On 10.05.2008, at 16:47, Damien Katz wrote:
On May 10, 2008, at 10:09 AM, Christopher Lenz wrote:
On 28.04.2008, at 18:27, Damien Katz wrote:
Here are my thoughts on what we need for before we can get to
CouchDB 1.0. Feedback please.
Must have:
[...]
Security/Document validation: We need a way to control who can
update what documents and to validate the updates are correct.
This is absolutely necessary for offline replication, where
replicated updates to the database do not come through the
application layer.
[...]
Don't Need:
Authentication. We can go to 1.0 without authentication, relying
instead on local proxies to provide authentication.
So how would we provide authorization without authentication? There
needs to be some way to identify who's making a request, and if we
plan to rely on proxies for that, those proxies need to provide a
way to pass on the authentication results (e.g. REMOTE_USER). I
suspect they don't do that, but I may be wrong.
I'm thinking the proxy server will authenticate the users
credentials in the request HTTP header, then let the request pass
normally to the CouchDB server. If it can't authenticate, then it
rejects the request.
Yeah, but how will CouchDB be able to use the authentication results
to provide the "Security/Document validation" feature?
As far as I know, the proxy will keep the auth info to itself, and the
request will look like a standard anonymous request to CouchDB. I
*think* if we don't implement authentication, we can not implement
authorization/security for document validation.
Cheers,
--
Christopher Lenz
cmlenz at gmx.de
http://www.cmlenz.net/
