Auto-Purge on Channel Access Revocation

    +

    Auto-purge behavior on loss of access to document channels

    Overview

    Users may lose access to documents for many reasons, including:

    • The User loses direct access to channel

    • The User is removed from a role

    • A role the user belongs to is revoked access to channel

    Sync Gateway will take the configured action whenever this happens. By default:

    • Sync Gateway syncs will auto-purge documents the user has lost access to — see Sync Gateway

    • Inter-Sync Gateway replications will not auto-purge documents the user has lost access to — Inter-Sync Gateway

    Sync Gateway

    Breaking Change
    In Sync Gateway 2.x these documents remain in the local database on channel access loss.

    By default, when a user loses access to a channel, the next Couchbase Lite Pull replication auto-purges all documents in the channel from local Couchbase Lite databases (on devices belonging to the user) unless they belong to any of the user’s other channels — see: Couchbase Lite Replication — Auto Purge on Channel Access Revocation.

    Inter-Sync Gateway

    Access Revoked

    This behavior is the reverse of that between Sync Gateway and Couchbase Lite — see: Sync Gateway.

    By default, documents are not auto purged on the active sync gateway even if the user on the passive sync gateway loses channel access.

    You can opt-in to auto-purge behavior using the replicator level option purge_on_removal in the REST API — see: replication-purge_on_removal.

    Documents will then be auto-purged — on active Sync Gateway nodes that have opted-in — if they do not belong to any of the replicating user’s [1] channels — see: Example 1.

    If you turn it on during an existing replication, no revocations occurring prior to that point are retro-actively purged. To have this done, execute a reset for ISGR (on Couchbase Lite a reset checkpoint must be carried out).

    Example 1. Access Revocation behavior

    Access control policies are only enforced at the remote cluster.

    Here the Active Sync Gateway (Local) is running as an admin user with purge_on_removal=true

    Direction Passive Sync Gateway (Remote) Expected Sync behavior

    Pull

    User revoked access to channel

    Previously synced documents are auto purged on local

    Push

    User revoked access to channel

    Revocation has no impact during a 'push'. No purging will occur.

    PushAndPull

    User revoked access to channel
    Sync Function includes requireAccess(“channel”)

    When access is revoked on remote, the previously synced documents for User2 are auto-purged on local.

    Local changes continue to be pushed to remote but rejected by remote

    Access Regained

    If a user subsequently regains access to a lost channel then any previously auto-purged documents still assigned to any of their channels are automatically pulled down by the active Sync Gateway  — see: Example 2.

    If you want to control whether to sync previous auto purged versions of documents (rather than pull down purged documents) then you must also move the documents out of all of the users' channels so they are not synced down again.

    Example 2. Access Regained behavior

    Access control policies are only enforced at the remote cluster.

    Here the Active Sync Gateway (Local) is running as an admin user with purge_on_removal=true

    Direction Passive Sync Gateway (Remote) Expected Sync behavior

    Pull

    User REASSIGNED access to channel

    Sync Function includes requireAccess( reassignedChannel)

    Previously purged documents are automatically pulled by local

    Push

    User REASSIGNED access to channel

    Sync Function includes requireAccess(“channel”)

    Config option has no impact.

    Local changes previously rejected by remote are pushed again with reset action on replicator.

    Subsequent changes to previously rejected documents are automatically pushed up.

    PushAndPull

    User REASSIGNED access to channel

    Sync Function includes requireAccess(“channel”)

    Documents auto purged on local are automatically pulled again

    Local changes previously rejected by remote can be pushed again with reset action on replicator.

    Subsequent changes to previously rejected documents are automatically pushed up.



    1. The replicating user is the user on the passive sync gateway cluster; the user specified in the replication definition.