Auto-Purge on Channel Access Revocation
Auto-purge behavior on loss of access to document channels
Related Topics: Concepts | How-to | Sync Function | Use XATTRs for Access Grants
Overview
Users may lose access to documents for many reasons, including:
-
The User loses direct access to channel
-
The User is removed from a role
-
A role the user belongs to is revoked access to channel
Sync Gateway will take the configured action whenever this happens. By default:
-
Sync Gateway syncs will auto-purge documents the user has lost access to — see Sync Gateway
-
Inter-Sync Gateway replications will not auto-purge documents the user has lost access to — Inter-Sync Gateway
Sync Gateway
|
Breaking Change
In Sync Gateway 2.x these documents remain in the local database on channel access loss.
|
By default, when a user loses access to a channel, the next Couchbase Lite Pull replication auto-purges all documents in the channel from local Couchbase Lite databases (on devices belonging to the user) unless they belong to any of the user’s other channels — see: Couchbase Lite Replication — Auto Purge on Channel Access Revocation.
Inter-Sync Gateway
Access Revoked
| This behavior is the reverse of that between Sync Gateway and Couchbase Lite — see: Sync Gateway. |
By default, documents are not auto purged on the active sync gateway even if the user on the passive sync gateway loses channel access.
You can opt-in to auto-purge behavior using the replicator level option purge_on_removal in the REST API — see: replication-purge_on_removal.
Documents will then be auto-purged — on active Sync Gateway nodes that have opted-in — if they do not belong to any of the replicating user’s [1] channels — see: Example 1.
If you turn it on during an existing replication, no revocations occurring prior to that point are retro-actively purged. To have this done, execute a reset for ISGR (on Couchbase Lite a reset checkpoint must be carried out).
Access control policies are only enforced at the remote cluster.
Here the Active Sync Gateway (Local) is running as an admin user with purge_on_removal=true
| Direction | Passive Sync Gateway (Remote) | Expected Sync behavior |
|---|---|---|
Pull |
User revoked access to channel |
Previously synced documents are auto purged on local |
Push |
User revoked access to channel |
Revocation has no impact during a 'push'. No purging will occur. |
PushAndPull |
User revoked access to channel |
When access is revoked on remote, the previously synced documents for User2 are auto-purged on local. Local changes continue to be pushed to remote but rejected by remote |
Access Regained
If a user subsequently regains access to a lost channel then any previously auto-purged documents still assigned to any of their channels are automatically pulled down by the active Sync Gateway — see: Example 2.
If you want to control whether to sync previous auto purged versions of documents (rather than pull down purged documents) then you must also move the documents out of all of the users' channels so they are not synced down again.
Access control policies are only enforced at the remote cluster.
Here the Active Sync Gateway (Local) is running as an admin user with purge_on_removal=true
| Direction | Passive Sync Gateway (Remote) | Expected Sync behavior |
|---|---|---|
Pull |
User REASSIGNED access to channel Sync Function includes
|
Previously purged documents are automatically pulled by local |
Push |
User REASSIGNED access to channel Sync Function includes
|
Config option has no impact. Local changes previously rejected by remote are pushed again with reset action on replicator. Subsequent changes to previously rejected documents are automatically pushed up. |
PushAndPull |
User REASSIGNED access to channel Sync Function includes
|
Documents auto purged on local are automatically pulled again Local changes previously rejected by remote can be pushed again with reset action on replicator. Subsequent changes to previously rejected documents are automatically pushed up. |