CouchDB - prevent unauthorized reads


Question

CouchDB has a mechanism in place to prevent unauthorized writes.

Can it also prevent unauthorized reads?

Recommended answer

Yes, CouchDB can prevent unauthorized reads. Unfortunately, it is slightly less straightforward.

Imagine a secret auction application. You bid $20 and I bid $10, each bid in a Couch document. Couch lets us read our own bid documents but no others. However, there is a map-reduce view showing the average. I load the view and see that the average is $15, so I conclude that your bid is $20 and I have broken the security policy. View output can leak some or all of a document's information. It is not feasible to enforce security at the document level. That is why read access is at the database level.

I know, it sucks. But that is the only correct, scalable answer.

This is part of the reason the Couch philosophy is to create many databases, even one (or more!) per user. Read permission to a database is set in the readers value of the database _security object. (Note, the field readers was renamed to members in CouchDB trunk because it also specifies who may write to the DB.)

The technique works like this:

  1. Create a database for each user. It will hold all documents the user may read. Add the user (or the user's role) to the _security object.
  2. In the master database, create a filter function which implements the read policy. (It could share code with validate_doc_update.)
  3. Replicate from the master database to the user's database with ?filter=my_filter_function.
  4. Allow the user to load (or replicate from) their database.

Of course, this is all for a pure Couch application, where users access Couch directly. If you have a middle layer (MVC controller, or just a reverse HTTP proxy), then you can enforce policy there, between the user and the Couch. But be careful. For example, a _show function or a _rewrite rule might allow a user to load a view or document despite your policy.

Good luck!
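The four-step technique in the answer, worked through as an added example; this is not code from the answer or from CouchDB itself. It writes the read policy once, embeds it in both the replication filter and validate_doc_update of a design document (so the read and write rules cannot drift apart), builds the _security object for a per-user database and the replication document that feeds it, and then simulates the filter offline over a few constructed bid documents to show which ones each user's database would receive. Two details come from CouchDB rather than the answer: a filter is referenced as design-doc-name/filter-name (so ?filter=bids/by_owner, not a bare function name), and the _security field is members in CouchDB 1.1 and later (readers in 1.0). The database names bids and bids-<user>, the owner field on bid documents, the design document name and the user names are all assumptions made for the example.

```javascript
// Added example (not from the original answer or from CouchDB): per-user
// read policy for a secret-auction master database, expressed the way
// CouchDB stores it, plus an offline simulation of filtered replication.
// Database names, document shapes and user names are assumptions.

// Shared policy source. CouchDB stores design-document functions as
// JavaScript source strings, so the same text can be spliced into both
// the replication filter and validate_doc_update.
const policySource = `
  // A bid may be seen (or written) only by the user who owns it.
  function mayAccess(doc, userName) {
    return typeof doc.owner === "string" && doc.owner === userName;
  }
`;

// Design document stored in the master database "bids" (assumed name).
const designDoc = {
  _id: "_design/bids",
  filters: {
    // Referenced as ?filter=bids/by_owner with user=<name> passed in
    // query_params. Deleted docs carry no owner and are therefore dropped.
    by_owner: `function (doc, req) {
      ${policySource}
      return mayAccess(doc, req.query.user);
    }`,
  },
  // The write side of the same policy, enforced by the master database.
  validate_doc_update: `function (newDoc, oldDoc, userCtx) {
    ${policySource}
    if (!mayAccess(newDoc, userCtx.name)) {
      throw { forbidden: "you may only write your own bids" };
    }
  }`,
};

// Compile a stored function body the way the query server would.
function compile(source) {
  return new Function(`return (${source});`)();
}

// Step 1: _security object for the per-user database. Listing only that
// user under members means nobody else (server admins aside) can read it.
// "members" is the CouchDB 1.1+ name; CouchDB 1.0 called it "readers".
function securityFor(userName) {
  return {
    admins: { names: [], roles: [] },
    members: { names: [userName], roles: [] },
  };
}

// Step 3: replication document pulling only that user's documents from
// the master database into the user's database (needs a real CouchDB).
function replicationFor(userName) {
  return {
    source: "bids",
    target: `bids-${userName}`,
    filter: "bids/by_owner",
    query_params: { user: userName },
    continuous: true,
  };
}

// Offline simulation of step 3: which master documents would the filter
// let through into this user's database? Returns their _id values.
function simulateReplication(masterDocs, userName) {
  const filter = compile(designDoc.filters.by_owner);
  const req = { query: replicationFor(userName).query_params };
  return masterDocs.filter((doc) => filter(doc, req)).map((doc) => doc._id);
}

// Would the master database accept this write from this user?
function writeAllowed(newDoc, userName) {
  const validate = compile(designDoc.validate_doc_update);
  try {
    validate(newDoc, null, { name: userName, roles: [] });
    return true;
  } catch (e) {
    return false; // CouchDB turns the thrown {forbidden: ...} into HTTP 403
  }
}

// Constructed sample data: the two sealed bids from the answer plus a
// tombstone that has no owner field at all.
const masterDocs = [
  { _id: "bid:alice", owner: "alice", amount: 20 },
  { _id: "bid:bob", owner: "bob", amount: 10 },
  { _id: "bid:stale", _deleted: true },
];

console.log("alice receives:", simulateReplication(masterDocs, "alice"));
console.log("bob receives:", simulateReplication(masterDocs, "bob"));
console.log("mallory receives:", simulateReplication(masterDocs, "mallory"));
```

Against a live server each object goes to its usual endpoint: the design document is PUT to /bids/_design/bids, the security object to /bids-alice/_security (and one per user), and the replication document is POSTed to /_replicate or stored in the _replicator database. Users are then given credentials that appear only in their own database's members list, so the master database, and every view on it, stays out of their reach; that is what closes the average-bid leak the answer describes.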
