thoughts on making the studio accessible only via localhost?


aaron navaro

Mar 7, 2012, 11:03:09 PM
to rav...@googlegroups.com
I have a relatively simple scenario where I am happy to use the coarse-grained security provided by the Windows Service install to control access to the HTTP API. Read-only GET access is perfect for my needs. That said, since the studio is available to anyone, there is little point in the read-only restriction. Is there any way to make the studio accessible only via localhost? I understand that one can use IIS to do this relatively easily, but what's the point of having the Windows service authentication modes at all if anyone can access the studio regardless of the mode?

Cheers,
Aaron

Oren Eini (Ayende Rahien)

Mar 8, 2012, 2:50:40 AM
to rav...@googlegroups.com
That wouldn't give you any security. It would merely make it slightly harder, but everything is accessible via the HTTP API.
You can set up Windows Auth and then limit it to specific users or groups, though.

aaron navaro

Mar 9, 2012, 2:48:20 AM
to rav...@googlegroups.com
Ok, I did not fully understand how raven was working, but I still have a problem.
I will quickly recap what I did not understand to make this thread more useful and then explain the current problem.

I had assumed incorrectly that I was using anonymous authentication because the raven config said
 <add key="Raven/AnonymousAccess" value="Get"/>
I did not realize that Windows Authentication would be on by default (if browser supported) and required no configuration because it uses the NTFS permissions on the /Data and /Tenants folders (see http://stackoverflow.com/questions/8672237/ravendb-network-access).
I also assumed incorrectly that the studio may have been using some special form of access but I now see that it just calls the HTTP API anyway using the same permissions as if I called the HTTP API directly.

Now, assuming the above is correct, that I am accessing Raven using Windows Authentication, and that my config regarding anonymous access is still set to <add key="Raven/AnonymousAccess" value="Get"/>, what I would expect is that if a user is denied NTFS write permissions on the Raven/Data and Raven/Tenants folders (i.e. they cannot create a file in that folder, even when logged on locally to the machine), the same user should not be able to create any documents in Raven via the HTTP API or the Studio. However, this seems not to be the case, and this user can create documents in Raven just fine. Am I missing something obvious here? I have tried restarting Raven in between requests as well.

Regards,
Aaron

Mauro Servienti

Mar 9, 2012, 3:07:38 AM
to rav...@googlegroups.com
As far as I have understood, Windows authentication is used only for its basic purpose of... well... authentication :-) not authorization. Given that, the result is that if the calling user exists in the configured storage and the calling user can be authenticated, the user is granted full access. The server executes operations using the identity that the server is running with; it does not impersonate the calling user, so the only requirement is that the server user has correct permissions on the data folders.

.m
_____________________
it's all about trust...

Oren Eini (Ayende Rahien)

Mar 9, 2012, 4:13:13 AM
to rav...@googlegroups.com
Aaron,
We don't use NTFS permissions to check for access.

You can use:
- Raven/Authorization/Windows/RequiredGroups
- Raven/Authorization/Windows/RequiredUsers

To limit who can log in.

aaron navaro

Mar 11, 2012, 10:53:20 PM
to rav...@googlegroups.com

Thanks for the reply,

Using the Windows service,
>>- Raven/Authorization/Windows/RequiredGroups
>>- Raven/Authorization/Windows/RequiredUsers
does give me the ability to authenticate against Windows groups/users.

But what I really wanted was the coarse-grained authorization like you have for anonymous users, where you can set <add key="Raven/AnonymousAccess" value="Get"/>, but for Windows groups/users.

In the end I decided to run it as an IIS Application, which made it easy for me to do that type of authorization at the verb level in the web.config due to Raven's adherence to proper use of HTTP verbs. For others who may want to do the same, here's my config:

<system.webServer>
. . .
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
                <windowsAuthentication enabled="true" />
            </authentication>
            <authorization>
                <remove users="*" roles="" verbs="" />
                <add accessType="Allow" roles="CORP\Xapp - Data Administrators" verbs="GET,PUT,DELETE,POST,CONNECT" />
                <add accessType="Allow" roles="CORP\Xapp - Site Representatives" verbs="GET" />
                <add accessType="Allow" roles="CORP\Xapp - Graduate Managers" verbs="GET,PUT" />
                <add accessType="Allow" roles="Administrators" verbs="GET,POST,PUT,DELETE,CONNECT" />
            </authorization>
        </security>
. . .
</system.webServer>
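
An added example, not part of the original post or of RavenDB: a Python check that loads the authorization rules from the web.config above and evaluates which role may use which HTTP verb, so a read-only group that picks up PUT/POST/DELETE is caught in review. The evaluation order (a matching Deny wins, then any Allow, no match means denied) is an assumed, simplified model of IIS URL Authorization, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed input: the <authorization> rules from the post, elided parts left out.
WEB_CONFIG = r"""
<system.webServer>
  <security>
    <authorization>
      <remove users="*" roles="" verbs="" />
      <add accessType="Allow" roles="CORP\Xapp - Data Administrators" verbs="GET,PUT,DELETE,POST,CONNECT" />
      <add accessType="Allow" roles="CORP\Xapp - Site Representatives" verbs="GET" />
      <add accessType="Allow" roles="CORP\Xapp - Graduate Managers" verbs="GET,PUT" />
      <add accessType="Allow" roles="Administrators" verbs="GET,POST,PUT,DELETE,CONNECT" />
    </authorization>
  </security>
</system.webServer>
"""
WRITE_VERBS = {"PUT", "POST", "DELETE"}

def _csv(value):
    """Split a comma-separated attribute into an upper-cased set."""
    return {v.strip().upper() for v in (value or "").split(",") if v.strip()}

def load_rules(xml_text):
    """Read every <add> rule under <security>/<authorization>."""
    authz = ET.fromstring(xml_text).find("./security/authorization")
    return [{"allow": el.get("accessType", "").lower() == "allow",
             "users": _csv(el.get("users")), "roles": _csv(el.get("roles")),
             "verbs": _csv(el.get("verbs"))}  # empty verbs = every verb
            for el in authz.findall("add")]

def is_allowed(rules, verb, roles=()):
    """Assumed model: a matching Deny wins, then any Allow, otherwise denied."""
    held = {r.upper() for r in roles}
    hits = [r for r in rules
            if (r["roles"] & held or "*" in r["users"])
            and (not r["verbs"] or verb.upper() in r["verbs"])]
    return bool(hits) and all(r["allow"] for r in hits)

def write_grants(rules):
    """Map each role to the write verbs that some Allow rule gives it."""
    grants = {}
    for r in rules:
        if r["allow"]:
            verbs = (r["verbs"] or WRITE_VERBS) & WRITE_VERBS
            for role in r["roles"]:
                grants.setdefault(role, set()).update(verbs)
    return {role: v for role, v in grants.items() if v}

if __name__ == "__main__":
    for role, verbs in sorted(write_grants(load_rules(WEB_CONFIG)).items()):
        print(f"{role}: {', '.join(sorted(verbs))}")
```
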

Oren Eini (Ayende Rahien)

Mar 12, 2012, 3:33:28 AM
to rav...@googlegroups.com
Glad that you were able to find a satisfactory solution.