I played with this for a couple more days and figured out how to get this working. Just in case anyone else wants to see it, I posted my answer on StackOverflow.
OrientDB - How To - Record Level Security with ODocument <http://stackoverflow.com/questions/30515716/orientdb-how-to-record-level-security-with-odocument/30577851#30577851>

Thanks!

On Friday, May 29, 2015 at 10:41:34 AM UTC-7, Bryan wrote:
>
> Hello,
>
> I have been trying to get Record Level Security to work using the document
> database API for Java. I'm pretty new to OrientDB (I'm sure my sample code
> shows it). I can't seem to get the behavior I'm expecting.
>
> // Create database.
> ODatabaseDocumentTx db = new ODatabaseDocumentTx(path);
> db.create();
>
> // Create role with no permissions.
> db.command(new OCommandSQL("INSERT INTO orole SET name = 'foobar', mode = 0;")).execute();
>
> // Create a user with the new role.
> OSecurity sm = db.getMetadata().getSecurity();
> OUser user = sm.createUser("user", "user", "foobar");
> ORole foobarRole = sm.getRole("foobar");
>
> // Insert 2 records, one restricted, one is not.
> OClass restricted = db.getMetadata().getSchema().getClass("ORestricted");
> OClass docClass = db.getMetadata().getSchema().getOrCreateClass(TABLE_NAME, restricted);
>
> ODocument doc1 = new ODocument(docClass);
> ODocument doc2 = new ODocument(docClass);
>
> // The restricted record...
> doc1.field("name", TABLE_NAME);
> doc1.field("Id", 1, OType.INTEGER);
> doc1.field("Message", "Hello 1", OType.STRING);
> doc1.save();
>
> // The unrestricted record...
> doc2.field("name", TABLE_NAME);
> doc2.field("Id", 2, OType.INTEGER);
> doc2.field("Message", "Hello 2", OType.STRING);
> doc2.save();
>
> // Allow "user" with "foobar" role to read record doc2.
> String sql = String.format(
>     "UPDATE %s ADD _allowRead = %s",
>     doc2.getIdentity().toString(),
>     foobarRole.getDocument().getIdentity().toString());
>
> db.command(new OCommandSQL(sql)).execute();
>
> // Give foobar role permission to read from table.
> db.command(new OCommandSQL(String.format("GRANT READ ON database.class.%s TO foobar", TABLE_NAME))).execute();
>
> db.close();
>
> // Open connection for "user".
> ODatabaseDocumentTx userDb = new ODatabaseDocumentTx(path);
> userDb.open("user", "user");
>
> // Here I would expect to see the message from doc2 but not doc1.
> // Nothing gets printed...
> for (ODocument odoc : userDb.browseClass(TABLE_NAME))
> {
>     System.out.println(odoc.field("Message"));
> }
>
> The behavior I'm trying to get is that the "user" with "foobar" role reads
> back only the documents it has permissions to see. But browseClass returns
> an empty list while the "admin" user sees both documents.
>
> Any ideas?
>
> See also: Same question on StackOverflow
> <http://stackoverflow.com/questions/30515716/orientdb-how-to-record-level-security-with-odocument>
>
> Thanks!
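A way to verify a record-level security set-up like the one in the question, as an added example that is not part of the thread and not OrientDB's own code: it reads each record's `_allowRead` (and `_allow`) link set through an admin session, derives which records a given user should be able to read, then opens that user's own session and compares the two sets. It assumes the OrientDB 2.x Java API used in the question, an `admin` user whose password is passed in, and a database URL and class name supplied by the caller; the SQL that creates the role, user and records is not repeated here.

```java
import java.util.HashSet;
import java.util.Set;
import com.orientechnologies.orient.core.db.document.ODatabaseDocumentTx;
import com.orientechnologies.orient.core.db.record.OIdentifiable;
import com.orientechnologies.orient.core.id.ORID;
import com.orientechnologies.orient.core.metadata.security.ORole;
import com.orientechnologies.orient.core.metadata.security.OUser;
import com.orientechnologies.orient.core.record.impl.ODocument;
public class RecordAclCheck {
    // RIDs the engine matches against the _allow* link sets: the user's own record, its roles and their parents.
    static Set<ORID> principalIds(ODatabaseDocumentTx adminDb, String userName) {
        Set<ORID> ids = new HashSet<ORID>();
        OUser user = adminDb.getMetadata().getSecurity().getUser(userName);
        ids.add(user.getDocument().getIdentity());
        for (ORole role : user.getRoles())
            for (ORole r = role; r != null; r = r.getParentRole())
                ids.add(r.getDocument().getIdentity());
        return ids;
    }
    // True when at least one link in the ACL set points at one of the principal RIDs.
    static boolean allows(Set<OIdentifiable> acl, Set<ORID> principals) {
        if (acl == null) return false;
        for (OIdentifiable entry : acl)
            if (principals.contains(entry.getIdentity())) return true;
        return false;
    }
    // What the ACL fields say the user may read, computed from the admin's unrestricted view of the class.
    static Set<ORID> expectedReadable(ODatabaseDocumentTx adminDb, String cls, Set<ORID> principals) {
        Set<ORID> expected = new HashSet<ORID>();
        for (ODocument doc : adminDb.browseClass(cls)) {
            Set<OIdentifiable> allowRead = doc.field("_allowRead");
            Set<OIdentifiable> allowAll = doc.field("_allow"); // _allow covers every operation, read included
            if (allows(allowRead, principals) || allows(allowAll, principals)) expected.add(doc.getIdentity());
        }
        return expected;
    }
    // Compares that expectation with what the user's own session returns. The sessions are opened one after
    // the other because OrientDB binds the active database to the current thread.
    static boolean aclsEnforced(String url, String adminPass, String user, String pass, String cls) {
        ODatabaseDocumentTx adminDb = new ODatabaseDocumentTx(url).open("admin", adminPass);
        Set<ORID> expected;
        try { expected = expectedReadable(adminDb, cls, principalIds(adminDb, user)); }
        finally { adminDb.close(); }
        ODatabaseDocumentTx userDb = new ODatabaseDocumentTx(url).open(user, pass);
        Set<ORID> actual = new HashSet<ORID>();
        try { for (ODocument doc : userDb.browseClass(cls)) actual.add(doc.getIdentity()); }
        finally { userDb.close(); }
        return expected.equals(actual); // false: either a leak (extra RID) or an over-restriction (missing RID)
    }
}
```

For the set-up in the question, `expected` would contain doc2 only, so an empty `actual` (the reported symptom) makes the check fail in the over-restriction direction, while an `actual` containing doc1 would fail it in the leak direction.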
