CouchDB - prevent unauthorized reads
Question
CouchDB has a mechanism in place to prevent unauthorized writes.
Can it also prevent unauthorized reads?
Recommended answer
Yes, CouchDB can prevent unauthorized reads. Unfortunately, it is slightly less straightforward.
Imagine a secret auction application. You bid $20 and I bid $10; each bid is in a Couch document. Couch lets us read our own bid documents but no others. However, there is a map-reduce view showing the average. I load the view and see that the average is $15, so I conclude that your bid is $20 and I have broken the security policy. View output can leak some or all of a document's information. It is not feasible to enforce security at the document level. That is why read access is at the database level.
I know, it sucks. But that is the only correct, scalable answer.
This is part of the reason the Couch philosophy is to create many databases—even one (or more!) per user. Read permission to a database is set in the readers value of the database _security object. (Note, the field readers was renamed to members in CouchDB trunk because it also specifies who may write to the DB.)
The technique works like this:
- Create a database for each user. It will hold all documents the user may read. Add the user (or the user's role) to the _security object.
- In the master database, create a filter function which implements the read policy. (It could share code with validate_doc_update.)
- Replicate from the master database to the user's database with ?filter=my_filter_function.
- Allow the user to load (or replicate from) their database.
Of course, this is all for a pure Couch application, where users access Couch directly. If you have a middle layer (MVC controller, or just a reverse HTTP proxy), then you can enforce policy there, between the user and the Couch. But be careful. For example, a _show function or a _rewrite rule might allow a user to load a view or document despite your policy.
Good luck!
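The per-user-database technique from the answer, modelled as an added Node.js example (not code from the answer or from CouchDB): a replication filter and a validate_doc_update that share one ownership predicate, the _security object for a user's database, and an in-memory simulation of the filtered replication over constructed bid documents. The document shape (type, owner, amount), the query parameter name "user" and the function names are assumptions; in a real deployment the two CouchDB functions would be stored as strings in a design document of the master database.

```javascript
// Shared policy code: a bid document belongs to exactly one user (assumed
// document shape: { type: 'bid', owner: <username>, amount: <number> }).
function isOwnBid(doc, name) {
  return doc.type === 'bid' && doc.owner === name;
}

// Read policy: non-bid documents (e.g. auction items) are public, bids are
// visible only to their owner.
function canRead(doc, name) {
  return doc.type !== 'bid' || isOwnBid(doc, name);
}

// Replication filter: CouchDB calls filter(doc, req); the replicator passes
// the query_params of the replication request through as req.query. Only
// documents the target user may read are copied into that user's database.
function readPolicyFilter(doc, req) {
  return canRead(doc, req.query.user);
}

// validate_doc_update shares isOwnBid, so the write policy in the master
// database cannot drift away from the read policy applied during replication.
function validateDocUpdate(newDoc, oldDoc, userCtx, secObj) {
  if (userCtx.roles.indexOf('_admin') !== -1) return;
  if (!isOwnBid(newDoc, userCtx.name)) {
    throw { forbidden: 'You may only write your own bids' };
  }
}

// _security object for one user's database: "members" (called "readers" in
// older releases, as the answer notes) lists the single user allowed in.
function userDbSecurity(name) {
  return { admins: { names: [], roles: [] }, members: { names: [name], roles: [] } };
}

// Simulates "replicate master -> user db with ?filter=..." over an in-memory
// list of master documents; returns the ids that land in the user's database.
function replicateForUser(masterDocs, name) {
  const req = { query: { user: name } };
  return masterDocs.filter((d) => readPolicyFilter(d, req)).map((d) => d._id);
}

// Constructed sample data for the secret-auction scenario in the answer.
const MASTER_DOCS = [
  { _id: 'bid-alice', type: 'bid', owner: 'alice', amount: 20 },
  { _id: 'bid-bob', type: 'bid', owner: 'bob', amount: 10 },
  { _id: 'item-1', type: 'item', title: 'Painting' },
];
```

Because each user only ever replicates from their own database, a map-reduce view built on top of it can only aggregate documents that user was already allowed to read.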