Follow-up: After struggling a lot I ended up copying from OSecurityShared the following code, which is used internally to create the "reader" role:
visitor.addRule(ORule.ResourceGeneric.DATABASE, null, ORole.PERMISSION_READ ); visitor.addRule(ORule.ResourceGeneric.SCHEMA, null, ORole.PERMISSION_READ); visitor.addRule(ORule.ResourceGeneric.CLUSTER, OMetadataDefault. CLUSTER_INTERNAL_NAME, ORole.PERMISSION_READ); visitor.addRule(ORule.ResourceGeneric.CLUSTER, "orole", ORole. PERMISSION_READ); visitor.addRule(ORule.ResourceGeneric.CLUSTER, "ouser", ORole. PERMISSION_READ); visitor.addRule(ORule.ResourceGeneric.CLASS, null, ORole.PERMISSION_READ); visitor.addRule(ORule.ResourceGeneric.CLUSTER, null, ORole.PERMISSION_READ); visitor.addRule(ORule.ResourceGeneric.COMMAND, null, ORole.PERMISSION_READ); visitor.addRule(ORule.ResourceGeneric.RECORD_HOOK, null, ORole. PERMISSION_READ); visitor.addRule(ORule.ResourceGeneric.FUNCTION, null, ORole.PERMISSION_READ ); Now, for end users this code looks a bit cryptic, and for sure the documentation about security (http://orientdb.com/docs/2.0/orientdb.wiki/Security.html) is not enough to replicate this. I may contribute with some documentation, if needed, but first I have to understand myself how it actually works. Adding visitor.addRule(ORule.ResourceGeneric.CLASS, "Invoice", ORole. PERMISSION_READ); doesn't do the magic, while removing visitor.addRule(ORule.ResourceGeneric.CLUSTER, null, ORole.PERMISSION_READ); prevents reading every class. Does anybody have any suggestion or had the same problem before? On Wednesday, August 26, 2015 at 4:41:47 PM UTC+2, Maverick wrote: > > While is I specify ALLOW_ALL_BUT, I can open the DB as user. > > What other security constraint have to be considered? I looked at the > documentation but didn't find anything... > > > On Wednesday, August 26, 2015 at 12:50:25 PM UTC+2, Maverick wrote: >> >> Hi >> >> I have the piece of code reported below. Basically, I open a graph db as >> admin, create a "Visitor" role with permission DENY_ALL_BUT, and grant all >> access on the class "Invoice". Then, I create a user "John", which is a >> Visitor. >> When I open the db again as John, I get this security exception: >> >> User 'John' has no the permission to execute the operation 'Read' against >> the resource: ResourceGeneric [name=DATABASE, legacyName=database].null >> >> >> Possibly I'm specifying the permissions in a wrong way, but so far I >> haven't found how to do it correctly; how should I do? >> >> >> Here is the code: >> >> >> String db_addr = "plocal:testdb"; >> >> OrientGraphNoTx graph = new OrientGraphFactory( db_addr ).getNoTx(); >> >> OSecurity security = graph.getRawGraph().getMetadata().getSecurity(); >> >> ORole admin = security.getRole( "admin" ); >> >> ORole visitor = security.getRole( "Visitor" ); >> >> if( visitor == null ) { >> >> visitor = security.createRole( "Visitor", ALLOW_MODES.DENY_ALL_BUT ); >> >> visitor.addRule( ORule.ResourceGeneric.COMMAND, "Invoice", >> ORole.PERMISSION_ALL); >> >> visitor.addRule( ORule.ResourceGeneric.CLASS, "Invoice", >> ORole.PERMISSION_ALL); >> >> visitor.addRule( ORule.ResourceGeneric.DATABASE, "Invoice", >> ORole.PERMISSION_ALL); >> >> visitor.addRule( ORule.ResourceGeneric.CLUSTER, "Invoice", >> ORole.PERMISSION_ALL); >> >> visitor.addRule( ORule.ResourceGeneric.FUNCTION, "Invoice", >> ORole.PERMISSION_ALL); >> >> visitor.addRule( ORule.ResourceGeneric.SCHEMA, "Invoice", >> ORole.PERMISSION_ALL); >> >> visitor.addRule( ORule.ResourceGeneric.RECORD_HOOK, "Invoice", >> ORole.PERMISSION_ALL); >> >> visitor.save(); >> >> visitor = visitor.reload(); >> >> } >> >> if( security.getUser( "John" ) == null ) >> >> security.createUser( "John", "mypwd", visitor ); >> >> for( Vertex vertex : graph.getVertices() ) { >> >> graph.removeVertex( vertex ); >> >> } >> >> graph.commit(); >> >> { >> >> OrientVertex v = graph.addVertex( "class:Invoice" ); >> >> v.setProperty("amount", 123 ); >> >> v.save(); >> >> v = graph.addVertex( "class:Invoice" ); >> >> v.setProperty("amount", 456 ); >> >> v.save(); >> >> } >> >> for( Vertex vertex : graph.getVertices() ) { >> >> System.out.println( vertex ); >> >> } >> >> graph.getRawGraph().close(); >> >> System.out.println( "=====" ); >> >> graph = new OrientGraphFactory( db_addr, "John", "mypwd" ).getNoTx(); >> >> for( Vertex vertex : graph.getVerticesOfClass( "Invoice" ) ) { >> >> try { >> >> vertex.setProperty( "testprop", "testval" ); >> >> graph.commit(); >> >> } >> >> catch( Exception ex ) { >> >> ex.printStackTrace(); >> >> } >> >> System.out.println( vertex + ": " + vertex.getProperty( "testprop" ) ); >> >> } >> >> graph.getRawGraph().close(); >> >> >> -- --- You received this message because you are subscribed to the Google Groups "OrientDB" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
