2

I have a cosmos db system with a user table. Now I'm develop a client app that connects to cosmos db directly by cosmos sdk (iOS).
I'd like to add a security layer to make sure a user can't access other user records, some like select * from User c
Is there anyway to do this?

Thanks!

Nick Chapsas
  • 6,872
  • 1
  • 20
  • 29
ductran
  • 10,043
  • 19
  • 82
  • 165

1 Answers1

2

As we know from this link, Cosmos db has two types of keys:

enter image description here

For your need, you need to give up master keys, use resource tokens instead. It could provide access to specific document.

So my idea is:

When you create every row of data, you need to generate resource token which maps this user and store it as an additional column. Then when a user query data, he should provide his resource token (as security layer) to authenticate his permission of filtering data. Not every one uses master keys, it can't control the data isolation. Please refer to the model listed in above link:

enter image description here

halfer
  • 19,824
  • 17
  • 99
  • 186
Jay Gong
  • 23,163
  • 2
  • 27
  • 32
  • Thanks, it looks like that I need to generate the partition key for each user record and set the resource token permission tie to partition key to prevent query on other rows? – ductran Jul 30 '19 at 07:54
  • @R4j Yeah,that's what i mean.Then the user can't query data without providing properly resource token.Hope it could give you some clues. – Jay Gong Jul 30 '19 at 08:03
  • Great, thanks for you help. I found this example https://github.com/adamhockemeyer/Azure-Functions---CosmosDB-ResourceToken-Broker that uses your suggestion. I'll try now – ductran Jul 30 '19 at 08:18