How can I reduce the number of calls to a MongoDB instance when using a role-based application?

Question

How can I reduce the number of calls to a MongoDB instance when using a role-based application?

I'm specifically talking about NodeJS with MongoDB (I know MongoDB is schema-less, but let's be realistic about the importance of structuring data for a moment).

Is there some magic solution to minimising the number of queries to a database in regards to authenticating users? For example, if the business logic of my application needs to ensure that a user has the necessary privileges to update/retrieve data from a certain Document or Collection, is there any way of doing this without two calls to the database? One to check the user has the rights, and the other to retrieve the necessary data?

EDIT:

Another question closed by the trigger-happy SO moderators. I agree the question is abstract, but I don't see how it is "not a real question". To put it simply:

What is the best way to reduce the number of calls to a database in role-based applications, specifically in the context of NodeJS + MongoDB? Can it be done? Or is role-based access control for NodeJS + MongoDB inefficient and clumsy?

node.js
mongodb

Answer 1

Obviously, you know wich document holds which rigths. I would guess that it is a field in the document, like :

{ 'foo':'bar'
  'canRead':'sales' }

At the start of the session you could query the roles a user has. Say

{ 'user':'shennan',
  'roles':[ 'users','west coast','sales'] }

You could store that list of roles in the user's session. With that in hand, all that's left to do is add the roles with an $in operator, like this :

db.test.find({'canRead':{'$in':['users','west coast','sales']})

Where the value for the $in operator is taken from the user's session. Here is code to try it out on your own, in the mongo console :

db.test.insert(  { 'foo':'bar', 'canRead':'sales' })
db.test.insert(  { 'foo2':'bar2', 'canRead':['hr','sales'] })
db.test.insert(  { 'foo3':'bar3', 'canRead':'hr' })

> db.test.find({}, {_id:0})
{ "foo" : "bar", "canRead" : "sales" }
{ "foo2" : "bar2", "canRead" : [  "hr",  "sales" ] }
{ "foo3" : "bar3", "canRead" : "hr" }

Document with 'foo3' can't be read by someone in sales :

> db.test.find({'canRead':{'$in':['users','west coast','sales']}}, {_id:0})
{ "foo" : "bar", "canRead" : "sales" }
{ "foo2" : "bar2", "canRead" : [  "hr",  "sales" ] }

Answer 2

Definitely do-able, but w/o more context it's hard to determine what's best.

One simple solution that comes to mind is to cache users and their permissions in memory so no DB lookup is required. At this point you can just issue the query for documents where permission match and...

Let me know if you need a few more ideas.