While CouchDB currently has no authentication or authorization facilities, a general outline of the plans exists here:
It seems databases will have admin accounts. Full stop. No baked-in facility for user accounts. Administrators have two powers:
- manage design documents
- create other admin accounts
The Technical Overview doesn’t say, but I assume admins can also manage all documents.
Documents without a reader list are world-readable. Documents protected by reader lists are viewable only by users who possess one of the reader-names on the list. Read protection on documents applies to view results as well: “Documents that are not allowed to be read by the user are dynamically filtered out of views, keeping the document row and extracted information invisible to non-readers.”
Some interesting points:
- The plans for write access allow developers to write their own authorization schemes, but the planned read access will be hard-coded to use document-based ACLs.
- By default, document names (i.e. DocIds) are 128-bit UUIDs generated by the server. Depending on the algorithm used to generate them, these could be unguessable.
- If the _all_docs view was not available, users would not be able to find any documents without knowledge of the (unguessable) DocIds.
I think we have the germ of a capability system here, even with the inflexible reader access.
Comments? Scathing refutations?
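As an added illustration (not from the CouchDB plans or code base), a toy Python model of the read side described above: documents with optional reader lists, views that filter before the map function runs, and server-generated 128-bit ids. It assumes, as the post does, that admins can read every document, and it reports a forbidden doc exactly like a missing one so that probing a DocId reveals nothing.

```python
import uuid


class CouchLikeDb:
    """Toy model of the planned CouchDB read-access rules (constructed example)."""

    def __init__(self, admins):
        self.admins = set(admins)  # assumption: admins read everything
        self.docs = {}             # doc_id -> {"body": ..., "readers": set | None}

    def put(self, body, readers=None, doc_id=None):
        # Server-generated 128-bit id from os.urandom: unguessable in practice.
        doc_id = doc_id or uuid.uuid4().hex
        self.docs[doc_id] = {"body": body, "readers": set(readers) if readers else None}
        return doc_id

    def can_read(self, user, doc_id):
        entry = self.docs[doc_id]
        if user in self.admins:
            return True
        return entry["readers"] is None or user in entry["readers"]  # no list = world-readable

    def get(self, user, doc_id):
        # Unknown and forbidden ids are indistinguishable to the caller.
        if doc_id not in self.docs or not self.can_read(user, doc_id):
            return None
        return self.docs[doc_id]["body"]

    def view(self, user, map_fn):
        # Non-readable docs are dropped before map runs, so neither the row
        # nor any extracted key/value reaches the user.
        rows = []
        for doc_id, entry in self.docs.items():
            if not self.can_read(user, doc_id):
                continue
            rows.extend(map_fn(doc_id, entry["body"]))
        return rows

    def all_docs(self, user):
        # Enumeration is what defeats the "unguessable id as capability" idea;
        # here it is filtered like any other view.
        return sorted(d for d in self.docs if self.can_read(user, d))
```

Removing `all_docs` (or restricting it to admins) leaves a non-reader with no way to discover ids, which is the capability-like property the post points at.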