Hi Maverick,

You're right, there is no documentation for that part. Would you like to contribute to it?
Best Regards,

Luca Garulli
Founder & CEO
OrientDB <http://orientdb.com/>

On 21 November 2015 at 15:13, Romain Lalaut <[email protected]> wrote:
> Thank you Maverick, you saved me!
>
> On Monday 31 August 2015 10:31:32 UTC, Maverick wrote:
>>
>> Follow-up:
>>
>> After struggling a lot I ended up copying from OSecurityShared the
>> following code, which is used internally to create the "reader" role:
>>
>> visitor.addRule(ORule.ResourceGeneric.DATABASE, null, ORole.PERMISSION_READ);
>> visitor.addRule(ORule.ResourceGeneric.SCHEMA, null, ORole.PERMISSION_READ);
>> visitor.addRule(ORule.ResourceGeneric.CLUSTER, OMetadataDefault.CLUSTER_INTERNAL_NAME, ORole.PERMISSION_READ);
>> visitor.addRule(ORule.ResourceGeneric.CLUSTER, "orole", ORole.PERMISSION_READ);
>> visitor.addRule(ORule.ResourceGeneric.CLUSTER, "ouser", ORole.PERMISSION_READ);
>> visitor.addRule(ORule.ResourceGeneric.CLASS, null, ORole.PERMISSION_READ);
>> visitor.addRule(ORule.ResourceGeneric.CLUSTER, null, ORole.PERMISSION_READ);
>> visitor.addRule(ORule.ResourceGeneric.COMMAND, null, ORole.PERMISSION_READ);
>> visitor.addRule(ORule.ResourceGeneric.RECORD_HOOK, null, ORole.PERMISSION_READ);
>> visitor.addRule(ORule.ResourceGeneric.FUNCTION, null, ORole.PERMISSION_READ);
>>
>> Now, for end users this code looks a bit cryptic, and for sure the
>> documentation about security
>> (http://orientdb.com/docs/2.0/orientdb.wiki/Security.html) is not enough
>> to replicate this.
>> I may contribute some documentation, if needed, but first I have to
>> understand how it actually works myself.
>>
>> Adding visitor.addRule(ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_READ);
>> doesn't do the magic, while removing
>> visitor.addRule(ORule.ResourceGeneric.CLUSTER, null, ORole.PERMISSION_READ);
>> prevents reading every class.
>>
>> Does anybody have any suggestion, or had the same problem before?
>>
>> On Wednesday, August 26, 2015 at 4:41:47 PM UTC+2, Maverick wrote:
>>>
>>> Whereas if I specify ALLOW_ALL_BUT, I can open the DB as the user.
>>>
>>> What other security constraints have to be considered? I looked at the
>>> documentation but didn't find anything...
>>>
>>> On Wednesday, August 26, 2015 at 12:50:25 PM UTC+2, Maverick wrote:
>>>>
>>>> Hi
>>>>
>>>> I have the piece of code reported below. Basically, I open a graph db
>>>> as admin, create a "Visitor" role with permission DENY_ALL_BUT, and grant
>>>> all access on the class "Invoice". Then, I create a user "John", which is a
>>>> Visitor.
>>>> When I open the db again as John, I get this security exception:
>>>>
>>>> User 'John' has no the permission to execute the operation 'Read'
>>>> against the resource: ResourceGeneric [name=DATABASE,
>>>> legacyName=database].null
>>>>
>>>> Possibly I'm specifying the permissions in a wrong way, but so far I
>>>> haven't found how to do it correctly; how should I do it?
>>>>
>>>> Here is the code:
>>>>
>>>> String db_addr = "plocal:testdb";
>>>> OrientGraphNoTx graph = new OrientGraphFactory( db_addr ).getNoTx();
>>>> OSecurity security = graph.getRawGraph().getMetadata().getSecurity();
>>>> ORole admin = security.getRole( "admin" );
>>>> ORole visitor = security.getRole( "Visitor" );
>>>> if( visitor == null ) {
>>>>     visitor = security.createRole( "Visitor", ALLOW_MODES.DENY_ALL_BUT );
>>>>     visitor.addRule( ORule.ResourceGeneric.COMMAND, "Invoice", ORole.PERMISSION_ALL );
>>>>     visitor.addRule( ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_ALL );
>>>>     visitor.addRule( ORule.ResourceGeneric.DATABASE, "Invoice", ORole.PERMISSION_ALL );
>>>>     visitor.addRule( ORule.ResourceGeneric.CLUSTER, "Invoice", ORole.PERMISSION_ALL );
>>>>     visitor.addRule( ORule.ResourceGeneric.FUNCTION, "Invoice", ORole.PERMISSION_ALL );
>>>>     visitor.addRule( ORule.ResourceGeneric.SCHEMA, "Invoice", ORole.PERMISSION_ALL );
>>>>     visitor.addRule( ORule.ResourceGeneric.RECORD_HOOK, "Invoice", ORole.PERMISSION_ALL );
>>>>     visitor.save();
>>>>     visitor = visitor.reload();
>>>> }
>>>> if( security.getUser( "John" ) == null )
>>>>     security.createUser( "John", "mypwd", visitor );
>>>> for( Vertex vertex : graph.getVertices() ) {
>>>>     graph.removeVertex( vertex );
>>>> }
>>>> graph.commit();
>>>> {
>>>>     OrientVertex v = graph.addVertex( "class:Invoice" );
>>>>     v.setProperty( "amount", 123 );
>>>>     v.save();
>>>>     v = graph.addVertex( "class:Invoice" );
>>>>     v.setProperty( "amount", 456 );
>>>>     v.save();
>>>> }
>>>> for( Vertex vertex : graph.getVertices() ) {
>>>>     System.out.println( vertex );
>>>> }
>>>> graph.getRawGraph().close();
>>>> System.out.println( "=====" );
>>>> graph = new OrientGraphFactory( db_addr, "John", "mypwd" ).getNoTx();
>>>> for( Vertex vertex : graph.getVerticesOfClass( "Invoice" ) ) {
>>>>     try {
>>>>         vertex.setProperty( "testprop", "testval" );
>>>>         graph.commit();
>>>>     }
>>>>     catch( Exception ex ) {
>>>>         ex.printStackTrace();
>>>>     }
>>>>     System.out.println( vertex + ": " + vertex.getProperty( "testprop" ) );
>>>> }
>>>> graph.getRawGraph().close();
>>>>
>>>> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "OrientDB" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
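As an added example (not code from the thread or from OrientDB itself): the follow-up above shows that a DENY_ALL_BUT role needs the same baseline the built-in "reader" role gets (DATABASE, SCHEMA, the internal/orole/ouser clusters, COMMAND, RECORD_HOOK, FUNCTION) just to open the database, and that the CLUSTER wildcard is what actually gates reads. The example below builds that baseline but drops the two wildcard rules (CLASS null and CLUSTER null) and instead grants the "Invoice" class and every cluster that backs it, so the user can work on Invoice and is refused on another class. Assumptions: OrientDB 2.1.x, a local database at plocal:testdb with the default admin/admin credentials, a second class "Secret" created only to show the denial, and the user/password John/mypwd.

```java
// Added example, not code from the thread or from OrientDB. Assumes OrientDB
// 2.1.x, plocal:testdb with admin/admin, and the user John/mypwd.
import com.orientechnologies.orient.core.db.document.ODatabaseDocumentTx;
import com.orientechnologies.orient.core.exception.OSecurityAccessException;
import com.orientechnologies.orient.core.metadata.OMetadataDefault;
import com.orientechnologies.orient.core.metadata.schema.OClass;
import com.orientechnologies.orient.core.metadata.schema.OSchema;
import com.orientechnologies.orient.core.metadata.security.ORole;
import com.orientechnologies.orient.core.metadata.security.ORule;
import com.orientechnologies.orient.core.metadata.security.OSecurity;
import com.orientechnologies.orient.core.record.impl.ODocument;

public class InvoiceOnlyRole {
  static final String URL = "plocal:testdb"; // assumed local database path

  public static void main(String[] args) {
    setupAsAdmin();
    useAsJohn();
  }

  // Creates the schema, the restricted "Visitor" role and the user John.
  static void setupAsAdmin() {
    ODatabaseDocumentTx db = new ODatabaseDocumentTx(URL);
    if (db.exists()) db.open("admin", "admin"); else db.create();
    try {
      OSchema schema = db.getMetadata().getSchema();
      if (!schema.existsClass("Invoice")) schema.createClass("Invoice");
      if (!schema.existsClass("Secret")) schema.createClass("Secret");
      new ODocument("Secret").field("note", "not for John").save();

      OSecurity security = db.getMetadata().getSecurity();
      ORole visitor = security.getRole("Visitor");
      if (visitor == null) {
        visitor = security.createRole("Visitor", ORole.ALLOW_MODES.DENY_ALL_BUT);
        // Baseline needed to open the database and load the schema and the
        // user's own role: the same resources the built-in reader role reads.
        visitor.addRule(ORule.ResourceGeneric.DATABASE, null, ORole.PERMISSION_READ);
        visitor.addRule(ORule.ResourceGeneric.SCHEMA, null, ORole.PERMISSION_READ);
        visitor.addRule(ORule.ResourceGeneric.CLUSTER, OMetadataDefault.CLUSTER_INTERNAL_NAME, ORole.PERMISSION_READ);
        visitor.addRule(ORule.ResourceGeneric.CLUSTER, "orole", ORole.PERMISSION_READ);
        visitor.addRule(ORule.ResourceGeneric.CLUSTER, "ouser", ORole.PERMISSION_READ);
        visitor.addRule(ORule.ResourceGeneric.COMMAND, null, ORole.PERMISSION_READ);
        visitor.addRule(ORule.ResourceGeneric.RECORD_HOOK, null, ORole.PERMISSION_READ);
        visitor.addRule(ORule.ResourceGeneric.FUNCTION, null, ORole.PERMISSION_READ);
        // No CLASS/CLUSTER wildcard. Grant the one class and every cluster that
        // backs it, because record reads are checked against the cluster name.
        visitor.addRule(ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_ALL);
        OClass invoice = schema.getClass("Invoice");
        for (int clusterId : invoice.getClusterIds()) {
          visitor.addRule(ORule.ResourceGeneric.CLUSTER, db.getClusterNameById(clusterId), ORole.PERMISSION_ALL);
        }
        visitor.save();
      }
      if (security.getUser("John") == null) security.createUser("John", "mypwd", visitor);
    } finally {
      db.close();
    }
  }

  // Opens the database as the restricted user and exercises both outcomes.
  static void useAsJohn() {
    ODatabaseDocumentTx db = new ODatabaseDocumentTx(URL).open("John", "mypwd");
    try {
      // Allowed: create and read back Invoice records.
      new ODocument("Invoice").field("amount", 123).save();
      for (ODocument d : db.browseClass("Invoice")) System.out.println(d);
      // Denied: Secret has neither a CLASS nor a CLUSTER rule in the role.
      try {
        for (ODocument d : db.browseClass("Secret")) System.out.println(d);
        System.out.println("unexpected: Secret was readable");
      } catch (OSecurityAccessException e) {
        System.out.println("denied as expected: " + e.getMessage());
      }
    } finally {
      db.close();
    }
  }
}
```

Run it twice against an empty directory: the first run creates the database and the role, the second reuses them. The cluster grant is derived from the class's cluster ids rather than hard-coded as "invoice" so it still holds if the class was created with more than one cluster.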
