Security exception when opening a db


Maverick

Aug 26, 2015, 6:50:25 AM
to OrientDB
Hi

I have the piece of code reported below. Basically, I open a graph db as admin, create a "Visitor" role with permission DENY_ALL_BUT, and grant all access on the class "Invoice". Then, I create a user "John", which is a Visitor.
When I open the db again as John, I get this security exception:

User 'John' has no the permission to execute the operation 'Read' against the resource: ResourceGeneric [name=DATABASE, legacyName=database].null


Possibly I'm specifying the permissions in a wrong way, but so far I haven't found how to do it correctly; how should I do it?


Here is the code:


import com.orientechnologies.orient.core.metadata.security.ORole;
import com.orientechnologies.orient.core.metadata.security.ORule;
import com.orientechnologies.orient.core.metadata.security.OSecurity;
import com.tinkerpop.blueprints.Vertex;
import com.tinkerpop.blueprints.impls.orient.OrientGraphFactory;
import com.tinkerpop.blueprints.impls.orient.OrientGraphNoTx;
import com.tinkerpop.blueprints.impls.orient.OrientVertex;

public class SecurityTest {
    public static void main( String[] args ) {
        String db_addr = "plocal:testdb";

        // Open as the default admin user and set up the role and the user.
        OrientGraphNoTx graph = new OrientGraphFactory( db_addr ).getNoTx();
        OSecurity security = graph.getRawGraph().getMetadata().getSecurity();
        ORole admin = security.getRole( "admin" );
        ORole visitor = security.getRole( "Visitor" );
        if( visitor == null ) {
            // Deny everything except what the rules below allow.
            visitor = security.createRole( "Visitor", ORole.ALLOW_MODES.DENY_ALL_BUT );
            visitor.addRule( ORule.ResourceGeneric.COMMAND, "Invoice", ORole.PERMISSION_ALL );
            visitor.addRule( ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_ALL );
            visitor.addRule( ORule.ResourceGeneric.DATABASE, "Invoice", ORole.PERMISSION_ALL );
            visitor.addRule( ORule.ResourceGeneric.CLUSTER, "Invoice", ORole.PERMISSION_ALL );
            visitor.addRule( ORule.ResourceGeneric.FUNCTION, "Invoice", ORole.PERMISSION_ALL );
            visitor.addRule( ORule.ResourceGeneric.SCHEMA, "Invoice", ORole.PERMISSION_ALL );
            visitor.addRule( ORule.ResourceGeneric.RECORD_HOOK, "Invoice", ORole.PERMISSION_ALL );
            visitor.save();
            visitor = visitor.reload();
        }
        if( security.getUser( "John" ) == null )
            security.createUser( "John", "mypwd", visitor );

        // Reset the data: remove every vertex, then create two Invoice records.
        for( Vertex vertex : graph.getVertices() ) {
            graph.removeVertex( vertex );
        }
        graph.commit();
        {
            OrientVertex v = graph.addVertex( "class:Invoice" );
            v.setProperty( "amount", 123 );
            v.save();
            v = graph.addVertex( "class:Invoice" );
            v.setProperty( "amount", 456 );
            v.save();
        }
        for( Vertex vertex : graph.getVertices() ) {
            System.out.println( vertex );
        }
        graph.getRawGraph().close();

        System.out.println( "=====" );

        // Reopen as John (role Visitor): this is where the security exception is raised.
        graph = new OrientGraphFactory( db_addr, "John", "mypwd" ).getNoTx();
        for( Vertex vertex : graph.getVerticesOfClass( "Invoice" ) ) {
            try {
                vertex.setProperty( "testprop", "testval" );
                graph.commit();
            }
            catch( Exception ex ) {
                ex.printStackTrace();
            }
            System.out.println( vertex + ": " + vertex.getProperty( "testprop" ) );
        }
        graph.getRawGraph().close();
    }
}


Maverick

Aug 26, 2015, 10:41:47 AM
to OrientDB
While if I specify ALLOW_ALL_BUT, I can open the DB as the user.

What other security constraints have to be considered? I looked at the documentation but didn't find anything...

Maverick

Aug 31, 2015, 6:31:32 AM
to OrientDB
Follow-up:

After struggling a lot I ended up copying from OSecurityShared the following code, which is used internally to create the "reader" role:

visitor.addRule(ORule.ResourceGeneric.DATABASE, null, ORole.PERMISSION_READ);
visitor.addRule(ORule.ResourceGeneric.SCHEMA, null, ORole.PERMISSION_READ);
visitor.addRule(ORule.ResourceGeneric.CLUSTER, OMetadataDefault.CLUSTER_INTERNAL_NAME, ORole.PERMISSION_READ);
visitor.addRule(ORule.ResourceGeneric.CLUSTER, "orole", ORole.PERMISSION_READ);
visitor.addRule(ORule.ResourceGeneric.CLUSTER, "ouser", ORole.PERMISSION_READ);
visitor.addRule(ORule.ResourceGeneric.CLASS, null, ORole.PERMISSION_READ);
visitor.addRule(ORule.ResourceGeneric.CLUSTER, null, ORole.PERMISSION_READ);
visitor.addRule(ORule.ResourceGeneric.COMMAND, null, ORole.PERMISSION_READ);
visitor.addRule(ORule.ResourceGeneric.RECORD_HOOK, null, ORole.PERMISSION_READ);
visitor.addRule(ORule.ResourceGeneric.FUNCTION, null, ORole.PERMISSION_READ);


Now, for end users this code looks a bit cryptic, and for sure the documentation about security (http://orientdb.com/docs/2.0/orientdb.wiki/Security.html) is not enough to replicate this.
I may contribute with some documentation, if needed, but first I have to understand myself how it actually works.

Adding visitor.addRule(ORule.ResourceGeneric.CLASS, "Invoice", ORole.PERMISSION_READ); doesn't do the magic, while removing visitor.addRule(ORule.ResourceGeneric.CLUSTER, null, ORole.PERMISSION_READ); prevents reading every class.

Does anybody have any suggestion or had the same problem before?
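As an added example (not code from the thread or from OrientDB itself): the baseline read rules from the follow-up above, packaged as a helper that builds a DENY_ALL_BUT role, grants write access on one class, and checks in memory what the role actually allows before any user is created with it. It assumes the class's default cluster is the lower-cased class name, and "Invoice" and "Other" are placeholder class names.

```java
import com.orientechnologies.orient.core.metadata.OMetadataDefault;
import com.orientechnologies.orient.core.metadata.security.ORole;
import com.orientechnologies.orient.core.metadata.security.ORule;
import com.orientechnologies.orient.core.metadata.security.OSecurity;

public class LeastPrivilegeRole {

    // Baseline read rules a role needs just to open the database:
    // the set copied from OSecurityShared in the thread above.
    static void addReaderBaseline(ORole role) {
        role.addRule(ORule.ResourceGeneric.DATABASE, null, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.SCHEMA, null, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.CLUSTER, OMetadataDefault.CLUSTER_INTERNAL_NAME, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.CLUSTER, "orole", ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.CLUSTER, "ouser", ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.CLASS, null, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.CLUSTER, null, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.COMMAND, null, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.RECORD_HOOK, null, ORole.PERMISSION_READ);
        role.addRule(ORule.ResourceGeneric.FUNCTION, null, ORole.PERMISSION_READ);
    }

    // Create (or reuse) a deny-by-default role that can read what the baseline
    // allows and additionally write the single class it is meant to edit.
    // Assumption: the class's records live in the cluster named after it in lower case.
    static ORole createVisitorRole(OSecurity security, String writableClass) {
        ORole role = security.getRole("Visitor");
        if (role == null) {
            role = security.createRole("Visitor", ORole.ALLOW_MODES.DENY_ALL_BUT);
            addReaderBaseline(role);
            role.addRule(ORule.ResourceGeneric.CLASS, writableClass, ORole.PERMISSION_ALL);
            role.addRule(ORule.ResourceGeneric.CLUSTER, writableClass.toLowerCase(), ORole.PERMISSION_ALL);
            role.save();
        }
        return role;
    }

    // Check the rule set before trusting it: the role must be able to read the
    // database and update the target class, but must NOT be able to update others.
    static boolean verify(ORole role, String writableClass, String otherClass) {
        return role.allow(ORule.ResourceGeneric.DATABASE, null, ORole.PERMISSION_READ)
            && role.allow(ORule.ResourceGeneric.CLASS, writableClass, ORole.PERMISSION_UPDATE)
            && !role.allow(ORule.ResourceGeneric.CLASS, otherClass, ORole.PERMISSION_UPDATE);
    }
}
```

Because the role is deny-by-default, any class added to the schema later is read-only for it until a rule is added explicitly, so the check is worth re-running after schema changes.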

Romain Lalaut

Nov 21, 2015, 5:36:13 PM
to OrientDB
Thank you Maverick, you saved me!

Luca Garulli

Nov 22, 2015, 11:48:55 AM
to OrientDB
Hi Maverick,
You're right, there is no documentation for that part. Would you like to contribute to it?

Best Regards,

Luca Garulli
Founder & CEO



Maverick

Nov 29, 2015, 4:14:10 PM
to OrientDB
Hi Luca

In principle I'm still available to contribute. However, I'm unsure how I could do it, because I don't have the knowledge. In fact, the project I'm working on (https://github.com/RISCOSS/riscoss-corporate) is near its end and we basically dropped all the planned role management stuff because we were losing too much time searching for info.
Anyway, if you have any idea you can contact me by mail.

Luca Garulli

Nov 29, 2015, 4:34:45 PM
to OrientDB

Best Regards,

Luca Garulli
Founder & CEO

