I've spent a lot of the day reading (and re-reading) the documentation for authentication and authorization, and trying various things through test code, but I'm still not clear on how this works in practice.
We are currently using build 3.0.3800. We have a product that gets installed which starts an embedded db and also starts the embedded HTTP server. This application is deployed to a number of different customer networks that we don't have access to. What we would like to do is have a way for our tech support people to guide a customer admin user through connecting to the studio to help diagnose issues, but we don't want all of the customers to have easy access to Studio by default. Based on my reading, I've tried the following:
    var systemDb = new EmbeddableDocumentStore
    {
        DataDirectory = ".\\",
        UseEmbeddedHttpServer = true,
        Configuration =
        {
            Port = 8901,
            AnonymousUserAccessMode = AnonymousUserAccessMode.None,
            AllowLocalAccessWithoutAuthorization = false,
            DatabaseName = "testDb"
        },
    };
    systemDb.Configuration.Settings["Raven/Authorization/Windows/RequiredGroups"] = "no_groups_allowed";
    systemDb.Configuration.Settings["Raven/Authorization/Windows/RequiredUsers"] = "no_windows_auth_allowed";
    systemDb.Configuration.Settings["Raven/License"] = @"our license...";
    systemDb.Initialize();
    Console.WriteLine("running...");
    Console.ReadKey();
I have tried this with and without the RequiredGroups and RequiredUsers.
I have created an API key in the database:
    {
        "Databases": [
            {
                "Admin": true,
                "TenantId": "<system>",
                "ReadOnly": false
            },
            {
                "Admin": true,
                "TenantId": "*",
                "ReadOnly": false
            }
        ],
        "Enabled": true,
        "Name": "app_admin",
        "Secret": "a1ysLelyXzrimGjlD53D5CSe3cWlzuqq"
    }
After starting this app, pulling up http://localhost:8901 immediately allows me into Studio without challenging me. After opening the port in the firewall and trying from another machine, I was prompted for a username and password. Entering my domain credentials let me in immediately. Clearing all browser state and opening Studio from the remote computer again using the URL from the API key setup page (with the #api-key fragment) allowed me in and gave me a logout button in the upper right (the expected and desired behavior).
Thinking this may be related to the process running as me, I also installed the test app as a Windows service running as Local System and tried again, but was again immediately allowed in.
Is there a way to set this up so that Studio is only available with a particular user/password or particular API key - and doesn't automatically allow anyone based on Windows credentials?