Hello,
I have been trying to get Record Level Security to work using the document
database API for Java. I'm pretty new to OrientDB (I'm sure my sample code
shows it). I can't seem to get the behavior I'm expecting.
import com.orientechnologies.orient.core.db.document.ODatabaseDocumentTx;
import com.orientechnologies.orient.core.metadata.schema.OClass;
import com.orientechnologies.orient.core.metadata.schema.OType;
import com.orientechnologies.orient.core.metadata.security.ORole;
import com.orientechnologies.orient.core.metadata.security.OSecurity;
import com.orientechnologies.orient.core.metadata.security.OUser;
import com.orientechnologies.orient.core.record.impl.ODocument;
import com.orientechnologies.orient.core.sql.OCommandSQL;

public class RlsTest {
    // Assumed values (not given in the post): the class name and an embedded database path.
    private static final String TABLE_NAME = "Foo";

    public static void main(String[] args) {
        String path = "plocal:/tmp/rlstest";

        // Create database.
        ODatabaseDocumentTx db = new ODatabaseDocumentTx(path);
        db.create();

        // Create role with no permissions (mode 0 = deny all but the granted rules).
        db.command(new OCommandSQL("INSERT INTO orole SET name = 'foobar', mode = 0;")).execute();

        // Create a user with the new role.
        OSecurity sm = db.getMetadata().getSecurity();
        OUser user = sm.createUser("user", "user", "foobar");
        ORole foobarRole = sm.getRole("foobar");

        // Insert 2 records, one restricted, one is not.
        OClass restricted = db.getMetadata().getSchema().getClass("ORestricted");
        OClass docClass = db.getMetadata().getSchema().getOrCreateClass(TABLE_NAME, restricted);
        ODocument doc1 = new ODocument(docClass);
        ODocument doc2 = new ODocument(docClass);

        // The restricted record...
        doc1.field("name", TABLE_NAME);
        doc1.field("Id", 1, OType.INTEGER);
        doc1.field("Message", "Hello 1", OType.STRING);
        doc1.save();

        // The unrestricted record...
        doc2.field("name", TABLE_NAME);
        doc2.field("Id", 2, OType.INTEGER);
        doc2.field("Message", "Hello 2", OType.STRING);
        doc2.save();

        // Allow "user" with "foobar" role to read record doc2:
        // add the role's record id to the ORestricted _allowRead set of doc2.
        String sql = String.format(
                "UPDATE %s ADD _allowRead = %s",
                doc2.getIdentity().toString(),
                foobarRole.getDocument().getIdentity().toString());
        db.command(new OCommandSQL(sql)).execute();

        // Give foobar role permission to read from table.
        db.command(new OCommandSQL(String.format(
                "GRANT READ ON database.class.%s TO foobar", TABLE_NAME))).execute();
        db.close();

        // Open connection for "user".
        ODatabaseDocumentTx userDb = new ODatabaseDocumentTx(path);
        userDb.open("user", "user");

        // Here I would expect to see the message from doc2 but not doc1.
        // Nothing gets printed...
        for (ODocument odoc : userDb.browseClass(TABLE_NAME)) {
            System.out.println(odoc.field("Message"));
        }
        userDb.close();
    }
}
The behavior I'm trying to get is that the "user" with "foobar" role reads
back only the documents it has permissions to see. But browseClass returns
an empty list while the "admin" user sees both documents.
Any ideas?
See also: Same question on StackOverflow
<http://stackoverflow.com/questions/30515716/orientdb-how-to-record-level-security-with-odocument>
Thanks!
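A diagnostic pass that is worth running against the same database before digging into the API (added here as an example; it is not code from the original post or from the OrientDB project): open the database as admin, print the foobar role document and the _allowRead set of every record in the class, then, as "user", compare what browseClass returns with what an equivalent SELECT returns. The database path, the class name and the default admin/admin credentials of a freshly created database are assumptions.

```java
import java.util.List;

import com.orientechnologies.orient.core.db.document.ODatabaseDocumentTx;
import com.orientechnologies.orient.core.metadata.security.ORole;
import com.orientechnologies.orient.core.record.impl.ODocument;
import com.orientechnologies.orient.core.sql.query.OSQLSynchQuery;

public class RlsInspect {
    // Assumed values: the same embedded database and class name as the setup code.
    private static final String PATH = "plocal:/tmp/rlstest";
    private static final String TABLE_NAME = "Foo";

    // As admin: show what the role actually grants, which roles the user holds,
    // and which principals each record allows to read it.
    public static void dumpAsAdmin() {
        ODatabaseDocumentTx db = new ODatabaseDocumentTx(PATH);
        db.open("admin", "admin"); // default admin account of a newly created database
        try {
            ORole role = db.getMetadata().getSecurity().getRole("foobar");
            System.out.println("role foobar = " + role.getDocument().toJSON());

            List<ODocument> users = db.query(
                    new OSQLSynchQuery<ODocument>("SELECT FROM OUser WHERE name = ?"), "user");
            for (ODocument u : users) {
                System.out.println("user = " + u.toJSON());
            }

            // _allowRead is the ORestricted field filled by "UPDATE ... ADD _allowRead = <role rid>".
            List<ODocument> docs = db.query(
                    new OSQLSynchQuery<ODocument>("SELECT FROM " + TABLE_NAME));
            for (ODocument d : docs) {
                System.out.println(d.getIdentity() + " _allowRead=" + d.field("_allowRead")
                        + " Message=" + d.field("Message"));
            }
        } finally {
            db.close();
        }
    }

    // As the restricted user: count records seen via browseClass and via SELECT
    // so the two read paths can be compared; returns the SELECT count.
    public static int countVisibleAsUser() {
        ODatabaseDocumentTx db = new ODatabaseDocumentTx(PATH);
        db.open("user", "user");
        try {
            int browsed = 0;
            for (ODocument d : db.browseClass(TABLE_NAME)) {
                browsed++;
                System.out.println("browseClass: " + d.field("Message"));
            }
            List<ODocument> queried = db.query(
                    new OSQLSynchQuery<ODocument>("SELECT FROM " + TABLE_NAME));
            for (ODocument d : queried) {
                System.out.println("SELECT: " + d.field("Message"));
            }
            System.out.println("browseClass=" + browsed + " select=" + queried.size());
            return queried.size();
        } finally {
            db.close();
        }
    }

    public static void main(String[] args) {
        dumpAsAdmin();
        countVisibleAsUser();
    }
}
```

Two things to check in the admin output: that the role document carries a READ rule for the class after the GRANT, and that doc2's _allowRead set contains the role's record id (the #4:x RID printed for the role) rather than an empty set. If the setup looks right there but the user-side counts differ between browseClass and SELECT, the remaining question is about the read path rather than the permissions themselves.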