Hi,
I am currently trying not to use the “admin” user anymore to connect from my service to the EventStore, but my own user instead.
First I tried to add read rights for that user
- first in the default ACL setting ($systemStreamAcl -> $r)
- later in the metadata of the $all stream directly ($acl -> $r).
For both I set ["$admins", "myuser"]
I got an
“AccessDeniedError: Read access denied for stream ‘$all’.”
So I tried what happens when I set the user as admin in the EventStore GUI and still get the same error.
When I change one character of the username intentionally the error message changes to
“Error: Authentication error: Not Authenticated” so it seems I really use that user.
Any idea what I am doing wrong?
What other info could I provide to get some help on that?
Did you add the user directly to the ACL or are you using a group?
The exact events I sent were

```json
[
  {
    "eventId": "edbc71af-aa22-469f-a58b-bae5f17b9962",
    "eventType": "$user-updated",
    "data": {
      "$systemStreamAcl": {
        "$r": ["$admins", "adb-service"]
      }
    }
  }
]
```
and
```json
[
  {
    "eventId": "edbc71af-aa22-469f-a58b-bae5f17b9962",
    "eventType": "update-all-acl",
    "metadata": {
      "$acl": {
        "$r": ["$admins", "adb-service"]
      }
    }
  }
]
```
First to $settings/metadata, second to $all/metadata
Maybe that messes the ACL up in a way that not even admin rights work anymore?! Connecting with the admin user still works though.
Both requests came back with “201 Created”
Hmm,
- I started up a fresh EventStore
- added the new user and gave him admin right immediately
- now they can read the $all stream
Seems like my requests above were wrong.
Any idea how to change them?
Sounds like this is the same problem I had: https://groups.google.com/forum/#!topic/event-store/W8HmlXWHqQI
Updates to a user’s group simply get ignored!
You got to delete and re-create the user if you want to change the groups.
Also check this problem: https://groups.google.com/forum/#!topic/event-store/wBZufSWk6yI
The Access Control on this thing is bonkers.
Alternatively I’ve found out you can change a user’s password (can be the same) after an update to a user’s ACL.
This for some reason makes the previous ACL update stick (no joke!).
No clue what happens in the background, probably the password-change clears a cache or something.
You are right. I removed the admin rights from the user and could still read $all.
After “changing” the password to the same value, I could not connect anymore.
Unfortunately, this does not solve my problem with my probably wrong requests above. Also after pulling the password-change trigger I can still not read $all if not in the admin group.
So, still my open questions to you guys. What's wrong with sending

```json
[
  {
    "eventId": "edbc71af-aa22-469f-a58b-bae5f17b9962",
    "eventType": "$user-updated",
    "data": {
      "$systemStreamAcl": {
        "$r": ["$admins", "adb-service"]
      }
    }
  }
]
```
to $settings/metadata for letting the adb-service user read the $all stream?
Or
```json
[
  {
    "eventId": "acbc71af-ba22-469f-a58b-bae5f17b9962",
    "eventType": "update-all-acl",
    "metadata": {
      "$acl": {
        "$r": ["$admins", "adb-service"]
      }
    }
  }
]
```

Neither of them is working.
Is there somebody here who has managed to change the ACL of a stream?
If not, do you connect with the admin user or don’t read the $all stream?
Thanks a lot for your reply!!
I was not successful after restarting the eventstore but I found the problem!!
I sent the requests to the metadata of $settings. In my opinion it’s easy for an ES noob to mix things up in the docs here. ACLs for a stream are set in the metadata of that stream… but not the default ACLs, those are set in the $settings stream's main data. It absolutely makes sense now that I found the problem, but it could be emphasized more in the docs imho.
Thanks to everyone that tried to help!!
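As an added example (not code from the thread or from EventStore), the following builds the two kinds of ACL write the thread distinguishes and flags the mix-up it ended on: default ACLs go to the $settings stream body, per-stream ACLs to that stream's /metadata endpoint. The base URL, the event type labels and the use of the "data" key for stream metadata are assumptions; the event type is a free label in EventStore.

```python
import json
import uuid

# Assumed values: local single-node HTTP API and the events content type.
BASE_URL = "http://localhost:2113"
EVENTS_CONTENT_TYPE = "application/vnd.eventstore.events+json"


def build_default_acl_request(readers):
    """Default ACLs are data of the $settings stream itself, so the POST
    goes to /streams/$settings, not to /streams/$settings/metadata."""
    body = [{"eventId": str(uuid.uuid4()),
             "eventType": "update-default-acl",  # assumed label
             "data": {"$systemStreamAcl": {"$r": list(readers)}}}]
    return {"url": f"{BASE_URL}/streams/$settings",
            "headers": {"Content-Type": EVENTS_CONTENT_TYPE},
            "body": json.dumps(body)}


def build_stream_acl_request(stream, readers):
    """A single stream's ACL lives in that stream's metadata endpoint."""
    body = [{"eventId": str(uuid.uuid4()),
             "eventType": "$metadata",  # assumed label
             "data": {"$acl": {"$r": list(readers)}}}]
    return {"url": f"{BASE_URL}/streams/{stream}/metadata",
            "headers": {"Content-Type": EVENTS_CONTENT_TYPE},
            "body": json.dumps(body)}


def check_acl_target(url, body_json):
    """Return None when the ACL keys fit the target URL, else a diagnostic.
    Catches the thread's bug: $systemStreamAcl posted to $settings/metadata."""
    keys = set()
    for event in json.loads(body_json):
        keys.update(event.get("data", {}).keys())
    is_default = "$systemStreamAcl" in keys or "$userStreamAcl" in keys
    is_stream = "$acl" in keys
    path = url.split("/streams/", 1)[1] if "/streams/" in url else url
    if is_default and path != "$settings":
        return ("default ACL keys must be written as data of $settings "
                "(POST /streams/$settings), got /streams/" + path)
    if is_stream and not path.endswith("/metadata"):
        return "$acl must go to the stream's /metadata endpoint, got /streams/" + path
    return None
```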