I'm trying to restrict access to our RavenDB to only one user. After altering the settings to secure the DB, I can still access the RavenDB management studio and I'm not sure why. I'm running RavenDB as a windows service, and I'm using build 573.
This is my Raven.Server.exe.config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<appSettings>
<add key="Raven/Port" value="*"/>
<add key="Raven/DataDir" value="~\Data"/>
<add key="Raven/AnonymousAccess" value="None"/> <!-- Settings are Get, All, None -->
<add key="Raven/Authorization/Windows/RequiredUsers" value="FS-6103\PrestoDatabaseUser"/>
<add key="Raven/MaxPageSize" value="2147483647"/>
</appSettings>
<runtime>
<loadFromRemoteSources enabled="true"/>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<probing privatePath="Analyzers"/>
</assemblyBinding>
</runtime>
</configuration>
If I'm only allowing FS-6103\PrestoDatabaseUser, why am I able to still connect to the management studio remotely? I'm logged in as my windows AD account. I can even modify documents, which is exactly what I'm trying to prevent. Am I missing a setting?
You say you are on build 573? That's very old. According to the release history it was published on 12/15/2011. There is a commit dated 2/22/2012 that says "Change Authorization to return 403 if user is not in group or users list". That's probably a fix that you need.
I would update to at least the last stable build - 1.0.960 and see if your issue persists.
If you're not in a production environment, now would be a good time to move to 2.0 unstable.
RavenDB doesn't secure the Studio endpoint because that there is no need for you to do so. The Studio itself doesn't let you to do any thing if it doesn't has access to RavenDB.
If you still want to restrict access to the studio also, you can do that using IIS security, like a regular website. But keep in mind that there is no special reason to do so.
来源:https://stackoverflow.com/questions/13588064/securing-the-raven-database