ACLs - Help!


Yaron Goland

Jul 27, 2015, 5:18:35 PM
to pou...@googlegroups.com, Nolan Lawson, Matthew Podwysocki, Sreejumon Purayil

For the Thali project we need to implement record level ACLs. I'm trying to figure out the right place to put in our ACL control points and I really need some advice.


There are three obvious places to put in this control:


Place #1 - Create a new middleware - We could create our own middleware that would catch requests before they go to Express-PouchDB and responses after they leave Express-PouchDB.


Place #2 - Create hooks in Express-PouchDB - We could put hooks into Express-PouchDB to let us catch requests and responses inside of Express-PouchDB. The main benefit here is that we don't have to parse everything twice (both incoming and outgoing) and we get the benefit of built in functions in Express-PouchDB that handle things like database resolution, parsing lousy JSON, etc. But this would require an update to Express-PouchDB (which we would submit as a PR). The hooks would be generic so any ACL system should be able to use them. The idea is that we would define some callback that could be passed in with the Express-PouchDB configuration that if present would be called by the ACL hooks.


Place #3 - Create hooks in PouchDB - Conceptually this isn't terribly different than creating hooks in Express-PouchDB, but in practice it means putting in generic choke points in PouchDB to allow someone to do the same kind of ACL hooks discussed above. This one is just "tighter" because it runs all the way down at PouchDB level and so could be used for ACLs without Express-PouchDB.


The kind of processing we are talking about isn't trivial. Two examples will help to explain:


Example #1 - Changes - If someone asks for a list of changes our ACL layer has to review every document that PouchDB returns to determine if the requester has the right ACL to know about that change. If they do not then our code has to excise that change from the change response.


Example #2 - Bulk Docs - If someone asks to alter a doc they don't have permission to, then we have to excise that document from the bulk docs request and make sure to stick in an error on the bulk docs response.


Just to be painfully clear - I am not suggesting putting a specific ACL system into PouchDB. What I'm suggesting is figuring out where to put hooks that would allow any document level ACL system to function as a plugin to PouchDB. The three "places" are approaches that could enable this.

Which place makes most sense? Is there a better option I'm missing?

      Thanks!

             Yaron
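The two operations in Examples #1 and #2, as an added illustration that is not code from the thread, PouchDB or Express-PouchDB. It assumes a made-up ACL model (doc._acl.readers / doc._acl.writers, a principal string and a getDoc(id) lookup) and is written as pure functions so the same logic could sit in any of the three places:

```javascript
// Added example, not code from the thread, PouchDB or Express-PouchDB. The ACL
// model (doc._acl.readers/writers, a principal string, getDoc(id)) is assumed.

function canRead(principal, doc) {
  const acl = (doc && doc._acl) || {};
  return (acl.readers || []).concat(acl.writers || []).includes(principal);
}

function canWrite(principal, doc) {
  const acl = (doc && doc._acl) || {};
  return (acl.writers || []).includes(principal);
}

// Example #1: drop every _changes row whose document the requester may not
// read (missing doc => deny). last_seq is kept so the replicator's checkpoint still advances.
function filterChanges(principal, feed, getDoc) {
  const results = feed.results.filter(row => {
    const doc = row.doc || getDoc(row.id); // include_docs=true carries the doc
    return canRead(principal, doc);
  });
  return { ...feed, results };
}

// Example #2, inbound: split a _bulk_docs body into docs that may be forwarded
// and a positional map of error rows for the rest. An existing doc's stored ACL
// decides; a new doc must already name the principal as a writer (simplified).
function partitionBulkDocs(principal, body, getDoc) {
  const forwarded = [];
  const rejected = new Map(); // original index -> CouchDB-style error row
  body.docs.forEach((doc, i) => {
    const existing = doc._id ? getDoc(doc._id) : undefined;
    if (canWrite(principal, existing || doc)) {
      forwarded.push(doc);
    } else {
      rejected.set(i, { id: doc._id, error: 'forbidden', reason: 'ACL denies write' });
    }
  });
  return { forwarded: { ...body, docs: forwarded }, rejected };
}

// Example #2, outbound: the bulk docs response is positional, so splice the
// error rows back in at their original indexes before returning it.
function mergeBulkDocsResponse(total, rejected, upstreamRows) {
  const merged = [];
  let next = 0;
  for (let i = 0; i < total; i++) {
    merged.push(rejected.has(i) ? rejected.get(i) : upstreamRows[next++]);
  }
  return merged;
}
```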

Yaron Goland

Jul 27, 2015, 7:11:47 PM
to pou...@googlegroups.com, Nolan Lawson, Matthew Podwysocki, Sreejumon Purayil

BTW, for whatever it's worth I'm going through all the Express endpoints now and figuring out exactly what Express-PouchDB supports on the wire and then writing up a spec on what our ACL framework needs to be able to do about it. Hopefully this will make it clearer which of the three places make the most sense.


I also realized that there is a place 3 and 4. 3 should really be a wrapper around PouchDB (which we can then give to Express-PouchDB) and 4 would be hooks directly in PouchDB.


Once I've finished going through all the endpoints I should have a better idea of where we need hooks.


   Thanks,


          Yaron




Yaron Goland

Jul 28, 2015, 12:18:35 PM
to pou...@googlegroups.com, Nolan Lawson, Matthew Podwysocki, Sreejumon Purayil

Also for whatever it's worth I strongly suspect that we will at least initially only try to secure pull replication. So we will only try to secure endpoints that are used by the pull replication logic in PouchDB. That will hopefully further reduce the surface area we have to attach to. Obviously we would like to eventually secure everything but we want to start with the smallest useful work and go from there.


For those who are curious you can track our work figuring out what we have to do in order to add document level ACLs to Express-PouchDB at https://github.com/thaliproject/thali/blob/gh-pages/pouchdb_acl_enforcement.md


Thanks,


      Yaron



