Can local documents be disabled in CouchDB?

Question

Local documents differ from ordinary CouchDB documents in that they are not replicated, do not show up in any view (including _all_docs) and are not subject to validation functions. They can only be accessed using their document id which has to be known for retrieval. See http://docs.couchdb.org/en/1.3.x/api/local.html for details.

A malicious user could abuse this feature in a public facing CouchDB to store arbitrary data on the server. The funny thing is that a database or server admin cannot even see those documents in any other way than viewing the log files.

So I wonder if there is any option to disable local documents in CouchDB?

Recommended answer

No, there isn't a way to do that, sorry. Your comments are all correct though, and this probably is something that it would be good to improve in CouchDB to avoid this problem. Feel free to file a bug at https://issues.apache.org/jira/browse/COUCHDB and people will certainly consider it, or explain why it's not practical.

On the other hand, more practically, giving somebody write access to your database requires a certain level of trust that they'll not be malicious or hugely defective. Yes, they could sneakily create local documents, but equivalently they could also just delete everything in your database, or fill it with other normal documents and crash the server, which you'd then still have to go through and individually delete (even a bulk delete requires you to list every document id), or just delete the whole DB.

If your database client isn't trustworthy to this level then you should not give them direct access to your database. In that case, you should instead put some service between them and the CouchDB (i.e. a website with fixed forms and whatnot) that manages these interactions to control this sort of thing.
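
One way a fronting service like the one the answer describes could refuse local-document requests before they reach CouchDB. This is an added example, not part of the original question or answer; the function names are hypothetical, and it assumes clients reach CouchDB only through this service and that write bodies arrive as parsed JSON.

```javascript
// Policy check for a service that sits between clients and CouchDB.
// All names here are hypothetical; none of this is CouchDB's own API.
const LOCAL_PREFIX = "_local";

// Decode one path segment; malformed percent-encoding yields null.
function decodeSegment(seg) {
  try { return decodeURIComponent(seg); } catch (e) { return null; }
}

// True if an id names a local document ("_local" or "_local/<docid>").
function isLocalId(id) {
  return typeof id === "string" &&
    (id === LOCAL_PREFIX || id.startsWith(LOCAL_PREFIX + "/"));
}

// Decide whether a client request may be forwarded to CouchDB.
// method: HTTP verb; rawPath: path as received; body: parsed JSON or undefined.
function allowRequest(method, rawPath, body) {
  const path = rawPath.split("?")[0];
  const segments = path.split("/").filter((s) => s.length > 0).map(decodeSegment);
  if (segments.includes(null)) return { allow: false, reason: "malformed encoding" };

  // segments[0] is the database; the rest is the document id or endpoint.
  const docPart = segments.slice(1).join("/");
  if (isLocalId(docPart)) return { allow: false, reason: "local document path" };

  // Writes may carry ids in the body (one doc, or a "docs" array); reject those too.
  if (method !== "GET" && method !== "HEAD" && body && typeof body === "object") {
    const docs = Array.isArray(body.docs) ? body.docs : [body];
    if (docs.some((d) => d && isLocalId(d._id))) {
      return { allow: false, reason: "local document id in body" };
    }
  }
  return { allow: true, reason: "ok" };
}

// Constructed sample requests (not taken from the page).
const SAMPLES = [
  ["PUT", "/db/_local/stash", { v: 1 }],
  ["PUT", "/db/%5Flocal/stash", { v: 1 }],
  ["POST", "/db/_bulk_docs", { docs: [{ _id: "a" }, { _id: "_local/stash" }] }],
  ["PUT", "/db/order-17", { v: 1 }],
];
for (const [m, p, b] of SAMPLES) console.log(m, p, allowRequest(m, p, b).reason);
```

The check decodes each path segment before comparing, so percent-encoded forms of `_local` are treated the same as the literal path.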
