Ayende @ Rahien

Hi!
My name is Oren Eini
Founder of Hibernating Rhinos LTD and RavenDB.

System Users and Application Users


This is a question that comes up relatively often on the RavenDB mailing list. How do I handle multiple users with RavenDB? Does it support multiple users? Does it support the Membership Provider?

Those questions usually miss a key point about users: whose users are they?

In particular, we need to make a distinction between System Users and Application Users. Despite using the same term for both, there is actually very little connection between the two.

Here is an example of a System User:

<connectionStrings>
    <add name="RavenDB" connectionString="Url=http://scotty.ravendb.net;user=beam;password=up"/>
</connectionStrings>

As you can probably surmise, this is a connection string, and the user is ‘beam’. This user is a System User: if you call the Ops Team and ask them why its password expired, they can help you.

A system user controls access to external resources, and usually you have very few of them. They govern things like which parts of the disk you can write to, which databases you can connect to, etc. For the most part they aren’t in your control: you don’t manage them, and neither does your application.

In contrast to that, here is a great example of an Application User:

[image: the RavenDB account on Twitter]

An Application User is unique to its application. It is usually manifested as a document (or a database row) and doesn’t have any existence beyond that. If you called the Twitter Ops Team and told them that the RavenDB account password needs resetting, they would be pissed that you are wasting their time.

This distinction is important, because it implies a lot about how we use those two different types of users.

System Users are used… well, for the system. Application Users are the actual users using the system. Very rarely are they one and the same. Usually our application uses a service account, and any security checks for what an Application User can do are implemented as part of the business logic, not by setting ACLs.
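To make the split concrete, here is a small Python sketch added to this post (it is not RavenDB client code and not the author's own). One service account, the ‘beam’/‘up’ pair from the connection string above, opens the store; Application Users are plain documents inside that store; and what a user may do is decided in business logic. The in-memory store, the connect() parser, the server-side acceptance of only that one system credential, and the users/posts documents are all constructed for the example.

```python
"""Added illustration (not RavenDB client code): one service account opens the
store; Application Users are documents inside it; authorization is business logic."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

ITERATIONS = 100_000      # PBKDF2 work factor for application-user passwords
_DUMMY_SALT = bytes(16)   # hashed when a user does not exist, so the cost is the same


@dataclass
class Store:
    """Stand-in for a document database reached through ONE system-user connection."""
    url: str
    docs: Dict[str, dict] = field(default_factory=dict)


def connect(connection_string: str) -> Store:
    """Open the store with the System User named in the connection string.

    The server-side check is constructed for the example: only the 'beam'/'up'
    pair from the post's connection string is accepted. Nothing the application
    does can create or change this user; the Ops team owns it.
    """
    parts = dict(p.split("=", 1) for p in connection_string.split(";") if p)
    user_ok = hmac.compare_digest(parts.get("user", ""), "beam")
    pass_ok = hmac.compare_digest(parts.get("password", ""), "up")
    if not (user_ok and pass_ok):
        raise PermissionError("system user rejected")
    return Store(url=parts["Url"])


def register(store: Store, username: str, password: str, roles: Iterable[str] = ()) -> str:
    """Create an Application User. It is just a document; delete it and the user is gone."""
    salt = os.urandom(16)
    doc_id = f"users/{username}"
    store.docs[doc_id] = {
        "Username": username,
        "Salt": salt,
        "Hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS),
        "Roles": list(roles),
    }
    return doc_id


def authenticate(store: Store, username: str, password: str) -> Optional[str]:
    """Check an Application User's password against its document; return the id or None.

    A missing user still pays for one PBKDF2 run so that response timing does
    not reveal which usernames exist.
    """
    doc_id = f"users/{username}"
    doc = store.docs.get(doc_id)
    salt, expected = (doc["Salt"], doc["Hash"]) if doc else (_DUMMY_SALT, bytes(32))
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if doc is None or not hmac.compare_digest(digest, expected):
        return None
    return doc_id


def can(store: Store, actor_id: str, action: str, post_id: str) -> bool:
    """Business-logic authorization: the database only ever sees the service
    account, so 'who may do what' is decided here, not by ACLs on the store."""
    actor = store.docs[actor_id]
    post = store.docs[post_id]
    if action == "edit":
        return post["Author"] == actor_id
    if action == "delete":
        return post["Author"] == actor_id or "moderator" in actor["Roles"]
    return False


def demo() -> dict:
    """Constructed scenario: alice writes a post; bob is a moderator."""
    store = connect("Url=http://scotty.ravendb.net;user=beam;password=up")
    alice = register(store, "alice", "correct horse")
    bob = register(store, "bob", "battery staple", roles=["moderator"])
    store.docs["posts/1"] = {"Author": alice, "Body": "hello"}
    return {
        "alice_login": authenticate(store, "alice", "correct horse"),
        "bad_password": authenticate(store, "alice", "wrong"),
        "unknown_user": authenticate(store, "carol", "anything"),
        "alice_edit": can(store, alice, "edit", "posts/1"),
        "bob_edit": can(store, bob, "edit", "posts/1"),
        "bob_delete": can(store, bob, "delete", "posts/1"),
    }


def app_user_cannot_open_store() -> bool:
    """An Application User's credential means nothing to the database server."""
    try:
        connect("Url=http://scotty.ravendb.net;user=alice;password=correct horse")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), app_user_cannot_open_store())
```

The point the code makes is the one the post makes: alice's password lets her into the application, but handing it to connect() gets a PermissionError, because the store has never heard of her. Only ‘beam’ exists as far as the server is concerned, and everything alice and bob may or may not do is enforced by can(), which is ordinary application code.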

Don’t confuse the two, despite the common name.

And coming back all the way to the original question. RavenDB comes with the notion of System Users via Windows Auth and OAuth, and it helps with Application Users using the Authorization Bundle. But you really don’t want to use the membership API, regardless of the underlying storage.


Comments

Daniel Lang

Ayende, what is the problem with the membership API?

I find it quite useful to implement at least a few methods of both providers, so that the Authorize attribute works on controllers and actions.

Ayende Rahien

Daniel, it is a huge API; it makes a lot of assumptions, and it is really not nice to work with in terms of what it gives you and what you have to implement.

Andrew Rimmer

The membership API is pretty awful. The cons really do outweigh the pros...

Daniel - you can just implement IPrincipal to get the out-of-the-box Authorize attribute to work.

I usually do this and use forms authentication vs using the membership provider.

Daniel Lang

Ayende and Andrew, thanks, I see your point. I will take a look at implementing IPrincipal instead, or writing a custom authorization filter.

Justin Adler

@Daniel Lang - keep well away from the evil Membership API. Ayende and Andrew summed it up nicely.

In fact, when I get a chance, I'll try and complete my Facebook integration/authorization into RavenOverflow so you can see how you can have application users in an application, easily and without having to have passwords also. Watch this space (in a week or so).

Scott Scowden

Justin, I am looking forward to your sample.

Are there any other good samples out there of integrating IPrincipal with MVC?

Adrian Lanning

One of the little-known benefits of the MembershipAPI is that there is a very thorough administration section available for it up on codeplex: http://mywsat.codeplex.com/

Hunzonian, the author, really outdid himself putting that together and it has saved me a lot of time over the years. I have used it in a production MVC site since 2008.

Recently I needed an admin section for an MVC site that uses Mongo so I made a port (the MyWSAT project is heavily tied to SQL Server - see project page for details): http://www.nuget.org/List/Packages/MongoWSAT

It should be fairly straightforward to make a RavenDB version. If anyone wants to attempt it and would like pointers, hit me up via nuget or github.
