owner-centric-datastore
Proof of concept for a serverless datastore that lets data owners manage access to their own data
Concept
- Data belongs to the owner
- Owner controls access to data by group
In scope
- Optimized for data generated over time (health data, etc.)
- Minimize performance degradation as the amount of stored data grows
Out of scope
- User authentication (handled externally via OAuth2)
- Decentralized data store
- Relations between data
Architecture overview
- Data is created under the owning user.
- This data can be accessed only by that user.
- If the user belongs to one or more groups as a provider, a duplicate is created for each such group at creation time.
- This duplication is triggered by a DynamoDB Stream.
- This approach is adopted to avoid the N + 1 query problem and to keep access control simple: a group read only ever touches the group's own copies.
- When a user is removed from a group to which they belong as a provider, or when a group is removed, all duplicated data for that group is removed.
- As a result, users who belonged to the group as consumers can no longer access that data.
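The duplication and revocation flow above, as an added example that is not part of this project's code: in-memory dictionaries stand in for the user-data and group-data tables, the stream record shape and the role names (`provider`, `consumer`, `owner`) are assumptions, and the group read path checks the consumer role and never touches the owner's table.

```python
from collections import defaultdict

# Constructed in-memory stand-ins for the DynamoDB tables (assumed layout, not the project's).
USER_DATA = {}               # (user_id, data_id) -> item owned by the user
GROUP_DATA = {}              # (group_id, user_id, data_id) -> duplicated item
MEMBERS = defaultdict(dict)  # group_id -> {user_id: "provider" | "consumer" | "owner"}

def _unwrap(image):
    """Flatten DynamoDB attribute-value format ({"S": ...} / {"N": ...}) to plain values."""
    return {k: (int(v["N"]) if "N" in v else v["S"]) for k, v in image.items()}

def provider_groups(user_id):
    return {g for g, roles in MEMBERS.items() if roles.get(user_id) == "provider"}

def create_user_data(user_id, data_id, item):
    """Owner writes an item; returns the INSERT stream record the table would emit (constructed shape)."""
    USER_DATA[(user_id, data_id)] = dict(item, user_id=user_id, data_id=data_id)
    image = {k: ({"N": str(v)} if isinstance(v, int) else {"S": v})
             for k, v in USER_DATA[(user_id, data_id)].items()}
    return {"eventName": "INSERT", "dynamodb": {"NewImage": image}}

def on_user_data_stream(record):
    """Stream handler: fan one copy out to every group the owner provides to. Returns copies written."""
    if record["eventName"] != "INSERT":
        return 0
    item = _unwrap(record["dynamodb"]["NewImage"])
    groups = provider_groups(item["user_id"])
    for g in groups:
        GROUP_DATA[(g, item["user_id"], item["data_id"])] = dict(item)
    return len(groups)

def remove_member(group_id, user_id):
    """Membership removal: delete every duplicate this user's provider role produced in the group."""
    MEMBERS[group_id].pop(user_id, None)
    stale = [k for k in GROUP_DATA if k[0] == group_id and k[1] == user_id]
    for k in stale:
        del GROUP_DATA[k]
    return len(stale)

def remove_group(group_id):
    """Group removal: delete the group's whole copy set; the owners' originals are untouched."""
    MEMBERS.pop(group_id, None)
    stale = [k for k in GROUP_DATA if k[0] == group_id]
    for k in stale:
        del GROUP_DATA[k]
    return len(stale)

def list_group_data(requester, group_id, data_type=None):
    """GET /groups/:group_id/data[/types/:type]: consumer-only, served from the duplicates alone."""
    if MEMBERS.get(group_id, {}).get(requester) != "consumer":
        raise PermissionError("requester is not a consumer of this group")
    return [v for k, v in GROUP_DATA.items()
            if k[0] == group_id and (data_type is None or v["type"] == data_type)]
```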
TBD
- Conditions for data to be duplicated for a group (specific type, etc.)
- Duplicate past data when joining a group
- Change the created data
- Reflect user data changes in duplicated data
- Leave a group or delete a group
- Delete duplicate data when removing a user from a group or deleting a group
API
User
GET /user
Get the authenticated user
POST /user
Create the authenticated user
Data
GET /user/data
List data for the authenticated user
POST /user/data
Create a data item for the authenticated user
PATCH /user/data/:data_id
Update the data for the authenticated user
DELETE /user/data/:data_id
Delete the data for the authenticated user
GET /user/data/types/:type
List data of a specific type for the authenticated user
GET /groups/:group_id/data
List group data
Authenticated user must be a consumer of the group
GET /groups/:group_id/data/types/:type
List group data of a specific type
Authenticated user must be a consumer of the group
Groups
POST /groups
Create a group owned by the authenticated user
GET /groups/:group_id
Get a group
Authenticated user must be a member of the group
Members
GET /user/members
List group members for the authenticated user
DELETE /groups/:group_id/members/:member_id
Delete a group member
Authenticated user must be an owner of the group
Invitations
GET /groups/:group_id/invitations
List group invitations
Authenticated user must be an owner of the group
POST /groups/:group_id/invitations
Create a group invitation
Authenticated user must be an owner of the group
POST /groups/:group_id/invitations/:invitation_id/accept
Accept the invitation
POST /groups/:group_id/invitations/:invitation_id/decline
Decline the invitation
GET /user/invitations
List invitations for the authenticated user