©2016 Couchbase Inc. 1
Design: Modeling and Security

Agenda
Develop: data, sync & security (Today 11:00 AM, Great America 3)
Testing & Deploying Couchbase Mobile (Today 4:00 PM, Great America 3)

Introduction
• Data Modeling
• Access Control

Data Modeling

Task List Application - Features
• Users create task lists, share with other users
• Owner and users add and modify tasks
• Tasks may include images

Task List Application - Entities
Task List: name, owner, users
Task: name, complete
User?: username
Sync Gateway User: username

Tables to JSON
Task List (name, owner, users):
{ "type": "task-list", "name": "Groceries", "owner": "user1", "users": ["user2", "user3"] }
Task (name, complete):
{ "type": "task", "name": "Potatoes", "complete": false }

Document IDs
Task List (name, owner, users):
{ "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1", "users": ["user2", "user3"] }
Task (name, complete):
{ "_id": "de30-5d54-75b4", "type": "task", "name": "Potatoes", "complete": false }

Entity Relationships
{ "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1", "users": ["user2", "user3"]}
{ "_id": "de30-5d54-75b4", "type": "task", "name": "Potatoes", "complete": false, "task-list": "dk39-4kd9-1w9d" }
• 1-to-many relationship between task-list and task
• Many-to-many relationship between task-list and user

Task List Application – List Sharing
• Share your list with other users

Iterate Design: Private List Members
• Embedding list members in the list document has problems:
  • Document size
  • Document volatility
  • Privacy – only owners should see full set of list users
{ "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1", "users": ["user2", "user3"] }

Task List Application – List Users
Task List with embedded users (name, owner, users):
{ "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1", "users": ["user2", "user3"] }
Task List without embedded users (name, owner):
{ "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" }
Task List User (username, list id, list owner):
{ "_id": "fd23-f3fw-3s9e", "type": "task-list.user", "username": "user2", "taskList": { "id": "dk39-4kd9-1w9d", "owner": "user1" } }

Task Images
Task (name, complete, task-list, image):
{ "_id": "de30-5d54-75b4", "type": "task", "name": "Potatoes", "complete": false, "task-list": "dk39-4kd9-1w9d", "_attachments": { "image": {...} } }

Moderators
• Moderator can view and edit all lists and tasks
• Moderator documents identify which users have moderator privileges
Moderator (username):
{ "_id": "do9s-a13k-n8sk", "type": "moderator", "username": "user3" }

Entities
Task List: _id, name, owner
Task: _id, name, complete, task list, image
Task List User: _id, username, task list id, list owner
Moderator: username
Sync Gateway User: username

Documents
Sync Gateway User: username
{ "_id": "do9s-a13k-n8sk", "type": "moderator", "username": "user3" }
{ "_id": "de30-5d54-75b4", "type": "task", "name": "Potatoes", "complete": false, "task-list": "dk39-4kd9-1w9d", "_attachments": { "image": {...} } }
{ "_id": "fd23-f3fw-3s9e", "type": "task-list.user", "username": "user2", "taskList": { "id": "dk39-4kd9-1w9d", "owner": "user1" } }
{ "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" }

Access Control

Sync Gateway

Access Control
• Read Access and Routing
• Write Access
• Data Validation

Channels
• Documents are assigned to channels
  • Lightweight – tags attached to documents
• Users and roles are granted access to channels
  • Static access grants – by admin
  • Dynamic access grants – by documents
• Channels define which documents users can read

Channels
[Diagram: Users (User 1, User 2) and Roles (Role 1, Role 2) are granted channels ch 1, ch 2 and ch 3; Documents (Doc 1, Doc 2, Doc 3) are assigned to those channels.]

Determining Channels – The Sync Function
• Channels are calculated for a document by the Sync Function
• A JavaScript function that defines your application logic, that is executed whenever a document is written to Sync Gateway
• Defines Access Control for the application
  • Documents -> Channels
  • Users and Roles -> Channels
  • Users -> Roles
  • Write Security
  • Data Validation

Sync Function
• Sync Function has method signature function(doc, oldDoc)
  • doc: the incoming new version of the document
  • oldDoc: the previous version of the document
• Sync Function operations are based only on the document itself – cannot reference other documents in the system

Routing – Sync Function
channel(channels)
• Assigns the document to the specified channel(s)

Routing – Task Lists
{ "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" }
{ "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" }
channels: ["task-list.dk39-4kd9-1w9d"]
Sync Function
function (doc, oldDoc) {
  if (doc.type == "task-list") {
    channel("task-list." + doc._id);
  }
}
• Create a channel for each task list

Read Access – Sync Function
access(name, channel)
• Grants the user name access to channel channel

Read Access – Task Lists
{ "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" }
{ "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" }
channels: ["task-list.dk39-4kd9-1w9d"]
Sync Function
function (doc, oldDoc) {
  if (doc.type == "task-list") {
    // The document ID is in doc._id
    channel("task-list." + doc._id);
    access(doc.owner, "task-list." + doc._id);
  }
}
• Task list owner and users have read access to task list
User: user1
channels: ["task-list.dk39-4kd9-1w9d"]

Write Access
requireUser(username)
• Rejects the update if the active user is not username
requireRole(role)
• Rejects the update if the active user does not have the role role
requireAccess(channel)
• Rejects the update if the active user does not have access to the channel channel

Write Access – Task Lists
{ "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" }
Sync Function
function (doc, oldDoc) {
  if (doc.type == "task-list") {
    channel("task-list." + doc._id);
    access(doc.owner, "task-list." + doc._id);
    // Reject the write unless the active user is the list owner
    requireUser(doc.owner);
  }
}
• Only the owner can modify the task list document

Data Validation
throw({forbidden:"error"})
• Rejects the update and returns error message error
• Type enforcement
• Data validation by type

Data Validation – Task Lists
{ "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" }
Sync Function
function (doc, oldDoc) {
  if (doc.type == "task-list") {
    channel("task-list." + doc._id);
    access(doc.owner, "task-list." + doc._id);
    requireUser(doc.owner);
    // Validation: every task list must have a name
    if (!doc.name) {
      throw({forbidden: "Name is required for task lists."});
    }
  }
}
• Name is required

Access Control – Tasks
Sync Function
function (doc, oldDoc) {
  if (doc.type == "task-list") {
    …
  } else if (doc.type == "task") {
    // "task-list" contains a hyphen, so the property needs bracket notation
    channel("task-list." + doc["task-list"]);
    requireAccess("task-list." + doc["task-list"]);
  }
}
{ "_id": "de30-5d54-75b4", "type": "task", "name": "Potatoes", "complete": false, "task-list": "dk39-4kd9-1w9d", "_attachments": { "image": {...} } }

Access Control – Task List Users
Sync Function
function (doc, oldDoc) {
  if (doc.type == "task-list") {
    …
    // A task-list document carries its own ID in doc._id
    access(doc.owner, "task-list." + doc._id + ".users");
  } else if (doc.type == "task") {
    …
  } else if (doc.type == "task-list.user") {
    access(doc.username, "task-list." + doc.taskList.id);
    requireUser(doc.taskList.owner);
    channel("task-list." + doc.taskList.id + ".users");
    // On this document type the owner is in doc.taskList.owner
    access(doc.taskList.owner, "task-list." + doc.taskList.id + ".users");
  }
}
{ "_id": "fd23-f3fw-3s9e", "type": "task-list.user", "username": "user2", "taskList": { "id": "dk39-4kd9-1w9d", "owner": "user1" } }

Access Control – Moderators
Sync Function
function (doc, oldDoc) {
  if (doc.type == "task-list") {
    …
    channel("moderators");
  } else if (doc.type == "task") {
    …
    channel("moderators");
  } else if (doc.type == "task-list.user") {
    …
    channel("moderators");
  } else if (doc.type == "moderator") {
    // Only users with the admin role may write moderator documents
    requireRole("admin");
    access(doc.username, "moderators");
  } else {
    throw({forbidden: "Invalid document type."});
  }
}
{ "_id": "do9s-a13k-n8sk", "type": "moderator", "username": "user3" }

Channels – Task List Application
Sync Function
if type = "task-list" {
  channel(…);
  access(…);
} else if type = "task" {
  channel(…);
} else if type = "task-list.user" {
  channel(…);
  access(…);
} else if type = "moderator" {
  role(…);
}
[Diagram: channels task-list.A and task-list.A.users; under Users and Roles, user1 has task-list.A and task-list.A.users and user2 has task-list.A; the user1 and user2 client apps each hold list A.]

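The sync function built up across the Access Control slides, consolidated and run under Node against sample documents. This is an added example, not code from the presentation or from Sync Gateway: the runSync harness and its stand-in helpers are hypothetical, the elided "…" branches are filled in from the earlier slides, and the oldDoc owner check is an addition so that an update is checked against the stored owner rather than the owner value it carries.

```javascript
// SYNC_SRC consolidates the sync function built up on the slides (added example).
const SYNC_SRC = `function (doc, oldDoc) {
  if (doc.type == "task-list") {
    // Assumption: on updates, check the owner stored in the previous revision.
    requireUser(oldDoc ? oldDoc.owner : doc.owner);
    if (!doc.name) { throw({forbidden: "Name is required for task lists."}); }
    channel("task-list." + doc._id);
    channel("moderators");
    access(doc.owner, "task-list." + doc._id);
    access(doc.owner, "task-list." + doc._id + ".users");
  } else if (doc.type == "task") {
    requireAccess("task-list." + doc["task-list"]);
    channel("task-list." + doc["task-list"]);
    channel("moderators");
  } else if (doc.type == "task-list.user") {
    requireUser(doc.taskList.owner);
    channel("task-list." + doc.taskList.id + ".users");
    channel("moderators");
    access(doc.username, "task-list." + doc.taskList.id);
  } else if (doc.type == "moderator") {
    requireRole("admin");
    access(doc.username, "moderators");
  } else {
    throw({forbidden: "Invalid document type."});
  }
}`;
// Hypothetical harness: stand-ins for Sync Gateway's helpers so this runs under Node.
function runSync(doc, oldDoc, user) {
  const out = { channels: [], grants: [], rejected: null };
  const deny = (msg) => { throw { forbidden: msg }; };
  const fn = new Function("channel", "access", "requireUser", "requireRole",
    "requireAccess", "return " + SYNC_SRC)(
    (c) => out.channels.push(c),
    (name, c) => out.grants.push(name + ":" + c),
    (name) => { if (user.name !== name) deny("wrong user"); },
    (role) => { if (!user.roles.includes(role)) deny("missing role"); },
    (c) => { if (!user.channels.includes(c)) deny("missing channel access"); });
  try { fn(doc, oldDoc); } catch (e) {
    return { channels: [], grants: [], rejected: e.forbidden || String(e) };
  }
  return out;
}
// Constructed sample input, based on the documents shown on the slides.
const list = { _id: "dk39-4kd9-1w9d", type: "task-list", name: "Groceries", owner: "user1" };
const user1 = { name: "user1", roles: [], channels: ["task-list.dk39-4kd9-1w9d"] };
const user2 = { name: "user2", roles: [], channels: [] };
console.log(runSync(list, null, user1));                        // accepted
console.log(runSync({ ...list, owner: "user2" }, list, user2)); // rejected
```

The harness only records what the function asked for; it does not model how Sync Gateway stores grants or resolves roles.
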
Next Steps
Develop: data, sync & security (Today 11:00 AM, Great America 3)
Testing & Deploying Couchbase Mobile (Today 4:00 PM, Great America 3)
developer.couchbase.com/mobile/training
github.com/couchbaselabs/mobile-training-todo/

Adam Fraser
Architect – Sync [email protected]