Security
User Creation
A user is created via the Travel sample web app. When a user is created, a corresponding user profile document is created on Couchbase Server and associated with the user. In addition, the web app automatically registers the user with Sync Gateway via the Sync Gateway user admin REST endpoint.
The Sync Gateway user represents a user who is authenticated to replicate with Sync Gateway and is distinct from the RBAC users created on Couchbase Server.
Access Control
In this lesson you'll be introduced to Sync Gateway, our secure web gateway. Sync Gateway is an Internet-facing synchronization mechanism that exposes a web interface providing:
- Data Synchronization and Routing
- Authorization and Access Control
In this chapter, we will focus on Authorization and Access Control. We will discuss Data Synchronization and Routing in the Sync chapter.
In the "Installation" guide, we walked you through the steps to launch Sync Gateway with a specific config file. The Sync Gateway configuration file determines the runtime behavior of Sync Gateway.
Open the sync-gateway-config-travelsample.json file located at https://github.com/couchbaselabs/mobile-travel-sample/blob/master/sync-gateway-config-travelsample.json.
The users section defines the hardcoded list of Sync Gateway users who are granted access to replicate with Sync Gateway.
Hardcoding the list of users is an alternative to creating Sync Gateway users dynamically, as discussed in the User Creation section.
In the config file, we have a hardcoded user named "admin" with the password "password" that is granted access to the "*" channel.
"users": {
"admin": {"password": "password", "admin_channels": ["*"]}
}
The sync function in the config file is a JavaScript function which implements the access control logic. The access() method grants the current user access to a specific channel. We will discuss channels in detail in the Sync section. For now, it is sufficient to note that documents are associated with one or more channels, so access to a document is controlled by controlling the access rights to its channel(s).
// Give user read access to channel.
// Deletion of the user document is essentially deletion of the user, so no grant is made.
if (!isDelete()) {
    access(username, "channel." + username);
}
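To see what a sync function of this shape actually does, the following added example (not code from the travel sample or from Couchbase) runs it offline against constructed documents. Sync Gateway provides access() and channel() at runtime; the harness runSync() here installs stand-ins that record every grant and routing call. The isDelete() helper is assumed to check doc._deleted, the username is assumed to be carried in a doc.username field, and the username validation and the channel() routing of the user document are assumptions added for illustration.

```javascript
// Added example: offline harness for a Sync Gateway-style sync function.
// Sync Gateway supplies access() and channel() at runtime; runSync() below
// installs stand-ins so the access-control logic can be exercised without a server.

// Stand-ins for the runtime-provided helpers; installed per run by runSync().
let access = () => {};
let channel = () => {};

// The sync function under test, mirroring the snippet above.
function syncFunction(doc, oldDoc) {
  // Assumed helper: a deleted revision is marked with _deleted: true
  function isDelete() {
    return doc._deleted === true;
  }

  // Deletion of the user document is essentially deletion of the user: no grant is made
  if (isDelete()) {
    return;
  }

  // Assumed validation: a user document must name the user it grants access to
  if (typeof doc.username !== "string" || doc.username.length === 0) {
    throw { forbidden: "user document is missing username" };
  }

  // Give user read access to their own channel, as in the snippet above
  access(doc.username, "channel." + doc.username);

  // Assumed routing rule: the user document itself lives in that channel
  channel("channel." + doc.username);
}

// Run fn over a document and report what it did. Returns a plain object so the
// grants can be inspected rather than read off printed output.
function runSync(fn, doc, oldDoc) {
  const grants = [];   // one { user, channels } entry per access() call
  const routed = [];   // channels the document itself was assigned to
  let forbidden = null; // message from throw({forbidden: ...}), if any

  access = (user, channels) => grants.push({ user, channels: [].concat(channels) });
  channel = (...names) => routed.push(...[].concat(...names));

  try {
    fn(doc, oldDoc);
  } catch (e) {
    forbidden = e && e.forbidden ? e.forbidden : String(e);
  } finally {
    access = () => {};
    channel = () => {};
  }
  return { grants, routed, forbidden };
}

// Constructed sample documents (not from the travel sample bucket).
const aliceDoc = { _id: "user::alice", type: "user", username: "alice" };
const aliceTombstone = { _id: "user::alice", _deleted: true };
const nameless = { _id: "user::unknown", type: "user" };

console.log(runSync(syncFunction, aliceDoc, null));
// grants: [{ user: "alice", channels: ["channel.alice"] }], routed: ["channel.alice"]
console.log(runSync(syncFunction, aliceTombstone, aliceDoc));
// grants: [], routed: [], forbidden: null  (a deletion grants nothing)
console.log(runSync(syncFunction, nameless, null));
// forbidden: "user document is missing username"
```

The point to check in a sync function is the negative cases as much as the grant: a tombstone must not re-grant access, and a document that cannot be tied to a named user must be rejected rather than silently granted a channel. Recording grants in a harness like this makes those cases testable before the config is deployed.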