Why are security ACLs not taking effect?


I want to secure the user-defined streams, so that only the user 'service-a-user' can create and write/read the stream.
I used the method which is mentioned in the docs, like below:

curl -i "
    --user admin:changeit \
    -H "Content-Type: application/vnd.eventstore.events+json" \
    -d $'[{
        "eventId": "7c314750-05e1-439f-b2eb-f5b0e019be72",
        "eventType": "update-default-acl",
        "data": {
            "$userStreamAcl" : {
                "$r" : "service-a-user",
                "$w" : "service-a-user",
                "$d" : "service-a-user",
                "$mr" : "service-a-user",
                "$mw" : "service-a-user"
            },
            "$systemStreamAcl" : {
                "$r" : "$admins",
                "$w" : "$admins",
                "$d" : "$admins",
                "$mr" : "$admins",
                "$mw" : "$admins"
            }
        }
    }]'

But when I use the gRPC client to write/read the stream, it can do the operation even if I don't input the authentication info. It seems the ACLs are not in effect.

Also, I logged in to the dashboard web page and tried to edit the ACLs for one stream; it also had no effect.

Can anyone tell me what's wrong here? Thanks.

@jimmy0010, are you using the secured connection in the gRPC? If you’re using an insecure connection, then ACLs are not verified. Credentials are ignored, as it’s not safe to send them with the regular HTTP.

See more in https://developers.eventstore.com/server/v21.6/docs/security/configuration.html#running-without-security.
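
The two things this thread turns on can be checked before the request is sent. The following is an added example, not code from either poster or from the EventStoreDB project: it lints an `update-default-acl` request body for broken or misplaced braces and reports whether a client connection string asks for an insecure connection. The function names are hypothetical, and the `tls=false` parameter of an `esdb://` connection string is an assumption about how the client is configured.

```python
import json
from urllib.parse import parse_qs, urlsplit

PERMS = {"$r", "$w", "$d", "$mr", "$mw"}      # permission keys used in the post
ACLS = ("$userStreamAcl", "$systemStreamAcl")

def _valid_roles(value):
    """A permission is a role/user name or a non-empty list of names."""
    names = value if isinstance(value, list) else [value]
    return bool(names) and all(isinstance(n, str) and n for n in names)

def check_default_acl_body(body):
    """Return a list of problems in an update-default-acl request body."""
    try:
        events = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc.msg}"]
    if not isinstance(events, list) or not events:
        return ["body must be a non-empty JSON array of events"]
    problems = []
    for i, event in enumerate(events):
        data = event.get("data") if isinstance(event, dict) else None
        if not isinstance(data, dict):
            problems.append(f"event {i}: 'data' object is missing")
            continue
        for acl in ACLS:
            entry = data.get(acl)
            if entry is None:
                continue                      # ACL not set in this event
            if not isinstance(entry, dict):
                problems.append(f"event {i}: {acl} is not an object")
                continue
            for key, value in entry.items():
                if key not in PERMS:
                    problems.append(f"event {i}: unexpected key {key} in {acl}")
                elif not _valid_roles(value):
                    problems.append(f"event {i}: {acl}.{key} has no role name")
    return problems

def connection_uses_tls(conn):
    """False when the connection string carries tls=false (assumed parameter)."""
    params = {k.lower(): v for k, v in parse_qs(urlsplit(conn).query).items()}
    return params.get("tls", ["true"])[-1].lower() != "false"

# Constructed samples: a body cut off mid-object, and one whose braces were
# closed in the wrong place so the system ACL sits inside the user ACL.
TRUNCATED = '[{"eventType": "update-default-acl", "data": {"$userStreamAcl": {"$r": "service-a-user"'
MISNESTED = ('[{"eventType": "update-default-acl", "data": {"$userStreamAcl": '
             '{"$r": "service-a-user", "$systemStreamAcl": {"$r": "$admins"}}}}]')
```
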