Look at: https://github.com/lvca
Best Regards,

Luca Garulli
Founder & CEO
OrientDB <http://orientdb.com/>

On 29 November 2015 at 22:14, Maverick <[email protected]> wrote:
> Hi Luca
>
> In principle I'm still available to contribute. However, I'm unsure how I
> could do it, because I don't have the knowledge. In fact, the project I'm
> working on (https://github.com/RISCOSS/riscoss-corporate) is near to its
> end and we basically dropped all the planned role management stuff because
> we were losing too much time in searching for info.
> Anyway, if you have any idea you can contact me by mail.
>
>
> On Sunday, November 22, 2015 at 5:48:55 PM UTC+1, l.garulli wrote:
>>
>> Hi Maverick,
>> You're right, there is no documentation for such part. Would you like to
>> contribute on it?
>>
>> Best Regards,
>>
>> Luca Garulli
>> Founder & CEO
>> OrientDB <http://orientdb.com/>
>>
>>
>> On 21 November 2015 at 15:13, Romain Lalaut <[email protected]> wrote:
>>
>>> Thank you Maverick, you saved me!
>>>
>>> On Monday, 31 August 2015 10:31:32 UTC, Maverick wrote:
>>>>
>>>> Follow-up:
>>>>
>>>> After struggling a lot I ended up copying from OSecurityShared the
>>>> following code, which is used internally to create the "reader" role:
>>>>
>>>>   visitor.addRule(ORule.ResourceGeneric.DATABASE, null, ORole.PERMISSION_READ);
>>>>   visitor.addRule(ORule.ResourceGeneric.SCHEMA, null, ORole.PERMISSION_READ);
>>>>   visitor.addRule(ORule.ResourceGeneric.CLUSTER, OMetadataDefault.CLUSTER_INTERNAL_NAME, ORole.PERMISSION_READ);
>>>>   visitor.addRule(ORule.ResourceGeneric.CLUSTER, "orole", ORole.PERMISSION_READ);
>>>>   visitor.addRule(ORule.ResourceGeneric.CLUSTER, "ouser", ORole.PERMISSION_READ);
>>>>   visitor.addRule(ORule.ResourceGeneric.CLASS, null, ORole.PERMISSION_READ);
>>>>   visitor.addRule(ORule.ResourceGeneric.CLUSTER, null, ORole.PERMISSION_READ);
>>>>   visitor.addRule(ORule.ResourceGeneric.COMMAND, null, ORole.PERMISSION_READ);
>>>>   visitor.addRule(ORule.ResourceGeneric.RECORD_HOOK, null, ORole.PERMISSION_READ);
>>>>   visitor.addRule(ORule.ResourceGeneric.FUNCTION, null, ORole.PERMISSION_READ);
>>>>
>>>> Now, for end users this code looks a bit cryptic, and for sure the
>>>> documentation about security
>>>> (http://orientdb.com/docs/2.0/orientdb.wiki/Security.html) is not
>>>> enough to replicate this.
>>>> I may contribute with some documentation, if needed, but first I have
>>>> to understand myself how it actually works.
>>>>
>>>> Adding
>>>>   visitor.addRule(ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_READ);
>>>> doesn't do the magic, while removing
>>>>   visitor.addRule(ORule.ResourceGeneric.CLUSTER, null, ORole.PERMISSION_READ);
>>>> prevents reading every class.
>>>>
>>>> Does anybody have any suggestion or had the same problem before?
>>>>
>>>>
>>>> On Wednesday, August 26, 2015 at 4:41:47 PM UTC+2, Maverick wrote:
>>>>>
>>>>> While, if I specify ALLOW_ALL_BUT, I can open the DB as user.
>>>>>
>>>>> What other security constraints have to be considered? I looked at the
>>>>> documentation but didn't find anything...
>>>>>
>>>>>
>>>>> On Wednesday, August 26, 2015 at 12:50:25 PM UTC+2, Maverick wrote:
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>> I have the piece of code reported below. Basically, I open a graph db
>>>>>> as admin, create a "Visitor" role with permission DENY_ALL_BUT, and grant
>>>>>> all access on the class "Invoice". Then, I create a user "John", which is a
>>>>>> Visitor.
>>>>>> When I open the db again as John, I get this security exception:
>>>>>>
>>>>>>   User 'John' has no the permission to execute the operation 'Read'
>>>>>>   against the resource: ResourceGeneric [name=DATABASE, legacyName=database].null
>>>>>>
>>>>>> Possibly I'm specifying the permissions in a wrong way, but so far I
>>>>>> haven't found how to do it correctly; how should I do?
>>>>>>
>>>>>> Here is the code:
>>>>>>
>>>>>>   import com.orientechnologies.orient.core.metadata.security.ORole;
>>>>>>   import com.orientechnologies.orient.core.metadata.security.ORole.ALLOW_MODES;
>>>>>>   import com.orientechnologies.orient.core.metadata.security.ORule;
>>>>>>   import com.orientechnologies.orient.core.metadata.security.OSecurity;
>>>>>>   import com.tinkerpop.blueprints.Vertex;
>>>>>>   import com.tinkerpop.blueprints.impls.orient.OrientGraphFactory;
>>>>>>   import com.tinkerpop.blueprints.impls.orient.OrientGraphNoTx;
>>>>>>   import com.tinkerpop.blueprints.impls.orient.OrientVertex;
>>>>>>
>>>>>>   String db_addr = "plocal:testdb";
>>>>>>
>>>>>>   // open as the default admin user to set up the role and the test data
>>>>>>   OrientGraphNoTx graph = new OrientGraphFactory( db_addr ).getNoTx();
>>>>>>   OSecurity security = graph.getRawGraph().getMetadata().getSecurity();
>>>>>>   ORole admin = security.getRole( "admin" );
>>>>>>   ORole visitor = security.getRole( "Visitor" );
>>>>>>
>>>>>>   if( visitor == null ) {
>>>>>>     // deny everything, then grant full access on the "Invoice" resource only
>>>>>>     visitor = security.createRole( "Visitor", ALLOW_MODES.DENY_ALL_BUT );
>>>>>>     visitor.addRule( ORule.ResourceGeneric.COMMAND, "Invoice", ORole.PERMISSION_ALL );
>>>>>>     visitor.addRule( ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_ALL );
>>>>>>     visitor.addRule( ORule.ResourceGeneric.DATABASE, "Invoice", ORole.PERMISSION_ALL );
>>>>>>     visitor.addRule( ORule.ResourceGeneric.CLUSTER, "Invoice", ORole.PERMISSION_ALL );
>>>>>>     visitor.addRule( ORule.ResourceGeneric.FUNCTION, "Invoice", ORole.PERMISSION_ALL );
>>>>>>     visitor.addRule( ORule.ResourceGeneric.SCHEMA, "Invoice", ORole.PERMISSION_ALL );
>>>>>>     visitor.addRule( ORule.ResourceGeneric.RECORD_HOOK, "Invoice", ORole.PERMISSION_ALL );
>>>>>>     visitor.save();
>>>>>>     visitor = visitor.reload();
>>>>>>   }
>>>>>>
>>>>>>   if( security.getUser( "John" ) == null )
>>>>>>     security.createUser( "John", "mypwd", visitor );
>>>>>>
>>>>>>   // start from an empty graph
>>>>>>   for( Vertex vertex : graph.getVertices() ) {
>>>>>>     graph.removeVertex( vertex );
>>>>>>   }
>>>>>>   graph.commit();
>>>>>>
>>>>>>   {
>>>>>>     OrientVertex v = graph.addVertex( "class:Invoice" );
>>>>>>     v.setProperty( "amount", 123 );
>>>>>>     v.save();
>>>>>>     v = graph.addVertex( "class:Invoice" );
>>>>>>     v.setProperty( "amount", 456 );
>>>>>>     v.save();
>>>>>>   }
>>>>>>
>>>>>>   for( Vertex vertex : graph.getVertices() ) {
>>>>>>     System.out.println( vertex );
>>>>>>   }
>>>>>>   graph.getRawGraph().close();
>>>>>>
>>>>>>   System.out.println( "=====" );
>>>>>>
>>>>>>   // reopen as John (role Visitor) and try to update an Invoice
>>>>>>   graph = new OrientGraphFactory( db_addr, "John", "mypwd" ).getNoTx();
>>>>>>   for( Vertex vertex : graph.getVerticesOfClass( "Invoice" ) ) {
>>>>>>     try {
>>>>>>       vertex.setProperty( "testprop", "testval" );
>>>>>>       graph.commit();
>>>>>>     }
>>>>>>     catch( Exception ex ) {
>>>>>>       ex.printStackTrace();
>>>>>>     }
>>>>>>     System.out.println( vertex + ": " + vertex.getProperty( "testprop" ) );
>>>>>>   }
>>>>>>   graph.getRawGraph().close();
>>>>>>
>>>>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "OrientDB" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
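The follow-up in this thread shows the read-only baseline a DENY_ALL_BUT role needs before the database can be opened at all, but it leaves the role's effective permissions unverified until a user hits a security exception. The example below is added here and is not code from the thread or from OrientDB itself. It builds the "Visitor" role with that baseline plus the Invoice rule, then evaluates the role's grants with ORole.allow (the same check the security layer applies) so that a mismatch between intended and effective permissions is caught before the user "John" is created. It assumes the OrientDB 2.x Java API used in the thread; the database URL, role, user and password are the thread's own values, and the expected-permission table is my construction.

```java
// Added example for this thread (not Maverick's or OrientDB's own code).
// Assumes the OrientDB 2.x API used in the thread.
import com.orientechnologies.orient.core.metadata.OMetadataDefault;
import com.orientechnologies.orient.core.metadata.security.ORole;
import com.orientechnologies.orient.core.metadata.security.ORule;
import com.orientechnologies.orient.core.metadata.security.OSecurity;
import com.tinkerpop.blueprints.impls.orient.OrientGraphFactory;
import com.tinkerpop.blueprints.impls.orient.OrientGraphNoTx;

import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class VisitorRoleCheck {

  /** The read-only baseline the thread copied from OSecurityShared (the built-in "reader" role). */
  static void addReaderBaseline(ORole role) {
    role.addRule(ORule.ResourceGeneric.DATABASE, null, ORole.PERMISSION_READ);
    role.addRule(ORule.ResourceGeneric.SCHEMA, null, ORole.PERMISSION_READ);
    role.addRule(ORule.ResourceGeneric.CLUSTER, OMetadataDefault.CLUSTER_INTERNAL_NAME, ORole.PERMISSION_READ);
    role.addRule(ORule.ResourceGeneric.CLUSTER, "orole", ORole.PERMISSION_READ);
    role.addRule(ORule.ResourceGeneric.CLUSTER, "ouser", ORole.PERMISSION_READ);
    role.addRule(ORule.ResourceGeneric.CLASS, null, ORole.PERMISSION_READ);
    role.addRule(ORule.ResourceGeneric.CLUSTER, null, ORole.PERMISSION_READ);
    role.addRule(ORule.ResourceGeneric.COMMAND, null, ORole.PERMISSION_READ);
    role.addRule(ORule.ResourceGeneric.RECORD_HOOK, null, ORole.PERMISSION_READ);
    role.addRule(ORule.ResourceGeneric.FUNCTION, null, ORole.PERMISSION_READ);
  }

  /** Intended outcome of each check (constructed for this example): reads per the baseline, no writes. */
  static Map<String, Boolean> expectedPermissions() {
    Map<String, Boolean> expected = new LinkedHashMap<String, Boolean>();
    expected.put("DATABASE read", Boolean.TRUE);
    expected.put("CLASS Invoice read", Boolean.TRUE);
    expected.put("CLASS Invoice update", Boolean.FALSE);
    expected.put("CLASS Invoice delete", Boolean.FALSE);
    // The generic CLASS/CLUSTER rules in the baseline grant read on every class,
    // which is the limitation Maverick observed: the role is read-only, not Invoice-only.
    expected.put("CLASS OUser read", Boolean.TRUE);
    return expected;
  }

  /** Effective outcome of each check, evaluated through the role's own rule set. */
  static Map<String, Boolean> actualPermissions(ORole role) {
    Map<String, Boolean> actual = new LinkedHashMap<String, Boolean>();
    actual.put("DATABASE read", role.allow(ORule.ResourceGeneric.DATABASE, null, ORole.PERMISSION_READ));
    actual.put("CLASS Invoice read", role.allow(ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_READ));
    actual.put("CLASS Invoice update", role.allow(ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_UPDATE));
    actual.put("CLASS Invoice delete", role.allow(ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_DELETE));
    actual.put("CLASS OUser read", role.allow(ORule.ResourceGeneric.CLASS, "OUser", ORole.PERMISSION_READ));
    return actual;
  }

  /** Names of checks whose effective result differs from the intended one; empty means the role is as designed. */
  static List<String> mismatches(ORole role) {
    List<String> bad = new ArrayList<String>();
    Map<String, Boolean> actual = actualPermissions(role);
    for (Map.Entry<String, Boolean> e : expectedPermissions().entrySet()) {
      if (!e.getValue().equals(actual.get(e.getKey()))) {
        bad.add(e.getKey() + " (expected " + e.getValue() + ", got " + actual.get(e.getKey()) + ")");
      }
    }
    return bad;
  }

  public static void main(String[] args) {
    OrientGraphNoTx graph = new OrientGraphFactory("plocal:testdb").getNoTx();
    try {
      OSecurity security = graph.getRawGraph().getMetadata().getSecurity();
      ORole visitor = security.getRole("Visitor");
      if (visitor == null) {
        visitor = security.createRole("Visitor", ORole.ALLOW_MODES.DENY_ALL_BUT);
        addReaderBaseline(visitor);
        visitor.addRule(ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_READ);
        visitor.save();
      }
      // Verify the grants before handing the role to a user.
      List<String> bad = mismatches(visitor);
      if (!bad.isEmpty()) {
        throw new IllegalStateException("Visitor role grants differ from the intended ones: " + bad);
      }
      if (security.getUser("John") == null) {
        security.createUser("John", "mypwd", visitor);
      }
      System.out.println("Visitor role verified: " + actualPermissions(visitor));
    } finally {
      graph.getRawGraph().close();
    }
  }
}
```

Running the check against the role rather than by opening a second connection as John keeps the verification independent of connection handling, and the expected-permission table doubles as documentation of what the role is meant to allow. If a later edit to the rules (for example dropping the generic CLUSTER rule, which the thread reports blocks reading every class) changes an effective result, the mismatch is reported by name instead of surfacing as a runtime security exception in application code.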
