design: modeling and security – couchbase connect 2016

©2016 Couchbase Inc. 1

The Couchbase Connect16 mobile appTake our in-app survey!


Design: Modeling and Security

©2016 Couchbase Inc. 3©2016 Couchbase Inc.

Agenda

Develop: data, sync & security Today 11:00 AMGreat America 3

Testing & Deploying Couchbase Mobile Today 4:00 PMGreat America 3


Design: Modeling and Security


Introduction

• Data Modeling• Access Control


Data Modeling


Task List Application - Features

• Users create task lists, share with other users• Owner and users add and modify tasks• Tasks may include images


Task List Application - Entities

Task List

name

owner

users

Task

name

complete

User?

username

Sync Gateway User

username


Tables to JSON

Task List

name

owner

users

{ "type": "task-list", "name": "Groceries", "owner": "user1", "users": ["user2", "user3"]}

{ "type": "task", "name": "Potatoes", "complete": false}

Task

name

complete


Document IDs

Task List

name

owner

users

{ "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1", "users": ["user2", "user3"]}

{ "_id": "de30-5d54-75b4", "type": "task", "name": "Potatoes", "complete": false}

Task

name

complete


Entity Relationships


{ "_id": "de30-5d54-75b4", "type": "task", "name": "Potatoes", "complete": false, "task-list": "dk39-4kd9-1w9d" }

• 1-to-many relationship between task-list and task• Many-to-many relationship between task-list and user


Task List Application – List Sharing

• Share your list with other users


Iterate Design: Private List Members

• Embedding list members in the list document has problems:• Document size• Document volatility• Privacy – only owners should see full set of list users



{ "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1"}


Task List Application – List Users

Task List User

username

list id

list owner

{ "_id": "fd23-f3fw-3s9e", "type": "task-list.user", "username": "user2", "taskList": {

"id":"dk39-4kd9-1w9d","owner":"user1"

}}

Task List

name

owner

users

Task List

name

owner


Task Images

{ "_id": "de30-5d54-75b4", "type": "task", "name": "Potatoes", "complete": false, "task-list": "dk39-4kd9-1w9d", "_attachments": { "image": {...} }}

Task

name

complete

task-list

image


• Moderator can view and edit all lists and tasks• Moderator documents to identify which users have moderator

privileges

Moderators

Moderator

username

{ "_id": "do9s-a13k-n8sk", "type": "moderator", "username": "user3"}


Entities

Task List

_id

name

owner

Task

_id

name

complete

task list

image

Task List User

_id

username

task list id

list owner

Moderator

username

Sync Gateway User

username


Documents

Sync Gateway User

username





}}



Access Control


Sync Gateway


Access Control

• Read Access and Routing•Write Access•Data Validation


Channels

•Documents are assigned to channels• Lightweight – tags attached to documents

•Users and roles are granted access to channels• Static access grants – by admin•Dynamic access grants – by documents

• Channels define which documents users can read


Channels

Channels

Users

ch 1

ch 2

User 1

User 2

ch 1Documents

ch 3Roles

Role 1

Role 2

Doc 1

Doc 2

Doc 3

Role 2

ch 2

ch 3

ch 1 ch 1 ch 2

ch 2

ch 3

...

...

... ...

1

1

3

2

1

1 3


Determining Channels – The Sync Function

• Channels are calculated for a document by the Sync Function• A Javascript function that defines your application logic,

that is executed whenever a document is written to Sync Gateway• Defines Access Control for the application• Documents -> Channels• Users and Roles -> Channels• Users -> Roles• Write Security• Data Validation


Sync Function

• Sync Function has method signature function(doc, oldDoc) • doc: the incoming new version of the document• oldDoc: the previous version of the document

• Sync Function operations are based only on the document itself – cannot reference other documents in the system


Routing – Sync Function

channel(channels) • Assigns the document to the specified channel(s)


Routing – Task Lists


{ "_id":"dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1"}channels:["task-list.dk39-4kd9-1w9d"]

Sync Function

function(doc, oldDoc) { if (doc.type == "task-list") { channel("task-list."+doc._id); }}

• Create a channel for each task list


Read Access – Sync Function

access(name, channel)•Grants the user name access to channel channel


Read Access – Task Lists


{ "_id":"dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1"}channels:["task-list.dk39-4kd9-1w9d"]

Sync Function

function (doc, oldDoc) { if (doc.type == "task-list") { channel("task-list."+ doc.id); access(doc.owner, "task-list." + doc.id); }}

• Task list owner and users have read access to task list

User: user1channels:["task-list.dk39-4kd9-1w9d"]


Write Access

requireUser(username)• Rejects the update if the active user is not

username

requireRole(role)• Rejects the update if the active user does not have

the role role

requireAccess(channel)• Rejects the update if the active user does not have

access to the channel channel


Write Access – Task Lists


Sync Function

function (doc, oldDoc) { if (doc.type == "task-list") { channel("task-list."+ doc.id); access(doc.owner, "task-list." + doc.id); requireUser(doc.owner); }}

• Only the owner can modify the task list document


Data Validation

throw({forbidden:"error"})• Rejects the update and returns error message error

• Type enforcement• Data validation by type


Data Validation – Task Lists


Sync Function

function (doc, oldDoc) { if (doc.type == "task-list") { channel("task-list."+ doc.id); access(doc.owner, "task-list." + doc.id); requireUser(doc.owner); if(!doc.name) { throw({forbidden:"Name is required for task lists."}); } }}

• Name is required


Access Control – Tasks

Sync Function

function (doc, oldDoc) { if (doc.type == "task-list") { … } else if (doc.type == "task") { channel("task-list."+ doc.task-list); requireAccess("task-list." + doc.task-list); }}



Access Control – Task List Users

Sync Function

function (doc, oldDoc) { if (doc.type == "task-list") { … access(doc.owner, "task-list." + doc.taskList.id + ".users"); } else if (doc.type == "task") { … } else if (doc.type == "task-list.user") { access(doc.username, "task-list." + doc.taskList.id); requireUser(doc.taskList.owner); channel("task-list."+doc.taskList.id+".users"); access(doc.owner, "task-list." + doc.taskList.id + ".users"); }}



}}


Access Control – Moderators

Sync Functionfunction (doc, oldDoc) { if (doc.type == "task-list") { … channel("moderators"); } else if (doc.type == "task") { … channel("moderators"); } else if (doc.type == "task-list.user") { … channel("moderators"); } else if (doc.type == "moderator") { requireRole("admin"); access(doc.username, "moderators") } else { throw({forbidden:"Invalid document type."}) }}



Sync Functionif type = "task-list" { channel(…); access(…);} else if type = "task" { channel(…);} else if type = "task-list.user" { channel(…); access(…);} else if type = "moderator" { role(…);}

user1 – client appChannels

task-list.A

task-list.A.usersA

Channels – Task List Application

Users and Roles

user1

user2

A

task-list.A task-list.A.users

task-list.A

user2 – client app

A


Next Steps

Develop: data, sync & security Today 11:00 AMGreat America 3

Testing & Deploying Couchbase Mobile Today 4:00 PMGreat America 3

developer.couchbase.com/mobile/training

github.com/couchbaselabs/mobile-training-todo/


Adam FraserArchitect – Sync [email protected]


Thank You!


The Couchbase Connect16 mobile appTake our in-app survey!


Share your opinion on Couchbase

1. Go here: http://gtnr.it/2eRxYWn

2. Create a profile

3. Provide feedback (~15 minutes)

http://gtnr.it/2eRxYWn



design: modeling and security – couchbase connect 2016

Software