Possible to disable Windows auth for Studio in production environments (api key only)


jacob schuetze

Jan 17, 2017, 2:35:25 AM1/17/17
to RavenDB - 2nd generation document database
I've spent a lot of the day reading (and re-reading) the documentation for authentication and authorization, and trying various things through test code, but I'm still not clear on how this works in practice.

We are currently using build 3.0.3800.  We have a product that gets installed which starts an embedded db and also starts the embedded HTTP server.  This application is deployed to a number of different customer networks that we don't have access to.  What we would like to do is have a way for our tech support people to guide a customer admin user through connecting to the studio to help diagnose issues, but we don't want all of the customers to have easy access to Studio by default.  Based on my reading, I've tried the following: 


using System;
using Raven.Client.Embedded;
using Raven.Database.Server;   // AnonymousUserAccessMode

var systemDb = new EmbeddableDocumentStore
{
    DataDirectory = ".\\",
    UseEmbeddedHttpServer = true,
    Configuration =
    {
        Port = 8901,
        // Reject anonymous requests: every caller has to authenticate.
        AnonymousUserAccessMode = AnonymousUserAccessMode.None,
        // Do not exempt requests from the local machine from authorization.
        AllowLocalAccessWithoutAuthorization = false,
        DatabaseName = "testDb"
    },
};

// Point the Windows-auth allow-lists at group/user names that do not exist,
// so that no Windows account should match them.
systemDb.Configuration.Settings["Raven/Authorization/Windows/RequiredGroups"] = "no_groups_allowed";
systemDb.Configuration.Settings["Raven/Authorization/Windows/RequiredUsers"] = "no_windows_auth_allowed";
systemDb.Configuration.Settings["Raven/License"] = @"our license...";

systemDb.Initialize();

Console.WriteLine("running...");
Console.ReadKey();


I have tried this with and without the RequiredGroups and RequiredUsers.  

I have created an api key in the database:

{
    "Databases": [
        {
            "Admin": true,
            "TenantId": "<system>",
            "ReadOnly": false
        },
        {
            "Admin": true,
            "TenantId": "*",
            "ReadOnly": false
        }
    ],
    "Enabled": true,
    "Name": "app_admin",
    "Secret": "a1ysLelyXzrimGjlD53D5CSe3cWlzuqq"
}

After starting this app, pulling up http://localhost:8901 immediately allows me into Studio without challenging me.  After opening the port in the firewall and trying from another machine, I was prompted for username password.  Entering my domain credentials let me in immediately.  Clearing all browser state and opening Studio from the remote computer again using the URL from the API key setup page (with the #api-key fragment) allowed me in and gave me a logout button in the upper right (the expected and desired behavior).

Thinking this may be related to the process running as me, I also installed the test app as a windows service running as Local System and tried again, but was again immediately allowed in.

Is there a way to set this up so that studio is only available with a particular user/password or particular API key - and doesn't automatically allow anyone based on windows credentials?  


Oren Eini (Ayende Rahien)

Jan 17, 2017, 2:54:05 AM1/17/17
to ravendb
There is no way to do that easily.
The idea is that an admin is always granted access (because they would be able to gain one anyway, and to make it easier to admin).



Hibernating Rhinos Ltd
Oren Eini l CEO l Mobile: +972-52-548-6969
Office: +972-4-622-7811 l Fax: +972-153-4-622-7811


--
You received this message because you are subscribed to the Google Groups "RavenDB - 2nd generation document database" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ravendb+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Tobi

Jan 17, 2017, 3:15:37 AM1/17/17
to rav...@googlegroups.com
We have a similar scenario with embedded devices. We need the embedded http/RavenDB.Studio only for maintenance.

Our application has a maintenance function which starts the embedded HTTP-Server/RavenDb.Studio. This function is protected by an application-specific admin password (we usually use this only via remote control software).

Tobias

On 17.01.2017 08:53, Oren Eini (Ayende Rahien) wrote:
> There is no way to do that easily.
> The idea is that an admin is always granted access (because they would be
> able to gain one anyway, and to make it easier to admin).

jacob schuetze

Jan 17, 2017, 11:47:22 AM1/17/17
to RavenDB - 2nd generation document database

Thanks Tobi.  I was considering something very similar to that, and it seems this is also how NServiceBus / ServiceControl does it too, but was hoping there was an easier way.

What is the recommended way to start and stop the Studio http services on an existing database?  In my tests, I had tried just disposing the DB and re-initializing it with http turned on, which works fine, but that could be problematic in a running application that exposes external APIs.

     -Jacob

jacob schuetze

Jan 17, 2017, 11:51:13 AM1/17/17
to RavenDB - 2nd generation document database
What is it that makes a person an admin?  There were no windows auth entries added to the database.  Is it because I'm part of the Administrators group on the computer running the application?  I am not a domain admin, but I am also an admin on the other computer I used as a client.

    -Jacob

Oren Eini (Ayende Rahien)

Jan 17, 2017, 1:29:24 PM1/17/17
to ravendb
a) It is admin on the machine
b) It is the user that is running ravendb itself.

jacob schuetze

Jan 17, 2017, 2:23:21 PM1/17/17
to RavenDB - 2nd generation document database
Thank you

Tobi

Jan 17, 2017, 4:21:38 PM1/17/17
to rav...@googlegroups.com
You should not dispose the whole database. Something like this should work with 3.5:

// Toggle only the embedded HTTP listener (Studio plus the REST endpoints); the
// database itself keeps running. ServerIfEmbedded is the RavenDbServer that
// EmbeddableDocumentStore creates on Initialize().
public EmbeddableDocumentStore DocumentStore { get; set; }
private bool _serverIsRunning;

public void StartHttpServer()
{
    if (_serverIsRunning) return;
    DocumentStore.ServerIfEmbedded.EnableHttpServer();
    _serverIsRunning = true;
}

public void StopHttpServer()
{
    if (!_serverIsRunning) return;
    DocumentStore.ServerIfEmbedded.DisableHttpServer();
    _serverIsRunning = false;
}

You might need to catch exceptions there if the server can't be started (netsh issues etc.)

Tobias
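The maintenance-gate pattern Tobi describes earlier in the thread (start the embedded HTTP server only on demand, behind an application-specific admin password) and his Start/StopHttpServer methods above, combined into one worked example. This is added example code, not code from the thread or from RavenDB. It assumes RavenDB 3.5's `ServerIfEmbedded.EnableHttpServer()` / `DisableHttpServer()` as used in Tobi's post, a store that was initialized with `UseEmbeddedHttpServer = false`, and .NET's `Rfc2898DeriveBytes` (PBKDF2) for the password verifier; the `MaintenanceGate` class, its method names, the 30-minute window and the iteration count are this example's own choices. What it buys you is narrow but real: while the listener is down nobody reaches Studio, and once it is up RavenDB's rule that machine administrators and the service account are always admins still applies, so the password controls when the window is open, not who gets in during it.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading;
using Raven.Client.Embedded;

// Added example (not RavenDB code): expose the embedded HTTP server, and with it
// Studio, only after a support engineer supplies the application's maintenance
// password, and close it again automatically after a bounded window.
public sealed class MaintenanceGate : IDisposable
{
    private const int VerifierBytes = 32;

    private readonly EmbeddableDocumentStore _store;
    private readonly byte[] _salt;
    private readonly byte[] _verifier;   // PBKDF2 output stored at install time, never the password
    private readonly int _iterations;
    private readonly object _sync = new object();
    private Timer _autoClose;
    private bool _serverIsRunning;

    public MaintenanceGate(EmbeddableDocumentStore store, byte[] salt, byte[] verifier, int iterations)
    {
        _store = store;
        _salt = salt;
        _verifier = verifier;
        _iterations = iterations;
    }

    // Run once when the maintenance password is set; persist salt + verifier with the product.
    public static byte[] NewSalt()
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return salt;
    }

    public static byte[] DeriveVerifier(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))   // PBKDF2-HMAC-SHA1
            return kdf.GetBytes(VerifierBytes);
    }

    // Constant-time comparison so a wrong guess is not measurably faster than a right one.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        var diff = 0;
        for (var i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public bool IsOpen { get { lock (_sync) return _serverIsRunning; } }

    // Verify the password; on success start the listener (if needed) and (re)arm the auto-close timer.
    public bool TryOpen(string password, TimeSpan window)
    {
        var candidate = DeriveVerifier(password, _salt, _iterations);
        if (!FixedTimeEquals(candidate, _verifier))
            return false;

        lock (_sync)
        {
            if (!_serverIsRunning)
            {
                try
                {
                    _store.ServerIfEmbedded.EnableHttpServer();
                }
                catch (Exception)
                {
                    // Typically a missing URL reservation (netsh http add urlacl) or a port in use;
                    // report failure rather than leaving the gate half-open.
                    return false;
                }
                _serverIsRunning = true;
            }
            if (_autoClose != null) _autoClose.Dispose();
            _autoClose = new Timer(_ => Close(), null, window, Timeout.InfiniteTimeSpan);
        }
        return true;
    }

    public void Close()
    {
        lock (_sync)
        {
            if (_autoClose != null) { _autoClose.Dispose(); _autoClose = null; }
            if (!_serverIsRunning) return;
            _store.ServerIfEmbedded.DisableHttpServer();
            _serverIsRunning = false;
        }
    }

    public void Dispose() { Close(); }

    // Usage sketch (hypothetical values): salt/verifier come from the installer, the
    // password from whatever maintenance UI or remote-control path tech support uses.
    public static bool ExampleOpen(EmbeddableDocumentStore store, byte[] salt, byte[] verifier, string entered)
    {
        var gate = new MaintenanceGate(store, salt, verifier, 100000);
        return gate.TryOpen(entered, TimeSpan.FromMinutes(30));
    }
}
```

Store the salt and verifier the way you store the rest of the product's configuration, not in the RavenDB database the gate protects; if a successful open should also be visible to the customer, log it from `TryOpen` alongside the caller's identity.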