}]

 Not reproducible yet, but it seems compacting while there are active
 _changes listeners seems to trigger this. After the exception the
 _changes listeners are disconnected which then connect back and
 everything goes back to normal. beam itself holds up, though last
 night it terminated with no logs, nothing. Just poof. Any ideas?

 Thanks,

 K.
 ---
 http://blitz.io
 http://twitter.com/pcapr


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] Commented: (COUCHDB-841) Support WebSockets in continuous changes feeds

2011-03-14 Thread kowsik (JIRA) 

[ 
https://issues.apache.org/jira/browse/COUCHDB-841?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13006556#comment-13006556
 ] 

kowsik commented on COUCHDB-841:


feed=websocket so existing continuous feed types don't break?

 Support WebSockets in continuous changes feeds
 --

 Key: COUCHDB-841
 URL: https://issues.apache.org/jira/browse/COUCHDB-841
 Project: CouchDB
  Issue Type: New Feature
  Components: HTTP Interface
Affects Versions: 1.0
Reporter: Dirkjan Ochtman

 Just wanted to put this on the roadmap: it would be nice if continuous 
 changes feeds (and maybe some other things in CouchDB, not sure) could 
 support WebSockets. WebSockets are an emerging standard (there's no final 
 spec yet) with implementations in both recent Chrome and Firefox (beta) 
 releases that allows servers to push information to the browser without 
 having to do polling (or longpolling).

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] Commented: (COUCHDB-1089) Let anonymous users access _active_tasks for view generation estimates

2011-03-11 Thread kowsik (JIRA) 

[ 
https://issues.apache.org/jira/browse/COUCHDB-1089?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13005988#comment-13005988
 ] 

kowsik commented on COUCHDB-1089:
-

Bad idea. I've got a bunch of Couch's on EC2 and *do not* want anyone to access 
anything on these Couch's. I have the require_valid_user set to true with the 
assumption that everything's locked down. While EC2 security groups help, I'll 
sleep better knowing that Couch is not going to reveal anything to anyone 
without the required credentials.

 Let anonymous users access _active_tasks for view generation estimates
 --

 Key: COUCHDB-1089
 URL: https://issues.apache.org/jira/browse/COUCHDB-1089
 Project: CouchDB
  Issue Type: Improvement
  Components: HTTP Interface, JavaScript View Server
Reporter: max ogden
Priority: Minor
  Labels: http, view
   Original Estimate: 3h
  Remaining Estimate: 3h

 Currently you have to be a database administrator to access _active_tasks. 
 For UX purposes I would like to allow anyone to see view generation statuses, 
 preferably on a per database level. This solves the problem of the first user 
 to generate a view that then receives no time estimate as to when their 
 process will be completed. I can't think of an application use case for 
 making replication data public.
 I spoke with Volker Mische about the implementation details on this issue and 
 he asserted after a code dive that it appears achievable, though the innards 
 of the view status code were not familiar to him.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira