User roles (a la CouchDB) #35

Closed
snej opened this issue Mar 8, 2013 · 8 comments

Comments

@snej
Contributor

snej commented Mar 8, 2013

It would be useful to be able to assign users to groups/roles, and then be able to grant roles access to channels. That would make access control more flexible and reduce the amount of work that access() calls need to do.

@ghost

ghost commented Mar 8, 2013

As an extension to this I'd like to be able to create public channels whose content all users can access.

But I think the replication filters will need to be updated to make this functionality useful.

  1. A filter value that maps to "ALL_EXPLICITLY_ASSIGNED_CHANNELS_FOR_CURRENT_USER"

This would sync the content of all channels that are mapped to the user via direct access() or ROLE access()

  2. Ability to disable "*" as a valid filter value on the server

This might sound counterintuitive, but in my app I have many public channels from which anyone can read, but a user needs to know the name of the channel in order to access it; the channels should not be discoverable by passing "*" (of course at the moment I can't enforce this).

  3. Or change the meaning of filter value "*" to be the same as 1) and require users to access public channels by explicit name. This means users must discover public channel names by some external mechanism.

For example an app may create a public channel for each user's personal email address, then if a user is in your contact list you can look up their public channels by name.

@jchris
Contributor

jchris commented Mar 8, 2013

I wrote about this on the mailing list, I've pasted my message below to capture those thoughts. Sorry they aren't super well formed but they should be enough to help with implementation.

In your sync function you'd call roleAccess("_all", "mychannelname")

All users would automatically be granted the "_all" role.

You'd be able to also give users other roles, either by directly accessing the user document and sticking something in an "admin_roles" array, or by calling something like this in your sync function:

grantRole("[email protected]", "foobar")

@ghost ghost assigned snej Mar 12, 2013
@snej
Contributor Author

snej commented Mar 12, 2013

I started working on this yesterday. The first part is the object model for roles, which obviously share a lot of behavior with users.

To avoid code duplication, it might be better to stick with a single access() function and distinguish roles from users by namespacing. For instance, maybe role names start with a "+"?

@jchris
Contributor

jchris commented Mar 12, 2013

We thought about this with CouchDB but decided two namespaces is better.
Especially imagine interacting with legacy LDAP systems etc...

On Tuesday, March 12, 2013, Jens Alfke wrote:

> I started working on this yesterday. The first part is the object model
> for roles, which obviously share a lot of behavior with users.
>
> To avoid code duplication, it might be better to stick with a single
> access() function and distinguish roles from users by namespacing. For
> instance, maybe role names start with a "+"?



Chris Anderson
http://jchrisa.net
http://www.couchbase.com

@ghost

ghost commented Mar 12, 2013

Jens

Hi, any suggestions for Go dev environment setup (Mac OS X)? I have not looked at the Go codebase; I'm going to be playing catch-up, but if there is a piece I can take on without holding you up, let me know.

In addition to coding I can help with testing and documentation.

Andy

@snej
Contributor Author

snej commented Mar 12, 2013

If you're already running the gateway, you should have what you need. Just go into its source folder and start editing. You may find the "test.sh" script useful, which builds and tests the packages.

For editing, I really like Sublime Text with the GoSublime plugin. It has some nice autocomplete features and it reformats your source every time you save. There's a Go bundle for TextMate too.

@ghost

ghost commented Mar 20, 2013

Jens

Apologies, I've been offline due to illness, I will be catching up over the next couple of days, looks like there is a lot of new functionality to test. I will now try to create pull requests rather than issues where I can.

Andy

@snej
Contributor Author

snej commented Mar 28, 2013

Role implementation was checked in a few weeks ago.
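
The role model discussed in this thread, sketched in Go as an added example (it is not the implementation that was checked in, and not code from any participant): users and roles sit in separate namespaces, every user implicitly holds `_all`, and a `*` filter expands only to assigned channels. The `ACL` type, its fields, `Filter`, the sample names, and keeping by-name-only public channels in a set separate from `_all` grants are all assumptions made for illustration.

```go
package main

import "fmt"

type set map[string]bool
// ACL: hypothetical model of the thread's proposal, not Sync Gateway code.
type ACL struct {
	userChans map[string]set // user -> channels, as from access()
	roleChans map[string]set // role -> channels, as from roleAccess()
	userRoles map[string]set // user -> roles, as from grantRole()
	public    set            // assumed: readable by name, never listed by "*"
}

func merge(dst, src set) {
	for k := range src {
		dst[k] = true
	}
}

func (a *ACL) Assigned(user string) set {
	out := set{}
	merge(out, a.userChans[user])
	merge(out, a.roleChans["_all"]) // implicit role held by every user
	for r := range a.userRoles[user] {
		merge(out, a.roleChans[r])
	}
	return out
}

// Filter: "*" expands to assigned channels only; other names must be assigned or public.
func (a *ACL) Filter(user string, req []string) set {
	ok, out := a.Assigned(user), set{}
	for _, ch := range req {
		if ch == "*" {
			merge(out, ok)
		} else if ok[ch] || a.public[ch] {
			out[ch] = true
		}
	}
	return out
}

var sample = &ACL{ // constructed demo data; every name is made up
	userChans: map[string]set{"alice": {"alice-inbox": true}},
	roleChans: map[string]set{"_all": {"news": true}, "staff": {"ops": true}},
	userRoles: map[string]set{"alice": {"staff": true}},
	public:    set{"pub-bob": true},
}

func main() { fmt.Println(sample.Filter("bob", []string{"*", "pub-bob", "ops"})) }
```

Because the requested names are checked on the server, a channel the user has no grant for (here `ops` for `bob`) is dropped rather than synced, and `pub-bob` is returned only when asked for by name.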
