Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Design: modeling and security – Couchbase Connect 2016

632 views

Published on

In this session you’ll learn how to design applications using Couchbase Mobile, including architecture, data modeling, and security. Adam will take you through designing the data model objects for an app, and the relationships between them. He will also demonstrate how to secure your data model using Couchbase Mobile’s built-in security framework and walk through access control, data validation, and access grants.

Published in: Software
  • Be the first to comment

  • Be the first to like this

Design: modeling and security – Couchbase Connect 2016

  1. 1. ©2016 Couchbase Inc. 1 The Couchbase Connect16 mobile app Take our in-app survey!
  2. 2. ©2016 Couchbase Inc. Design: Modeling and Security 2
  3. 3. ©2016 Couchbase Inc.©2016 Couchbase Inc. Agenda 3 Develop: data, sync & security Today 11:00 AMGreat America 3 Testing & Deploying Couchbase Mobile Today 4:00 PMGreat America 3
  4. 4. ©2016 Couchbase Inc. 4 Design: Modeling and Security
  5. 5. ©2016 Couchbase Inc.©2016 Couchbase Inc. Introduction • Data Modeling • Access Control 5
  6. 6. ©2016 Couchbase Inc. 6 Data Modeling
  7. 7. ©2016 Couchbase Inc.©2016 Couchbase Inc. Task List Application - Features • Users create task lists, share with other users • Owner and users add and modify tasks • Tasks may include images 7
  8. 8. ©2016 Couchbase Inc.©2016 Couchbase Inc. Task List Application - Entities 8 Task List name owner users Task name complete User? username Sync Gateway User username
  9. 9. ©2016 Couchbase Inc.©2016 Couchbase Inc. Tables to JSON 9 Task List name owner users { "type": "task-list", "name": "Groceries", "owner": "user1", "users": ["user2", "user3"] } { "type": "task", "name": "Potatoes", "complete": false } Task name complete
  10. 10. ©2016 Couchbase Inc.©2016 Couchbase Inc. Document IDs 10 Task List name owner users { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1", "users": ["user2", "user3"] } { "_id": "de30-5d54-75b4", "type": "task", "name": "Potatoes", "complete": false } Task name complete
  11. 11. ©2016 Couchbase Inc.©2016 Couchbase Inc. Entity Relationships 11 { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1", "users": ["user2", "user3"] } { "_id": "de30-5d54-75b4", "type": "task", "name": "Potatoes", "complete": false, "task-list": "dk39-4kd9-1w9d" } • 1-to-many relationship between task-list and task • Many-to-many relationship between task-list and user
  12. 12. ©2016 Couchbase Inc.©2016 Couchbase Inc. Task List Application – List Sharing • Share your list with other users 12
  13. 13. ©2016 Couchbase Inc.©2016 Couchbase Inc. Iterate Design: Private List Members • Embedding list members in the list document has problems: • Document size • Document volatility • Privacy – only owners should see full set of list users 13 { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1", "users": ["user2", "user3"] }
  14. 14. ©2016 Couchbase Inc.©2016 Couchbase Inc. { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" } { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1", "users": ["user2", "user3"] } Task List Application – List Users 14 Task List User username list id list owner { "_id": "fd23-f3fw-3s9e", "type": "task-list.user", "username": "user2", "taskList": { "id":"dk39-4kd9-1w9d", "owner":"user1" } } Task List name owner users Task List name owner
  15. 15. ©2016 Couchbase Inc.©2016 Couchbase Inc. Task Images 15 { "_id": "de30-5d54-75b4", "type": "task", "name": "Potatoes", "complete": false, "task-list": "dk39-4kd9-1w9d", "_attachments": { "image": {...} } } Task name complete task-list image
  16. 16. ©2016 Couchbase Inc.©2016 Couchbase Inc. • Moderator can view and edit all lists and tasks • Moderator documents to identify which users have moderator privileges Moderators 16 Moderator username { "_id": "do9s-a13k-n8sk", "type": "moderator", "username": "user3" }
  17. 17. ©2016 Couchbase Inc.©2016 Couchbase Inc. Entities 17 Task List _id name owner Task _id name complete task list image Task List User _id username task list id list owner Moderator username Sync Gateway User username
  18. 18. ©2016 Couchbase Inc.©2016 Couchbase Inc. Documents 18 Sync Gateway User username { "_id": "do9s-a13k-n8sk", "type": "moderator", "username": "user3" } { "_id": "de30-5d54-75b4", "type": "task", "name": "Potatoes", "complete": false, "task-list": "dk39-4kd9-1w9d", "_attachments": { "image": {...} } } { "_id": "fd23-f3fw-3s9e", "type": "task-list.user", "username": "user2", "taskList": { "id":"dk39-4kd9-1w9d", "owner":"user1" } } { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" }
  19. 19. ©2016 Couchbase Inc. 19 Access Control
  20. 20. ©2016 Couchbase Inc.©2016 Couchbase Inc. Sync Gateway 20
  21. 21. ©2016 Couchbase Inc.©2016 Couchbase Inc. Access Control • Read Access and Routing • Write Access • DataValidation 21
  22. 22. ©2016 Couchbase Inc.©2016 Couchbase Inc. Channels • Documents are assigned to channels • Lightweight – tags attached to documents • Users and roles are granted access to channels • Static access grants – by admin • Dynamic access grants – by documents • Channels define which documents users can read 22
  23. 23. ©2016 Couchbase Inc.©2016 Couchbase Inc. Channels 23 Channels Users ch 1 ch 2 User 1 User 2 ch 1 Documents ch 3 Roles Role 1 Role 2 Doc 1 Doc 2 Doc 3 Role 2 ch 2 ch 3 ch 1 ch 1 ch 2 ch 2 ch 3 ... ... ...... 1 1 3 2 1 1 3
  24. 24. ©2016 Couchbase Inc.©2016 Couchbase Inc. Determining Channels –The Sync Function • Channels are calculated for a document by the Sync Function • A Javascript function that defines your application logic, that is executed whenever a document is written to Sync Gateway • Defines Access Control for the application • Documents -> Channels • Users and Roles -> Channels • Users -> Roles • Write Security • DataValidation 24
  25. 25. ©2016 Couchbase Inc.©2016 Couchbase Inc. Sync Function 25 • Sync Function has method signature function(doc, oldDoc) • doc: the incoming new version of the document • oldDoc: the previous version of the document • Sync Function operations are based only on the document itself – cannot reference other documents in the system
  26. 26. ©2016 Couchbase Inc.©2016 Couchbase Inc. Routing – Sync Function channel(channels) • Assigns the document to the specified channel(s) 26
  27. 27. ©2016 Couchbase Inc.©2016 Couchbase Inc. Routing –Task Lists 27 { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" } { "_id":"dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" } channels: ["task-list.dk39-4kd9-1w9d"] Sync Function function(doc, oldDoc) { if (doc.type == "task-list") { channel("task-list."+doc._id); } } • Create a channel for each task list
  28. 28. ©2016 Couchbase Inc.©2016 Couchbase Inc. Read Access – Sync Function access(name, channel) • Grants the user name access to channel channel 28
  29. 29. ©2016 Couchbase Inc.©2016 Couchbase Inc. Read Access –Task Lists 29 { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" } { "_id":"dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" } channels: ["task-list.dk39-4kd9-1w9d"] Sync Function function (doc, oldDoc) { if (doc.type == "task-list") { channel("task-list."+ doc.id); access(doc.owner, "task-list." + doc.id); } } • Task list owner and users have read access to task list User: user1 channels: ["task-list.dk39-4kd9-1w9d"]
  30. 30. ©2016 Couchbase Inc.©2016 Couchbase Inc. Write Access requireUser(username) • Rejects the update if the active user is not username requireRole(role) • Rejects the update if the active user does not have the role role requireAccess(channel) • Rejects the update if the active user does not have access to the channel channel 30
  31. 31. ©2016 Couchbase Inc.©2016 Couchbase Inc. Write Access –Task Lists 31 { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" } Sync Function function (doc, oldDoc) { if (doc.type == "task-list") { channel("task-list."+ doc.id); access(doc.owner, "task-list." + doc.id); requireUser(doc.owner); } } • Only the owner can modify the task list document
  32. 32. ©2016 Couchbase Inc.©2016 Couchbase Inc. DataValidation throw({forbidden:"error"}) • Rejects the update and returns error message error • Type enforcement • Data validation by type 32
  33. 33. ©2016 Couchbase Inc.©2016 Couchbase Inc. DataValidation –Task Lists 33 { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" } Sync Function function (doc, oldDoc) { if (doc.type == "task-list") { channel("task-list."+ doc.id); access(doc.owner, "task-list." + doc.id); requireUser(doc.owner); if(!doc.name) { throw({forbidden:"Name is required for task lists."}); } } } • Name is required
  34. 34. ©2016 Couchbase Inc.©2016 Couchbase Inc. Access Control –Tasks 34 Sync Function function (doc, oldDoc) { if (doc.type == "task-list") { … } else if (doc.type == "task") { channel("task-list."+ doc.task-list); requireAccess("task-list." + doc.task-list); } } { "_id": "de30-5d54-75b4", "type": "task", "name": "Potatoes", "complete": false, "task-list": "dk39-4kd9-1w9d", "_attachments": { "image": {...} } }
  35. 35. ©2016 Couchbase Inc.©2016 Couchbase Inc. Access Control –Task List Users 35 Sync Function function (doc, oldDoc) { if (doc.type == "task-list") { … access(doc.owner, "task-list." + doc.taskList.id + ".users"); } else if (doc.type == "task") { … } else if (doc.type == "task-list.user") { access(doc.username, "task-list." + doc.taskList.id); requireUser(doc.taskList.owner); channel("task-list."+doc.taskList.id+".users"); access(doc.owner, "task-list." + doc.taskList.id + ".users"); } } { "_id": "fd23-f3fw-3s9e", "type": "task-list.user", "username": "user2", "taskList": { "id":"dk39-4kd9-1w9d", "owner":"user1" } }
  36. 36. ©2016 Couchbase Inc.©2016 Couchbase Inc. Access Control – Moderators 36 Sync Function function (doc, oldDoc) { if (doc.type == "task-list") { … channel("moderators"); } else if (doc.type == "task") { … channel("moderators"); } else if (doc.type == "task-list.user") { … channel("moderators"); } else if (doc.type == "moderator") { requireRole("admin"); access(doc.username, "moderators") } else { throw({forbidden:"Invalid document type."}) } } { "_id": "do9s-a13k-n8sk", "type": "moderator", "username": "user3" }
  37. 37. ©2016 Couchbase Inc.©2016 Couchbase Inc. Sync Function if type = "task-list" { channel(…); access(…); } else if type = "task" { channel(…); } else if type = "task-list.user" { channel(…); access(…); } else if type = "moderator" { role(…); } 37 user1 – client app Channels task-list.A task-list.A.users A Channels –Task List Application Users and Roles user1 user2 A task-list.A task-list.A.users task-list.A user2 – client app A
  38. 38. ©2016 Couchbase Inc.©2016 Couchbase Inc. Next Steps 38 Develop: data, sync & security Today 11:00 AMGreat America 3 Testing & Deploying Couchbase Mobile Today 4:00 PMGreat America 3 developer.couchbase.com/mobile/training github.com/couchbaselabs/mobile-training-todo/
  39. 39. ©2016 Couchbase Inc. 39 Adam Fraser Architect – Sync Gateway adamf@couchbase.com
  40. 40. ©2016 Couchbase Inc. ThankYou! 40
  41. 41. ©2016 Couchbase Inc. 41 The Couchbase Connect16 mobile app Take our in-app survey!
  42. 42. ©2016 Couchbase Inc. 42 Share your opinion on Couchbase 1. Go here: http://gtnr.it/2eRxYWn 2. Create a profile 3. Provide feedback (~15 minutes)

×