Access to purge logs

bamatic · April 7, 2022, 11:27pm

Hi there,
We are experimenting troubles with purge function, we have beed advised to upgrade to 3.14.2 version and to monitor purge logs.
We’ve upgrade to 3.14.2 in our dev instance but we are not able to see the logs
https://upgrade-muso-mali.app.medicmobile.org/medic-sentinel/_all_docs?startkey=%22purgelog%22&endkey=%22pw%22
we get

{

error: "forbidden",

reason: "You are not allowed to access this db."

}

How could we get access to this logs ?

kenn · April 7, 2022, 11:33pm

Do you have admin credentials to your instance https://upgrade-muso-mali.app.medicmobile.org? If so, are you using them?

bamatic · April 7, 2022, 11:36pm

Yes, we have admin credentials

kenn · April 8, 2022, 9:37pm

Purge logs (and all sentinel log files) are available to the “couch2pg database administrator” accounts. The user account you’re using (pm_test_muso) is not an admin user, it has the role national_admin - which is a custom role within your app_settings.json file. It has the word admin in the role, but isn’t a db admin.

  "roles": {
    "national_admin": {
      "name": "usertype.national-manager"
    },
    ...
  },

There is an actual admin permissions which is controlled via CouchDB’s security features. 1.5. Security — Apache CouchDB® 3.3 Documentation. To make this account an admin, you’ll need to set its role to _admin in the CouchDB user document.

Hope this helps. Let me know if you are still unclear on how to proceed.

bamatic · April 10, 2022, 2:32am

Sorry but it is no clear for me, at medic database I found user org.couchdb.user:pm_test_muso, and adding the _admin role does just nothing

{
  "_id": "org.couchdb.user:pm_test_muso",
  "_rev": "3-e029e0bb42dc0ef9de0ed3081c7c2837",
  "name": "pm_test_muso",
  "type": "user-settings",
  "fullname": "PM Test Muso",
  "roles": [
    "national_admin",
    "mm-online",
    "_admin"
  ],
  "known": true
}

In your https://docs.couchdb.org/en/3.2.0/intro/security.html#users-documents I can read

roles (array of string): List of user roles. CouchDB doesn’t provide any built-in roles, so you’re free to define your own depending on your needs. However, you cannot set system roles like _admin there. Also, only administrators may assign roles to users - by default all users have no roles

And in this other doc https://docs.couchdb.org/en/3.2.0/intro/security.html#creating-a-new-admin-user

kenn · April 11, 2022, 9:44pm

I think it is me who has misunderstood. But I think we are getting closer.

I went to https://upgrade-muso-mali.app.medicmobile.org/_utils/#database/medic-sentinel/_security and I found that any non-admin user with role sentinel can access the sentinel database.

I added this sentinel role to your user document at https://upgrade-muso-mali.app.medicmobile.org/_utils/#database/_users/org.couchdb.user%3Apm_test_muso.

Can you try now if you can access the sentinel logs at https://upgrade-muso-mali.app.medicmobile.org/medic-sentinel/_all_docs?startkey=%22purgelog%22&endkey=%22pw%22?

bamatic · April 13, 2022, 9:33pm

yes, Now this is working I see it thank you