
DGraph --bindall is insecure by default #3073

Description

@bbhoss

I noticed that the out-of-the-box behavior for dgraph alpha and zero is to bind to 0.0.0.0. Even for just playing around, this is surprising behavior for a database to have. Every database I have installed recently binds to localhost unless you explicitly tell it otherwise. This provides security by default, which I also expect DGraph would provide.

I am no expert on DGraph's security model, but it seems to be designed to have a layer providing user authorization in front of it at all times. This also supports the reasoning of binding to localhost by default.

I propose that the --bindall option be changed to false by default. Happy to contribute a pull request if folks agree. It seems like ratel doesn't support changing the binding from 0.0.0.0, but I can look into providing that as well, and it definitely should be if this is changed.
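An added check, not part of the issue or the Dgraph project, for the exposure described above: it audits `ss -ltn` style listener output for sockets bound to a wildcard address on the Dgraph ports, using a constructed sample. The default ports 5080/6080 (zero) and 8080/9080 (alpha) and the `--bindall=false` form of the flag are assumptions; adjust them to your deployment.

```shell
#!/bin/sh
# Added example: detect Dgraph listeners exposed on all interfaces.
# Assumed default ports (zero: 5080/6080, alpha: 8080/9080); edit as needed.
DGRAPH_PORTS="5080 6080 8080 9080"

# Constructed sample in `ss -ltn` layout: alpha and zero ports bound to
# wildcard addresses, plus two services correctly bound to loopback.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:5432     0.0.0.0:*
LISTEN 0      4096   0.0.0.0:8080       0.0.0.0:*
LISTEN 0      4096   *:9080             *:*
LISTEN 0      4096   [::]:5080          [::]:*
LISTEN 0      4096   127.0.0.1:6080     0.0.0.0:*'

# wildcard_binds: read ss-style lines on stdin and print the Local Address:Port
# of every LISTEN socket on 0.0.0.0, * or [::] whose port is in DGRAPH_PORTS.
wildcard_binds() {
    awk -v ports="$DGRAPH_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            laddr = $4
            port = laddr; sub(/.*:/, "", port)        # text after the last colon
            addr = laddr; sub(/:[^:]*$/, "", addr)    # text before the last colon
            if ((addr == "0.0.0.0" || addr == "*" || addr == "[::]") && (port in want))
                print laddr
        }'
}

# audit_live_host: run the same check against this machine's real listeners.
# Returns 1 when any Dgraph port is reachable on all interfaces, which is the
# condition the issue describes; the mitigation until the default changes is
# to start alpha and zero with --bindall=false (assumed flag syntax).
audit_live_host() {
    exposed=$(ss -ltn 2>/dev/null | wildcard_binds)
    [ -z "$exposed" ] && return 0
    printf 'Dgraph ports bound to all interfaces:\n%s\n' "$exposed"
    return 1
}

echo "Wildcard-bound Dgraph ports in the constructed sample:"
printf '%s\n' "$SAMPLE_SS" | wildcard_binds
```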
