Setting up security on EventStore

Rinat_Abdullin · July 22, 2013, 10:37am

Just a few questions about new security features of EventStore. I couldn’t find answers to them in Security doc.

Basically I’m setting up an EventStore server in Windows Azure and wanted to make it available to a few other azure virtual machines in different subscriptions based on user/pass credentials. Ideally some credentials would have really limited access to some streams.

How do we secure Web UI (2113)? Currently I can connect to this UI and stop server or view information.
How do we prevent unauthorised users from creating streams over TCP? Currently I can connect as non-authenticated user and create a random stream (and start appending to it)?

Best regards,

Rinat

Lars_Riis_Olsen · February 21, 2014, 5:44pm

Any news on this one?. The two scenarios still seem to be possible.

/Lars

jen20 · February 21, 2014, 8:38pm

Both were fixed, the admin operations require authorisation, and default ACLs (see docs) allow preventing stream creation