Are the Raven/Authorization/Windows/RequiredGroups and Raven/AnonymousAccess config values still supported in v 2.0?


Adam Spicer

Jan 14, 2013, 10:45:24 AM
to rav...@googlegroups.com
We are upgrading to build 2230 from 2139 and suddenly we are getting a 403 Forbidden error message.

We are running as a Windows Service and have both of the following specified in the config file:
    <add key="Raven/Authorization/Windows/RequiredGroups" value="LSCTallahassee\RavenDB"/>
    <add key="Raven/AnonymousAccess" value="None"/>

Here is the stacktrace:
   at System.Net.HttpWebRequest.GetResponse()
   at Raven.Client.Connection.HttpJsonRequest.ReadJsonInternal(Func`1 getResponse)
   at Raven.Client.Connection.HttpJsonRequest.ReadResponseJson()
   at Raven.Client.Connection.ServerClient.DirectGet(String serverUrl, String key)
   at Raven.Client.Connection.ReplicationInformer.TryOperation[T](Func`2 operation, String operationUrl, Boolean avoidThrowing, T& result)
   at Raven.Client.Connection.ReplicationInformer.ExecuteWithReplication[T](String method, String primaryUrl, Int32 currentRequest, Int32 currentReadStripingBase, Func`2 operation)
   at Raven.Client.Connection.ServerClient.ExecuteWithReplication[T](String method, Func`2 operation)
   at Raven.Client.Document.DocumentSession.Load[T](String id)

I wonder if those config values are still supported. I've tested removing the Raven/Authorization/Windows/RequiredGroups setting and then logged into the Studio and to my surprise, access was granted.
Any ideas?

Adam Spicer

Jan 14, 2013, 11:19:33 AM
to rav...@googlegroups.com
I tested changing the AnonymousAccess to the following:
<add key="Raven/AnonymousAccess" value="All"/>

And that is allowing access again, but that isn't what we need. Access needs to be granted ONLY to the users in a specific group, as it was done before.

Oren Eini (Ayende Rahien)

Jan 15, 2013, 12:02:37 PM
to ravendb
This should work, actually. Are you trying to access the RD database?


On Mon, Jan 14, 2013 at 5:53 PM, Adam Spicer <adam....@gmail.com> wrote:
On a whim, I also tried to setup the same config through the system database:
{
  "RequiredGroups": [
    {
      "Name": "LSCTallahassee\\RavenDB",
      "Enabled": true,
      "Databases": [
        {
          "Admin": false,
          "TenantId": "RD",
          "ReadOnly": false
        }
      ]
    }
  ],
  "RequiredUsers": []
}

This didn't work either... still getting a 403!

Adam Spicer

Jan 15, 2013, 1:07:21 PM
to rav...@googlegroups.com
Actually I am just trying to access ANY tenant database. There are 2: RD and RDDeployTest.
The security around them is the same, we just need the user to be part of the RavenDB AD group. 

When we upgraded, we replaced all files for the windows service except for our config. I did take a backup of the DB before the backup - just in case.

Any ideas/suggestions?

Oren Eini (Ayende Rahien)

Jan 15, 2013, 1:21:25 PM
to ravendb
What is the identity of the code that is calling RavenDB?

Adam Spicer

Jan 15, 2013, 3:33:02 PM
to rav...@googlegroups.com
The app pool is running as LSCTallahassee\AnonInetUsr_RD and is a member of LSCTallahassee\RavenDB.

The connection string used to connect to RD is as follows (obviously pw omitted):
Url=http://sqldb.lsctallahassee.local;Database=RD;User=RavenNucleusRD;Password=;Domain=LSCTallahassee

The RavenNucleusRD user is ALSO a member of LSCTallahassee\RavenDB.

In the website, the executing thread's IIdentity gets set to a custom Identity, but I don't believe that is related as it should be the App Pool Identity that is being used for authentication. I mention that just in case it would be doing something with the thread's IIdentity.

Oren Eini (Ayende Rahien)

Jan 15, 2013, 3:43:04 PM
to ravendb
Are you running in IIS or as a service?

Adam Spicer

Jan 15, 2013, 4:23:35 PM
to rav...@googlegroups.com, ravendb
Service. Running as system. 

Oren Eini (Ayende Rahien)

Jan 15, 2013, 5:17:53 PM
to ravendb
Hm, 
What happens when you try to connect using the group user with the browser?

Adam Spicer

Jan 16, 2013, 8:12:23 AM
to rav...@googlegroups.com
Are you asking what happens when going to the Studio tool? My domain account is part of the LSCTallahassee\RavenDB group and when I connect to the Studio, it prompts me for UN and PW and then grants me access.

If I remove Raven/Authorization/Windows/RequiredGroups from the config, restart the service and go to the Studio tool, it prompts me for UN and PW but still grants me access. But maybe that is because "everyone" has access by default.

Surprisingly though if I set the service's config as shown below, I am prompted for UN/PW when using the Studio, but I am still granted access!!

<add key="Raven/Authorization/Windows/RequiredGroups" value="LSCTallahassee\SomeOtherSecurityGroup"/>
<add key="Raven/AnonymousAccess" value="None"/>

Where SomeOtherSecurityGroup is a security group that I am not in (or anybody for that matter).

Oren Eini (Ayende Rahien)

Jan 16, 2013, 4:26:16 PM
to ravendb
Is this something that you can reproduce when running in console mode?

Adam Spicer

Jan 16, 2013, 9:36:38 PM
to rav...@googlegroups.com
In console (debug) mode, logged in as me (part of the LSCTallahassee\RavenDB group), I get the following behavior:

With Settings:
<add key="Raven/Authorization/Windows/RequiredGroups" value="LSCTallahassee\RavenDB"/>
<add key="Raven/AnonymousAccess" value="None"/>
Behavior: I cannot access the Studio tool or the database through the web application. The Studio continually prompts for my credentials and reports the following error:

Could not get authorization for this command.
If you should have access to this operation contact your admin and check the Raven/AnonymousAccess or the Windows Authentication settings in RavenDB 
Server sent:
   at Raven.Studio.Infrastructure.InvocationExtensions.Catch(Task parent, Func`2 func)
   at Raven.Studio.Infrastructure.InvocationExtensions.Catch(Task parent, Action`1 action)
   at Raven.Studio.Infrastructure.InvocationExtensions.Catch(Task parent)
   at Raven.Studio.Models.ServerModel.TimerTickedAsync()
   at Raven.Studio.Models.ServerModel.Initialize()
   at Raven.Studio.Models.ServerModel..ctor(String url)
   at Raven.Studio.Models.ServerModel..ctor()
   at Raven.Studio.Models.ApplicationModel..ctor()
   at Raven.Studio.Models.ApplicationModel..cctor()
   at Raven.Studio.Models.DatabaseSelectionModel..ctor()
   at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandleInternal& ctor, Boolean& bNeedSecurityCheck)
   at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache)
   at System.RuntimeType.CreateInstanceDefaultCtor(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache)
   at System.Activator.CreateInstance(Type type, Boolean nonPublic)
   at MS.Internal.XamlManagedRuntimeRPInvokes.CreateInstance(XamlTypeToken inXamlType, XamlQualifiedObject& newObject)
   at MS.Internal.XcpImports.Application_LoadComponentNative(IntPtr pContext, IntPtr pComponent, UInt32 cUriStringLength, String uriString, UInt32 cXamlStrLength, Byte* pXamlStr, UInt32 cAssemblyStrLength, String assemblyStr)
   at MS.Internal.XcpImports.Application_LoadComponent(IManagedPeerBase componentAsDO, String resourceLocator, UnmanagedMemoryStream stream, UInt32 numBytesToRead, String assemblyString)
   at System.Windows.Application.LoadComponent(Object component, Uri resourceLocator)
   at Raven.Studio.Features.Databases.DatabaseSelectionView.InitializeComponent()
   at Raven.Studio.Features.Databases.DatabaseSelectionView..ctor()
   at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandleInternal& ctor, Boolean& bNeedSecurityCheck)
   at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache)
   at System.RuntimeType.CreateInstanceDefaultCtor(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache)
   at System.Activator.CreateInstance(Type type, Boolean nonPublic)
   at MS.Internal.XamlManagedRuntimeRPInvokes.CreateInstance(XamlTypeToken inXamlType, XamlQualifiedObject& newObject)
   at MS.Internal.XcpImports.Application_LoadComponentNative(IntPtr pContext, IntPtr pComponent, UInt32 cUriStringLength, String uriString, UInt32 cXamlStrLength, Byte* pXamlStr, UInt32 cAssemblyStrLength, String assemblyStr)
   at MS.Internal.XcpImports.Application_LoadComponent(IManagedPeerBase componentAsDO, String resourceLocator, UnmanagedMemoryStream stream, UInt32 numBytesToRead, String assemblyString)
   at System.Windows.Application.LoadComponent(Object component, Uri resourceLocator)
   at Raven.Studio.MainPage.InitializeComponent()
   at Raven.Studio.App.Application_Startup(Object sender, StartupEventArgs e)
   at MS.Internal.CoreInvokeHandler.InvokeEventHandler(UInt32 typeIndex, Delegate handlerDelegate, Object sender, Object args)
   at MS.Internal.JoltHelper.FireEvent(IntPtr unmanagedObj, IntPtr unmanagedObjArgs, Int32 argsTypeIndex, Int32 actualArgsTypeIndex, String eventName, UInt32 flags)


Client side exception:
System.Net.WebException: [HttpWebRequest_WebException_RemoteServer]
Arguments: NotFound
Debugging resource strings are unavailable. Often the key and arguments provide sufficient information to diagnose the problem. See http://go.microsoft.com/fwlink/?linkid=106663&Version=5.1.10411.0&File=System.Windows.dll&Key=HttpWebRequest_WebException_RemoteServer
   at System.Net.Browser.ClientHttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Func`2.Invoke(T arg)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise)

I've tried other settings like "RequiredUsers" with specifying my account, but that results in the same error when going to the Studio tool.
The only way I can get this to run in console or service mode is if I set the AnonymousAccess to ALL.

Oren Eini (Ayende Rahien)

Jan 16, 2013, 11:43:01 PM
to ravendb
<add key="Raven/Authorization/Windows/RequiredGroups" value="LSCTallahassee\RavenDB"/>

This is NOT meaningful for 2.0
Did you set up the security like shown here:

Adam Spicer

Jan 17, 2013, 8:32:01 AM
to rav...@googlegroups.com
Okay, so that setting no longer works in 2.0.

Let me restate our goals and reiterate that this setup was working in build 2139:
  • ONLY allow access to the Studio (server-side) to users in a particular AD Group.
  • ONLY allow access from the Client API to users in a particular AD Group.
  • Nobody should have "read only" access unless we explicitly set it from one of the two points above.
So with those goals in mind, we need to be sure that Raven is configured properly. After performing the tests last night, I am now getting NEW behaviors. The example below is an attempt to prove that Raven will deny access if an unauthorized user attempts to access the system. But as you will see, it appears to be granting access instead.

The app.config now looks like this:
  <appSettings>
    <add key="Raven/Port" value="80"/>
    <add key="Raven/AnonymousAccess" value="None"/>
    <add key="Raven/DataDir" value="H:\Data"/>
    <add key="Raven/IndexStoragePath" value="G:\Indexes"/>
    <add key="Raven/Esent/LogsPath" value="I:\Logs"/>
  </appSettings>

Starting the service I log into the Studio and configure the system database's authentication (as discussed here: http://ravendb.net/docs/server/authentication)
{
  "RequiredGroups": [],
  "RequiredUsers": [
    {
      "Name": "LSCTallahassee\\SomeOtherUser",
      "Enabled": true,
      "Databases": [
        {
          "Admin": false,
          "TenantId": "RD",
          "ReadOnly": false
        }
      ]
    }
  ]
}

Question: Correct me if I am wrong, but since I have specified security settings for the RD database, Anonymous Access to the RD database from the Studio AND the Client will be denied, correct?

With those settings, if I use this ConnectionString (<add name="RavenDB" connectionString="Url=http://sqldb.lsctallahassee.local;Database=RD;" />) then it allows me to access the database from the client api. It is my understanding that I should get a 401 here because:
  1. The RD database is configured with LSCTallahassee\\SomeOtherUser as a required user.
  2. I am NOT specifying the user LSCTallahassee\\SomeOtherUser in the connection string.
  3. The IIS identity is not configured as the user LSCTallahassee\\SomeOtherUser.

Thank you for your help thus far. If it would help, I am available to diagnose with someone offline from Skype or some other medium.

Oren Eini (Ayende Rahien)

Jan 17, 2013, 9:33:28 AM
to ravendb
Given the configuration that you have, the following people can access the RD database:

* LSCTallahassee\SomeOtherUser
* Local / Domain Administrators
* Any process running with the _same_ user that RavenDB is running on.

This is getting too long, and I added a debug endpoint that should help resolve it.
Starting on the next build, we are going to have this:

using System;
using Raven.Client.Connection;
using Raven.Client.Document;

using (var store = new DocumentStore
{
    Url = "http://localhost:8080" // placeholder: the URL of the server being diagnosed
})
{
    store.Initialize();
    // POST to the debug endpoint and print the server's view of the calling user
    var readResponseJson = ((ServerClient) store.DatabaseCommands).CreateRequest("POST", "/debug/user-info").ReadResponseJson();
    Console.WriteLine(readResponseJson);
}


This will give us the ability to get detailed user information.

Adam Spicer

Jan 17, 2013, 10:21:26 AM
to rav...@googlegroups.com
I just posted a reply, but it isn't showing up so I'll post it again.

I think you hit the nail on the head. Our AppPool identity for RD is a member of the Domain Admin group (bad practice, I know). I don't recall seeing any mention of this in the documentation and I think others could benefit from having that detail documented.

Thank you for your support.

Oren Eini (Ayende Rahien)

Jan 17, 2013, 1:09:02 PM
to ravendb
You posted it directly to me.
Yes, that is the case, and it is there so you would have a way to access the db for the very first time.

Oren Eini (Ayende Rahien)

Jan 17, 2013, 1:09:18 PM
to ravendb
And as a safety feature, if you locked yourself out, an admin can still get you in.

Adam Spicer

Jan 18, 2013, 8:26:53 AM
to rav...@googlegroups.com
Oren, I think I found what may be going on... it seems like the Windows Authentication > Groups are not working properly.

Scenario Setup:
In config for the Raven service, set <add key="Raven/AnonymousAccess" value="None"/>
In AD create a Security Group that will represent users that can connect to Raven DB, say "Domain\RavenGroup". Also create a new user, say "Domain\WebUser" and add them to the "Domain\RavenGroup". (without any admin memberships)
In the Studio Tool, configure the Windows Authentication > Groups settings to grant access to a database for the new group, "Domain\RavenGroup". Do not grant any other Groups or Users access.

Two Examples using Scenario Above
*EXAMPLE 1*
In an MVC website, connect to RavenDB using a connection string that specifies the username and password for "Domain\WebUser". (Note: be sure the app pool for the website doesn't have any admin memberships. Probably better to also isolate the Raven DB and Website on different boxes).
In this example, the website will not be granted access to Raven DB and will get a 401 error.

*EXAMPLE 2*
Attempt to connect to the studio tool using the "Domain\WebUser" account. 
You will get a 401 and eventually a 403 - even if you granted "Admin" rights in the Studio to "Domain\RavenGroup".

Work Around
The workaround that we found to work was to NOT specify Windows Authentication > Group settings and instead specify Windows Authentication > Users.


I was able to reproduce this issue on 2 different domains between 3 different installations of Raven DB.
ms007

Jan 18, 2013, 5:42:14 PM
to rav...@googlegroups.com
If I got it right then the two settings

Raven/Authorization/Windows/RequiredGroups and
Raven/Authorization/Windows/RequiredUsers

are no longer supported in version 2.0,

but in the documentation they are still referenced under

Barry

Jan 18, 2013, 11:13:57 PM
to rav...@googlegroups.com
Are you logging into a computer with Domain\WebUser or just attempting to authenticate against the Studio?  Underneath the group checks are using WindowsPrincipal.IsInRole and per the remarks here http://msdn.microsoft.com/en-us/library/fs485fwh.aspx the user needs to login to the domain to ensure token group propagation.

Your workaround makes sense because then it is just a username string match.   If you still have issues, I would suggest creating a local group on the Raven box and use that as the group for testing (i.e. MACHINENAME\TestGroup).  Then add the domain group or domain user to that and see what happens as a sanity check.
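The membership check Barry describes (WindowsPrincipal.IsInRole answered from the token's group SIDs), the name-string match that the RequiredUsers workaround reduces to, and the implicit grant to local administrators that Oren listed earlier in the thread can all be observed directly from the token of the calling process. The console program below is an added example, not code from this thread or from RavenDB; the names DOMAIN\RavenGroup and DOMAIN\WebUser are placeholders to replace with the group and user configured in the Studio.

```csharp
using System;
using System.Security.Principal;

// Added example (not from the thread or from RavenDB): inspects the Windows
// token of the current process the way a server-side group check would see it.
static class TokenDiagnostics
{
    // Same mechanism as WindowsPrincipal.IsInRole: answered from the group
    // SIDs carried in the token, not by querying Active Directory.
    public static bool IsInRequiredGroup(WindowsIdentity identity, string requiredGroup)
    {
        return new WindowsPrincipal(identity).IsInRole(requiredGroup);
    }

    // The RequiredUsers workaround from the thread reduces to a plain,
    // case-insensitive comparison of the account name.
    public static bool IsRequiredUser(WindowsIdentity identity, string requiredUser)
    {
        return string.Equals(identity.Name, requiredUser, StringComparison.OrdinalIgnoreCase);
    }

    // Implicit grant mentioned in the thread: members of the local Administrators group.
    // Under UAC this is true only for an elevated token.
    public static bool IsLocalAdmin(WindowsIdentity identity)
    {
        return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
    }

    public static void Report(string requiredGroup, string requiredUser)
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();

        Console.WriteLine("Token identity : {0} ({1})", identity.Name, identity.AuthenticationType);
        Console.WriteLine("Administrators : {0}", IsLocalAdmin(identity));
        Console.WriteLine("IsInRole({0}): {1}", requiredGroup, IsInRequiredGroup(identity, requiredGroup));
        Console.WriteLine("Name == {0}: {1}", requiredUser, IsRequiredUser(identity, requiredUser));

        // If IsInRole is false although AD says the account is a member, the group
        // is simply missing from this token; the list below shows what the token holds.
        Console.WriteLine("Groups present in the token:");
        foreach (IdentityReference sid in identity.Groups)
        {
            string name;
            try
            {
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                name = sid.Value; // SID that cannot be resolved to a name
            }
            Console.WriteLine("  " + name);
        }
    }

    static void Main(string[] args)
    {
        // Placeholders; pass the group and user you configured in the Studio.
        string requiredGroup = args.Length > 0 ? args[0] : @"DOMAIN\RavenGroup";
        string requiredUser = args.Length > 1 ? args[1] : @"DOMAIN\WebUser";
        Report(requiredGroup, requiredUser);
    }
}
```

Run it under the identity that actually calls RavenDB (the app pool identity or the service account, for example with runas), not under your own interactive session: the token groups and the Administrators result differ per logon, which is exactly the difference the thread's console-mode and service-mode tests exposed.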

Oren Eini (Ayende Rahien)

Jan 25, 2013, 8:45:40 AM
to ravendb
Thanks, this is now fixed.

Trent Johnson

Jan 31, 2013, 10:40:17 AM
to rav...@googlegroups.com
Which build is this fixed in?

Oren Eini (Ayende Rahien)

Jan 31, 2013, 11:52:04 AM
to ravendb
Use the current unstable, 2246
