Admin_channels do not work as expected

Using Sync Gateway 2.8: I wonder if I misunderstood the logic of the admin_channels property in Sync Gateway’s user config?

I defined this for the users section of a database config:

"users": {
  "GUEST": {"disabled": true, "admin_channels": []},
  "mtmsuser": {"password": "xxx", "admin_roles": ["mtms"], "admin_channels": ["config", "tickets_open", "deletions"]}
},

So I expect that the user “mtmsuser” has access to the channels config, tickets_open and deletions without any further action.

In the sync function there is code like this:

if (doc.ticketstatusalias && doc.ticketstatusalias < "10") {
  channel("tickets_open");
}

But although I configured the CBL iOS replicator to use these channels, I didn’t receive documents.

Only after I added an access() call to the sync function:

if (doc.ticketstatusalias && doc.ticketstatusalias < "10") {
  access("mtmsuser", "tickets_open");
  channel("tickets_open");
}

the replicator got the documents.

Questions:

  1. Is this the intended behavior?
  2. Is there a difference between defining channel access via the admin_channels property and via the sync function’s access() in terms of performance?
  3. Is there a limit on how many channels a user might get access to?

Thanks!

admin_channels work in the way you’ve described - you don’t need to do a dynamic channel grant (via access in the sync function). You can issue a GET for the user via the REST API to verify that the admin channels have been set properly. I can’t tell from the information you’ve provided what’s been misconfigured in your original attempt, but you can check the Sync Gateway logs to see the set of channels being used for a given replication.

Thank you, adam. My troubles were caused by a configuration error on my side: I had two CSG databases pointing to the same bucket and having the same CSG user configuration.

In the meantime I understood that user data is saved in the Couchbase bucket, therefore the userdata was messed up with different channels all the time.

Now I have different usernames for each CSG database definition and it works as expected.

I just made another observation: After adding channels to admin_channels and restarting the Sync Gateway, these channels have not been added to the user data in Couch (checked with select * from stammdaten use keys "_sync:user:mtmsuser_stammdaten").

I needed to remove the user using

delete from ticketingsystem use keys "_sync:user:mtmsuser_ticketingsystem"

(which I could have done via the Admin REST API, but it was easier for me this way).

Is this intended behavior?

This is the intended behaviour - admin_channels are only initialized from the config file if the user does not already exist. This is related to what you mention - the user’s admin_channels may have been modified via the REST API, and simply restarting Sync Gateway shouldn’t invalidate the changes made via the REST API.
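
The two causes found in this thread can be checked before they show up as missing documents. The following is an added example, not part of the original posts and not Couchbase's code: it flags user names that two databases on the same bucket would both write to, and compares the config's admin_channels with what a GET on the user returns. The database and bucket names and the sample user document are constructed, the config is assumed to be already parsed into a dict, and the admin port 4985 is assumed to be the default.

```python
import json
import urllib.request
from collections import defaultdict

def shared_user_docs(config):
    """Find user names defined by two or more databases that share one bucket."""
    owners = defaultdict(list)
    for db_name, db in config.get("databases", {}).items():
        bucket = db.get("bucket", db_name)  # bucket defaults to the database name
        for user in db.get("users", {}):
            if user != "GUEST":  # this check covers named users only
                owners[(bucket, user)].append(db_name)
    return {key: sorted(dbs) for key, dbs in owners.items() if len(dbs) > 1}

def channel_drift(configured, stored_user):
    """Compare config-file admin_channels with the stored user's admin_channels."""
    want = set(configured)
    have = set(stored_user.get("admin_channels") or [])
    return {"missing": sorted(want - have), "extra": sorted(have - want)}

def fetch_user(db, name, admin_url="http://localhost:4985"):
    """GET the stored user from the Admin REST API (needs a running Sync Gateway)."""
    with urllib.request.urlopen(f"{admin_url}/{db}/_user/{name}") as resp:
        return json.load(resp)

# Constructed sample config: two databases on one bucket, same user name.
SAMPLE_CONFIG = {"databases": {
    "db_a": {"bucket": "shared_bucket", "users": {
        "GUEST": {"disabled": True, "admin_channels": []},
        "mtmsuser": {"admin_channels": ["config", "tickets_open", "deletions"]}}},
    "db_b": {"bucket": "shared_bucket", "users": {
        "GUEST": {"disabled": True, "admin_channels": []},
        "mtmsuser": {"admin_channels": ["config"]}}},
}}
# Constructed sample of a stored user, shaped like the GET response.
SAMPLE_STORED_USER = {"name": "mtmsuser", "admin_channels": ["config"],
                      "all_channels": ["!", "config"]}

if __name__ == "__main__":
    print("shared user docs:", shared_user_docs(SAMPLE_CONFIG))
    configured = SAMPLE_CONFIG["databases"]["db_a"]["users"]["mtmsuser"]["admin_channels"]
    # Against a live gateway, replace the sample with fetch_user("db_a", "mtmsuser").
    print("drift:", channel_drift(configured, SAMPLE_STORED_USER))
```

A non-empty "missing" list after a restart is the situation described in the last reply: the user already existed, so the config file's admin_channels were not applied.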