Auto-Purge on Channel Access Revocation

      +

      Auto-purge behavior on loss of access to document channels

      Overview

      Users may lose access to documents for many reasons, including:

      • The User loses direct access to channel

      • The User is removed from a role

      • A role the user belongs to is revoked access to channel

      Sync Gateway will take the configured action whenever this happens. By default:

      • Sync Gateway syncs will auto-purge documents the user has lost access to — see Sync Gateway

      • Inter-Sync Gateway replications will not auto-purge documents the user has lost access to — Inter-Sync Gateway

      Sync Gateway

      Breaking Change
      In Sync Gateway 2.x these documents remain in the local database on channel access loss.

      By default, when a user loses access to a channel, the next Couchbase Lite Pull replication auto-purges all documents in the channel from local Couchbase Lite databases (on devices belonging to the user) unless they belong to any of the user’s other channels — see: Couchbase Lite Replication — Auto Purge on Channel Access Revocation.

      Inter-Sync Gateway

      Access Revoked

      This behavior is the reverse of that between Sync Gateway and Couchbase Lite — see: Sync Gateway.

      By default, documents are not auto purged on the active sync gateway even if the user on the passive sync gateway loses channel access.

      You can opt-in to auto-purge behavior using the replicator level option purge_on_removal in the REST API — see: replication-purge_on_removal.

      Documents will then be auto-purged — on active Sync Gateway nodes that have opted-in — if they do not belong to any of the replicating user’s [1] channels — see: Example 1.

      If you turn it on during an existing replication, no revocations occurring prior to that point are retro-actively purged. To have this done, execute a reset for ISGR (on Couchbase Lite a reset checkpoint must be carried out).

      Example 1. Access Revocation behavior

      Access control policies are only enforced at the remote cluster.

      Here the Active Sync Gateway (Local) is running as an admin user with purge_on_removal=true

      Direction Passive Sync Gateway (Remote) Expected Sync behavior

      Pull

      User revoked access to channel

      Previously synced documents are auto purged on local

      Push

      User revoked access to channel

      Revocation has no impact during a 'push'. No purging will occur.

      PushAndPull

      User revoked access to channel
      Sync Function includes requireAccess(“channel”)

      When access is revoked on remote, the previously synced documents for User2 are auto-purged on local.

      Local changes continue to be pushed to remote but rejected by remote

      Access Regained

      If a user subsequently regains access to a lost channel then any previously auto-purged documents still assigned to any of their channels are automatically pulled down by the active Sync Gateway  — see: Example 2.

      If you want to control whether to sync previous auto purged versions of documents (rather than pull down purged documents) then you must also move the documents out of all of the users' channels so they are not synced down again.

      Example 2. Access Regained behavior

      Access control policies are only enforced at the remote cluster.

      Here the Active Sync Gateway (Local) is running as an admin user with purge_on_removal=true

      Direction Passive Sync Gateway (Remote) Expected Sync behavior

      Pull

      User REASSIGNED access to channel

      Sync Function includes requireAccess( reassignedChannel)

      Previously purged documents are automatically pulled by local

      Push

      User REASSIGNED access to channel

      Sync Function includes requireAccess(“channel”)

      Config option has no impact.

      Local changes previously rejected by remote are pushed again with reset action on replicator.

      Subsequent changes to previously rejected documents are automatically pushed up.

      PushAndPull

      User REASSIGNED access to channel

      Sync Function includes requireAccess(“channel”)

      Documents auto purged on local are automatically pulled again

      Local changes previously rejected by remote can be pushed again with reset action on replicator.

      Subsequent changes to previously rejected documents are automatically pushed up.



      1. The replicating user is the user on the passive sync gateway cluster; the user specified in the replication definition.