'Users can read the entire database' is a big no-no for our design. We store confidential information from our clients and they cannot see each other's stuff. Now, is the 'everyone-can-read' model all the CouchDB authentication system offers, or is it just a default, and can I restrict reading using the default authentication scheme?
On Mon, Sep 6, 2010 at 1:38 PM, J Chris Anderson <[email protected]> wrote:

>
> On Sep 6, 2010, at 8:50 AM, Wout Mertens wrote:
>
> > On Sep 6, 2010, at 17:24 , J Chris Anderson wrote:
> >
> >> Also it is worth noting that CouchDB has a builtin authentication system
> >> that gets this right, and you might just be able to piggyback on it,
> >> depending on your application:
> >>
> >> http://blog.couch.io/post/1027100082/whats-new-in-couchdb-1-0-part-4-securityn-stuff
> >
> > So the security model is:
> > - Admins can do everything on all local databases
> > - Readers can read the entire database
> > - Writes can have any model you like with validation functions
> >
> > So if you want to segment your database readers you have to segment your
> > databases.
> >
>
> Yes.
>
> > Furthermore, if you would like to use LDAP authentication, you'd have to
> > use an LDAP-to-OAuth server.
> >
>
> It should be a very simple patch to add new Erlang authentication handlers
> for things like LDAP, Kerberos, etc. That might be simpler than adding a
> bunch of glue to speak OAuth.
>
> > Correct?
> >
> > Wout.
> >

--
-----
Tiago Mikhael Pastorello Freire
a.k.a. Brazilian Joe
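The segmentation confirmed in the quoted thread (one database per client, a readers list per database, a validation function for writes), as an added example that is not part of the original messages or CouchDB's own code. The `client_<id>` database and role naming, the `client` document field and the sample users are assumptions made for illustration.

```javascript
// Added example. Assumption: each client gets a database "client_<id>" and
// that client's users hold a role with the same name.

// Body for PUT /<db>/_security. CouchDB 1.0 calls the section "readers",
// as in the thread: only these names/roles (and admins) may read the database.
function securityDocFor(clientId) {
  return {
    admins:  { names: [], roles: [] },
    readers: { names: [], roles: ["client_" + clientId] }
  };
}

// Write policy. CouchDB calls validate_doc_update on every write to the
// database and rejects the write when the function throws.
function validateDocUpdate(newDoc, oldDoc, userCtx) {
  if (userCtx.roles.indexOf("_admin") !== -1) return;       // admins may do anything
  if (!userCtx.name) throw { unauthorized: "login required" };
  if (userCtx.roles.indexOf(userCtx.db) === -1)             // role must match this db
    throw { forbidden: "not a member of " + userCtx.db };
  if (!newDoc._deleted && newDoc.client !== userCtx.db)     // hypothetical tag field
    throw { forbidden: "doc.client must equal " + userCtx.db };
}

// Design document carrying the policy; its source is stored as a string.
function designDoc() {
  return { _id: "_design/auth", validate_doc_update: validateDocUpdate.toString() };
}

// Local harness: true if the write would be accepted, false if rejected.
function writeAllowed(newDoc, oldDoc, userCtx) {
  try { validateDocUpdate(newDoc, oldDoc, userCtx); return true; }
  catch (e) { return false; }
}

// Constructed sample user contexts, shaped like CouchDB's userCtx.
const alice = { db: "client_acme", name: "alice", roles: ["client_acme"] };
const bob   = { db: "client_acme", name: "bob",   roles: ["client_globex"] };
const anon  = { db: "client_acme", name: null,    roles: [] };

console.log(JSON.stringify(securityDocFor("acme")));
console.log(writeAllowed({ _id: "inv-1", client: "client_acme" }, null, alice)); // own db
console.log(writeAllowed({ _id: "inv-1", client: "client_acme" }, null, bob));   // other client
console.log(writeAllowed({ _id: "inv-1", client: "client_acme" }, null, anon));  // not logged in
```

The validation function only governs writes; read isolation comes entirely from putting each client in its own database with its own `_security` object.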
