Thank you Maverick, you saved me!

On Monday, August 31, 2015 at 10:31:32 UTC, Maverick wrote:
>
> Follow-up:
>
> After struggling a lot I ended up copying from OSecurityShared the
> following code, which is used internally to create the "reader" role:
>
>     visitor.addRule(ORule.ResourceGeneric.DATABASE, null, ORole.PERMISSION_READ);
>     visitor.addRule(ORule.ResourceGeneric.SCHEMA, null, ORole.PERMISSION_READ);
>     visitor.addRule(ORule.ResourceGeneric.CLUSTER, OMetadataDefault.CLUSTER_INTERNAL_NAME, ORole.PERMISSION_READ);
>     visitor.addRule(ORule.ResourceGeneric.CLUSTER, "orole", ORole.PERMISSION_READ);
>     visitor.addRule(ORule.ResourceGeneric.CLUSTER, "ouser", ORole.PERMISSION_READ);
>     visitor.addRule(ORule.ResourceGeneric.CLASS, null, ORole.PERMISSION_READ);
>     visitor.addRule(ORule.ResourceGeneric.CLUSTER, null, ORole.PERMISSION_READ);
>     visitor.addRule(ORule.ResourceGeneric.COMMAND, null, ORole.PERMISSION_READ);
>     visitor.addRule(ORule.ResourceGeneric.RECORD_HOOK, null, ORole.PERMISSION_READ);
>     visitor.addRule(ORule.ResourceGeneric.FUNCTION, null, ORole.PERMISSION_READ);
>
> Now, for end users this code looks a bit cryptic, and for sure the
> documentation about security
> (http://orientdb.com/docs/2.0/orientdb.wiki/Security.html) is not enough
> to replicate this.
> I may contribute with some documentation, if needed, but first I have to
> understand myself how it actually works.
>
> Adding
>
>     visitor.addRule(ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_READ);
>
> doesn't do the magic, while removing
>
>     visitor.addRule(ORule.ResourceGeneric.CLUSTER, null, ORole.PERMISSION_READ);
>
> prevents reading every class.
>
> Does anybody have any suggestion or had the same problem before?
>
> On Wednesday, August 26, 2015 at 4:41:47 PM UTC+2, Maverick wrote:
>>
>> While if I specify ALLOW_ALL_BUT, I can open the DB as user.
>>
>> What other security constraints have to be considered? I looked at the
>> documentation but didn't find anything...
>>
>> On Wednesday, August 26, 2015 at 12:50:25 PM UTC+2, Maverick wrote:
>>>
>>> Hi
>>>
>>> I have the piece of code reported below. Basically, I open a graph db as
>>> admin, create a "Visitor" role with permission DENY_ALL_BUT, and grant all
>>> access on the class "Invoice". Then, I create a user "John", which is a
>>> Visitor.
>>> When I open the db again as John, I get this security exception:
>>>
>>>     User 'John' has no the permission to execute the operation 'Read'
>>>     against the resource: ResourceGeneric [name=DATABASE, legacyName=database].null
>>>
>>> Possibly I'm specifying the permissions in a wrong way, but so far I
>>> haven't found how to do it correctly; how should I do?
>>>
>>> Here is the code:
>>>
>>>     import com.orientechnologies.orient.core.metadata.security.ORole;
>>>     import com.orientechnologies.orient.core.metadata.security.ORole.ALLOW_MODES;
>>>     import com.orientechnologies.orient.core.metadata.security.ORule;
>>>     import com.orientechnologies.orient.core.metadata.security.OSecurity;
>>>     import com.tinkerpop.blueprints.Vertex;
>>>     import com.tinkerpop.blueprints.impls.orient.OrientGraphFactory;
>>>     import com.tinkerpop.blueprints.impls.orient.OrientGraphNoTx;
>>>     import com.tinkerpop.blueprints.impls.orient.OrientVertex;
>>>
>>>     String db_addr = "plocal:testdb";
>>>
>>>     // Open with the factory's default (admin) credentials to set up role and user
>>>     OrientGraphNoTx graph = new OrientGraphFactory( db_addr ).getNoTx();
>>>     OSecurity security = graph.getRawGraph().getMetadata().getSecurity();
>>>     ORole admin = security.getRole( "admin" );
>>>     ORole visitor = security.getRole( "Visitor" );
>>>
>>>     if( visitor == null ) {
>>>         // Deny everything by default, then grant full access on "Invoice" for each resource type
>>>         visitor = security.createRole( "Visitor", ALLOW_MODES.DENY_ALL_BUT );
>>>         visitor.addRule( ORule.ResourceGeneric.COMMAND,     "Invoice", ORole.PERMISSION_ALL );
>>>         visitor.addRule( ORule.ResourceGeneric.CLASS,       "Invoice", ORole.PERMISSION_ALL );
>>>         visitor.addRule( ORule.ResourceGeneric.DATABASE,    "Invoice", ORole.PERMISSION_ALL );
>>>         visitor.addRule( ORule.ResourceGeneric.CLUSTER,     "Invoice", ORole.PERMISSION_ALL );
>>>         visitor.addRule( ORule.ResourceGeneric.FUNCTION,    "Invoice", ORole.PERMISSION_ALL );
>>>         visitor.addRule( ORule.ResourceGeneric.SCHEMA,      "Invoice", ORole.PERMISSION_ALL );
>>>         visitor.addRule( ORule.ResourceGeneric.RECORD_HOOK, "Invoice", ORole.PERMISSION_ALL );
>>>         visitor.save();
>>>         visitor = visitor.reload();
>>>     }
>>>
>>>     if( security.getUser( "John" ) == null )
>>>         security.createUser( "John", "mypwd", visitor );
>>>
>>>     // Clear the graph and insert two sample invoices as admin
>>>     for( Vertex vertex : graph.getVertices() ) {
>>>         graph.removeVertex( vertex );
>>>     }
>>>     graph.commit();
>>>
>>>     {
>>>         OrientVertex v = graph.addVertex( "class:Invoice" );
>>>         v.setProperty( "amount", 123 );
>>>         v.save();
>>>
>>>         v = graph.addVertex( "class:Invoice" );
>>>         v.setProperty( "amount", 456 );
>>>         v.save();
>>>     }
>>>
>>>     for( Vertex vertex : graph.getVertices() ) {
>>>         System.out.println( vertex );
>>>     }
>>>     graph.getRawGraph().close();
>>>
>>>     System.out.println( "=====" );
>>>
>>>     // Reopen as John and try to read and update the Invoice vertices
>>>     graph = new OrientGraphFactory( db_addr, "John", "mypwd" ).getNoTx();
>>>     for( Vertex vertex : graph.getVerticesOfClass( "Invoice" ) ) {
>>>         try {
>>>             vertex.setProperty( "testprop", "testval" );
>>>             graph.commit();
>>>         }
>>>         catch( Exception ex ) {
>>>             ex.printStackTrace();
>>>         }
>>>         System.out.println( vertex + ": " + vertex.getProperty( "testprop" ) );
>>>     }
>>>     graph.getRawGraph().close();
>>>
-- --- You received this message because you are subscribed to the Google Groups "OrientDB" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
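The role setup from this thread, put together as an added example that is not code from the posts above or from OrientDB itself. It applies the "reader" baseline copied from OSecurityShared in the follow-up message to a DENY_ALL_BUT role, then opens the database as the restricted user and exercises three things a practitioner would want to check before trusting such a role: that the intended class is readable, that a second class the user was never granted is also readable (the thread reports that the wildcard CLUSTER read rule is what makes any class readable at all, so per-class confinement is not achieved by this baseline), and that a write is rejected because no CREATE or UPDATE rule was granted. The database URL, the "Payroll" class, the user name and the default admin/admin credentials of a freshly created plocal database are assumptions of this example.

```java
import java.util.List;

import com.orientechnologies.orient.core.db.document.ODatabaseDocumentTx;
import com.orientechnologies.orient.core.exception.OSecurityAccessException;
import com.orientechnologies.orient.core.metadata.OMetadataDefault;
import com.orientechnologies.orient.core.metadata.security.ORole;
import com.orientechnologies.orient.core.metadata.security.ORule;
import com.orientechnologies.orient.core.metadata.security.OSecurity;
import com.orientechnologies.orient.core.record.impl.ODocument;
import com.orientechnologies.orient.core.sql.query.OSQLSynchQuery;

public class VisitorRoleExample {

    // Assumed database location; a fresh plocal db gets the default admin/admin user on create().
    private static final String DB_URL = "plocal:visitor-role-test";

    /** The read-only baseline OSecurityShared gives the built-in "reader" role (rules as quoted in the thread). */
    static void addReaderBaseline(ORole role) {
        role.addRule(ORule.ResourceGeneric.DATABASE, null, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.SCHEMA, null, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.CLUSTER, OMetadataDefault.CLUSTER_INTERNAL_NAME, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.CLUSTER, "orole", ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.CLUSTER, "ouser", ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.CLASS, null, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.CLUSTER, null, ORole.PERMISSION_READ);   // wildcard: every cluster readable
        role.addRule(ORule.ResourceGeneric.COMMAND, null, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.RECORD_HOOK, null, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.FUNCTION, null, ORole.PERMISSION_READ);
    }

    public static void main(String[] args) {
        // 1. Schema, role, user and sample data are created as admin.
        ODatabaseDocumentTx db = new ODatabaseDocumentTx(DB_URL);
        if (!db.exists()) {
            db.create();
        } else {
            db.open("admin", "admin");
        }
        db.getMetadata().getSchema().getOrCreateClass("Invoice");
        db.getMetadata().getSchema().getOrCreateClass("Payroll");   // assumed class the visitor was never granted

        OSecurity security = db.getMetadata().getSecurity();
        ORole visitor = security.getRole("Visitor");
        if (visitor == null) {
            visitor = security.createRole("Visitor", ORole.ALLOW_MODES.DENY_ALL_BUT);
            addReaderBaseline(visitor);
            visitor.addRule(ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_READ);
            visitor.save();
        }
        if (security.getUser("john") == null) {
            security.createUser("john", "mypwd", visitor);
        }
        new ODocument("Invoice").field("amount", 123).save();
        new ODocument("Payroll").field("salary", 1000).save();
        db.close();

        // 2. Reopen as the restricted user and observe what the rules actually allow.
        db = new ODatabaseDocumentTx(DB_URL).open("john", "mypwd");
        try {
            List<ODocument> invoices = db.query(new OSQLSynchQuery<ODocument>("select from Invoice"));
            System.out.println("Invoice read as john: " + invoices.size() + " record(s)");

            // The baseline's CLUSTER=null READ rule also opens the class that was never named in a rule.
            List<ODocument> payroll = db.query(new OSQLSynchQuery<ODocument>("select from Payroll"));
            System.out.println("Payroll read as john: " + payroll.size() + " record(s)");

            // No CREATE or UPDATE permission was granted, so under DENY_ALL_BUT a write should be refused.
            try {
                new ODocument("Invoice").field("amount", 999).save();
                System.out.println("UNEXPECTED: write as john succeeded");
            } catch (OSecurityAccessException e) {
                System.out.println("Write denied as expected: " + e.getMessage());
            }
        } finally {
            db.close();
        }
    }
}
```

Run it once to create the database, then inspect the two "read as john" counts: if both are non-zero, the wildcard cluster rule is doing the work and the CLASS "Invoice" rule adds nothing, which is exactly the behaviour the thread describes. Treat the write check the same way: a role meant to be read-only should print the "denied" line, and any other outcome means a rule grants more than intended.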
