couchbase mobile 102: how to add secure sync to your mobile apps: couchbase connect 2015
TRANSCRIPT
COUCHBASE MOBILE 102: HOW TO ADD SECURE SYNC TO YOUR MOBILE APPS
Adam Fraser and Andrew Reslan, Couchbase
©2015 Couchbase Inc. ‹#›
Overview
▪ Introduction to Couchbase Sync Gateway
▪ Key mobile data security concerns
▪ How Sync Gateway addresses these concerns for your application
▪ Live Demo
▪ Q&A
Intro to Couchbase Sync Gateway
Couchbase Mobile
Couchbase Lite: Embedded NoSQL database
Sync Gateway: Secure Synchronization
Couchbase Server: Cloud NoSQL Database
Sync Gateway
Replication
Authentication
Data Partitioning
Data Access Control
Getting Started
▪ Download Sync Gateway
  ▪ http://www.couchbase.com/nosql-databases/downloads
  ▪ https://github.com/couchbase/sync_gateway
▪ Install
▪ Run sync_gateway from /bin
Key Mobile Data Security Concerns
Key Mobile Data Security concerns
▪ User Authentication
▪ Data Read/Write Access
▪ Data transport on the Wire
▪ Data Storage - on device and in the cloud
Authentication
Authentication
▪ Pluggable Authentication
▪ Public Providers
▪ Custom Providers
▪ Anonymous Users
Authentication - Public Providers
▪ Basic Auth
▪ Facebook
▪ Persona
Authentication - Sync Gateway Configuration
{
  "facebook": { "register": false },
  "databases": {
    "grocery-sync": {
      "server": "http://cbserver:8091",
      "bucket": "grocery-sync",
      "users": { "GUEST": { "disabled": true } },
      "sync": `function(doc) { channel(doc.channels); }`
    }
  }
}
Authentication - Custom Providers
[Diagram: numbered steps 1, 2, 3; Sync Gateway; Auth Server]
Data Read/Write Access
Data Read/Write Access
▪ Fine-grained security policies
▪ Document level read side permissions
▪ Field level write side permissions
▪ JavaScript policy enforcement
Sync Function
▪ JavaScript function that is executed when any document is written to Sync Gateway
▪ Is where the majority of Sync Gateway’s data access rules get defined
▪ Defined in the Sync Gateway config
{
  "databases": {
    "grocery-sync": {
      "server": "http://walrus:",
      "bucket": "grocery-sync",
      "users": { "GUEST": { "disabled": true } },
      "sync": `function(doc, oldDoc) {
        channel(doc.channels);
      }`
    }
  }
}
Write Permissions
▪ Functions available for use in the Sync Function to apply write-side security
  ▪ requireUser(…)
  ▪ requireRole(…)
  ▪ requireAccess(…)
  ▪ throw()
Read Permissions
▪ Read permissions are managed using channels
▪ Data partitioning using the channel(…) primitive
▪ Read permissions granted using access(…) primitive
Channels
▪ Every document is associated with a set of channels
▪ Every user and role has a set of channels that they can read
▪ Channel definitions are just the channel name
▪ Special channels
  ▪ * - every document is added to the * channel
  ▪ ! - every user is granted access to the ! channel
Channels
[Diagram labels: Grocery Item; owner; friends; Sync Function; channels items-alice, items-bob, private-alice, private-bob, private-fran; users alice, bob]
function(doc, oldDoc) {
  requireUser(doc.owner);
  channel("items-" + doc.owner);
  channel("items-" + doc.friends);
  // …
}
Assigning Documents to Channels
function(doc, oldDoc) { channel("items-" + doc.owner); }
▪ The channel(…) function assigns the current document to the specified channel(s)
Granting Channel Access to Users
function(doc, oldDoc) { access(doc.owner, "items-" + doc.owner); }
▪ The access(…) function grants a user access to the specified channel(s)
Removing channel assignments and grants
▪ The channel() assignments and access() grants made by the sync function are specific to that revision of the document
▪ Future revisions of the document (or deletion of the document) can revoke these assignments and grants
function(doc, oldDoc) { channel("items-" + doc.owner); access(doc.owner, "items-" + doc.owner); }
doc1, rev-1: {"owner":"alice"}
doc1, rev-2: {"owner":"bob"}
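Added example (not from the slides and not Sync Gateway code): a toy evaluator that runs a sync function against the doc1 rev-1 / rev-2 case and shows the write check rejecting a non-owner and the second revision replacing the first revision's channel assignment and access grant. SyncSim, its methods and demo() are hypothetical names; checking the writer against oldDoc.owner on updates is an assumption added here so that a revision cannot name its own writer as owner.

```javascript
// Added example: SyncSim is a hypothetical stand-in, not Sync Gateway code.
const SYNC_SRC = `function(doc, oldDoc) {
  // On update the writer must be the existing owner, not the owner named in
  // the incoming revision (assumption added here); on create, the named owner.
  requireUser(oldDoc ? oldDoc.owner : doc.owner);
  channel("items-" + doc.owner);
  access(doc.owner, "items-" + doc.owner);
}`;

class SyncSim {
  constructor(src) {
    this.src = src;
    this.docs = {}; // docId -> { body, channels, grants } of the current revision
  }
  // Apply one write as `user`; returns true if accepted, false if rejected.
  put(docId, body, user) {
    const out = { body, channels: [], grants: [] };
    const requireUser = (name) => { if (name !== user) throw { forbidden: "wrong user" }; };
    const channel = (c) => out.channels.push(...[].concat(c));
    const access = (u, c) => [].concat(c).forEach((ch) => out.grants.push([u, ch]));
    const fn = new Function("requireUser", "channel", "access",
      "return (" + this.src + ");")(requireUser, channel, access);
    const old = this.docs[docId];
    try {
      fn(body, old ? old.body : null);
    } catch (e) {
      if (!e || !e.forbidden) throw e; // a bug in the sync function, not a denial
      return false; // rejected: stored revision, channels and grants unchanged
    }
    this.docs[docId] = out; // this revision's assignments replace the old ones
    return true;
  }
  // Channels a user can read: grants made by the current revision of each doc.
  channelsFor(user) {
    const all = Object.values(this.docs).flatMap((d) => d.grants);
    return [...new Set(all.filter(([u]) => u === user).map(([, ch]) => ch))].sort();
  }
}

// Constructed walk-through of the doc1 rev-1 / rev-2 case.
function demo() {
  const sg = new SyncSim(SYNC_SRC);
  const created = sg.put("doc1", { owner: "alice" }, "alice");
  const afterRev1 = sg.channelsFor("alice");
  const byNonOwner = sg.put("doc1", { owner: "bob" }, "bob"); // writer is not the owner
  const handover = sg.put("doc1", { owner: "bob" }, "alice"); // rev-2 by the owner
  return { created, afterRev1, byNonOwner, handover, alice: sg.channelsFor("alice"),
           bob: sg.channelsFor("bob"), docChannels: sg.docs.doc1.channels };
}
```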
Securing Sync Gateway - Demo
https://github.com/couchbaselabs/sg-live-demo
Grocery Sync App Summary
Takeaway Exercises
▪ Prevent friends from changing the text of any items on a user's list.
▪ Let friends know that they have been added to a list without having to add any items to that list.
▪ See ToDoLite sample apps for a more complete example of a shared to-do list.
  ▪ https://github.com/couchbaselabs/ToDoLite-iOS
  ▪ https://github.com/couchbaselabs/ToDoLite-Android
Next Steps
Data Transport on the Wire - SSL/TLS
▪ Sync Gateway supports SSL (TLS v1.0 and higher)
▪ Configure SSL in the Sync Gateway config
  ▪ https://github.com/couchbase/sync_gateway/tree/master/examples/ssl
Data Storage on the Device
▪ File System Encryption
Data Storage in the Cloud
▪ Secure cloud environment
▪ Configure for File System Encryption
Q&A
Thank you