marklogic-community / Corona

Community REST API for MarkLogic

RFE: Add internal Corona security roles #29

Open hunterhacker opened 12 years ago

hunterhacker commented 12 years ago

To secure access to Corona and make sure casual developers don't mess with the internals of the Corona managed context, I envision having three roles: corona-dev, corona-admin, and corona-internal.

Web endpoint access will require corona-dev (for regular endpoints) or corona-admin (for the management endpoints). The corona-admin role will inherit corona-dev.

Document access will require corona-internal, which is a role no actual users should have but which the internal Corona code amps itself to have during document storage and retrieval calls. This keeps regular users, even corona-dev users, from directly accessing the files managed by Corona without going through Corona's "business logic".

Is that good? Well, running a managed context has downsides, true, but bigger upsides I think. It lets us do reliable metadata tracking (is a saved file considered XML or JSON?), auditing, quota enforcement, an implicit consistent hashing distribution, and so on. The list is pretty long. It also means we can keep regular users from seeing JSON files in their raw XML serialization and wrongly issuing XPaths against a format that might change.

Since users should have XQuery-level access to the docs managed by Corona, they'll need XQuery-level APIs. There'll be a corona:doc("foo.json") for example. This knows to fetch the file back as JSON. Internally it's calls like this that will amp to the corona-internal role to allow it to see the raw XML.
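The role layout described in this comment, written out as an added MarkLogic XQuery setup script. This is example code, not Corona's own, and it assumes placeholders the issue does not give: the privilege action URIs under `http://example.com/corona/privileges/`, a library module at `/corona/lib/corona.xqy` in a modules database named `Modules`, the function namespace `http://marklogic.com/corona` for `corona:doc`, and a sample managed document URI. It is meant to be run once by an admin user against the content database.

```xquery
xquery version "1.0-ml";
(: Added example, not Corona's own code. It creates the three roles, the
   execute privileges the endpoints assert, and the amp that lets corona:doc
   read the raw XML, then stores one managed document that only
   corona-internal can touch. Placeholders (not from the project): the
   privilege action URIs, the module path /corona/lib/corona.xqy, the
   modules database name "Modules", the corona namespace URI, and the
   managed document URI. :)

(
  (: 1. Role, privilege and amp creation must run against the Security
     database, so that part is evaluated there via xdmp:eval. :)
  let $security-setup := '
    xquery version "1.0-ml";
    import module namespace sec = "http://marklogic.com/xdmp/security"
        at "/MarkLogic/security.xqy";

    (: Roles: corona-admin inherits corona-dev; corona-internal is given to
       no user and is only ever reached through the amp below. :)
    sec:create-role("corona-dev", "Corona regular endpoint user", (), (), ()),
    sec:create-role("corona-admin", "Corona management endpoint user",
        "corona-dev", (), ()),
    sec:create-role("corona-internal", "Held only by amped Corona code",
        (), (), ()),

    (: Execute privileges: each endpoint asserts the matching one on entry
       with xdmp:security-assert($action-uri, "execute"). :)
    sec:create-privilege("corona-dev-endpoint",
        "http://example.com/corona/privileges/dev", "execute", "corona-dev"),
    sec:create-privilege("corona-admin-endpoint",
        "http://example.com/corona/privileges/admin", "execute", "corona-admin"),

    (: Amp: while corona:doc (assumed namespace, assumed module path in the
       "Modules" database) executes, the caller temporarily holds
       corona-internal and can therefore read the raw XML serialization. :)
    sec:create-amp("http://marklogic.com/corona", "doc",
        "/corona/lib/corona.xqy", xdmp:database("Modules"), "corona-internal")
  '
  return xdmp:eval($security-setup, (),
    <options xmlns="xdmp:eval">
      <database>{xdmp:security-database()}</database>
    </options>)
  ,
  (: 2. A managed document, stored with permissions for corona-internal only.
     A corona-dev user cannot fn:doc() it directly; only the amped corona:doc
     path, which knows the file is JSON, can hand it back. The content is a
     constructed sample for this example. :)
  xdmp:document-insert(
    "/corona/managed/foo.json",
    <json type="object"><name type="string">example</name></json>,
    (xdmp:permission("corona-internal", "read"),
     xdmp:permission("corona-internal", "update"))
  )
)
```

The amp is the piece that enforces the "business logic only" boundary: the managed document carries no permission for corona-dev or corona-admin, so a direct `fn:doc("/corona/managed/foo.json")` from either role returns nothing, while a call into the amped `corona:doc` succeeds because MarkLogic grants corona-internal for the duration of that function only. Anything else in that library module, and any caller outside it, stays at its normal privilege level, which is worth checking after deployment by querying the document as a plain corona-dev user.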

hunterhacker commented 12 years ago

With new support for Corona able to run without the need always for a managed context, we'll have to rethink a bit how security comes into play.