[DataStore] Detected multiple owner type auth rules with a READ operation #1780

Closed
dnys1 opened this issue May 6, 2022 · 1 comment
Labels
datastore Issues related to the DataStore category

dnys1 commented May 6, 2022

Describe the bug

The schema below describes the authorization scheme: Every todo can be accessed by its owner and read by precisely one other user if it chooses. This is being used in a customer app to mirror a parent/child relationship where the child is the owner. Using Cognito Groups is not possible due to the fact that you can only have a limited number of groups registered, so these would quickly be exhausted if they were created on a per-parent/child basis.

type Todo @model @auth(rules: [
  { allow: owner }
  { allow: owner, ownerField: "user", operations: [read] }
]) {
    id: ID!
    name: String!
    description: String
    isComplete: Boolean!
    owner: String
    user: String
}

I have verified that the schema works in AppSync, fulfilling the authorization scheme described. However, sync in DataStore is not possible due to the following issue:

[AuthRuleDecorator] Detected multiple owner type auth rules with a READ operation. We currently do not support this use case. Please limit your type to just one owner auth rule with a READ operation restriction.

I have also confirmed that the same issue is present on Android. What is the intended workaround to achieve this authorization scheme?

Steps To Reproduce

1. Log in
2. See subscriptions fail

Expected behavior

This section of the docs presents the same schema, but does not note anything about the behavior of subscriptions.

Amplify Framework Version

1.23.0

Amplify Categories

DataStore

Dependency manager

Cocoapods

Swift version

5.0

CLI version

8.1.0

Xcode version

13.3.1

Relevant log output

2022-05-06 13:07:34.091629-0700 Runner[30849:516958] Metal API Validation Enabled
2022-05-06 13:07:34.456067-0700 Runner[30849:517674] flutter: Observatory listening on http://127.0.0.1:50057/SloU5bGqHB8=/
Amplify configured with DataStore plugin
2022-05-06 13:07:35.730085-0700 Runner[30849:516958] [Amplify] Configuring
2022-05-06 13:07:35.780427-0700 Runner[30849:516958] [awsAPIPlugin] Configure finished
DataStorePlugin successfully initialized
2022-05-06 13:07:36.012454-0700 Runner[30849:517654] fopen failed for data file: errno = 2 (No such file or directory)
2022-05-06 13:07:36.012591-0700 Runner[30849:517654] Errors found! Invalidating cache...
Successfully cleared the store
2022-05-06 13:07:36.495231-0700 Runner[30849:517614] [boringssl] boringssl_metrics_log_metric_block_invoke(153) Failed to log metrics
2022-05-06 13:07:36.965773-0700 Runner[30849:517615] [boringssl] boringssl_metrics_log_metric_block_invoke(153) Failed to log metrics
2022-05-06 13:07:38.073178-0700 Runner[30849:517654] fopen failed for data file: errno = 2 (No such file or directory)
2022-05-06 13:07:38.073306-0700 Runner[30849:517654] Errors found! Invalidating cache...
2022-05-06 13:07:38.271092-0700 Runner[30849:517612] [AuthRuleDecorator] Detected multiple owner type auth rules with a READ operation. We currently do not support this use case. Please limit your type to just one owner auth rule with a READ operation restriction.
2022-05-06 13:07:38.284932-0700 Runner[30849:517612] [AuthRuleDecorator] Detected multiple owner type auth rules with a READ operation. We currently do not support this use case. Please limit your type to just one owner auth rule with a READ operation restriction.
2022-05-06 13:07:38.302545-0700 Runner[30849:517612] [AuthRuleDecorator] Detected multiple owner type auth rules with a READ operation. We currently do not support this use case. Please limit your type to just one owner auth rule with a READ operation restriction.
2022-05-06 13:07:38.304160-0700 Runner[30849:517612] [IncomingAsyncSubscriptionEventToAnyModelMapper] Received subscription: PassthroughSubject
2022-05-06 13:07:38.480366-0700 Runner[30849:517612] [boringssl] boringssl_metrics_log_metric_block_invoke(153) Failed to log metrics
2022-05-06 13:07:38.937477-0700 Runner[30849:517612] ConnectionProviderError.jsonParse; identifier=CD180DC0-4D7A-4826-B44C-E0FCB75EE98F; additionalInfo=Optional(["errors": AppSyncRealTimeClient.AppSyncJSONValue.array([AppSyncRealTimeClient.AppSyncJSONValue.object(["errorType": AppSyncRealTimeClient.AppSyncJSONValue.string("Unauthorized"), "message": AppSyncRealTimeClient.AppSyncJSONValue.string("Not Authorized to access onDeleteTodo on type Todo")])])])
2022-05-06 13:07:38.940054-0700 Runner[30849:517610] ConnectionProviderError.jsonParse; identifier=F4F92A0A-7350-4F17-86FC-7052BD92C62D; additionalInfo=Optional(["errors": AppSyncRealTimeClient.AppSyncJSONValue.array([AppSyncRealTimeClient.AppSyncJSONValue.object(["errorType": AppSyncRealTimeClient.AppSyncJSONValue.string("Unauthorized"), "message": AppSyncRealTimeClient.AppSyncJSONValue.string("Not Authorized to access onCreateTodo on type Todo")])])])
2022-05-06 13:07:38.948506-0700 Runner[30849:517616] [IncomingAsyncSubscriptionEventToAnyModelMapper] Received completion: failure(DataStoreError: Subscription item event failed with error
Caused by:
APIError: Subscription item event failed with error
Caused by:
GraphQLResponseError<MutationSync<AnyModel>>: GraphQL service returned a successful response containing errors: [Amplify.GraphQLError(message: "Not Authorized to access onDeleteTodo on type Todo", locations: nil, path: nil, extensions: Optional(["errorType": Amplify.JSONValue.string("Unauthorized")]))]
Recovery suggestion: The list of `GraphQLError` contains service-specific messages)
2022-05-06 13:07:38.953782-0700 Runner[30849:517612] [AWSInitialSyncOrchestrator] Beginning initial sync
2022-05-06 13:07:38.954748-0700 Runner[30849:517614] ConnectionProviderError.jsonParse; identifier=29FC523A-D8A9-4610-9DC3-8283CFC26AD2; additionalInfo=Optional(["errors": AppSyncRealTimeClient.AppSyncJSONValue.array([AppSyncRealTimeClient.AppSyncJSONValue.object(["message": AppSyncRealTimeClient.AppSyncJSONValue.string("Not Authorized to access onUpdateTodo on type Todo"), "errorType": AppSyncRealTimeClient.AppSyncJSONValue.string("Unauthorized")])])])
2022-05-06 13:07:38.955757-0700 Runner[30849:517614] [InitialSyncOperation] Beginning sync for Todo
2022-05-06 13:07:38.959454-0700 Runner[30849:517614] [AuthRuleDecorator] Detected multiple owner type auth rules with a READ operation. We currently do not support this use case. Please limit your type to just one owner auth rule with a READ operation restriction.
2022-05-06 13:07:39.029111-0700 Runner[30849:517615] [boringssl] boringssl_metrics_log_metric_block_invoke(153) Failed to log metrics
2022-05-06 13:07:39.353411-0700 Runner[30849:517616] [RemoteSyncEngine] Successfully finished sync
Unhandled DataStoreHubEvent: DataStore.syncStarted 
Encoder Foundation.(unknown context at $1105fdab8).__JSONEncoder
Encoder Foundation.(unknown context at $1105fdab8).__JSONEncoder
Encoder Foundation.(unknown context at $1105fdab8).__JSONEncoder
Encoder Foundation.(unknown context at $1105fdab8).__JSONEncoder
Encoder Foundation.(unknown context at $1105fdab8).__JSONEncoder
Encoder Foundation.(unknown context at $1105fdab8).__JSONEncoder

Is this a regression?

No

Regression additional context

No response

Device

iPhone 13 - Simulator

iOS Version

15

Specific to simulators

No response

Additional context

No response

@diegocstn

@dnys1 thanks for reporting this to us. Unfortunately it's a known issue, I'll close this in favour of #1590
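
A schema lint for the condition named in the AuthRuleDecorator warning above, as an added example that is not code from this issue or from Amplify. It assumes that an owner rule with no `operations` list grants every operation (including read) and that `ownerField` defaults to `owner`; the `Note` model and the function names are hypothetical.

```python
import re

# Assumption: omitting `operations` on a rule grants all four operations.
ALL_OPS = {"create", "read", "update", "delete"}

# Constructed sample: the Todo model from the issue (fields trimmed) plus a
# hypothetical Note model that has only one owner rule.
SCHEMA = '''
type Todo @model @auth(rules: [
  { allow: owner }
  { allow: owner, ownerField: "user", operations: [read] }
]) {
    id: ID!
    owner: String
    user: String
}

type Note @model @auth(rules: [
  { allow: owner }
  { allow: groups, groups: ["Admin"], operations: [read] }
]) {
    id: ID!
}
'''

# Captures the model name and the body of its @auth rules list.
TYPE_RE = re.compile(
    r'type\s+(\w+)[^{]*?@auth\s*\(\s*rules\s*:\s*\[(.*?)\]\s*\)', re.S)

def owner_read_rules(schema):
    """Map model name -> ownerField of each owner rule that grants read."""
    result = {}
    for model, rules_body in TYPE_RE.findall(schema):
        fields = []
        for rule in re.findall(r'\{(.*?)\}', rules_body, re.S):
            allow = re.search(r'\ballow\s*:\s*(\w+)', rule)
            if not allow or allow.group(1) != "owner":
                continue  # groups/private/public rules are not counted
            ops = re.search(r'\boperations\s*:\s*\[(.*?)\]', rule, re.S)
            granted = set(re.findall(r'\w+', ops.group(1))) if ops else ALL_OPS
            if "read" in granted:
                field = re.search(r'\bownerField\s*:\s*"(\w+)"', rule)
                fields.append(field.group(1) if field else "owner")
        result[model] = fields
    return result

def unsupported_models(schema):
    """Models with more than one owner rule granting read (the warned case)."""
    return {m: f for m, f in owner_read_rules(schema).items() if len(f) > 1}

if __name__ == "__main__":
    print(unsupported_models(SCHEMA))
```

Running a check like this before deploying a schema surfaces the models whose subscriptions would be rejected as `Unauthorized` at sync time, instead of discovering it from client logs.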
