Hi Luca

In principle I'm still available to contribute. However, I'm unsure how I 
could do it, because I don't have the knowledge. In fact, the project I'm 
working on (https://github.com/RISCOSS/riscoss-corporate) is near its end 
and we basically dropped all the planned role management stuff because we 
were losing too much time searching for info.
Anyway, if you have any idea you can contact me by mail.


On Sunday, November 22, 2015 at 5:48:55 PM UTC+1, l.garulli wrote:
>
> Hi Maverick,
> You're right, there is no documentation for that part. Would you like to 
> contribute to it?
>
> Best Regards,
>
> Luca Garulli
> Founder & CEO
> OrientDB <http://orientdb.com/>
>
>
> On 21 November 2015 at 15:13, Romain Lalaut <[email protected]> wrote:
>
>> Thank you Maverick, you saved me!
>>
>> On Monday, 31 August 2015 at 10:31:32 UTC, Maverick wrote:
>>>
>>> Follow-up:
>>>
>>> After struggling a lot I ended up copying from OSecurityShared the 
>>> following code, which is used internally to create the "reader" role:
>>>
>>> // Minimum needed to open the database and read its schema
>>> visitor.addRule(ORule.ResourceGeneric.DATABASE, null, ORole.PERMISSION_READ);
>>> visitor.addRule(ORule.ResourceGeneric.SCHEMA, null, ORole.PERMISSION_READ);
>>> // Internal cluster plus the role/user clusters, so the login itself can be resolved
>>> visitor.addRule(ORule.ResourceGeneric.CLUSTER, OMetadataDefault.CLUSTER_INTERNAL_NAME, ORole.PERMISSION_READ);
>>> visitor.addRule(ORule.ResourceGeneric.CLUSTER, "orole", ORole.PERMISSION_READ);
>>> visitor.addRule(ORule.ResourceGeneric.CLUSTER, "ouser", ORole.PERMISSION_READ);
>>> // Wildcard (null = any) read on classes, clusters, commands, hooks and functions
>>> visitor.addRule(ORule.ResourceGeneric.CLASS, null, ORole.PERMISSION_READ);
>>> visitor.addRule(ORule.ResourceGeneric.CLUSTER, null, ORole.PERMISSION_READ);
>>> visitor.addRule(ORule.ResourceGeneric.COMMAND, null, ORole.PERMISSION_READ);
>>> visitor.addRule(ORule.ResourceGeneric.RECORD_HOOK, null, ORole.PERMISSION_READ);
>>> visitor.addRule(ORule.ResourceGeneric.FUNCTION, null, ORole.PERMISSION_READ);
>>>
>>>
>>> Now, for end users this code looks a bit cryptic, and for sure the 
>>> documentation about security (
>>> http://orientdb.com/docs/2.0/orientdb.wiki/Security.html) is not enough 
>>> to replicate this. 
>>> I may contribute with some documentation, if needed, but first I have to 
>>> understand myself how it actually works.
>>>
>>> Adding 
>>> visitor.addRule(ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_READ); 
>>> doesn't do the magic, while removing 
>>> visitor.addRule(ORule.ResourceGeneric.CLUSTER, null, ORole.PERMISSION_READ); 
>>> prevents reading every class.
>>>
>>> Does anybody have any suggestion or had the same problem before?
>>>
>>>
>>>
>>> On Wednesday, August 26, 2015 at 4:41:47 PM UTC+2, Maverick wrote:
>>>>
>>>> If I specify ALLOW_ALL_BUT instead, I can open the DB as the user.
>>>>
>>>> What other security constraints have to be considered? I looked at the 
>>>> documentation but didn't find anything...
>>>>
>>>>
>>>> On Wednesday, August 26, 2015 at 12:50:25 PM UTC+2, Maverick wrote:
>>>>>
>>>>> Hi
>>>>>
>>>>> I have the piece of code reported below. Basically, I open a graph db 
>>>>> as admin, create a "Visitor" role with permission DENY_ALL_BUT, and grant 
>>>>> all access on the class "Invoice". Then, I create a user "John", which is 
>>>>> a Visitor.
>>>>> When I open the db again as John, I get this security exception:
>>>>>
>>>>> User 'John' has no the permission to execute the operation 'Read' 
>>>>> against the resource: ResourceGeneric [name=DATABASE, 
>>>>> legacyName=database].null
>>>>>
>>>>>
>>>>> Possibly I'm specifying the permissions in a wrong way, but so far I 
>>>>> haven't found how to do it correctly; how should I do it?
>>>>>
>>>>>
>>>>> Here is the code:
>>>>>
>>>>>
>>>>> // Imports needed by this snippet (OrientDB 2.0 Java API with the Blueprints graph layer)
>>>>> import com.orientechnologies.orient.core.metadata.security.ORole;
>>>>> import com.orientechnologies.orient.core.metadata.security.ORole.ALLOW_MODES;
>>>>> import com.orientechnologies.orient.core.metadata.security.ORule;
>>>>> import com.orientechnologies.orient.core.metadata.security.OSecurity;
>>>>> import com.tinkerpop.blueprints.Vertex;
>>>>> import com.tinkerpop.blueprints.impls.orient.OrientGraphFactory;
>>>>> import com.tinkerpop.blueprints.impls.orient.OrientGraphNoTx;
>>>>> import com.tinkerpop.blueprints.impls.orient.OrientVertex;
>>>>>
>>>>> String db_addr = "plocal:testdb";
>>>>> // Open as the default admin user and set up the role
>>>>> OrientGraphNoTx graph = new OrientGraphFactory( db_addr ).getNoTx();
>>>>> OSecurity security = graph.getRawGraph().getMetadata().getSecurity();
>>>>> ORole admin = security.getRole( "admin" );
>>>>> ORole visitor = security.getRole( "Visitor" );
>>>>> if( visitor == null ) {
>>>>>   // Deny everything except the rules added below
>>>>>   visitor = security.createRole( "Visitor", ALLOW_MODES.DENY_ALL_BUT );
>>>>>   visitor.addRule( ORule.ResourceGeneric.COMMAND, "Invoice", ORole.PERMISSION_ALL );
>>>>>   visitor.addRule( ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_ALL );
>>>>>   visitor.addRule( ORule.ResourceGeneric.DATABASE, "Invoice", ORole.PERMISSION_ALL );
>>>>>   visitor.addRule( ORule.ResourceGeneric.CLUSTER, "Invoice", ORole.PERMISSION_ALL );
>>>>>   visitor.addRule( ORule.ResourceGeneric.FUNCTION, "Invoice", ORole.PERMISSION_ALL );
>>>>>   visitor.addRule( ORule.ResourceGeneric.SCHEMA, "Invoice", ORole.PERMISSION_ALL );
>>>>>   visitor.addRule( ORule.ResourceGeneric.RECORD_HOOK, "Invoice", ORole.PERMISSION_ALL );
>>>>>   visitor.save();
>>>>>   visitor = visitor.reload();
>>>>> }
>>>>> if( security.getUser( "John" ) == null )
>>>>>   security.createUser( "John", "mypwd", visitor );
>>>>>
>>>>> // Remove existing vertices, then create two Invoice vertices as admin
>>>>> for( Vertex vertex : graph.getVertices() ) {
>>>>>   graph.removeVertex( vertex );
>>>>> }
>>>>> graph.commit();
>>>>> {
>>>>>   OrientVertex v = graph.addVertex( "class:Invoice" );
>>>>>   v.setProperty( "amount", 123 );
>>>>>   v.save();
>>>>>   v = graph.addVertex( "class:Invoice" );
>>>>>   v.setProperty( "amount", 456 );
>>>>>   v.save();
>>>>> }
>>>>> for( Vertex vertex : graph.getVertices() ) {
>>>>>   System.out.println( vertex );
>>>>> }
>>>>> graph.getRawGraph().close();
>>>>>
>>>>> System.out.println( "=====" );
>>>>>
>>>>> // Reopen as John: this is where the security exception above is thrown
>>>>> graph = new OrientGraphFactory( db_addr, "John", "mypwd" ).getNoTx();
>>>>> for( Vertex vertex : graph.getVerticesOfClass( "Invoice" ) ) {
>>>>>   try {
>>>>>     vertex.setProperty( "testprop", "testval" );
>>>>>     graph.commit();
>>>>>   }
>>>>>   catch( Exception ex ) {
>>>>>     ex.printStackTrace();
>>>>>   }
>>>>>   System.out.println( vertex + ": " + vertex.getProperty( "testprop" ) );
>>>>> }
>>>>> graph.getRawGraph().close();
>>>>>
>>>>>
>>>>> -- 
>>
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "OrientDB" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>

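As an added example (not code from this thread, from OrientDB, or from the RISCOSS project), here is how the rule set Maverick copied from OSecurityShared can be turned into a DENY_ALL_BUT "Visitor" role that is verified to be read-only before any user is bound to it, and then exercised as that user. It assumes the OrientDB 2.x Java API used in the thread, that ORole.allow(ResourceGeneric, String, int) is the method that evaluates a role's rules, that OrientBaseGraph.shutdown() and OSecurityAccessException exist under those names, and that the Invoice class has already been created by an administrator. The role name, user, password and database address are the thread's own values.

```java
import com.orientechnologies.orient.core.exception.OSecurityAccessException;
import com.orientechnologies.orient.core.metadata.OMetadataDefault;
import com.orientechnologies.orient.core.metadata.security.ORole;
import com.orientechnologies.orient.core.metadata.security.ORule;
import com.orientechnologies.orient.core.metadata.security.OSecurity;
import com.tinkerpop.blueprints.Vertex;
import com.tinkerpop.blueprints.impls.orient.OrientGraphFactory;
import com.tinkerpop.blueprints.impls.orient.OrientGraphNoTx;

/** Read-only "Visitor" role built from the reader baseline quoted in the thread. */
public class VisitorRoleExample {

    static final String ROLE = "Visitor";
    static final String USER = "John";      // values taken from the thread
    static final String PASSWORD = "mypwd";

    /** The read rules the built-in "reader" role carries (the set Maverick copied from
     *  OSecurityShared). A DENY_ALL_BUT role cannot even open the database without them. */
    static void addReaderBaseline(ORole role) {
        role.addRule(ORule.ResourceGeneric.DATABASE, null, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.SCHEMA, null, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.CLUSTER, OMetadataDefault.CLUSTER_INTERNAL_NAME, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.CLUSTER, "orole", ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.CLUSTER, "ouser", ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.CLASS, null, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.CLUSTER, null, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.COMMAND, null, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.RECORD_HOOK, null, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.FUNCTION, null, ORole.PERMISSION_READ);
    }

    /** Create the role once: DENY_ALL_BUT, the baseline, and an explicit READ on Invoice. */
    static ORole ensureVisitorRole(OSecurity security) {
        ORole visitor = security.getRole(ROLE);
        if (visitor == null) {
            visitor = security.createRole(ROLE, ORole.ALLOW_MODES.DENY_ALL_BUT);
            addReaderBaseline(visitor);
            visitor.addRule(ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_READ);
            visitor.save();
            visitor = visitor.reload();
        }
        return visitor;
    }

    /** Check the role object before a user is attached to it: reads allowed, every write denied.
     *  Assumes ORole.allow(ResourceGeneric, String, int) evaluates the role's rules. */
    static boolean isReadOnly(ORole role) {
        boolean canRead = role.allow(ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_READ);
        boolean canWrite = role.allow(ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_CREATE)
                        || role.allow(ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_UPDATE)
                        || role.allow(ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_DELETE)
                        || role.allow(ORule.ResourceGeneric.CLASS, null, ORole.PERMISSION_UPDATE);
        return canRead && !canWrite;
    }

    public static void main(String[] args) {
        String dbAddr = "plocal:testdb";  // same database address as in the thread

        // 1. As admin: build and verify the role, then create the user.
        OrientGraphNoTx asAdmin = new OrientGraphFactory(dbAddr).getNoTx();
        try {
            OSecurity security = asAdmin.getRawGraph().getMetadata().getSecurity();
            ORole visitor = ensureVisitorRole(security);
            if (!isReadOnly(visitor)) {
                throw new IllegalStateException("Visitor role is not read-only; refusing to create the user");
            }
            if (security.getUser(USER) == null) {
                security.createUser(USER, PASSWORD, visitor);
            }
        } finally {
            asAdmin.shutdown();
        }

        // 2. As John: reads succeed, and a write must be rejected with OSecurityAccessException.
        OrientGraphNoTx asJohn = new OrientGraphFactory(dbAddr, USER, PASSWORD).getNoTx();
        try {
            for (Vertex invoice : asJohn.getVerticesOfClass("Invoice")) {
                System.out.println("read ok: amount=" + invoice.getProperty("amount"));
            }
            try {
                asJohn.addVertex("class:Invoice");
                System.out.println("UNEXPECTED: write succeeded, the role is too permissive");
            } catch (OSecurityAccessException e) {
                System.out.println("write denied as expected: " + e.getMessage());
            }
        } finally {
            asJohn.shutdown();
        }
    }
}
```

Because the baseline keeps the wildcard CLASS and CLUSTER read rules, which the thread found cannot be removed without losing every read, this role can read other classes as well, not only Invoice; that is why the check asserts read-only rather than Invoice-only. Compared with the original snippet, it also grants nothing on COMMAND beyond READ, so a Visitor cannot run data-changing commands, and the runtime check under the user's own credentials confirms what the role-object check predicts.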