updated to add access function role #909
base: release/3.3
Couple quick things!
modules/ROOT/pages/_partials/sync-api/sync-function-api-access.adoc
@@ -32,6 +32,9 @@ This grants access to the specified channel(s) for all users assigned that role. | |||
|
|||
The effects of all access calls by all active documents are effectively combined in a union, so if _any_ document grants a user access to a channel, that user has access to the channel. | |||
|
|||
The `access()` function grants access to users or roles that do not yet exist. | |||
When you create such users or define roles later, the previous granted access permissions apply to them. | |||
|
|||
NOTE: The sync function `access()` call does not support the wildcard ('***') for granting access to all channels. | |||
To grant a user access to all channels, use the REST API channel grant endpoint. |
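Review bot: in the added paragraph, "the previous granted access permissions" should read "the previously granted access permissions", and "grants access to users or roles that do not yet exist" would be clearer as "can name users or roles that do not yet exist", since the second sentence says the grant applies once they are created. Because that grant is then picked up by whoever is later created under the same name, it is worth a sentence telling readers to pass only user and role names they control to `access()`. The NOTE in the trailing context points to "the REST API channel grant endpoint" without a link; an xref to that endpoint's reference would remove the ambiguity, and the wildcard shown as ('***') should be checked against how it renders.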
Do you have a link to documentation about this endpoint?
No, I didn't find one. I spoke to an SGW eng (Tor), and he's not sure of the links either. I found this.
Hmm, not sure if that's quite right. Are we sure that an endpoint with that functionality exists? That there is a way to grant a user access to all channels in one go?
As a slight semantic distinction, this isn't an endpoint so we don't have an API reference for this. This is part of a set of JavaScript calls that Sync Gateway provides. We don't have better documentation for this function, it probably never existed, but this is an attempt to clarify the behavior for users.
The statement as written is correct.
As far as the general concepts. Channel grants via a sync function are referred to as dynamic channel grants. They do not support granting access to all channels, however the following line refers to granting all channels:
> NOTE: The sync function `access()` call does not support the wildcard ('***') for granting access to all channels.
> To grant a user access to all channels, use the REST API channel grant endpoint.
That endpoint is https://docs.couchbase.com/sync-gateway/current/rest-api/rest_api_admin.html#tag/Database-Security/operation/put_db-_user-name
@torcolvin, to clarify, then, is it incorrect to say that a user could "grant a user access to all channels"? Do we need to word this better?
This statement is correct to grant a user access to all channels as part of the REST API channel grant endpoint. The page that this PR is addressing is not talking about that endpoint in general, but the behavior of the functions available in the sync function.
I do feel that perhaps I am not understanding the question.
DOC-10950
PR to update the SGW access function
Preview URL
Docs Team credentials.