Access to RavenDB studio does not seem to be secured

Hi,

At the moment anybody seems to have access to RavenDB studio. Is there a way of restricting the access either to Admins or at least localhost?

Thanks

Pawel

Hi Pawel,

RavenDB is on port 10930 - the easiest thing to do is to add a Windows Firewall rule to block external access to that port.

Paul

From: Pawel Pabich
Sent: 30/08/2012 04:44
To: Paul Stovell
Subject: Access to RavenDB studio does not seem to be secured [Problems #610]

Hi,

This sounds like a good enough workaround, but would it be possible to implement an option that is safe by default? Something like SQL Server: the server listens on a port, but to do anything you need to be authenticated. Windows Authentication would be the best, at least in my particular scenario :)

Hi Pawel,

The embedded instance does already require Windows authentication - what version of Octopus are you using?

Paul

The latest version.

I think I was not precise enough. What I was thinking about was authorization. So RavenDB database is not accessible to everybody who has an AD account. In the same way Octopus works. By default you are a regular user and you don’t have access to the configuration section and can’t create projects.

For the time being I’ve added this to the Octopus Server config.

I could not get Raven to accept NetworkService so I configured Octopus Portal to run under Local System.
I asked on RavenDB group if there is a way of limiting access to local Admins and NetworkService.

Thanks

Pawel

Trying to add my config settings. Now with a backtick :)

```xml
<add key="Raven/Authorization/Windows/RequiredGroups" value=".\Administrators"/>
<add key="Raven/AnonymousAccess" value="None"/>
```

Hey Pawel,

Yeah, this is the reason I hadn’t set any expected groups/users out of the box (and just assumed people wouldn’t open that port - I’ll add a note to the install guide). Though now that I think about it, perhaps during install I could create a specially named local group, and add Network Service + Administrators to that by default.

Paul

Just tried it and Windows does not support nested local groups :(. http://support.microsoft.com/kb/974815
Let’s see if the RavenDB guys can find a solution.

For reference, here is the question on the RavenDB user group: https://groups.google.com/forum/?fromgroups#!topic/ravendb/Aluv9YYRcTQ
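
The following audit script is an added example, not code from the thread or from Octopus or RavenDB. It checks a server for the two mitigations discussed above: the `Raven/AnonymousAccess` and `Raven/Authorization/Windows/RequiredGroups` settings, and exposure of TCP port 10930. Assumptions: `$ConfigPath` is a placeholder for the Octopus Server config file, that file uses the standard .NET `appSettings` layout, and the host has PowerShell 3+ with the NetTCPIP and NetSecurity modules (Windows 8 / Server 2012 or later).

```powershell
# Added example. $ConfigPath is a placeholder: point it at the Octopus Server
# config file that holds the Raven appSettings keys shown in the thread.
param(
    [Parameter(Mandatory = $true)][string]$ConfigPath,
    [int]$Port = 10930   # RavenDB port named in the thread
)

function Get-AppSetting([xml]$Config, [string]$Key) {
    # Returns the value of <add key="..." value="..."/>, or $null if the key is absent.
    $node = $Config.SelectSingleNode("//appSettings/add[@key='$Key']")
    if ($node) { $node.GetAttribute('value') } else { $null }
}

$findings = @()
[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw

# 1. Anonymous access should be switched off explicitly.
$anon = Get-AppSetting $config 'Raven/AnonymousAccess'
if ($anon -ne 'None') {
    $findings += "Raven/AnonymousAccess is '$anon' (expected 'None')"
}

# 2. Without required groups, any authenticated Windows account is accepted.
$groups = Get-AppSetting $config 'Raven/Authorization/Windows/RequiredGroups'
if ([string]::IsNullOrWhiteSpace($groups)) {
    $findings += 'Raven/Authorization/Windows/RequiredGroups is not set'
}

# 3. Is the port listening on a non-loopback address?
$exposed = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' }
if ($exposed) {
    # Look for an enabled inbound block rule that names the port exactly
    # (rules written as port ranges are not matched by this simple check).
    $blocked = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$Port" }
    if (-not $blocked) {
        $addrs = ($exposed.LocalAddress | Sort-Object -Unique) -join ', '
        $findings += "TCP $Port listens on $addrs with no explicit inbound block rule"
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "No findings for $ConfigPath / TCP $Port"
```

A missing block rule does not by itself mean the port is reachable, since the default inbound policy and any allow rules also apply; treat that finding as a prompt to review the firewall profile.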