Design: modeling and security – Couchbase Connect 2016
©2016 Couchbase Inc. 1
Design: Modeling and Security
Agenda
• Develop: data, sync & security – Today 11:00 AM, Great America 3
• Testing & Deploying Couchbase Mobile – Today 4:00 PM, Great America 3
Introduction
• Data Modeling
• Access Control
Data Modeling
Task List Application - Features
• Users create task lists, share with other users
• Owner and users add and modify tasks
• Tasks may include images
Task List Application - Entities
• Task List: name, owner, users
• Task: name, complete
• User?: username
• Sync Gateway User: username
Tables to JSON
Task List (name, owner, users):
    { "type": "task-list", "name": "Groceries", "owner": "user1", "users": ["user2", "user3"] }
Task (name, complete):
    { "type": "task", "name": "Potatoes", "complete": false }
Document IDs
Task List (name, owner, users):
    { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1", "users": ["user2", "user3"] }
Task (name, complete):
    { "_id": "de30-5d54-75b4", "type": "task", "name": "Potatoes", "complete": false }
Entity Relationships
    { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1", "users": ["user2", "user3"] }
    { "_id": "de30-5d54-75b4", "type": "task", "name": "Potatoes", "complete": false, "task-list": "dk39-4kd9-1w9d" }
• 1-to-many relationship between task-list and task
• Many-to-many relationship between task-list and user
Task List Application – List Sharing
• Share your list with other users
Iterate Design: Private List Members
• Embedding list members in the list document has problems:
  • Document size
  • Document volatility
  • Privacy – only owners should see full set of list users
    { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1", "users": ["user2", "user3"] }
Task List Application – List Users
Task List (name, owner, users):
    { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1", "users": ["user2", "user3"] }
becomes Task List (name, owner):
    { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" }
plus Task List User (username, list id, list owner):
    {
      "_id": "fd23-f3fw-3s9e",
      "type": "task-list.user",
      "username": "user2",
      "taskList": { "id": "dk39-4kd9-1w9d", "owner": "user1" }
    }
Task Images
Task (name, complete, task-list, image):
    { "_id": "de30-5d54-75b4", "type": "task", "name": "Potatoes", "complete": false, "task-list": "dk39-4kd9-1w9d", "_attachments": { "image": {...} } }
Moderators
• Moderator can view and edit all lists and tasks
• Moderator documents to identify which users have moderator privileges
Moderator (username):
    { "_id": "do9s-a13k-n8sk", "type": "moderator", "username": "user3" }
Entities
• Task List: _id, name, owner
• Task: _id, name, complete, task list, image
• Task List User: _id, username, task list id, list owner
• Moderator: username
• Sync Gateway User: username
Documents
Sync Gateway User: username
Moderator:
    { "_id": "do9s-a13k-n8sk", "type": "moderator", "username": "user3" }
Task:
    { "_id": "de30-5d54-75b4", "type": "task", "name": "Potatoes", "complete": false, "task-list": "dk39-4kd9-1w9d", "_attachments": { "image": {...} } }
Task List User:
    {
      "_id": "fd23-f3fw-3s9e",
      "type": "task-list.user",
      "username": "user2",
      "taskList": { "id": "dk39-4kd9-1w9d", "owner": "user1" }
    }
Task List:
    { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" }
Access Control
Sync Gateway
Access Control
• Read Access and Routing
• Write Access
• Data Validation
Channels
• Documents are assigned to channels
  • Lightweight – tags attached to documents
• Users and roles are granted access to channels
  • Static access grants – by admin
  • Dynamic access grants – by documents
• Channels define which documents users can read
Channels
[Diagram: Users, Roles and Documents, each linked to channels (ch 1, ch 2, ch 3)]
Determining Channels – The Sync Function
• Channels are calculated for a document by the Sync Function
• A JavaScript function that defines your application logic, that is executed whenever a document is written to Sync Gateway
• Defines Access Control for the application
  • Documents -> Channels
  • Users and Roles -> Channels
  • Users -> Roles
  • Write Security
  • Data Validation
Sync Function
• Sync Function has method signature function(doc, oldDoc)
  • doc: the incoming new version of the document
  • oldDoc: the previous version of the document
• Sync Function operations are based only on the document itself – cannot reference other documents in the system
Routing – Sync Function
channel(channels)
• Assigns the document to the specified channel(s)
Routing – Task Lists
• Create a channel for each task list
Document written:
    { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" }
Document after the Sync Function, channels: ["task-list.dk39-4kd9-1w9d"]:
    { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" }
Sync Function
    function (doc, oldDoc) {
      if (doc.type == "task-list") {
        channel("task-list." + doc._id);
      }
    }
Read Access – Sync Function
access(name, channel)
• Grants the user name access to channel channel
Read Access – Task Lists
• Task list owner and users have read access to task list
Document written:
    { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" }
Document after the Sync Function, channels: ["task-list.dk39-4kd9-1w9d"]:
    { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" }
User: user1, channels: ["task-list.dk39-4kd9-1w9d"]
Sync Function
    function (doc, oldDoc) {
      if (doc.type == "task-list") {
        // The document ID property is _id (doc.id is undefined).
        channel("task-list." + doc._id);
        // Grant the owner read access to the list's channel.
        access(doc.owner, "task-list." + doc._id);
      }
    }
Write Access
requireUser(username)
• Rejects the update if the active user is not username
requireRole(role)
• Rejects the update if the active user does not have the role role
requireAccess(channel)
• Rejects the update if the active user does not have access to the channel channel
Write Access – Task Lists
• Only the owner can modify the task list document
    { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" }
Sync Function
    function (doc, oldDoc) {
      if (doc.type == "task-list") {
        channel("task-list." + doc._id);
        access(doc.owner, "task-list." + doc._id);
        // Reject the write unless the active user is the list owner.
        requireUser(doc.owner);
      }
    }
Data Validation
throw({forbidden:"error"})
• Rejects the update and returns error message error
• Type enforcement
• Data validation by type
Data Validation – Task Lists
• Name is required
    { "_id": "dk39-4kd9-1w9d", "type": "task-list", "name": "Groceries", "owner": "user1" }
Sync Function
    function (doc, oldDoc) {
      if (doc.type == "task-list") {
        channel("task-list." + doc._id);
        access(doc.owner, "task-list." + doc._id);
        requireUser(doc.owner);
        // Validation: reject task lists without a name.
        if (!doc.name) {
          throw({forbidden: "Name is required for task lists."});
        }
      }
    }
Access Control – Tasks
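Sync Function
    function (doc, oldDoc) {
      if (doc.type == "task-list") {
        // …
      } else if (doc.type == "task") {
        // "task-list" contains a hyphen, so it needs bracket notation;
        // doc.task-list would be parsed as doc.task minus list.
        channel("task-list." + doc["task-list"]);
        // Only users with access to the list's channel may write its tasks.
        requireAccess("task-list." + doc["task-list"]);
      }
    }
Task document:
    { "_id": "de30-5d54-75b4", "type": "task", "name": "Potatoes", "complete": false, "task-list": "dk39-4kd9-1w9d", "_attachments": { "image": {...} } }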
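
The task-list and task rules from the slides above, exercised offline as an added example (not code from the talk or from Sync Gateway). `runSync` and its stubs are hypothetical stand-ins for `channel`, `access`, `requireUser` and `requireAccess`, and the comparison against `oldDoc.owner` is an added assumption so that an update is authorized against the stored owner rather than the incoming one.

```javascript
// Added example. The stubs are simplified stand-ins for Sync Gateway's
// built-ins (assumption), so a sync function can be exercised offline.
function runSync(syncFn, doc, oldDoc, user) {
  const result = { channels: [], access: {}, rejected: null };
  const api = {
    channel: (ch) => result.channels.push(ch),
    access: (name, ch) => (result.access[name] = result.access[name] || []).push(ch),
    requireUser: (name) => { if (user.name !== name) throw { forbidden: "wrong user" }; },
    requireAccess: (ch) => { if (!user.channels.includes(ch)) throw { forbidden: "missing channel access" }; },
  };
  try {
    // Bind the stubs as free names, the way a sync function calls them.
    const bound = new Function(...Object.keys(api), "doc", "oldDoc",
      "return (" + syncFn + ")(doc, oldDoc);");
    bound(...Object.values(api), doc, oldDoc);
  } catch (e) {
    if (!e || !e.forbidden) throw e; // a bug in the function, not a rejection
    return { channels: [], access: {}, rejected: e.forbidden };
  }
  return result;
}

const syncFunction = function (doc, oldDoc) {
  if (doc.type == "task-list") {
    // Assumption: on updates, authorize against the stored owner (oldDoc), so
    // a writer cannot pass the check by naming themselves in doc.owner.
    requireUser(oldDoc ? oldDoc.owner : doc.owner);
    if (!doc.name) throw({ forbidden: "Name is required for task lists." });
    channel("task-list." + doc._id);
    access(doc.owner, "task-list." + doc._id);
  } else if (doc.type == "task") {
    requireAccess("task-list." + doc["task-list"]);
    channel("task-list." + doc["task-list"]);
  } else {
    throw({ forbidden: "Invalid document type." });
  }
};

// Constructed sample data, modeled on the documents in the slides.
const list = { _id: "dk39-4kd9-1w9d", type: "task-list", name: "Groceries", owner: "user1" };
const task = { _id: "de30-5d54-75b4", type: "task", name: "Potatoes", "task-list": "dk39-4kd9-1w9d" };
const user1 = { name: "user1", channels: ["task-list.dk39-4kd9-1w9d"] };
const user2 = { name: "user2", channels: [] };

function demo() {
  return {
    create: runSync(syncFunction, list, null, user1),
    ownerSwap: runSync(syncFunction, { ...list, owner: "user2" }, list, user2),
    noName: runSync(syncFunction, { ...list, name: "" }, list, user1),
    memberTask: runSync(syncFunction, task, null, user1),
    outsiderTask: runSync(syncFunction, task, null, user2),
  };
}
console.log(demo());
```
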
Access Control – Task List Users
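Sync Function
    function (doc, oldDoc) {
      if (doc.type == "task-list") {
        // …
        // A task-list document has no taskList field; its own ID is doc._id.
        access(doc.owner, "task-list." + doc._id + ".users");
      } else if (doc.type == "task") {
        // …
      } else if (doc.type == "task-list.user") {
        // Grant the listed user read access to the task list's channel.
        access(doc.username, "task-list." + doc.taskList.id);
        // Only the list owner may add or change list users.
        requireUser(doc.taskList.owner);
        channel("task-list." + doc.taskList.id + ".users");
        // On this document type the owner is stored in doc.taskList.owner.
        access(doc.taskList.owner, "task-list." + doc.taskList.id + ".users");
      }
    }
Task List User document:
    {
      "_id": "fd23-f3fw-3s9e",
      "type": "task-list.user",
      "username": "user2",
      "taskList": { "id": "dk39-4kd9-1w9d", "owner": "user1" }
    }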
Access Control – Moderators
Sync Function
    function (doc, oldDoc) {
      if (doc.type == "task-list") {
        // …
        channel("moderators");
      } else if (doc.type == "task") {
        // …
        channel("moderators");
      } else if (doc.type == "task-list.user") {
        // …
        channel("moderators");
      } else if (doc.type == "moderator") {
        requireRole("admin");
        access(doc.username, "moderators");
      } else {
        throw({forbidden: "Invalid document type."});
      }
    }
Moderator document:
    { "_id": "do9s-a13k-n8sk", "type": "moderator", "username": "user3" }
Channels – Task List Application
Sync Function (outline)
    if type = "task-list" {
      channel(…);
      access(…);
    } else if type = "task" {
      channel(…);
    } else if type = "task-list.user" {
      channel(…);
      access(…);
    } else if type = "moderator" {
      role(…);
    }
[Diagram: Users and Roles – user1 client app with channels task-list.A and task-list.A.users; user2 client app with channel task-list.A]
Next Steps
• Develop: data, sync & security – Today 11:00 AM, Great America 3
• Testing & Deploying Couchbase Mobile – Today 4:00 PM, Great America 3
developer.couchbase.com/mobile/training
github.com/couchbaselabs/mobile-training-todo/
Thank You!