©2015 Couchbase Inc.
Couchbase Mobile 102: Sync Gateway
William Hoang | Mobile Developer Advocate | @sweetiewill
Couchbase Lite | Sync Gateway | Couchbase Server
Couchbase Peer to Peer …will be introduced in Couchbase Mobile 103
Intro to Couchbase Sync Gateway
Features: Introduction to Sync Gateway
Key Mobile Data Security Concerns
Security Solutions with Sync Gateway
LIVE Demo
Overview:
How to Add Secure Sync to Mobile Apps
Couchbase Lite Sync Gateway
Replication
Authentication
Data Partitioning
Data Access Control
Key Mobile Data Security Concerns
User Authentication
Data Read & Write Access
Data Transport on the Wire
Data Storage on Device & In the Cloud
Authentication - Pluggable
Public Providers
Custom Providers
Anonymous Users
Authentication – Public Providers
Basic Auth
Persona
Authentication: Public Provider - Facebook
{
  "facebook": { "register": false },
  "databases": {
    "grocery-sync": {
      "server": "http://cbserver:8091",
      "bucket": "grocery-sync",
      "users": { "GUEST": { "disabled": true } },
      "sync": `function(doc) { channel(doc.channels); }`
    }
  }
}
Authentication: Custom Provider
[1] Authentication
[2] Valid user session
[3] App to Sync Gateway
Key Mobile Data Security Concerns
User Authentication
Data Read & Write Access
Data Transport on the Wire
Data Storage on Device & In the Cloud
Couchbase Lite Sync Gateway
Security Policies
Document Level Read Side Permissions
Field Level Write Side Permissions
JavaScript Policy Enforcement
{ … sync func. .. }
Data Access: Sync Function - config file
{
  "databases": {
    "grocery-sync": {
      "server": "http://walrus:",
      "bucket": "grocery-sync",
      "users": { "GUEST": { "disabled": true } },
      "sync": `function(doc, oldDoc) { channel(doc.channels); }`
    }
  }
}
Data Access: Sync Function - Write Permissions
{ …
• requireUser(username)
• requireRole(rolename)
• requireAccess(channels)
• throw()
… }
Data Access: Sync Function - Read Permissions
• channel(…) for documents
• access(…) for users
• Special channels: * and !
Couchbase Lite | Sync Gateway | Couchbase Server
Grocery Sync App Summary
{
  "log": ["*"],
  "databases": {
    "grocery-sync": {
      "server": "walrus:",
      "bucket": "grocery-sync",
      "users": {
        "GUEST": { "disabled": false, "admin_channels": ["*"] }
      }
    }
  }
}
Sync Gateway: Configure 0 - Default - All Channels
{
  "log": ["*"],
  "databases": {
    "grocery-sync": {
      "server": "walrus:",
      "bucket": "grocery-sync",
      "users": {
        "alice": { "disabled": false, "password": "password", "admin_channels": ["*"] },
        "bob":   { "disabled": false, "password": "password", "admin_channels": ["*"] }
      }
    }
  }
}
Sync Gateway: Configure 1 - Create Users - Remove Guest
{
  "log": ["*"],
  "databases": {
    "grocery-sync": {
      "server": "walrus:",
      "bucket": "grocery-sync",
      "users": {
        "alice": { "disabled": false, "password": "password", "admin_channels": ["*"] },
        "bob":   { "disabled": false, "password": "password", "admin_channels": ["*"] }
      },
      "sync": `
        function(doc, oldDoc) {
          // Placeholder sync function: add custom read/write logic here
        }
      `
    }
  }
}
Sync Gateway: Configure 2 - Sync Function - Owner Field
{
  "log": ["*"],
  "databases": {
    "grocery-sync": {
      "server": "walrus:",
      "bucket": "grocery-sync",
      "users": {
        "alice": { "disabled": false, "password": "password", "admin_channels": ["items-alice"] },
        "bob":   { "disabled": false, "password": "password", "admin_channels": ["items-bob"] }
      },
      "sync": `
        function(doc, oldDoc) {
          // Placeholder sync function: add custom read/write logic here
        }
      `
    }
  }
}
Sync Gateway: Configure 3 - Private Channel - Remove *
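The first four configuration steps above move from an anonymous GUEST with the "*" channel to named users with private channels. The following check, an added example that is not code from the slides or from Couchbase, reads a Sync Gateway config object and reports the wide-open settings those early steps start from: GUEST enabled, the "*" all-documents channel, the demo password, and a sync function that never rejects a write. The field names are the ones shown in the slide configs; the rules (including the 12-character password threshold) are this example's own defensive heuristics, and the three configs below are constructed to mirror step 0, step 3 and a hardened variant.

```javascript
// Added example (not from the slides): audit a Sync Gateway config object for the
// insecure defaults the walkthrough removes step by step.  Field names follow the
// slide configs; the rules are heuristics chosen for this example.

function auditSyncGatewayConfig(config) {
  const findings = [];
  for (const [dbName, db] of Object.entries(config.databases || {})) {
    for (const [name, user] of Object.entries(db.users || {})) {
      const channels = user.admin_channels || [];
      // GUEST is the anonymous user: enabled means unauthenticated clients can sync.
      if (name === "GUEST" && user.disabled !== true) {
        findings.push(`${dbName}: GUEST (anonymous) user is enabled`);
      }
      // "*" is the special channel that contains every document in the database.
      if (channels.includes("*")) {
        findings.push(`${dbName}: user ${name} is granted the "*" channel (reads every document)`);
      }
      // Demo passwords from a walkthrough must not survive into a deployment
      // (assumed threshold: at least 12 characters, not "password", not the username).
      if (typeof user.password === "string" &&
          (user.password === "password" || user.password === name || user.password.length < 12)) {
        findings.push(`${dbName}: user ${name} has a weak password`);
      }
    }
    // Without a sync function Sync Gateway applies the default
    // function(doc){ channel(doc.channels); }: clients pick their own channels
    // and no write is ever rejected.  A present function that never calls
    // requireUser/requireRole/requireAccess or throw() is just as permissive.
    if (typeof db.sync !== "string") {
      findings.push(`${dbName}: no sync function configured`);
    } else if (!/require(User|Role|Access)\s*\(|throw\s*\(/.test(db.sync)) {
      findings.push(`${dbName}: sync function never rejects a write`);
    }
  }
  return findings;
}

// Constructed config mirroring "Configure 0": GUEST enabled with all channels.
const STEP0_CONFIG = {
  log: ["*"],
  databases: { "grocery-sync": {
    server: "walrus:", bucket: "grocery-sync",
    users: { GUEST: { disabled: false, admin_channels: ["*"] } }
  } }
};

// Constructed config mirroring "Configure 3": named users with private channels,
// but the demo password and a placeholder sync function.
const STEP3_CONFIG = {
  log: ["*"],
  databases: { "grocery-sync": {
    server: "walrus:", bucket: "grocery-sync",
    users: {
      alice: { disabled: false, password: "password", admin_channels: ["items-alice"] },
      bob:   { disabled: false, password: "password", admin_channels: ["items-bob"] }
    },
    sync: "function(doc, oldDoc) { }"
  } }
};

// Hardened variant (constructed): unique passphrases and a sync function that
// enforces ownership, as the final step of the walkthrough does.
const HARDENED_CONFIG = {
  log: ["*"],
  databases: { "grocery-sync": {
    server: "walrus:", bucket: "grocery-sync",
    users: {
      alice: { disabled: false, password: "example-passphrase-for-alice", admin_channels: ["items-alice"] },
      bob:   { disabled: false, password: "example-passphrase-for-bob", admin_channels: ["items-bob"] }
    },
    sync: "function(doc, oldDoc) { requireUser(doc.owner); channel('items-' + doc.owner); }"
  } }
};

console.log(auditSyncGatewayConfig(STEP0_CONFIG));    // three findings
console.log(auditSyncGatewayConfig(STEP3_CONFIG));    // three findings
console.log(auditSyncGatewayConfig(HARDENED_CONFIG)); // []
```

Run it with `node audit_config.js`; to audit a real config file, `JSON.parse` the file and pass the resulting object, bearing in mind that a backtick-quoted multi-line sync function (as on the slides) is not strict JSON and would need to be normalised first.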
{
  "log": ["*"],
  "databases": {
    "grocery-sync": {
      "server": "walrus:",
      "bucket": "grocery-sync",
      "users": {
        "alice": { "disabled": false, "password": "password", "admin_channels": ["items-alice"] },
        "bob":   { "disabled": false, "password": "password", "admin_channels": ["items-bob"] }
      },
      "sync": `
        function(doc, oldDoc) {
          // Add the item document to its owner's items channel
          channel("items-" + doc.owner);
        }
      `
    }
  }
}
Sync Gateway: Configure 4 - Document to Channel - Programmatic Access
{
  "log": ["*"],
  "databases": {
    "grocery-sync": {
      "server": "walrus:",
      "bucket": "grocery-sync",
      "users": {
        "alice": { "disabled": false, "password": "password", "admin_channels": ["items-alice"] },
        "bob":   { "disabled": false, "password": "password", "admin_channels": ["items-bob"] }
      },
      "sync": `
        function(doc, oldDoc) {
          requireUser(doc.owner); // the owner of the item document must be the authenticated user
          channel("items-" + doc.owner);
        }
      `
    }
  }
}
Sync Gateway: Configure 5 - requireUser - owner property
{
  "log": ["*"],
  "databases": {
    "grocery-sync": {
      "server": "walrus:",
      "bucket": "grocery-sync",
      "users": {
        "alice": { "disabled": false, "password": "password", "admin_channels": ["items-alice"] },
        "bob":   { "disabled": false, "password": "password", "admin_channels": ["items-bob"] }
      },
      "sync": `
        function(doc, oldDoc) {
          if (doc.type == "friends") { // process a new friends document
            requireUser(doc.owner);    // the owner of the friends document must be the authenticated user
            access(doc.friends, "items-" + doc.owner);
            channel("private-" + doc.owner);
            access(doc.owner, "private-" + doc.owner);
          } else {
            requireUser(doc.owner);
            channel("items-" + doc.owner);
          }
        }
      `
    }
  }
}
Sync Gateway: Configure 6 - Document Type - Authentication
{
  "log": ["*"],
  "databases": {
    "grocery-sync": {
      "server": "walrus:",
      "bucket": "grocery-sync",
      "users": {
        "alice": { "disabled": false, "password": "password", "admin_channels": ["items-alice"] },
        "bob":   { "disabled": false, "password": "password", "admin_channels": ["items-bob"] }
      },
      "sync": `
        function(doc, oldDoc) {
          if (doc.type == "friends") { // process a new friends document
            requireUser(doc.owner);    // the owner of the friends document must be the authenticated user
            access(doc.friends, "items-" + doc.owner);
            channel("private-" + doc.owner);
            access(doc.owner, "private-" + doc.owner);
          } else if (doc.type == "item") {
            requireUser(doc.owner);
            channel("items-" + doc.owner);
          } else {
            throw({forbidden: "Invalid document type"});
          }
        }
      `
    }
  }
}
Sync Gateway: Configure 7 - throw() - Other Doc Types
{
  "log": ["*"],
  "databases": {
    "grocery-sync": {
      "server": "walrus:",
      "bucket": "grocery-sync",
      "users": {
        "alice": { "disabled": false, "password": "password", "admin_channels": ["items-alice"] },
        "bob":   { "disabled": false, "password": "password", "admin_channels": ["items-bob"] }
      },
      "sync": `
        function(doc, oldDoc) {
          if (doc.type == "friends") { // process a new friends document
            requireUser(doc.owner);    // the owner of the friends document must be the authenticated user
            access(doc.friends, "items-" + doc.owner);
            channel("private-" + doc.owner);
            access(doc.owner, "private-" + doc.owner);
          } else if (doc.type == "item") {
            requireAccess("items-" + doc.owner); // the owner or one of their friends
            channel("items-" + doc.owner);
          } else {
            throw({forbidden: "Invalid document type"});
          }
        }
      `
    }
  }
}
Sync Gateway: Configure 8 - requireAccess - friends
{
  "log": ["*"],
  "databases": {
    "grocery-sync": {
      "server": "walrus:",
      "bucket": "grocery-sync",
      "users": {
        "alice": { "disabled": false, "password": "password", "admin_channels": ["items-alice"] },
        "bob":   { "disabled": false, "password": "password", "admin_channels": ["items-bob"] }
      },
      "sync": `
        function(doc, oldDoc) {
          if (doc.type == "friends") { // process a new friends document
            requireUser(doc.owner);    // the owner of the friends document must be the authenticated user
            access(doc.friends, "items-" + doc.owner);
            channel("private-" + doc.owner);
            access(doc.owner, "private-" + doc.owner);
          } else if (doc.type == "item") {
            requireAccess("items-" + doc.owner);
            if (oldDoc == null) { // a new item
              if (doc.check == true) { throw({forbidden: "new items cannot be checked"}); }
            }
            channel("items-" + doc.owner);
          } else {
            throw({forbidden: "Invalid document type"});
          }
        }
      `
    }
  }
}
Sync Gateway: Configure 9 - oldDoc - doc.check
{
  "log": ["*"],
  "databases": {
    "grocery-sync": {
      "server": "walrus:",
      "bucket": "grocery-sync",
      "users": {
        "alice": { "disabled": false, "password": "password", "admin_channels": ["items-alice"] },
        "bob":   { "disabled": false, "password": "password", "admin_channels": ["items-bob"] }
      },
      "sync": `
        function(doc, oldDoc) {
          if (doc.type == "friends") { // process a new friends document
            requireUser(doc.owner);    // the owner of the friends document must be the authenticated user
            access(doc.friends, "items-" + doc.owner);
            channel("private-" + doc.owner);
            access(doc.owner, "private-" + doc.owner);
          } else if (doc.type == "item") {
            requireAccess("items-" + doc.owner);
            if (oldDoc == null) { // a new item
              if (doc.check == true) { throw({forbidden: "new items cannot be checked"}); }
            } else {              // an update: compare against the previous revision
              if (doc.check != oldDoc.check) { requireUser(doc.owner); }
            }
            channel("items-" + doc.owner);
          } else {
            throw({forbidden: "Invalid document type"});
          }
        }
      `
    }
  }
}
Sync Gateway: Configure 10 - doc vs oldDoc - requireUser
{
  "log": ["*"],
  "databases": {
    "grocery-sync": {
      "server": "walrus:",
      "bucket": "grocery-sync",
      "users": {
        "alice": { "disabled": false, "password": "password", "admin_channels": ["items-alice"] },
        "bob":   { "disabled": false, "password": "password", "admin_channels": ["items-bob"] }
      },
      "sync": `
        function(doc, oldDoc) {
          if (doc.type == "friends") { // process a new friends document
            requireUser(doc.owner);    // the owner of the friends document must be the authenticated user
            access(doc.friends, "items-" + doc.owner);
            channel("private-" + doc.owner);
            access(doc.owner, "private-" + doc.owner);
          } else if (doc.type == "item") {
            requireAccess("items-" + doc.owner);
            if (oldDoc == null) { // a new item
              if (doc.check == true) { throw({forbidden: "new items cannot be checked"}); }
            } else {              // an update: compare against the previous revision
              if (doc.owner != oldDoc.owner) { throw({forbidden: "Quits Stealing Items"}); }
              if (doc.check != oldDoc.check) { requireUser(doc.owner); }
            }
            channel("items-" + doc.owner);
          } else {
            throw({forbidden: "Invalid document type"});
          }
        }
      `
    }
  }
}
Sync Gateway: Configure 11 - doc vs oldDoc - Owner Property
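Steps 4 through 11 build up one sync function, and the only way to be sure the final version enforces what the slides claim (friends may edit an item but not check it, nobody may reassign an owner, unknown document types are rejected) is to run it against concrete writes. The harness below is an added example, not code from the slides or from Couchbase: it emulates the sync function environment (channel, access, requireUser, requireAccess) well enough to exercise the Configure 11 function offline. The emulation is an assumption of this example. Real Sync Gateway runs the function in its own JavaScript runtime and looks the requesting user's channels up in the database; here the user and their channel grants are passed in as a plain object, a null user models a write through the admin REST API (which skips the require* checks), and the rejection reasons "wrong user" and "missing channel access" are this harness's wording, not Sync Gateway's.

```javascript
// Added example (not from the slides): a harness that emulates the Sync Gateway
// sync function environment so the final sync function can be tested offline.
// The emulation is an approximation written for this page, not Couchbase's engine.

let ctx = null; // per-call state, set by evaluateSync()

// Route the document into one or more channels (undefined/null names are ignored).
function channel(names) {
  for (const n of [].concat(names)) if (n != null) ctx.channels.add(String(n));
}

// Grant the named users access to the named channels (recorded, not applied).
function access(users, channels) {
  for (const u of [].concat(users)) {
    for (const c of [].concat(channels)) ctx.grants.push({ user: u, channel: c });
  }
}

// Reject the write unless the requesting user is one of the named users.
// A null user models the admin REST API, which skips this check (assumption).
function requireUser(names) {
  if (ctx.user === null) return;
  if (![].concat(names).includes(ctx.user.name)) throw({ forbidden: "wrong user" });
}

// Reject the write unless the requesting user can read one of the channels.
function requireAccess(channels) {
  if (ctx.user === null) return;
  const mine = ctx.user.channels;
  const ok = [].concat(channels).some(c => mine.includes(c) || mine.includes("*"));
  if (!ok) throw({ forbidden: "missing channel access" });
}

// The sync function from Configure 11, re-typed with straight quotes and semicolons.
function syncFunction(doc, oldDoc) {
  if (doc.type == "friends") {
    requireUser(doc.owner);
    access(doc.friends, "items-" + doc.owner);
    channel("private-" + doc.owner);
    access(doc.owner, "private-" + doc.owner);
  } else if (doc.type == "item") {
    requireAccess("items-" + doc.owner);
    if (oldDoc == null) {
      if (doc.check == true) { throw({ forbidden: "new items cannot be checked" }); }
    } else {
      if (doc.owner != oldDoc.owner) { throw({ forbidden: "Quits Stealing Items" }); }
      if (doc.check != oldDoc.check) { requireUser(doc.owner); }
    }
    channel("items-" + doc.owner);
  } else {
    throw({ forbidden: "Invalid document type" });
  }
}

// Evaluate one write and return the decision: the channels and grants the
// document produced, or the forbidden reason that rejected it.
function evaluateSync(doc, oldDoc, user) {
  ctx = { user, channels: new Set(), grants: [] };
  try {
    syncFunction(doc, oldDoc);
    return { allowed: true, channels: [...ctx.channels].sort(), grants: ctx.grants };
  } catch (e) {
    if (e && e.forbidden) return { allowed: false, reason: e.forbidden };
    throw e; // a genuine bug in the sync function, not a policy rejection
  } finally {
    ctx = null;
  }
}

// Constructed users and document; channel lists mirror the admin_channels above.
const alice = { name: "alice", channels: ["items-alice"] };
const bob = { name: "bob", channels: ["items-bob"] };
const milk = { type: "item", owner: "alice", check: false, name: "milk" };

function demo() {
  return [
    evaluateSync(milk, null, alice),                                              // allowed, ["items-alice"]
    evaluateSync(milk, null, bob),                                                // forbidden: missing channel access
    evaluateSync({ ...milk, owner: "bob" }, milk, bob),                           // forbidden: Quits Stealing Items
    evaluateSync({ type: "friends", owner: "alice", friends: ["bob"] }, null, alice) // grants bob items-alice
  ];
}

console.log(demo());
```

The cases worth keeping in a regression suite are the ones the slides motivate: a friend who has been granted items-alice can edit the item's name but gets "wrong user" when toggling check, and changing the owner field on an update is rejected even when the writer can read the new owner's channel.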
Key Mobile Data Security Concerns
User Authentication
Data Read & Write Access
Data Transport on the Wire
Data Storage on Device & In the Cloud
Security Concerns: Data Transport - On the Wire
SSL / TLS
Sync Gateway Config
Security Concerns: Data Storage - On Device / In Cloud
File System Encryption
Secure Cloud Environment
Configure for File System Encryption
Getting Started
Documentation on Sync Gateway: bit.ly/sync_gateway
Grocery-Sync-iOS: https://github.com/couchbaselabs/Grocery-Sync-iOS
Sync Gateway Demo: https://github.com/couchbaselabs/
Download Sync Gateway: bit.ly/couchbase_downloads
Couchbase Peer to Peer – 103 Session
Thank you. @sweetiewill