I'm trying to restrict access to our RavenDB to only one user. After altering the settings to secure the DB, I can still access the RavenDB management studio and I'm not sure why. I'm running RavenDB as a Windows service, and I'm using build 573.

This is my Raven.Server.exe.config:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="Raven/Port" value="*"/>
    <add key="Raven/DataDir" value="~\Data"/>
    <add key="Raven/AnonymousAccess" value="None"/>  <!-- Settings are Get, All, None -->
    <add key="Raven/Authorization/Windows/RequiredUsers" value="FS-6103\PrestoDatabaseUser"/>
    <add key="Raven/MaxPageSize" value="2147483647"/>
  </appSettings>

  <runtime>
    <loadFromRemoteSources enabled="true"/>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="Analyzers"/>
    </assemblyBinding>
  </runtime>
</configuration>

If I'm only allowing FS-6103\PrestoDatabaseUser, why am I able to still connect to the management studio remotely? I'm logged in as my windows AD account. I can even modify documents, which is exactly what I'm trying to prevent. Am I missing a setting?

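A config audit for the two settings the question turns on, written here as an added example (not code from the post or from RavenDB): it parses the appSettings of a Raven.Server.exe.config and flags Raven/AnonymousAccess values other than None and Windows authorization with no user or group restriction. The RequiredGroups key name and the semicolon-separated list format are assumptions; the sample configs are constructed, and such a file check cannot detect the enforcement bug the accepted answer attributes to build 573, so the endpoint still has to be tested from a non-allowed account.

```python
"""Audit the security-relevant appSettings of a RavenDB 1.x Raven.Server.exe.config."""
import xml.etree.ElementTree as ET

# Constructed sample: a permissive config, anonymous clients may read and write.
WEAK_CONFIG = r"""<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="Raven/Port" value="8080"/>
    <add key="Raven/AnonymousAccess" value="All"/>
  </appSettings>
</configuration>"""

# Constructed sample mirroring the settings shown in the question.
HARDENED_CONFIG = r"""<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="Raven/Port" value="8080"/>
    <add key="Raven/AnonymousAccess" value="None"/>
    <add key="Raven/Authorization/Windows/RequiredUsers" value="FS-6103\PrestoDatabaseUser"/>
  </appSettings>
</configuration>"""


def app_settings(config_xml: str) -> dict:
    """Map each <appSettings><add key=... value=.../> entry to key -> value."""
    root = ET.fromstring(config_xml)
    return {a.get("key"): a.get("value", "") for a in root.findall("./appSettings/add")}


def audit_raven_config(config_xml: str) -> list:
    """Return findings for settings that leave the server open; an empty list means none."""
    settings = app_settings(config_xml)
    findings = []
    anon = settings.get("Raven/AnonymousAccess")
    if anon is None:
        findings.append("Raven/AnonymousAccess not set: set it to None explicitly")
    elif anon != "None":
        findings.append(f"Raven/AnonymousAccess={anon}: unauthenticated clients are served")
    # Assumed: RequiredUsers/RequiredGroups hold semicolon-separated lists; the
    # RequiredGroups key name is assumed from the answer's "group or users list".
    users = [u for u in settings.get("Raven/Authorization/Windows/RequiredUsers", "").split(";") if u.strip()]
    groups = [g for g in settings.get("Raven/Authorization/Windows/RequiredGroups", "").split(";") if g.strip()]
    if not users and not groups:
        findings.append("No RequiredUsers/RequiredGroups: any Windows account that can authenticate is accepted")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_raven_config(cfg) or ["no findings"])
```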

2 Answers


You say you are on build 573? That's very old. According to the release history it was published on 12/15/2011. There is a commit dated 2/22/2012 that says "Change Authorization to return 403 if user is not in group or users list". That's probably a fix that you need.

I would update to at least the last stable build - 1.0.960 and see if your issue persists.

If you're not in a production environment, now would be a good time to move to 2.0 unstable.

  • +1 for the suggestion. I'm actually in a production environment. I'll need to figure out the most recent RavenDB that I can safely jump to. Thanks, Matt... I'll accept if that fixes it... – Bob Horn Nov 27 '12 at 21:54
  • I was just able to test this on a test server. That did it! THANKS! – Bob Horn Nov 27 '12 at 22:18
  • Update for future readers - 2.0 is quite stable now, and highly recommended. 2.5 is coming pretty soon too. Point is, you should try out the current stable version. – Matt Johnson-Pint May 12 '13 at 01:43

RavenDB doesn't secure the Studio endpoint because there is no need for you to do so. The Studio itself doesn't let you do anything if it doesn't have access to RavenDB.

If you still want to restrict access to the studio also, you can do that using IIS security, like a regular website. But keep in mind that there is no special reason to do so.

  • Does that mean that I can no longer run RavenDB as a Windows service? Or are you saying I can leave everything else the way it is and just host the Studio via IIS? If so, I'll need to figure that out as I've never done it. – Bob Horn Nov 27 '12 at 17:43
  • Thanks for the help. I don't understand though... You say the Studio won't let me do anything, but I'm able to access the DB via the Studio and I'm not sure why. The only user allowed is the one I specified, and I'm not connecting to the Studio as that user. So I shouldn't be allowed access, right? – Bob Horn Nov 27 '12 at 18:17
  • Note: I'm also able to query the DB with LinqPad. Is it possible that I'm being allowed to do that because my AD account has access to the Data folder? I was hoping RavenDB would reject my request because I'm not that one user that I'm allowing... – Bob Horn Nov 27 '12 at 18:36
  • Btw, +1 for the help. Appreciate it. – Bob Horn Nov 27 '12 at 21:20
  • @FitzchakYitzchaki I am searching for a similar question, but still can't understand. Being new to RavenDB I can't find anything similar to SQL authentication. Please guide me on this, really stuck without ideas. If you need more details please let me know. – Praveen Jul 26 '13 at 12:22