Add some config to sync_gateway to make sync_gateway more flexible and highly scalable


#1

I am building an app; the business logic is as follows:
One user belongs to 0-n companies, and one company has some documents.
I want to deploy Couchbase and sync_gateway by company,
so I can manage documents by company, such as cluster deployment, backup and restore by company.
I think it will be more flexible and highly scalable.

As far as I know, sync_gateway routes documents and controls writing/reading of documents by channel, which depends on the user and session (access()/requireUser()). That means user documents are coupled with ‘company’ documents.
So, if sync_gateway could store user documents and session documents (maybe) separately from other documents, as a public identity store, it would be possible to deploy sync_gateway and Couchbase by company.
The config of the sync_gateway database would look like:

"databases": {
  "db": {
    "server": "http://localhost:8091",
    "bucket": "default",
    "identity_server": "http://localhost:8091",
    "identity_bucket": "identity",    
    "users": { "GUEST": { "disabled": false, "admin_channels": ["*"] } }
  }
}

Or maybe there is a better way to make sync_gateway more flexible and highly scalable?


#2

That’s an interesting idea, but has some implications that would be problematic in practice. A few that come to mind are:

  1. Channel assignment is designed to be within the scope of a single database. In this scenario, common channel names across companies would result in shared data access (when that doc is granted to a user).
  2. More importantly, replication is based on Sync Gateway monitoring the set of mutations in a bucket, and generating a channel index based on those mutations. This includes user docs - detection of mutations to user and role documents notifies active replications when channels are added or removed.

If you think there’s a performance benefit to splitting your deployment to one CBS cluster per company, the better way to maintain a shared user store would probably be to use a custom authentication implementation for Sync Gateway. You’d end up with user definitions in each Sync Gateway/cluster, but you could manage those users independently in your external authentication service.


#3

Do you mean that if I implement custom authentication, such as using LDAP to store user and password info, and deploy one CBS cluster per company, the clusters can share the user store (same userId and password)?
I want to know whether the session info will be stored on the CBS server per company.
Does that mean that if a user has more than one company, the user will have to authenticate more than once to access all company docs?
I think there should be an SSO solution.


#4

I think I need more details on what problem you’re trying to solve by sharing sessions across Sync Gateway database definitions (whether or not they are defined on one or multiple Sync Gateway nodes).

  • Is it a concern with the number of times your end users need to authenticate and get a session token (currently once per DB)?

  • Is it a concern with the Couchbase Server disk space used to retain user and session docs for each of the databases? Since user and session management are simple KV operations, I wouldn’t expect this to be a performance bottleneck.

  • Is it a concern about the work to define your users for each DB? That’s the use case where custom auth would be the right fix.

Thanks.


#5

For example, user A has 3 companies: C1, C2, C3. So A can get docs from C1, C2, C3 using SG1, SG2, SG3. When user A logs in to SG1, user A can get docs from C1. Now user A wants to get docs from C2; user A needs to re-authenticate with the same userId and password to log in to SG2. This is not a good user experience.
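
The custom authentication approach suggested in #2, applied to the multi-gateway scenario in #5, as an added example that is not part of the original thread or Couchbase's own code: an external auth service checks the password once and then opens a session on each of the user's company gateways through the Sync Gateway admin REST API (`POST /{db}/_session`). The hostnames, the `MEMBERSHIP` table and the `verify_credentials` callback are hypothetical; the user is assumed to already exist in each gateway database, and the admin port must be reachable only from the auth service.

```python
import json
import urllib.request

# Constructed sample data: admin API base URL per company gateway, and the
# company membership an external identity store (e.g. LDAP) would report.
GATEWAYS = {
    "C1": "http://sg1.internal:4985/db",
    "C2": "http://sg2.internal:4985/db",
    "C3": "http://sg3.internal:4985/db",
}
MEMBERSHIP = {"A": ["C1", "C2"]}


def admin_post(url, body):
    """POST JSON to the Sync Gateway admin REST API and return the parsed reply."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def issue_sessions(user, verify_credentials, password, ttl=3600, post=admin_post):
    """Check the password once, then open a session on each of the user's gateways.

    Returns {company: session reply}; raises PermissionError on bad credentials
    before any gateway is contacted.
    """
    if not verify_credentials(user, password):
        raise PermissionError("authentication failed")
    sessions = {}
    for company in MEMBERSHIP.get(user, []):
        # Only gateways of companies the user belongs to receive a request,
        # so membership in C1 never yields a session on C3.
        sessions[company] = post(GATEWAYS[company] + "/_session",
                                 {"name": user, "ttl": ttl})
    return sessions
```

Each reply carries the session ID for that gateway, so the client authenticates once but still holds one session per company database.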