
Couchbase Mobile 102: How to Add Secure Sync to Your Mobile Apps: Couchbase Connect 2015


Page 1: Couchbase Mobile 102: How to Add Secure Sync to Your Mobile Apps: Couchbase Connect 2015

COUCHBASE MOBILE 102: HOW TO ADD SECURE SYNC TO YOUR MOBILE APPS

Adam Fraser and Andrew Reslan, Couchbase

Page 2

©2015 Couchbase Inc.

Overview

▪ Introduction to Couchbase Sync Gateway
▪ Key mobile data security concerns
▪ How Sync Gateway addresses these concerns for your application
▪ Live Demo
▪ Q&A

Page 3

Intro to Couchbase Sync Gateway

Page 4

Couchbase Mobile

▪ Couchbase Lite: embedded NoSQL database
▪ Sync Gateway: secure synchronization
▪ Couchbase Server: cloud NoSQL database

Page 5

Sync Gateway

▪ Replication
▪ Authentication
▪ Data Partitioning
▪ Data Access Control

Page 6

Getting Started

▪ Download Sync Gateway
  ▪ http://www.couchbase.com/nosql-databases/downloads
  ▪ https://github.com/couchbase/sync_gateway
▪ Install
▪ Run sync_gateway from /bin

Page 7

Key Mobile Data Security Concerns

Page 8

Key Mobile Data Security Concerns

▪ User Authentication
▪ Data Read/Write Access
▪ Data Transport on the Wire
▪ Data Storage - on device and in the cloud

Page 9

Authentication

Page 10

Authentication

▪ Pluggable Authentication
▪ Public Providers
▪ Custom Providers
▪ Anonymous Users

Page 11

Authentication - Public Providers

▪ Basic Auth
▪ Facebook
▪ Persona

Page 12

Authentication - Sync Gateway Configuration

{
  "facebook": { "register": false },
  "databases": {
    "grocery-sync": {
      "server": "http://cbserver:8091",
      "bucket": "grocery-sync",
      "users": { "GUEST": { "disabled": true } },
      "sync": `function(doc) { channel(doc.channels); }`
    }
  }
}

Page 13

Authentication - Custom Providers

[Diagram: three-step custom authentication flow (steps 1 to 3) between Sync Gateway and an external Auth Server]

Page 14

Data Read/Write Access

Page 15

Data Read/Write Access

▪ Fine-grained security policies
▪ Document-level read-side permissions
▪ Field-level write-side permissions
▪ JavaScript policy enforcement

Page 16

Sync Function

▪ JavaScript function that is executed when any document is written to Sync Gateway
▪ Is where the majority of Sync Gateway's data access rules get defined
▪ Defined in the Sync Gateway config

{
  "databases": {
    "grocery-sync": {
      "server": "http://walrus:",
      "bucket": "grocery-sync",
      "users": { "GUEST": { "disabled": true } },
      "sync": `function(doc, oldDoc) {
        channel(doc.channels);
      }`
    }
  }
}

Page 17

Write Permissions

▪ Functions available for use in the Sync Function to apply write-side security
  ▪ requireUser(…)
  ▪ requireRole(…)
  ▪ requireAccess(…)
  ▪ throw()

Page 18

Read Permissions

▪ Read permissions are managed using channels
▪ Data partitioning using the channel(…) primitive
▪ Read permissions granted using the access(…) primitive

Page 19

Channels

▪ Every document is associated with a set of channels
▪ Every user and role has a set of channels that they can read
▪ Channel definitions are just the channel name
▪ Special channels
  ▪ * - every document is added to the * channel
  ▪ ! - every user is granted access to the ! channel

Page 20

Channels

[Diagram: a Grocery Item document passes through the Sync Function, where its owner and friends fields determine the channels (items-alice, items-bob, private-alice, private-bob, private-fran) and the users (alice, bob) that can read them]

function(doc, oldDoc) {
  requireUser(doc.owner);
  channel("items-" + doc.owner);
  channel("items-" + doc.friends);
  …
}

Page 21

Assigning Documents to Channels

function(doc, oldDoc) {
  channel("items-" + doc.owner);
}

▪ The channel(…) function assigns the current document to the specified channel(s)

Page 22

Granting Channel Access to Users

function(doc, oldDoc) {
  access(doc.owner, "items-" + doc.owner);
}

▪ The access(…) function grants a user access to the specified channel(s)

Page 23

Removing Channel Assignments and Grants

▪ The channel() assignments and access() grants made by the sync function are specific to that revision of the document
▪ Future revisions of the document (or deletion of the document) can revoke these assignments and grants

function(doc, oldDoc) {
  channel("items-" + doc.owner);
  access(doc.owner, "items-" + doc.owner);
}

doc1, rev-1: {"owner": "alice"}
doc1, rev-2: {"owner": "bob"}
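The write-side primitives (requireUser, requireRole, requireAccess, throw), the channel(…) and access(…) primitives, and the per-revision nature of the assignments and grants they make, exercised end to end in one added example. This is not code from the deck or from Couchbase: the small harness below imitates the sync-function environment so a sync function can be run offline in Node, and the grocery item shape {owner, friends, text, check}, the user model {name, roles, channels} and the grocery sync function itself are constructed for this example. The function also carries the first takeaway exercise through as a field-level write rule: a friend may tick an item but not change its text.

```javascript
// Added example (not the deck's or Couchbase's code): a toy harness that
// imitates the sync-function primitives so a sync function can be run offline.
// The harness's user model {name, roles, channels} and the grocery item
// shape {owner, friends, text, check} are assumptions made for this example.

const asList = (v) => (v == null ? [] : [].concat(v)).filter(Boolean);

// Compile the config-file source text of a sync function into a callable,
// binding the primitives as free variables the way Sync Gateway exposes them.
// Rejections are thrown as {forbidden: "..."} objects, matching the throw()
// idiom used inside sync functions.
function compileSyncFunction(source, user, result) {
  const forbid = (msg) => { throw { forbidden: msg }; };
  const channel = (names) => asList(names).forEach((n) => result.channels.add(n));
  const access = (users, chans) => {
    for (const u of asList(users)) {
      result.access[u] = result.access[u] || new Set();
      asList(chans).forEach((c) => result.access[u].add(c));
    }
  };
  const requireUser = (names) => {
    if (!asList(names).includes(user.name)) forbid("wrong user");
  };
  const requireRole = (roles) => {
    if (!asList(roles).some((r) => user.roles.includes(r))) forbid("missing role");
  };
  const requireAccess = (chans) => {
    if (!asList(chans).some((c) => user.channels.includes(c))) forbid("no channel access");
  };
  return new Function("channel", "access", "requireUser", "requireRole", "requireAccess",
    "return (" + source + ");")(channel, access, requireUser, requireRole, requireAccess);
}

// Run one revision of a document through the sync function as a given user and
// return only what that revision assigns and grants (the per-revision rule).
function syncRevision(source, doc, oldDoc, user) {
  const result = { channels: new Set(), access: {} };
  compileSyncFunction(source, user, result)(doc, oldDoc);
  return result;
}

// The sync function as it would sit in the config's "sync" field.
const GROCERY_SYNC = `function(doc, oldDoc) {
  if (doc._deleted) {                 // only the current owner may delete
    requireUser(oldDoc.owner);
    return;
  }
  if (oldDoc == null) {
    requireUser(doc.owner);           // only the named owner may create
  } else if (doc.text != oldDoc.text || doc.owner != oldDoc.owner) {
    requireUser(oldDoc.owner);        // field-level rule: friends may not edit
  } else {                            // the text or reassign the item ...
    requireUser([oldDoc.owner].concat(oldDoc.friends || []));  // ... but may tick it
  }
  var ch = "items-" + doc.owner;
  channel(ch);                        // partition: the item lives in its owner's channel
  access(doc.owner, ch);              // read grants: the owner ...
  access(doc.friends || [], ch);      // ... and the owner's friends
}`;

// Walk one document through three revisions and collect the outcome of each.
function demo() {
  const alice = { name: "alice", roles: [], channels: [] };
  const bob = { name: "bob", roles: [], channels: [] };
  const rev1 = { owner: "alice", friends: ["bob"], text: "milk", check: false };
  const rev2 = Object.assign({}, rev1, { check: true });
  const rev3 = Object.assign({}, rev2, { owner: "bob" });
  const out = {};
  out.r1 = syncRevision(GROCERY_SYNC, rev1, null, alice);  // alice creates the item
  out.r2 = syncRevision(GROCERY_SYNC, rev2, rev1, bob);    // bob ticks it: allowed
  try {                                                    // bob edits the text: rejected
    syncRevision(GROCERY_SYNC, Object.assign({}, rev2, { text: "eggs" }), rev2, bob);
    out.bobEdit = "allowed";
  } catch (e) {
    out.bobEdit = e.forbidden;
  }
  out.r3 = syncRevision(GROCERY_SYNC, rev3, rev2, alice);  // alice hands it to bob:
  return out;                                              // alice's grant is gone
}

const show = (k, v) => (v instanceof Set ? Array.from(v) : v);
console.log(JSON.stringify(demo(), show, 2));
```

Running the file prints what each revision produced; the third revision shows alice's grant disappearing once the item's owner changes, which is the revocation behaviour the slide describes. A real Sync Gateway derives the channels a user can read from all current revisions, roles and admin-side grants together, which this harness does not model; it only shows what one revision contributes.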

Page 24

Securing Sync Gateway - Demo

https://github.com/couchbaselabs/sg-live-demo

Page 25

Grocery Sync App Summary

Page 26

Takeaway Exercises

▪ Prevent friends from changing the text of any items on a user's list.
▪ Let friends know that they have been added to a list without having to add any items to that list.
▪ See the ToDoLite sample apps for a more complete example of a shared to-do list.
  ▪ https://github.com/couchbaselabs/ToDoLite-iOS
  ▪ https://github.com/couchbaselabs/ToDoLite-Android

Page 27

Next Steps

Page 28

Data Transport on the Wire - SSL/TLS

▪ Sync Gateway supports SSL (TLS v1.0 and higher)
▪ Configure SSL in the Sync Gateway config
▪ https://github.com/couchbase/sync_gateway/tree/master/examples/ssl

Page 29

Data Storage on the Device

▪ File System Encryption

Page 30

Data Storage in the Cloud

▪ Secure cloud environment
▪ Configure for File System Encryption

Page 31

Q&A

Page 32

Thank you