[Breaking change proposal] DGraph --bindall is insecure by default

I noticed that the out of box behavior for dgraph alpha and zero is to bind to Even for just playing around, this is surprising behavior for a database to have. Every database I have installed recently binds to localhost unless you explicitly tell it otherwise. This provides security by default, which I also expect DGraph would provide.

I am no expert on DGraph’s security model, but it seems to be designed to have a layer providing user authorization in front of it at all times. This also supports the reasoning of binding to localhost by default.

I propose that the --bindall option be changed to false by default. Happy to contribute a pull request if folks agree. It seems like ratel doesn’t support changing the binding from, but I can look into providing that as well, and it definitely should be if this is changed.

Gus (srfrog) mentioned that it would be a breaking change and should be discussed here, so here I am. Here’s the Github issue

For discussion, let’s say Dgraph is successful enough to warrant its own conference with hundreds of people. The odds are very high that a simple portscan of the wifi network for port 8000 would pick up a ton of ratel instances, since it doesn’t offer the ability to change the binding. It’s also pretty likely that you could find zero/alpha instances as well, and connect to them to do what you wish.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.