  1. Couchbase Documentation
  2. DOC-8425

Revise potentially misleading public and wildcard channel coverage


Details

    Description

      Potentially misleading Star Channel documentation


        Activity

          Ian.bridge Ian Bridge added a comment -

          Adam Fraser / Ben Brooks / James Flather I'd like to get this published this week.

          It's a small fix to content, arising from CBSE-10029. Can you check that the revised text addresses the issue appropriately?

          It is staged here: https://ibsoln.github.io/stage/stage282/sync-gateway/2.8/channels.html#channel-wildcards 

          adamf Adam Fraser added a comment -

          There are a couple of things in there that are still not quite right, I don't think, which is reasonable because the concepts are a bit overloaded at the moment.

          It's correct that all documents are implicitly assigned to a "*" channel, which can be considered an 'all docs' channel. This channel isn't automatically created when Sync Gateway starts, though - channels aren't 'created' in that way, they are just attributes associated with documents and users.

          However, when "*" is used in a user grant, it's being used as a wildcard to say that the user has access to all channels. That includes the 'all docs' channel. So Note 2 isn't correct as written. In particular, a user can be granted access to "*", and then replicate a specific named channel.

          The existing docs make a good point, though: that requireAccess() behaves differently today. requireAccess('foo') requires that the user has explicitly been granted access to 'foo', not via a channel grant. I think that's actually an oversight, and have filed CBG-1422 to fix that.

          Ian.bridge Ian Bridge added a comment -

          That's great, thanks Adam Fraser. I'll get those items corrected.

          Ian.bridge Ian Bridge added a comment - - edited

          Hi Adam Fraser, can I check ...

          if user.channels = "*" ... the user can access any doc in any channel

          if role.channels = "*" ... any user with that role can access any doc in any channel

          if a doc.channel = "!" ... it is public and any user can access it.

          So, the following grants the user access to any documents in 'any' channel at all  

           

          access(doc.username, '*')
          

          But ... if a channels filter = "*" ... it means any docs in any channel the user/role can access (explicitly or inherited)

          I think that's what I take from the ExpandWildcardChannel in auth/user.go 
          https://github.com/couchbase/sync_gateway/blob/a716a6d2e3f7e8517865780f18d526684276952c/auth/user.go#L298

          // If a channel list contains the all-channel wildcard, replace it with all the user's accessible channels.
          func (user *userImpl) ExpandWildCardChannel(channels base.Set) base.Set {
              if channels.Contains(ch.AllChannelWildcard) {
                  channels = user.InheritedChannels().AsSet()
              }
              return channels
          }

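Added example, not part of this ticket and not Sync Gateway code: a small Go model of the uses of "*" and "!" discussed in the comments above, showing why a wildcard grant, a wildcard filter and the explicit-grant check give different answers. The `user` and `set` types, the method names and the channel names `orders` and `billing` are hypothetical; `requireAccessExplicit` models the behaviour Adam Fraser describes and tracks as CBG-1422.

```go
package main

import "fmt"

// Model only: these types are hypothetical, not Sync Gateway's own.
const (
	allChannels   = "*" // wildcard in a grant or filter
	publicChannel = "!" // readable by every user
)

type set map[string]bool

// user.granted holds channels granted directly or inherited through roles.
type user struct{ granted set }

// canRead: a grant of "*" covers every channel; "!" is open to everyone.
func (u user) canRead(docChannels []string) bool {
	if u.granted[allChannels] {
		return true
	}
	for _, c := range docChannels {
		if c == publicChannel || u.granted[c] {
			return true
		}
	}
	return false
}

// expandFilter mirrors the quoted ExpandWildCardChannel: a "*" in a
// replication filter becomes the user's own channels, never more.
func (u user) expandFilter(filter set) set {
	if filter[allChannels] {
		return u.granted
	}
	return filter
}

// requireAccessExplicit models the behaviour described in the thread:
// only a literal grant of the named channel passes, not a "*" grant.
func (u user) requireAccessExplicit(ch string) bool {
	return u.granted[ch]
}

func main() {
	admin := user{granted: set{"*": true}}      // constructed sample users
	alice := user{granted: set{"orders": true}} // and channel names
	fmt.Println(admin.canRead([]string{"billing"}), admin.requireAccessExplicit("billing"))
	fmt.Println(alice.canRead([]string{"billing"}), len(alice.expandFilter(set{"*": true})))
}
```

When reviewing a sync function, treat any `access(..., '*')` call as a grant of every channel, and check separately which code paths rely on the explicit-grant check.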
          Ian.bridge Ian Bridge added a comment - - edited

          Hi Adam Fraser. I reworded that text incorporating the feedback. Is this good to go now? https://ibsoln.github.io/stage/stage282/sync-gateway/2.8/channels.html 

          Would like to publish today.

          adamf Adam Fraser added a comment -

          The staged version isn't updated for me, but I had a look at the PR and it looks good to me - thanks!

          Ian.bridge Ian Bridge added a comment -

          Thanks Adam Fraser

          PR: https://github.com/couchbase/docs-sync-gateway/pull/490
          Commit: dc76432
          Ported to 3.0 https://github.com/couchbase/docs-sync-gateway/pull/491

          People

            Ian.bridge Ian Bridge