AccessDeniedError: Read access denied for stream '$all'.

Hi,

I currently try to not use the “admin” user anymore to connect from my service to the EventStore but an own user.

First I tried to add read rights for that user

  • first in the default ACL setting ($systemStreamAcl -> $r)
  • later in the metadata of the $all stream directly ($acl -> $r).
    For both I set ["$admins", "myuser"]

I got an

"AccessDeniedError: Read access denied for stream '$all'."

So I tried what happens when I set the user as admin in the EventStore GUI and still get the same error.

When I change one character of the username intentionally the error message changes to

"Error: Authentication error: Not Authenticated", so it seems I really use that user.

Any idea what I am doing wrong?
What other info could I provide to get some help on that?

Did you add the user directly to the ACL or are you using a group?

The exact events I sent were

```json
[
  {
    "eventId": "edbc71af-aa22-469f-a58b-bae5f17b9962",
    "eventType": "$user-updated",
    "data": {
      "$systemStreamAcl": {
        "$r": ["$admins", "adb-service"]
      }
    }
  }
]
```

and

```json
[
  {
    "eventId": "edbc71af-aa22-469f-a58b-bae5f17b9962",
    "eventType": "update-all-acl",
    "metadata": {
      "$acl": {
        "$r": ["$admins", "adb-service"]
      }
    }
  }
]
```

First to $settings/metadata, second to $all/metadata

Maybe that messes the ACL up in a way that not even admin rights work anymore?! Connecting with the admin user still works though.

Both requests came back with "201 Created".

Hmm,

  • I started up a fresh EventStore
  • added the new user and gave him admin rights immediately
  • now he can read the $all stream
    Seems like my requests above were wrong.

Any idea how to change them?

Sounds like this is the same problem I had: https://groups.google.com/forum/#!topic/event-store/W8HmlXWHqQI

Updates to a user’s group simply get ignored!

You got to delete and re-create the user if you want to change the groups.

Also check this problem: https://groups.google.com/forum/#!topic/event-store/wBZufSWk6yI

The Access Control on this thing is bonkers.

Alternatively I’ve found out you can change a user’s password (can be the same) after an update to a user’s ACL.

This for some reason makes the previous ACL update stick (no joke!).

No clue what happens in the background, probably the password-change clears a cache or something.

You are right. I removed the admin rights from the user and could still read $all.
After “changing” the password to the same value, I could not connect anymore.

Unfortunately, this does not solve my problem with my probably wrong requests above. Also after pulling the password-change trigger I can still not read $all if not in the admin group.

So, still my open questions to you guys. What's wrong with sending

```json
[
  {
    "eventId": "edbc71af-aa22-469f-a58b-bae5f17b9962",
    "eventType": "$user-updated",
    "data": {
      "$systemStreamAcl": {
        "$r": ["$admins", "adb-service"]
      }
    }
  }
]
```

to $settings/metadata for letting the adb-service user read the $all stream?

Or

```json
[
  {
    "eventId": "acbc71af-ba22-469f-a58b-bae5f17b9962",
    "eventType": "update-all-acl",
    "metadata": {
      "$acl": {
        "$r": ["$admins", "adb-service"]
      }
    }
  }
]
```

Both are not working.

Is somebody here that has managed to change the ACL of a stream?
If not, do you connect with the admin user or don’t read the $all stream?

I’d guess your issue is related to this PR:

https://github.com/EventStore/EventStore/pull/1667

Thanks a lot for your reply!!

I was not successful after restarting the eventstore but I found the problem!!

I sent the requests to the metadata of $settings. In my opinion it's easy for an ES noob to mix things up in the docs here. ACLs for a stream are set in the metadata of that stream, but not the default ACLs; they are set in the main data of the $settings stream. It absolutely makes sense now that I found the problem, but it could be emphasized more in the docs imho.

Thanks to everyone that tried to help!!
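The distinction the thread ends on (default ACL in the $settings stream's own data, per-stream ACL in that stream's metadata) as an added example, not code from the original posts. The host, the event type names (`update-default-acl`, `$metadata`), the placeholder event id and the expected request shape are assumptions based on the EventStore HTTP API; the checker flags the two request shapes that appear in the thread.

```python
import json
from urllib.parse import quote

# Constructed example (not from the thread): the two different places an EventStore ACL is
# written to over HTTP. Host, event type names and the placeholder event id are assumptions
# based on the EventStore HTTP API, not values taken from the original posts.
HOST = "http://localhost:2113"
EVENT_ID = "<EVENT-ID-PLACEHOLDER>"


def default_acl_request(readers, host=HOST, event_id=EVENT_ID):
    """Default ACL for system streams: an ordinary event in the $settings stream's data."""
    body = [{
        "eventId": event_id,
        "eventType": "update-default-acl",
        "data": {"$systemStreamAcl": {"$r": list(readers)}},
    }]
    return f"{host}/streams/{quote('$settings', safe='')}", body


def stream_acl_request(stream, readers, host=HOST, event_id=EVENT_ID):
    """ACL for one stream (e.g. $all): a $metadata event posted to that stream's metadata."""
    body = [{
        "eventId": event_id,
        "eventType": "$metadata",
        "data": {"$acl": {"$r": list(readers)}},
    }]
    return f"{host}/streams/{quote(stream, safe='')}/metadata", body


def find_acl_mistakes(url, body):
    """Report the mix-ups seen in the thread: a default-ACL payload aimed at a /metadata
    endpoint, or an $acl placed under 'metadata' instead of the event's 'data'."""
    problems = []
    for event in body:
        if "$systemStreamAcl" in event.get("data", {}) and url.endswith("/metadata"):
            problems.append("default ACL belongs in the $settings stream itself, not in its metadata")
        if "$acl" in event.get("metadata", {}):
            problems.append("stream ACL belongs in 'data' of the $metadata event, not in 'metadata'")
    return problems


if __name__ == "__main__":
    for url, body in (default_acl_request(["$admins", "adb-service"]),
                      stream_acl_request("$all", ["$admins", "adb-service"])):
        print(url)
        print(json.dumps(body, indent=2))
        print(find_acl_mistakes(url, body) or "ok")
```

Each request body is sent with `Content-Type: application/vnd.eventstore.events+json`; the checker only inspects the shape and target, it does not talk to a server.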