Eventstore Connection

EventStoreDB
#1

Hi,

I’m only using the most basic features of eventstore (reading and writing events) and I’m pretty new to it.

I’m wanting to secure my eventstore streams so that you must provide admin credentials in order to read or write ANY event.

James has pointed me in the direction of ACL’s

“However, in this particular case you’re likely hitting the difference between admin and anonymous operations. There’s an ACL which you can set for “user” streams vs “system” streams: http://docs.geteventstore.com/server/3.0.1/access-control-lists/

I think I need to change the default settings to the settings below. I’m pretty new to eventstore and haven’t got a clue how to go about this.

I’m hoping somebody could confirm I’m on the right lines and also give be a dummy’s guide to doing it.

{

“$userStreamAcl” : {

“$r” : “$admins”,

“$w” : “$admins”,

“$d” : “$admins”,

“$mr” : “$admins”,

“$mw” : “$admins”

},

“$systemStreamAcl” : {

“$r” : “$admins”,

“$w” : “$admins”,

“$d” : “$admins”,

“$mr” : “$admins”,

“$mw” : “$admins”

}

}

#2

So, doing bit of further investigation myself, the documentations says:

There is also a special ACL that is used as the default ACL. This can be found in the stream $settings. This stream controls the default ACLs for streams without ACLs and also controls who can for instance create streams in the system.

I can’t find the $settings stream through the UI or using curl

curl -i -H ‘Accept:application/json’ ‘http://127.0.0.1:2113/streams/$settings’ -u un:pwd

I’m probably asking dumb questions but any pointer in the right direction would be greatly appreciated.

#3

There isn't one by default, you create it :slight_smile:

#4

To be clear post this:

{
    "$userStreamAcl" : {
        "$r" : "$admins",
        "$w" : "$admins",
        "$d" : "$admins",
        "$mr" : "$admins",
        "$mw" : "$admins"
    },
    "$systemStreamAcl" : {
        "$r" : "$admins",
        "$w" : "$admins",
        "$d" : "$admins",
        "$mr" : "$admins",
        "$mw" : "$admins"
    }
}

to /streams/$settings if none is there we use the above as the default.

Greg

#5

The default (if the $settings stream doesn’t exist) is:

{

“$userStreamAcl” : {

“$r” : “$all”,

“$w” : “$all”,

“$d” : “$all”,

“$mr” : “$all”,

“$mw” : “$all”

},

“$systemStreamAcl” : {

“$r” : “$admins”,

“$w” : “$admins”,

“$d” : “$admins”,

“$mr” : “$admins”,

“$mw” : “$admins”

}

}

#6

Thanks Greg/James - posted the JSON provided to the $settings stream and all streams in my store now require admin privlages.

One thing that tripped me up was forgetting to encode the $ using when using curl. So streams/$settings becomes streams/%24settings

#7

Yes it depends on what client you use on url encoding some do it by
default ... I thought for $ we will understand it but will test
tomorrow.

Greg

#8

Hi Greg

Using terminal from a mac using the line below gives a 404:

curl -i -d@settings.json “http://127.0.0.1:2113/streams/$settings” -u admin:changeit -H “Content-Type:application/json” -H “ES-EventType: some-event” -H “ES-EventId: some-guid”

Substituting $ for %24 gives a 201

As you say, it’s nothing to do with eventstore, it’s the client I’m using to do the post.

#9

Marc,

Did it matter what the event type was? I’ve successfully posted the modified default ACL as shown to the $settings stream but it hasn’t changed the default ACL - i.e.: regular users can still create streams, for example. Any other tricks?

Thanks,

Joel

#10

The example here has been updated
http://docs.geteventstore.com/server/3.1.0-pre/access-control-lists/
to make sure it was correct

#11

Thanks Greg.

Using the event type “settings” made the difference.

Joel