> On 4. Aug 2020, at 16:03, Bessenyei Balázs Donát <bes...@apache.org> wrote:
> 
> On Tue, 4 Aug 2020 at 13:10, Jan Lehnardt <j...@apache.org> wrote:
>> 
>> Ah, there might be a misconception. Per-doc-access databases are not “more
>> secure” than regular databases. They are a trade-off between additional
>> access-control for additional CPU and disk resources. But it’s not a case of
>> having a regular db-as-we-know-and-use-it-today and enabling per-doc-access
>> and now it is more secure, it behaves differently and your app needs to
>> account for that.
> 
> I didn't mean it would make the product more secure out-of-the-box. I
> was just referring to the principle of least privilege ([1]) - as in
> people would not be able to create "free for all" databases by
> accident (forgetting to supply the enable flag). Please let me know if
> I misunderstood the feature somehow.

Happy to clarify ;)

I see where you are coming from, but I think the nature of the feature is more:

- I accept the trade-offs for getting advanced access control feature

rather than

- All new databases should be set up this way

The main thrust of this feature is to make the db-per-user pattern obsolete.

If you use CouchDB without db-per-user, then you won’t get much benefits from
per-doc-access.

Best
Jan
—
> 
>> I don’t mind adding a global off switch that overrides the on-when-specified
>> case to disable all per-doc-access creations.
> 
> Awesome, thank you!
> 
> 
> Donat
> 
> [1] https://en.wikipedia.org/wiki/Principle_of_least_privilege