
Couchbase Mobile 102: How to Add Secure Sync to Your Mobile Apps: Couchbase Connect 2015


Bring your laptops! In this session, Adam and Andy will show you how to build a mobile app using Couchbase Sync Gateway with a live demo. Topics will include: authentication, data partitioning, data access control, and data validation. By the end of this session, you will understand how to add secure sync to your Couchbase Mobile app using Sync Gateway.

Published in: Technology


  1. COUCHBASE MOBILE 102: HOW TO ADD SECURE SYNC TO YOUR MOBILE APPS
     Adam Fraser and Andrew Reslan, Couchbase
  2. Overview
     ▪ Introduction to Couchbase Sync Gateway
     ▪ Key mobile data security concerns
     ▪ How Sync Gateway addresses these concerns for your application
     ▪ Live Demo
     ▪ Q&A
     ©2015 Couchbase Inc.
  3. Intro to Couchbase Sync Gateway
  4. Couchbase Mobile
     ▪ Couchbase Lite: Embedded NoSQL database
     ▪ Sync Gateway: Secure Synchronization
     ▪ Couchbase Server: Cloud NoSQL Database
  5. Sync Gateway
     ▪ Replication
     ▪ Authentication
     ▪ Data Partitioning
     ▪ Data Access Control
  6. Getting Started
     ▪ Download Sync Gateway
       ▪ http://www.couchbase.com/nosql-databases/downloads
       ▪ https://github.com/couchbase/sync_gateway
     ▪ Install
     ▪ Run sync_gateway from /bin
  7. Key Mobile Data Security Concerns
  8. Key Mobile Data Security concerns
     ▪ User Authentication
     ▪ Data Read/Write Access
     ▪ Data transport on the Wire
     ▪ Data Storage - on device and in the cloud
  9. Authentication
  10. Authentication
      ▪ Pluggable Authentication
      ▪ Public Providers
      ▪ Custom Providers
      ▪ Anonymous Users
  11. Authentication - Public Providers
      ▪ Basic Auth
      ▪ Facebook
      ▪ Persona
  12. Authentication - Sync Gateway Configuration

          {
            "facebook": { "register": false },
            "databases": {
              "grocery-sync": {
                "server": "http://cbserver:8091",
                "bucket": "grocery-sync",
                "users": { "GUEST": { "disabled": true } },
                "sync": `function(doc) { channel(doc.channels); }`
              }
            }
          }
  13. Authentication - Custom Providers
      [Diagram: Sync Gateway and Auth Server, with steps numbered 1, 2, 3]
  14. Data Read/Write Access
  15. Data Read/Write Access
      ▪ Fine-grained security policies
      ▪ Document level read side permissions
      ▪ Field level write side permissions
      ▪ JavaScript policy enforcement
  16. Sync Function
      ▪ JavaScript function that is executed when any document is written to Sync Gateway
      ▪ Is where the majority of Sync Gateway’s data access rules get defined
      ▪ Defined in the Sync Gateway config

          {
            "databases": {
              "grocery-sync": {
                "server": "http://walrus:",
                "bucket": "grocery-sync",
                "users": { "GUEST": { "disabled": true } },
                "sync": `function(doc, oldDoc) { channel(doc.channels); }`
              }
            }
          }
  17. Write Permissions
      ▪ Functions available for use in the Sync Function to apply write-side security
        ▪ requireUser(…)
        ▪ requireRole(…)
        ▪ requireAccess(…)
        ▪ throw()
  18. Read Permissions
      ▪ Read permissions are managed using channels
      ▪ Data partitioning using the channel(…) primitive
      ▪ Read permissions granted using access(…) primitive
  19. Channels
      ▪ Every document is associated with a set of channels
      ▪ Every user and role has a set of channels that they can read
      ▪ Channel definitions are just the channel name
      ▪ Special channels
        ▪ * - every document is added to the * channel
        ▪ ! - every user is granted access to the ! channel
  20. Channels
      [Diagram labels: Grocery Item, Sync Function, owner, friends; channels items-alice, items-bob, private-alice, private-bob, private-fran; users alice, bob]

          function(doc, oldDoc) {
            // Reject the write unless the authenticated user is the document's owner
            requireUser(doc.owner);
            channel("items-" + doc.owner);
            channel("items-" + doc.friends);
            …
          }
  21. Assigning Documents to Channels

          function(doc, oldDoc) {
            channel("items-" + doc.owner);
          }

      ▪ The channel(…) function assigns the current document to the specified channel(s)
  22. Granting Channel Access to Users

          function(doc, oldDoc) {
            access(doc.owner, "items-" + doc.owner);
          }

      ▪ The access(…) function grants a user access to the specified channel(s)
  23. Removing channel assignments and grants
      ▪ The channel() assignments and access() grants made by the sync function are specific to that revision of the document
      ▪ Future revisions of the document (or deletion of the document) can revoke these assignments and grants

          function(doc, oldDoc) {
            channel("items-" + doc.owner);
            access(doc.owner, "items-" + doc.owner);
          }

          doc1, rev-1: {"owner":"alice"}
          doc1, rev-2: {"owner":"bob"}
  24. Securing Sync Gateway - Demo
      https://github.com/couchbaselabs/sg-live-demo
  25. Grocery Sync App Summary
  26. Takeaway Exercises
      ▪ Prevent friends from changing the text of any items on a user's list.
      ▪ Let friends know that they have been added to a list without having to add any items to that list.
      ▪ See ToDoLite sample apps for a more complete example of a shared to-do list.
        ▪ https://github.com/couchbaselabs/ToDoLite-iOS
        ▪ https://github.com/couchbaselabs/ToDoLite-Android
  27. Next Steps
  28. Data Transport on the Wire - SSL/TLS
      ▪ Sync Gateway supports SSL (TLS v1.0 and higher)
      ▪ Configure SSL in the Sync Gateway config
        ▪ https://github.com/couchbase/sync_gateway/tree/master/examples/ssl
  29. Data Storage on the Device
      ▪ File System Encryption
  30. Data Storage in the Cloud
      ▪ Secure cloud environment
      ▪ Configure for File System Encryption
  31. Q&A
  32. Thank you
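
The revision-specific channel assignments and grants described on slide 23, worked through as an added example (not part of the original deck and not Couchbase code). `SyncModel`, its methods, `demo` and the second document `doc2` are hypothetical names constructed for illustration; only the sync function body and the `doc1` revisions come from the slide, and deletion is modelled simply as dropping the document's results.

```javascript
// Added example: simplified model of sync-function evaluation (hypothetical names).
// Sync function from slide 23, held as source text the way the config holds it.
const SYNC_SRC = `function(doc, oldDoc) {
  channel("items-" + doc.owner);
  access(doc.owner, "items-" + doc.owner);
}`;

class SyncModel {
  // docs: docId -> { body, channels, grants } for the current revision only
  constructor(src) { this.src = src; this.docs = new Map(); }

  // Evaluate the sync function for a new revision. Its channel() and access()
  // calls replace whatever the previous revision of the same document produced.
  put(docId, body) {
    const channels = new Set();
    const grants = []; // [user, channel] pairs
    const fn = new Function("channel", "access", `return (${this.src});`)(
      (c) => channels.add(c),
      (user, c) => grants.push([user, c])
    );
    const prev = this.docs.get(docId);
    fn(body, prev ? prev.body : null);
    this.docs.set(docId, { body, channels, grants });
  }

  // Assumption: deletion drops the document's assignments and grants.
  remove(docId) { this.docs.delete(docId); }

  // Channels a user may read: grants made by the current revision of every document.
  readable(user) {
    const out = new Set();
    for (const { grants } of this.docs.values())
      for (const [u, c] of grants) if (u === user) out.add(c);
    return [...out].sort();
  }

  // Documents whose current channels intersect the user's readable channels.
  visibleDocs(user) {
    const mine = new Set(this.readable(user));
    return [...this.docs]
      .filter(([, d]) => [...d.channels].some((c) => mine.has(c)))
      .map(([id]) => id).sort();
  }
}

function demo() {
  const m = new SyncModel(SYNC_SRC);
  m.put("doc1", { owner: "alice" }); // doc1, rev-1 (from the slide)
  m.put("doc2", { owner: "alice" }); // constructed second document
  const before = m.visibleDocs("alice");
  m.put("doc1", { owner: "bob" });   // doc1, rev-2 (from the slide)
  const after = [m.visibleDocs("alice"), m.visibleDocs("bob")];
  m.remove("doc2");
  return { before, after, afterDelete: m.readable("alice") };
}
```

After rev-2, alice keeps the `items-alice` grant only because `doc2` still makes it; once that document is removed she has no readable channels left.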
