Syncgateway missing channel access

Hi,

I’m facing issues with some large documents that have this format:

{
  "members": [<user_name_1>, ..., <user_name_n>],
  "type": "group"
}

I create a channel for each group-document and allow access for each user that is listed in the members-array.
There is one document that contains about 1500 members and therefore grants lots of doc accesses resulting in this warning

access and role grants count: 1462 exceeds 50 for grants per doc warning threshold

This is what I get from the admin API:

GET /{db}/_all_docs?access=true&channels=true

{
  "rows": [
    {
      "key": "test.group:test_channel",
      "id": "test.group:test_channel",
      "value": {
        "rev": "1-49feb57cd8dbf4fe5a8ebf3645bd1814",
        "channels": [
          "group:test_channel"
        ],
        "access": {
          "testmail@couchbase.de": [
            "group:test_channel"
          ],
          ... 1462 access-objects
        }
      }
    },
    {
      "key": "org.couchbase.user:testmail@couchbase.de",
      "id": "org.couchbase.user:testmail@couchbase.de",
      "value": {
        "rev": "1-f9e1af0746a1f8b2520d214d1a47fea1",
        "channels": [
          "user:testmail@couchbase.de"
        ],
        "access": {
          "testmail@couchbase.de": [
            "user:testmail@couchbase.de"
          ]
        }
      }
    },
    ... other group-channels
  ],
  "total_rows": 4,
  "update_seq": 8
}

My user “testmail@couchbase.de” has access to the channel “group:test_channel” and to his private user-document channel.
However, the public API delivers a different response, as you can see here:

GET /{db}/_all_docs?access=true&channels=true

{
  "rows": [
    {
      "key": "org.couchbase.user:testmail@couchbase.de",
      "id": "org.couchbase.user:testmail@couchbase.de",
      "value": {
        "rev": "1-f9e1af0746a1f8b2520d214d1a47fea1",
        "channels": [
          "user:testmail@couchbase.de"
        ]
      }
    }
  ],
  "total_rows": 2,
  "update_seq": 8
}

The “group:test_channel” is missing and therefore I cannot see documents that are in this channel. This issue only occurs with this large group-document (45k). I have tried different database configurations by setting enable_shared_bucket_access to false and to true, but it does not solve my issue. I don’t think that my metadata size exceeds the limit of 1MB or 20MB (depending on the shared-bucket config).

This is my database config:

'test': {
  server: 'couchbase://server',
  bucket: 'test',
  username: '***',
  password: '***',
  enable_shared_bucket_access: false,
  num_index_replicas: 0,
  users: {
    GUEST: {
      disabled: true,
      admin_channels: [],
    },
  },
  allow_conflicts: true,
  revs_limit: 20,
  sync,
},
}

Any hints what's wrong? Does this concept of group-documents play well with Couchbase? How can I debug such issues?

Thanks

What is your intent with the group documents? What exactly is your end goal with the config? Maybe a use case example would clarify. There may be an alternate way to get to what you want to do.

Also, how are you creating the channels and granting access? Your sync function seems empty.

The issue is likely that your sync metadata is exceeding how much metadata is available to each document. What does the output of the _raw endpoint show for the group-type document?

That config is unrelated to the issue. But I noticed that your final Sync Gateway config has it set to false. That won’t work (once you have resolved the main issue).
You must enable shared bucket access and set import_docs to true, as described here, to be able to have any server-side changes replicate to the clients.

Thanks for your response.
OK, I will describe our current permission system and our documents.
We have about 1500 users in our system and lots of asset-documents that can be displayed by our app. Each user may see only a small subset of these documents, depending on the granted permissions. This means each asset-document may have different read access.
A user can get access to a document by adding the user directly to an asset-document, like this:

{
   "type": "asset",
   "title": "Sample Pdf",
   ... more document-specific fields

   // access
   "permissions": [
       { "user": <user-name-1>, "read": true }
   ]
}

If each of the 1500 users has access to this document we have to add each user to the permission-array.
We have the concept of a group-document to allow a more flexible permission-handling and to avoid redundancy. A group-document has this format:

{
  "type": "group",
  "members": [
    <user-name-1>,
   ...
  ],
  "name": <group-name>
}

The members array may contain lots of users; as I described earlier, I’m facing issues if a group contains more than 1400 users.

Access for asset-documents is realised by this format:
{
   "type": "asset",
   "title": "Sample Pdf",
   ... more document-specific fields

   // access
   "permissions": [
       { "group": <group-name>, "read": true }
   ]
}

My sync function is very large (300 lines), this is the part that grants access to the groups and assets-documents:

// isGroupDocument, isAssetDocument, channelsForOwner, channelsForPermissions
// and groupRoles are defined elsewhere in the full sync function.
if (isGroupDocument(doc)) {
  // -- Group Document ACCESS --
  const groupChannel = `group:${doc.name}`;
  channel(groupChannel);
  channel(channelsForOwner(doc));
  // one access grant and one role grant per listed member
  access(doc.members, groupChannel);
  role(doc.members, groupRoles);
}
else if (isAssetDocument(doc)) {
  // -- Asset Document ACCESS --
  channel(channelsForOwner(doc));
  channel(channelsForPermissions(doc, 'read'));
}

So each user in the group's members array gets access to the “groupChannel”. Access for an asset-document is realised in the function “channelsForPermissions”. This function reads the “permissions” array of the document and, in case of a group permission, returns the same channel name as the “groupChannel”.

OK, I have tried the call /{db}/_raw/{doc} and I get {"error":"not_found","reason":"missing"}. This is the only document that leads to this error message.

If I call /{db}/{doc}, I can get the document.

Thanks

Can’t you use the logic that drives the creation of the “permissions” entry in the asset documents to instead trigger an update to the user via the user REST API? Assign users access to particular channels via this call.
That way, you wouldn’t have to embed permission information in the asset document. You only include information in the asset document that can be used to derive the channel that the asset document belongs to. Explore the possibility of modeling your data so you can derive that information from the content of the doc instead of having to explicitly add a property just for that purpose.

Beware that access() is a fairly expensive operation, and unless you craft your sync function carefully, you will likely end up with a number of calls that grant a user redundant access to a channel.

You can also explore the use of Sync Gateway roles to logically group users. Roles are assigned access to channels, and users in specific roles will have access to the docs in those channels. You could have a role for “all-users”, for instance.
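The following is an added example, not code from the thread or from Couchbase. It is a small in-memory stand-in for the sync-function environment that records channel(), access() and role() calls per document, so the grant count behind the "grants per doc" warning can be reproduced offline. It compares the per-user grant pattern from the group document above with the role-based alternative from the two replies above: the group document grants its channel to a single role, and membership is managed through the Admin REST API (PUT /{db}/_role/{name} and PUT /{db}/_user/{name} with admin_roles). The database name "test", the role naming scheme "group-<name>", the 1462-member sample group and the way grants are counted (distinct principals that received any grant) are assumptions of this example; real Sync Gateway also validates documents, resolves prefixes and assigns sequence numbers.

```javascript
'use strict';

// Sync Gateway logs a warning once a single document issues more grants than
// this (the thread's warning line: "exceeds 50 for grants per doc warning threshold").
const GRANTS_PER_DOC_WARN = 50;

// Evaluate a sync function against one document. `syncFn` uses this.channel,
// this.access and this.role, mirroring the functions Sync Gateway provides.
// Grants are approximated (assumption) as the number of distinct principals
// (users or "role:..." names) that received any access or role grant.
function runSync(syncFn, doc) {
  const channels = new Set();
  const access = {};   // principal -> Set of channels
  const roles = {};    // user -> Set of roles
  const toList = (x) => (Array.isArray(x) ? x : [x]).filter(Boolean);

  const env = {
    channel: (c) => toList(c).forEach((ch) => channels.add(ch)),
    access: (who, chans) => {
      for (const p of toList(who)) {
        access[p] = access[p] || new Set();
        toList(chans).forEach((ch) => access[p].add(ch));
      }
    },
    role: (who, rs) => {
      for (const u of toList(who)) {
        roles[u] = roles[u] || new Set();
        toList(rs).forEach((r) => roles[u].add(r));
      }
    },
  };
  syncFn.call(env, doc);
  const grants = new Set([...Object.keys(access), ...Object.keys(roles)]).size;
  return { channels: [...channels], access, roles, grants, warn: grants > GRANTS_PER_DOC_WARN };
}

// The thread's design: every member listed in the group doc is granted from the doc.
function perUserGrantSync(doc) {
  if (doc.type !== 'group') return;
  const groupChannel = 'group:' + doc.name;
  this.channel(groupChannel);
  this.access(doc.members, groupChannel);
  this.role(doc.members, 'role:group-member');
}

// Role-based alternative: the group doc grants its channel to one role, so it
// issues a single grant no matter how many members it lists. Who holds the
// role is managed outside the sync function (see membershipRequests).
function roleGrantSync(doc) {
  if (doc.type !== 'group') return;
  const groupChannel = 'group:' + doc.name;
  this.channel(groupChannel);
  this.access('role:group-' + doc.name, groupChannel);
}

// Admin REST API requests that pair with roleGrantSync. `db` and the role naming
// scheme are assumptions of this example. PUT /_user replaces admin_roles, so a
// real updater must merge with the roles the user already holds.
function membershipRequests(db, doc) {
  const role = 'group-' + doc.name;
  const reqs = [{ method: 'PUT', path: `/${db}/_role/${role}`, body: { admin_channels: [] } }];
  for (const user of doc.members) {
    reqs.push({
      method: 'PUT',
      path: `/${db}/_user/${encodeURIComponent(user)}`,
      body: { admin_roles: [role] },
    });
  }
  return reqs;
}

// Constructed sample input: a group with 1462 members, the size from the thread.
const members = Array.from({ length: 1462 }, (_, i) => `user${i}@example.com`);
const bigGroup = { type: 'group', name: 'test_channel', members };

// Stand-alone run: compare the two designs on the same document.
const perUser = runSync(perUserGrantSync, bigGroup);
const perRole = runSync(roleGrantSync, bigGroup);
console.log(`per-user grants: ${perUser.grants}, warns: ${perUser.warn}`);
console.log(`role-based grants: ${perRole.grants}, warns: ${perRole.warn}`);
console.log(`admin API requests to sync membership: ${membershipRequests('test', bigGroup).length}`);
```

With the per-user pattern the single group document produces 1462 grants and trips the warning; with the role pattern it produces one, and the 1462 membership assignments become separate small Admin API requests that do not inflate any one document's sync metadata.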