问题
I just stumbled across CouchDB and PouchDB sync features. Typically web applications have an application server implementing authentication, rights and business logic allowing to limit users access to specific resources/records. This brought up several questions in my mind:
- Is it possible to limit access to records within couch db. Eg. a super-admin sees everything, a department-manager everything of his department and a simple user only his own records or e.g. tasks assigned to him?
- Is CouchDB + PouchDB have the ability to only do partial syncs. e.g. sync all tasks I'm responsible for?
- Would you use CouchDB for user authentication and rights storage (for the above use case)? It seems anyhow weird me since the user DB gonna be accessible from everyone as far as it seems to me.
回答1:
Is it possible to limit access to records within couch db. Eg. a super-admin sees everything, a department-manager everything of his department and a simple user only his own records or e.g. tasks assigned to him?
Nope. You can't do this with a single DB and using only CouchDB. But there are a few ways you can realize this, for instance:
- use a database per project/user group/user. This would probably in most cases be the preferred method. Creating databases is easy in CouchDB. It would also be best for syncing
- create a smart proxy that wraps all documents with the user credentials and filters all results
- encrypt documents on a per user basis
- use validate_doc_read and validate_doc_update functions
More info here: https://wiki.apache.org/couchdb/PerDocumentAuthorization
回答2:
Is it possible to limit access to records within couch db. Eg. an super-admin sees everything, a department-manager everything of his department and a simple user only his own records or e.g. tasks assigned to him?
Off-the-shelf security policies are very basic, but you can do a lot of things with advanced features.
What you want to do could be done simply with a show function that would generate a different output depending on req.userCtx.
In different settings (authorization based on user/method/URI, with or without third party authentication), because CouchDB is fully REST compliant, you can also use an HTTP reverse proxy for security related features.
Is CouchDB + PouchDB have the ability to only to partial syncs. e.g. sync all tasks I'm responsible for?
In CouchDB, this is called "filtered replications".
Seems anyhow weird me since the user DB gonna be accessible from everyone as far as it seems to me.
Of course not. In normal mode (not "admin party"), other users have only access to "public" attributes, and, of course, only the user herself can update her user document (see documentation).
来源:https://stackoverflow.com/questions/36901918/couchdb-pouchdb-partial-syncs-with-limited-rights