Isolation for Sync Gateway Databases Users


#1

I have two databases (db1, db2) in a Sync Gateway pointing to the same bucket. Database db1 contains 2 users (guest, vk), and db2 contains 1 user (guest). PFB config:

    {
      "log": ["REST", "Auth", "CRUD+", "Events+", "HTTP+"],
      "databases": {
        "db1": {
          "server": "http://localhost:8091",
          "bucket": "data_sync1",
          "users": {
            "GUEST": { "disabled": true, "admin_channels": ["*"] },
            "vk": { "password": "password", "disabled": false, "admin_channels": ["*"] }
          },
          "sync": `function(doc, oldDoc) { channel(doc.channels); }`
        },
        "db2": {
          "server": "http://localhost:8091",
          "bucket": "data_sync1",
          "users": { "GUEST": { "disabled": true, "admin_channels": ["*"] } },
          "sync": `function(doc, oldDoc) { channel(doc.channels); }`
        }
      }
    }

The issue is that I am able to view the vk user for the db2 database as well, even though I have not included the vk user for the db2 database in the config. I am also able to view the vk user from another Sync Gateway on a different machine, which is used for load balancing. How can I isolate users on multiple databases acting on the same bucket?


#2

I don’t know if there’s a valid use case to define multiple Sync Gateway databases pointing to the same underlying bucket. As you’ve found, they share the same data, including user data.

What’s your functional goal for defining multiple databases pointing to the same bucket within a single Sync Gateway?


#3

We have a multi-tenant application where we store data for multiple tenants in a single bucket. We have created a separate database at Sync Gateway for each tenant in our application for the following reasons:

  1. Each tenant has different business logic and data routing logic, so it requires separate Sync functions.
  2. Each tenant has separate user accounts and maybe different ways of authentication (LDAP or other custom authentication).

We cannot have a separate bucket for each tenant as that would be expensive. Please suggest a way to implement the above requirement.


#4

You can’t do that. SG’s data model assumes one database per bucket.


#5

Ok, then we have to create one bucket per tenant as we create one database per tenant. Then what should we do if we have more than 10 tenants, as it is not recommended to create more than 10 buckets in a server?


#6

I’m not convinced you can’t store more than one tenant’s data in the same database. For example, you can use a docID prefix to distinguish tenants’ docs, and the sync function can then switch on the prefix to apply different logic for different tenants’ docs.

(I don’t know whether it’s still a problem to have more than ten buckets on a server; I thought that had been overcome in current versions of Couchbase Server, but I’m totally not a server expert.)
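
The docID-prefix approach from post #6, sketched as an added example that is not part of the thread and not Couchbase's own code: one sync function for the shared database dispatches on the prefix and namespaces channels per tenant. The `<tenant>::<id>` ID format, the tenant names and the `tenant-<name>` roles are assumptions; the stand-ins after the function exist only so it runs outside Sync Gateway.

```javascript
// Constructed example. Assumptions (not from the thread): docIDs look like
// "<tenant>::<id>", tenants are "acme" and "globex", roles are "tenant-<name>".

// Body for the "sync" key of the single shared database. channel(),
// requireRole() and throw({forbidden: ...}) are Sync Gateway built-ins.
function sync(doc, oldDoc) {
  // Per-tenant routing logic, selected by the docID prefix.
  var routes = {
    acme: function (d) { return [].concat(d.channels || []); },
    globex: function (d) { return ["region-" + (d.region || "none")]; }
  };
  var tenant = String(doc._id).split("::")[0];
  // Own-property check so prefixes like "constructor" are not treated as tenants.
  if (!Object.prototype.hasOwnProperty.call(routes, tenant)) {
    throw { forbidden: "unknown tenant prefix" };
  }
  // Only holders of this tenant's role may write or delete its documents.
  requireRole("tenant-" + tenant);
  if (doc._deleted) { return; } // tombstones carry no body to route
  // Namespace channels so a document body cannot name another tenant's channel.
  routes[tenant](doc).forEach(function (name) {
    channel(tenant + "." + name);
  });
}

// Minimal local stand-ins for the built-ins, to exercise sync() offline.
var channel, requireRole;
function runSync(doc, userRoles) {
  var assigned = [];
  channel = function (name) { assigned.push(name); };
  requireRole = function (role) {
    if (userRoles.indexOf(role) < 0) { throw { forbidden: "missing role" }; }
  };
  try {
    sync(doc, null);
    return { ok: true, channels: assigned };
  } catch (e) {
    return { ok: false, reason: e.forbidden };
  }
}
```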


#7

There might be one issue with this approach: every time I try to add a new tenant, I need to modify the Sync function, which requires a restart/resync of Sync Gateway, which might block currently executing requests. _resync is very expensive too.


#8

Same here…
So how do we do this when we want to implement multi-tenancy here?


#9

ok.

you can use admin api - User to achieve this

but… poor admin api auth…

only adminInterface there…

I think Couchbase is not so friendly when I’m trying to implement multi-tenancy


#10

and, why does nobody answer these kinds of questions here…


#11

As indicated in the thread above, there are a couple of options for dealing with multi-tenancy in Couchbase Server. Can you be specific on why these options won’t work for you?

  • Create a separate bucket for each tenant, or
  • Just add something in the document that indicates the tenant that the document is associated with

#12

I would have a similar use case where I have 1 bucket and multiple databases that simply act as a virtual view over all documents stored in Couchbase. I would like to have a way to filter the documents based on which database the user connects to.


#13

By “database”, did you mean “Sync Gateway database”?
A typical pattern is to use a “type” or equivalent field in the document to group similar documents in the bucket - you can also use an identifier prefix in the doc ID. You can then use import filters to control the subset of documents imported by each database.