User permission problems


Andreas Melcher

Apr 20, 2020, 2:28:24 PM
to Event Store
I want to have a user with
  1. the right to read from $all
  2. create/read/write own streams
After creating the user (adb-service), it can do (2) but not (1). If I give the user admin rights it can do both, but I want to achieve this without it being an admin.

So I tried sending POST requests to $all/metadata and $settings, but now it seems it can't write to its own streams.

...to $settings:
[
    {
        "eventId": "adb171af-aa12-469f-a18b-bae5f11b9962",
        "eventType": "$user-updated",
        "data": {
            "$userStreamAcl": {
                "$r":  ["$admin", "$ops", "adb-service"],
                "$w":  ["$admin", "$ops", "adb-service"],
                "$d":  ["$admin", "$ops", "adb-service"],
                "$mr": ["$admin", "$ops", "adb-service"],
                "$mw": ["$admin", "$ops", "adb-service"]
            },
            "$systemStreamAcl": {
                "$r":  ["$admin", "adb-service"],
                "$w":  "$admins",
                "$d":  "$admins",
                "$mr": "$admins",
                "$mw": "$admins"
            }
        }
    }
]

...to $all/metadata:
[
    {
        "eventId": "edbc71af-aa22-469f-a58b-bae5f57b9962",
        "eventType": "update-all-acl",
        "metadata": {
            "$acl": {
                "$r": ["$admins","adb-service"]
            }
        }
    }
]

After those requests, it can't even write to user streams, even when it has admin rights!
Both requests were successful: the response was "201 Created", and I can see the result via GET requests and in the admin GUI.

Any idea what's wrong with my requests?


Andreas Melcher

Apr 26, 2020, 6:29:26 AM
to Event Store
Research still ongoing...some more info:

It seems I can't give my user read permission on the $all stream without also giving it on the other system streams; I have to investigate that later. For now I skip the request to $all/metadata (mentioned above), as I set the ACL for all system streams in $settings.

Sending just this to $settings works:

[
    {
        "eventId": "adb171af-aa12-469f-a18b-bae5f11b9962",
        "eventType": "$user-updated",
        "data": {
            "$systemStreamAcl": {
                "$r": ["$admin", "adb-service"]
            }
        }
    }
]

  • adb-service can read $all
  • adb-service can create, read and write its own streams
But since the default ACL for user streams is

{
    "$r":  "$all",
    "$w":  "$all",
    "$d":  "$all",
    "$mr": "$all",
    "$mw": "$all"
}

...I would prefer to allow only adb-service to access user streams, but adb-service can't write its own streams when I set it like this:

[
    {
        "eventId": "adb171af-aa12-469f-a18b-bae5f11b9962",
        "eventType": "$user-updated",
        "data": {
            "$userStreamAcl": {
                "$r":  ["$admin", "adb-service"],
                "$w":  ["$admin", "adb-service"],
                "$d":  ["$admin", "adb-service"],
                "$mr": ["$admin", "adb-service"],
                "$mw": ["$admin", "adb-service"]
            },
            "$systemStreamAcl": {
                "$r":  ["$admin", "adb-service"]
            }
        }
    }
]


Reading from $all still works with this request.

I have always used a fresh store for each test to ensure that I really just test specific requests.
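The two posts above describe the same procedure: POST a default-ACL event to $settings, optionally a per-stream $acl to <stream>/metadata, then check what the user adb-service can do. The script below is an added example, written for this page; it is not code from the thread or from Event Store. It builds those request bodies, lints the role names before they are sent (EventStore reserves the "$" prefix, and the built-in groups are $admins and $ops, so a "$"-prefixed role that is neither of those is worth a second look), prints the curl line with the stream name URL-encoded, and predicts the effective permission with a small model of ACL resolution. Everything in it is an assumption of mine unless it appears in the posts: the event types "update-default-acl" and "update-acl" and the placement of the ACL under "data" are the request shapes from the EventStore v5 docs as I recall them, and can_access() models my understanding of the rules ($admins bypass every check, "$"-prefixed streams default to $systemStreamAcl and all others to $userStreamAcl, a stream's own $acl overrides the default per key, and the role value "$all" means every user and is unrelated to the $all stream). Verify both against your server version on a throwaway store, as the poster did; the model is not a claim about why the posted requests behaved as they did.

```python
"""
Added example, not code from the original thread or from Event Store.
Builds $settings / <stream>/metadata request bodies for EventStore's HTTP
API, lints role names, and predicts effective stream permissions.

Assumptions (mine, not confirmed by the thread):
  * event types "update-default-acl" / "update-acl" and the ACL under "data"
    follow the EventStore v5 docs as I recall them; check your version.
  * built-in groups are $admins and $ops; the role "$all" means every user.
  * can_access() is a simplified model: $admins bypass checks, "$"-prefixed
    streams default to $systemStreamAcl, others to $userStreamAcl, and a
    stream's own $acl overrides the default per key.
"""
import json
import uuid
from urllib.parse import quote

BUILTIN_GROUPS = {"$admins", "$ops"}
EVERYONE = "$all"                    # the role, not the $all stream
ACL_KEYS = ("$r", "$w", "$d", "$mr", "$mw")


def roles(value):
    """An ACL value may be one role or a list of roles; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_acl(acl):
    """Flag unknown ACL keys and '$'-prefixed roles that are not built in,
    e.g. "$admin" (no s), which names no group on a default install."""
    problems = []
    for key, value in acl.items():
        if key not in ACL_KEYS:
            problems.append(f"unknown ACL key {key!r}")
        for role in roles(value):
            if role.startswith("$") and role not in BUILTIN_GROUPS | {EVERYONE}:
                problems.append(f"{key}: {role!r} is not a built-in group")
    return problems


def settings_event(user_acl=None, system_acl=None):
    """Body for POST /streams/%24settings; omit a side to leave its default."""
    data = {}
    if user_acl is not None:
        data["$userStreamAcl"] = user_acl
    if system_acl is not None:
        data["$systemStreamAcl"] = system_acl
    return [{"eventId": str(uuid.uuid4()),
             "eventType": "update-default-acl", "data": data}]


def stream_acl_event(acl):
    """Body for POST /streams/<stream>/metadata, e.g. for the $all stream."""
    return [{"eventId": str(uuid.uuid4()),
             "eventType": "update-acl", "data": {"$acl": acl}}]


def curl_for(stream, body, base="http://127.0.0.1:2113", user="admin"):
    """curl invocation that sends `body`; the '$' in the stream name must be
    URL-encoded as %24, and the events media type must be used."""
    path = "/streams/" + quote(stream, safe="")
    if stream != "$settings":
        path += "/metadata"
    return (f"curl -i -u {user} -X POST {base}{path} "
            "-H 'Content-Type: application/vnd.eventstore.events+json' "
            f"-d '{json.dumps(body)}'")


def can_access(user, groups, key, stream, user_acl, system_acl, stream_acl=None):
    """Predict whether `user` (member of `groups`) may perform `key` on `stream`
    under the modelled rules described in the module docstring."""
    if "$admins" in groups:
        return True
    default = system_acl if stream.startswith("$") else user_acl
    allowed = roles((stream_acl or {}).get(key, default.get(key)))
    return EVERYONE in allowed or user in allowed or any(g in allowed for g in groups)


# Constructed sample: the poster's goal, with the admin group spelled $admins.
SYSTEM_ACL = {"$r": ["$admins", "adb-service"]}
USER_ACL = {key: ["$admins", "adb-service"] for key in ACL_KEYS}

if __name__ == "__main__":
    print(lint_acl({"$r": ["$admin", "adb-service"]}))      # flags "$admin"
    print(curl_for("$settings", settings_event(USER_ACL, SYSTEM_ACL)))
    print(curl_for("$all", stream_acl_event({"$r": ["$admins", "adb-service"]})))
    for key, stream in (("$r", "$all"), ("$w", "$all"), ("$w", "orders")):
        print(key, stream, can_access("adb-service", [], key, stream, USER_ACL, SYSTEM_ACL))
```

Run it as-is to see the lint output, the two curl lines (curl prompts for the admin password because of -u admin), and the predictions for adb-service: read on $all allowed, write on $all denied (no $w in the system default), write on a user stream allowed. Passing a stream_acl argument to can_access shows the per-stream override taking precedence over the defaults.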
