On Tue, Jan 19, 2010 at 06:40:45AM +0000, Brian Candler wrote:
> If it's desirable that these things *don't* replicate, then I propose the
> following instead.
>
> (1) User has a role "dbname:_admin" if they're a database administrator, and
> "dbname:_reader" if they're a reader.
>
> (2) That's it.
>
> I make the following observations:
>
> * We already must know the roles associated with this user, so
> the checking is cheap
> * It scales (N users each with access to M databases)
> * It doesn't have concurrency issues
> * It doesn't involve a special API nor changes to the on-disk format
> * It easily supports the idea of a separate "db:_manager" role (who can
> add and remove users to a database, except for _admins)
Note that for database admin A to add access for user U, they first need to
be able to read U's user record, as it's a read-modify-write operation.
The _users database is world-readable at the moment anyway.
If in future that gets locked down, then either:
(1) you allow anyone with admin rights to *any* database to be able to read
all users; or
(2) you have a special endpoint for "grant/revoke role X to user B".
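An added illustration of the proposal above (my code, not the thread's and not CouchDB's): per-database roles checked straight off the user record, plus the read-modify-write grant/revoke that a "_manager" may perform except for "_admin". The user records and function names are constructed for the example.

```python
"""Per-database roles ("dbname:_admin", "dbname:_reader", "dbname:_manager")
checked against the roles list already present on the user record.
Constructed illustration of the proposal in the thread, not CouchDB code."""
from typing import Dict, List

UserDB = Dict[str, dict]  # constructed stand-in for the _users database


def sample_users() -> UserDB:
    """Constructed sample records; a real _users document has more fields."""
    return {
        "alice": {"roles": ["hr:_reader", "sales:_admin"]},
        "bob": {"roles": ["sales:_manager"]},
        "carol": {"roles": ["sales:_reader"]},
    }


def has_role(user: dict, dbname: str, role: str) -> bool:
    """Cheap check: no extra lookup, the roles are on the record we already hold."""
    return f"{dbname}:{role}" in user.get("roles", [])


def may_read(user: dict, dbname: str) -> bool:
    return any(has_role(user, dbname, r) for r in ("_admin", "_manager", "_reader"))


def may_write(user: dict, dbname: str) -> bool:
    return has_role(user, dbname, "_admin")


def can_change_role(acting: dict, dbname: str, role: str) -> bool:
    """_admin may change any role on its database; _manager may add or
    remove _reader and _manager but never touch _admin."""
    if has_role(acting, dbname, "_admin"):
        return True
    return has_role(acting, dbname, "_manager") and role != "_admin"


def change_role(users: UserDB, actor: str, target: str, dbname: str,
                role: str, add: bool = True) -> List[str]:
    """Grant (add=True) or revoke a role: a read-modify-write of the
    target's user record, so the actor must be able to read that record."""
    if not can_change_role(users[actor], dbname, role):
        raise PermissionError(f"{actor} may not change {dbname}:{role}")
    record = users[target]                      # read (needs access to _users)
    roles = set(record.get("roles", []))        # modify
    (roles.add if add else roles.discard)(f"{dbname}:{role}")
    record["roles"] = sorted(roles)             # write
    return record["roles"]
```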