[
https://issues.apache.org/jira/browse/COUCHDB-661?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12836454#action_12836454
]
Brian Candler commented on COUCHDB-661:
---------------------------------------
Looks like a serious DoS to me, with "only" 7500 databases.
If _all_dbs won't scale, then I think it should be for admins only (ideally
with startkey/limit like _all_docs for efficient pagination, but that's a
different issue)
Or perhaps it should be possible to replace _all_dbs with a view in a 'real'
database for non-admins.
e.g. occasionally you could copy all the _security objects into another
database, and generate a view with keys like
emit(['name',name],db)
emit(['role',role],db)
for efficient querying.
(IMHO this is another reason why _security objects should be real docs: so that
you can follow a _changes feed on them)
> _all_dbs should list only the DBs accessible to the user
> --------------------------------------------------------
>
> Key: COUCHDB-661
> URL: https://issues.apache.org/jira/browse/COUCHDB-661
> Project: CouchDB
> Issue Type: Bug
> Components: HTTP Interface
> Affects Versions: 0.11
> Environment: trunk / 0.11
> Reporter: Filipe Manana
> Fix For: 0.11
>
> Attachments: couchdb-_all_dbs-auth-2.patch,
> couchdb-_all_dbs-auth.patch
>
>
> As discussed in the auth roadmap mail, sent by Chris to @dev, the _all_dbs
> URI should only list the DBs that are accessible to the user.
> The following patch is a naive solution. It doesn't scale for CouchDB servers
> with millions of DBs. Regarding this scaling detail, I'll discuss soon in the
> @dev mailing list some ideas.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
