Summary
Currently the config warns that if no roles or members are configured, the database will be publicly accessible.
If you just PUT {} into <db>/_security, the database will be public.
But it should be very hard to release a database to the public; data should be private by default.
The motivation behind this could be a scenario like this:
The database holds sensitive data, e.g. from health care. An issue comes up that requires immediate action, e.g. a leak in a client application that allows database account data to be obtained. Now the admin currently on duty at 4am thinks:
"okay, if I just kick all roles with access from the db, I should be fine".
If you do everything right, your database remains private with the current implementation. Things don't always go right, however, and CouchDB should help the user here to avoid mistakes.
Desired Behaviour
If there is no access configured, only admins should have access, not everyone.
If needed, a config option can be added that imitates the old behaviour. (This should NOT be the default.)
Possible Solution
As a POC I added an andalso false to the check in couchdb/src/couch/src/couch_db.erl (line 700 in 0059b8f):

    Names =:= [] andalso Roles =:= [].

This worked in a simple test and denied access when no roles or members were set, so the false could be replaced with a config option. The config option should default to false and, if true, behave like the current CouchDB.
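To make the two behaviours concrete, below is an added Python model of the per-database membership decision driven by a _security object. This is illustrative code written for this page, not CouchDB's own couch_db.erl; the parameter empty_members_means_public stands in for the config option proposed above and its name is an assumption, as are the sample _security objects and user contexts.

```python
# Added example: model of the CouchDB _security membership check.
# Illustrative Python, not the project's Erlang; `empty_members_means_public`
# is an assumed name for the config option the issue proposes.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class UserCtx:
    """Requesting user; name is None for an anonymous request."""
    name: Optional[str] = None
    roles: List[str] = field(default_factory=list)


def _names_roles(security: Dict, section: str) -> Tuple[List[str], List[str]]:
    """Names/roles of the 'admins' or 'members' section; tolerates a missing
    or partial section, which is exactly what PUT {} leaves behind."""
    sub = security.get(section) or {}
    return list(sub.get("names") or []), list(sub.get("roles") or [])


def _matches(names: List[str], roles: List[str], ctx: UserCtx) -> bool:
    by_name = ctx.name is not None and ctx.name in names
    return by_name or any(r in roles for r in ctx.roles)


def is_db_admin(security: Dict, ctx: UserCtx) -> bool:
    """Server admins carry the _admin role and always pass; otherwise the
    admins section decides."""
    if "_admin" in ctx.roles:
        return True
    names, roles = _names_roles(security, "admins")
    return _matches(names, roles, ctx)


def is_db_member(security: Dict, ctx: UserCtx, empty_members_means_public: bool) -> bool:
    """Read-access decision. The empty-members branch is the one the issue is about."""
    if is_db_admin(security, ctx):
        return True
    names, roles = _names_roles(security, "members")
    if not names and not roles:
        # Current CouchDB: nobody is listed, so everybody is a member (public).
        # Proposed default: nobody is listed, so only admins (handled above) get in.
        return empty_members_means_public
    return _matches(names, roles, ctx)


def check_read(security: Dict, ctx: UserCtx, empty_members_means_public: bool = False) -> str:
    return "allowed" if is_db_member(security, ctx, empty_members_means_public) else "forbidden"


def lockdown_result(empty_members_means_public: bool) -> str:
    """The 4am scenario: the on-duty admin strips every role from members to
    cut off a leaked client account, then that account tries to read.
    Sample _security object and account are constructed for this example."""
    security = {
        "admins": {"names": [], "roles": ["ops"]},
        "members": {"names": [], "roles": ["clinician"]},
    }
    security["members"]["roles"] = []  # "kick all roles with access from the db"
    leaked_account = UserCtx(name="app-user", roles=["clinician"])
    return check_read(security, leaked_account, empty_members_means_public)


if __name__ == "__main__":
    anonymous = UserCtx()
    print("PUT {} then anonymous read, current behaviour:", check_read({}, anonymous, True))
    print("PUT {} then anonymous read, proposed default :", check_read({}, anonymous, False))
    print("lockdown, current behaviour:", lockdown_result(True))
    print("lockdown, proposed default :", lockdown_result(False))
```

With the option set to True the model reproduces today's behaviour (an emptied members section lets the leaked account, and anonymous users, straight back in); with the proposed default of False the same emergency edit leaves only admins with access.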