使用CouchDB高级权限 [英] Advanced permissions with couchdb
问题描述
我们有多个用户的应用couchapp和权限的复杂系统。
我们的模型有两种:Foo和酒吧
We have a couchapp application with multiple users and a complex system of permissions. Our models are of two kinds: Foo and bar.
用户有自己的Foo和Bar管理员权限,并且可以获准看,更改和删除其他人的Foo和酒吧。
Users have admin access to their own Foo and Bar, and can be given permission to see, change and delete other people's Foo and bar.
例如:
用户萨布丽娜有这些模型:
User Sabrina has these models:
Foo {
_id: 1
}
Foo {
_id: 2
}
Bar {
_id:1
}
Bar {
_id:2
}
当然,真正的模型是较大的文档。
Of course the real models are larger documents.
她想给朱读访问给她FOOS,和读写访问她的第一条。她还希望朱利亚没有能够看到她的第二个栏。
She wants to give Giulia read access to her Foos, and read and write access to her first bar. She also wants Giulia not to be able to see her second Bar.
我们怎样才能在CouchDB中这种权限模型?
How can we model this kind of permissions in couchdb?
这是我们正在使用的解决方案,但它似乎有很多复杂的,我们不知道是否有更简单的一种:
This is the solution we are using, but it seems a lot complex and we wonder if there's a simpler one:
我们有一个选择的角色: {用户名}:系统管理员:可以读,写,每次与用户数据库中删除一切 {用户名}:FOOS:读:可以在与用户FOOS数据库中读取每个文档 {用户名}:FOOS:写:可以在与用户数据库FOOS写每个文档 {用户名} {}吧:读:可以读取与用户的数据库吧 {用户名} {}吧:写:可以写与用户的数据库吧。
We have a selection of roles:
{username}:admin: can read, write, delete everything on every database related to the user
{username}:foos:read: can read every document in the foos database related to the user
{username}:foos:write: can write every document in the foos database related to the user
{username}:{bar}:read: can read the Bar database related to the user
{username}:{bar}:write: can write the Bar database related to the user
当萨布丽娜注册到应用程序,我们创建了一个新的萨布丽娜-FOOS 数据库,我们给用户塞布丽娜的作用萨布丽娜:管理员。
When Sabrina register to the app, we create a new sabrina-foos database, and we give to the user Sabrina the role sabrina:admin.
的萨布丽娜-FOOS 数据库与 _security 文件授予访问角色创建萨布丽娜:系统管理员,萨布丽娜:FOOS:读,萨布丽娜:FOOS:写
The sabrina-foos database is created with a _security document granting access to roles sabrina:admin, sabrina:foos:read, sabrina:foos:write.
的萨布丽娜-FOOS 数据库与验证功能,可写权限的角色创建萨布丽娜:管理员 ,萨布丽娜:FOOS:写
The sabrina-foos database is created with a validation function which allows write access to the roles sabrina:admin, sabrina:foos:write.
当萨布丽娜决定让朱见她FOOS,我们给朱利亚的作用萨布丽娜:FOOS:读
When Sabrina decides to let Giulia see her foos, we give Giulia the role sabrina:foos:read
当萨布丽娜创建一个名为吧1新的酒吧,我们创建了一个新的萨布丽娜-bar_1 数据库。
When Sabrina creates a new Bar called 'Bar 1', we create a new sabrina-bar_1 database.
的萨布丽娜-bar_1 数据库与_security文件授予访问角色萨布丽娜创建C $ C>萨布丽娜:bar_1:读,萨布丽娜:bar_1:写
The sabrina-bar_1 database is created with a _security document granting access to roles sabrina:admin, sabrina:bar_1:read, sabrina:bar_1:write
的萨布丽娜-bar_1 数据库与验证功能,可写权限的角色创建萨布丽娜:管理员 ,萨布丽娜:bar_1:写
The sabrina-bar_1 database is created with a validation function which allows write access to the roles sabrina:admin, sabrina:bar_1:write.
当然,作为这样的CouchApp,数据库和用户模型编辑创建由节点进程处理。
Of course, being this a CouchApp, the creation of databases and editing of user models is handled by a Node Process.
推荐答案
您的设计是好的。从你的问题,它看起来像你想要的文件级认证。
CouchDB的提供个人证件所以没有保护
唯一的选择左边是由数据库分区的文件,并设置读取和他们写权限。
Your design is good. From your question it looks like you want document level authentication. couchdb offers no protection on individual documents so the only choice left is to partition the documents by databases and set read and write permissions on them.
有两种选择。最简单的一种是使用
在 rcouch的validate文档阅读。我不是太
肯定,但我认为,在沙发上DB 2.0所有企及的功能已被合并,所以如果你愿意稍等一下,你可以使用CouchDB的2.0(应该是任何时候了!)来代替。
There are two alternatives. The easiest one is to use rcouch's validate docs on read. I am not too sure but I think in couch db 2.0 all of rouch's features have been merged so if you are willing to wait a bit you can use couchdb 2.0 (it should be out any time now!) instead.
另一种方法就是做你正在做的事情,但在 _users 数据库。在 _users 数据库可以
创建用户和 _sessions API验证他们的身份。因此,这里是它如何工作的。
Another method is to do what you are doing but in a _users database. In a _users database you can
create users and authenticate them with _sessions api. So here is how it will work.
- 您创建将在
_users数据库去每一个新用户。 - 在用户的文档,你可以存储的哪些文件允许用户查看列表或者如果你是
担心单个用户的文件将增长过大,不只是一个指针存储可能包含一个数据库
实际列表用户可以查看。 - 首先使用
_sessionsAPI来验证用户,然后获得用户授权的文档列表
阅读或编辑。 - 最后获取这些文件和
显示它给用户。
- Every new user that you create will go in a
_usersdatabase. - Within the user document you can store a list of what documents the user is allowed to view or if you are worried that a single user document will grow too big then just store a pointer to maybe a database that contains the actual list the user can view.
- Use the
_sessionsapi first to authenticate the user and then to get a list of docs that the user is authorized to read or edit. - Finally fetch those documents and
showit to the user.
此方法的优点是,你将需要至少2个和最多3 HTTP查询。一认证,并获得一个指针清单。第二获取的文件的实际列表获取。第三获取这些文档。作为回报,你的架构大大简化。
The advantage of this method is that you will need a minimum of 2 and at most 3 http queries. One to authenticate and get a pointer to the list. Second to get the actual list of documents to be fetched. Third to fetch those documents. In return your architecture is greatly simplified.
的一个非常酷的特性 _users 数据库是可以增加权威性缓存大小在配置持有 _user 在存储器对象,因此访问时间会非常快。
A very cool property of _users database is that you can increase the auth cache size in the config to hold the _user objects in the memory so the access times will be very fast.
如果我有十个万份文件,但我只能检索其中之一吗?请问函数被调用近万次?
What If I have ten thousand documents but I can only retrieve one of them? Would the function be called ten thousand times?
我没有安装此刻rcouch但有一个简单的方法通过日志记录,以测试: -
I don't have rcouch installed at the moment but there is an easy way to test this by logging:-
function(doc, userCtx) {
log("function called");
if ((typeof doc.name !== 'undefined') && (doc.name != userCtx.name)) {
throw({unauthorized: userCtx.name + ' cannnot read ' + doc._id});
}
}
日志功能会在日志文件打印日志信息,并在控制台CouchDB是上运行,所以你可以看到自己多少次更新功能被调用。将是很好,如果你能分享成果:)
The log function will print a log message in the log files and also on the console couchdb is running on so you can see for yourself how many times the update function is being called. Would be nice if you could share the results :)
这篇关于使用CouchDB高级权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
