ArangoDB password doesn't seem to do anything

2
votes

I'm testing out ArangoDB for a project.

I've installed ArangoDB through homebrew and I'm able to run it fine without any problem, it's pretty good actually.

I've got a small concern about security that I'm trying to address.

When I create a new database (I'm using the Web Interface) i'm asked for the db name, and a username & password.

It doesn't seem to matter what I put in the username and password, i'm always able to login to it without any prompting for password.

For example, i've created a database with the default user root and some random password and I can login to fine with arangosh, no questions asked.

arangosh --server.database test1

                                       _     
  __ _ _ __ __ _ _ __   __ _  ___  ___| |__  
 / _` | '__/ _` | '_ \ / _` |/ _ \/ __| '_ \ 
| (_| | | | (_| | | | | (_| | (_) \__ \ | | |
 \__,_|_|  \__,_|_| |_|\__, |\___/|___/_| |_|
                       |___/                 

arangosh (ArangoDB 2.7.1 [darwin] 64bit, using ICU 54.1, V8 4.3.61, OpenSSL 1.0.2d 9 Jul 2015)
Copyright (c) ArangoDB GmbH

Pretty printing values.
Connected to ArangoDB 'tcp://127.0.0.1:8529' version: 2.7.1 [standalone], database: 'test1', username: 'root'

I've tried to create another database with a different user and password (bob was the user) and it still doesn't make any difference (and still logs in as root):

arangosh --server.database test2

                                       _     
  __ _ _ __ __ _ _ __   __ _  ___  ___| |__  
 / _` | '__/ _` | '_ \ / _` |/ _ \/ __| '_ \ 
| (_| | | | (_| | | | | (_| | (_) \__ \ | | |
 \__,_|_|  \__,_|_| |_|\__, |\___/|___/_| |_|
                       |___/                 

arangosh (ArangoDB 2.7.1 [darwin] 64bit, using ICU 54.1, V8 4.3.61, OpenSSL 1.0.2d 9 Jul 2015)
Copyright (c) ArangoDB GmbH

Pretty printing values.
Connected to ArangoDB 'tcp://127.0.0.1:8529' version: 2.7.1 [standalone], database: 'test2', username: 'root'

In both cases I can do anything I want, create collections, add documents, etc.

Why is the credential system seemingly not doing what it should? (protecting the system).

I'm using the default homebrew installation version on OS X.

I am not root (as in system root), but I am the user manually starting the DB instance from Terminal – so maybe in that regard I am the internal DB root (the user who starts the system) but that's just a wild guess.

Am I missing anything?

1
arangodb

1 Answers

3
votes

By default the server will start with authentication disabled. This is to make trying out ArangoDB as easy as possible, but from a security point of view it's (at least) debatable.

To make the server use authentication for all incoming requests you can edit the server's configuration file arangod.conf. The config file should be located in /usr/local/etc/arangodb/arangod.conf when using homebrew.

The following directive in the config file can be used to toggle authentication on the server:

# disable authentication for the admin frontend
disable-authentication = yes

Note that the arangod process needs to be restarted after changing the config file, otherwise the changes will have no effect.

Note that even though authentication is disabled by default, the server will bind to 127.0.0.1 only by default. So incoming requests from other hosts will not be accepted. In order to make your ArangoDB instance available to requests from other IP address, you may also want to change the server's endpoint configuration to something else than tcp://127.0.0.1:8529. The option for this is located in the same config file.