While if I specify ALLOW_ALL_BUT, I can open the DB as user.

What other security constraints have to be considered? I looked at the
documentation but didn't find anything...


On Wednesday, August 26, 2015 at 12:50:25 PM UTC+2, Maverick wrote:
>
> Hi
>
> I have the piece of code reported below. Basically, I open a graph db as 
> admin, create a "Visitor" role with permission DENY_ALL_BUT, and grant all 
> access on the class "Invoice". Then, I create a user "John", which is a 
> Visitor.
> When I open the db again as John, I get this security exception:
>
> User 'John' has no the permission to execute the operation 'Read' against 
> the resource: ResourceGeneric [name=DATABASE, legacyName=database].null
>
>
> Possibly I'm specifying the permissions in a wrong way, but so far I
> haven't found how to do it correctly; how should I do it?
>
>
> Here is the code:
>
>
> String db_addr = "plocal:testdb";
> OrientGraphNoTx graph = new OrientGraphFactory( db_addr ).getNoTx();
> OSecurity security = graph.getRawGraph().getMetadata().getSecurity();
>
> ORole admin = security.getRole( "admin" );
> ORole visitor = security.getRole( "Visitor" );
> if( visitor == null ) {
>     visitor = security.createRole( "Visitor", ALLOW_MODES.DENY_ALL_BUT );
>     visitor.addRule( ORule.ResourceGeneric.COMMAND, "Invoice", ORole.PERMISSION_ALL);
>     visitor.addRule( ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_ALL);
>     visitor.addRule( ORule.ResourceGeneric.DATABASE, "Invoice", ORole.PERMISSION_ALL);
>     visitor.addRule( ORule.ResourceGeneric.CLUSTER, "Invoice", ORole.PERMISSION_ALL);
>     visitor.addRule( ORule.ResourceGeneric.FUNCTION, "Invoice", ORole.PERMISSION_ALL);
>     visitor.addRule( ORule.ResourceGeneric.SCHEMA, "Invoice", ORole.PERMISSION_ALL);
>     visitor.addRule( ORule.ResourceGeneric.RECORD_HOOK, "Invoice", ORole.PERMISSION_ALL);
>     visitor.save();
>     visitor = visitor.reload();
> }
>
> if( security.getUser( "John" ) == null )
>     security.createUser( "John", "mypwd", visitor );
>
> for( Vertex vertex : graph.getVertices() ) {
>     graph.removeVertex( vertex );
> }
> graph.commit();
>
> {
>     OrientVertex v = graph.addVertex( "class:Invoice" );
>     v.setProperty("amount", 123 );
>     v.save();
>     v = graph.addVertex( "class:Invoice" );
>     v.setProperty("amount", 456 );
>     v.save();
> }
>
> for( Vertex vertex : graph.getVertices() ) {
>     System.out.println( vertex );
> }
> graph.getRawGraph().close();
>
> System.out.println( "=====" );
>
> graph = new OrientGraphFactory( db_addr, "John", "mypwd" ).getNoTx();
> for( Vertex vertex : graph.getVerticesOfClass( "Invoice" ) ) {
>     try {
>         vertex.setProperty( "testprop", "testval" );
>         graph.commit();
>     }
>     catch( Exception ex ) {
>         ex.printStackTrace();
>     }
>     System.out.println( vertex + ": " + vertex.getProperty( "testprop" ) );
> }
> graph.getRawGraph().close();
>
>
>
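A simplified model of the two behaviours reported in this thread, added here as an example; it is not part of the original messages and is not OrientDB's code. The class `RoleModel`, its bitmask constants and its lookup logic are assumptions chosen to reproduce what the thread describes: a rule granted on the specific name "Invoice" does not cover a check against the resource with no specific name (the `.null` in the exception), so the role's mode decides.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical model of a role's rule lookup (assumption, not OrientDB source).
public class RoleModel {
    static final int READ = 2, ALL = 15;          // constructed bitmasks for this model
    enum Mode { DENY_ALL_BUT, ALLOW_ALL_BUT }

    final Mode mode;
    // generic resource -> (specific name, or null for the whole resource) -> permitted ops
    final Map<String, Map<String, Integer>> rules = new HashMap<>();

    RoleModel(Mode mode) { this.mode = mode; }

    void addRule(String generic, String specific, int ops) {
        rules.computeIfAbsent(generic, g -> new HashMap<>()).put(specific, ops);
    }

    boolean allow(String generic, String specific, int op) {
        Map<String, Integer> rule = rules.get(generic);
        if (rule != null) {
            Integer ops = rule.get(specific);
            if (ops == null) ops = rule.get(null);  // fall back to the generic-level grant
            if (ops != null) return (ops & op) == op;
        }
        return mode == Mode.ALLOW_ALL_BUT;          // no matching rule: the mode decides
    }

    public static void main(String[] args) {
        // Same grant as the posted code: DATABASE restricted to the name "Invoice".
        RoleModel visitor = new RoleModel(Mode.DENY_ALL_BUT);
        visitor.addRule("DATABASE", "Invoice", ALL);
        // Opening the database is checked against DATABASE with a null specific name.
        System.out.println("DENY_ALL_BUT, DATABASE.null read: "
                + visitor.allow("DATABASE", null, READ));
        System.out.println("DENY_ALL_BUT, DATABASE.Invoice read: "
                + visitor.allow("DATABASE", "Invoice", READ));

        // Same rule under ALLOW_ALL_BUT: the unmatched check falls through to "allow".
        RoleModel open = new RoleModel(Mode.ALLOW_ALL_BUT);
        open.addRule("DATABASE", "Invoice", ALL);
        System.out.println("ALLOW_ALL_BUT, DATABASE.null read: "
                + open.allow("DATABASE", null, READ));

        // In this model, a grant with a null specific name covers the open check.
        visitor.addRule("DATABASE", null, READ);
        System.out.println("DENY_ALL_BUT + generic grant, DATABASE.null read: "
                + visitor.allow("DATABASE", null, READ));
    }
}
```

Whether a generic-level DATABASE read grant alone is enough for a real DENY_ALL_BUT role is not established in this thread; the model only shows why the name-scoped rule never matches the check named in the exception.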
