Why are OUser / ORole not subclasses of ORestricted?


Gaurav Dhiman

Mar 5, 2014, 8:45:26 AM
to orient-...@googlegroups.com
Hi,

As OUser / ORole are not subclasses of ORestricted, all records of these classes can be fetched by any system user by default and no record-level access can be restricted for records in these classes. Is that understanding right? If so, any user of the system can see details of other users (including usernames and hashed passwords); is that not a security concern?

To overcome this, won't it be good if all classes are derived from ORestricted, including OIdentity? As per my short understanding of OrientDB security, I think it will be good to have the class structure below:

ORestricted --> OIdentity --> OUser
ORestricted --> OIdentity --> ORole
ORestricted --> Other developer defined classes

Is it advisable to delete the default classes OUser, ORole, OIdentity and ORestricted and re-create them to arrange them in the above structure? Will OrientDB still follow the security rules?

Regards,
Gaurav

Andrey Lomakin

Mar 6, 2014, 5:38:00 AM
to orient-database
Hi Gaurav,
You are right.

We have this in the pool of our tasks to complete and I think it will even be good to have in the final 1.7 version.
Could you kindly create an issue in the bug tracker to make this possible?


--

---
You received this message because you are subscribed to the Google Groups "OrientDB" group.
To unsubscribe from this group and stop receiving emails from it, send an email to orient-databa...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.



--
Best regards,
Andrey Lomakin.

Orient Technologies
the Company behind OrientDB

Gaurav Dhiman

Mar 6, 2014, 6:21:29 AM
to orient-...@googlegroups.com
Thanks Andrey for confirming.
Created an issue in the bug tracker; here is the link: https://github.com/orientechnologies/orientdb/issues/2095

Regards,
Gaurav

Gaurav Dhiman

Mar 7, 2014, 7:06:26 AM
to orient-...@googlegroups.com
Until this change is done, what are the available options to restrict access to the OUser and ORole classes?

If we define a role with no access (not even read) to the OUser and ORole classes and put non-admin users in that role, will those users be able to change their password and other user-related details?

Regards,
Gaurav

Andrey Lomakin

Mar 7, 2014, 9:29:10 AM
to orient-database
You can do the same yourself for your db instance: log in as root, drop class OUser and recreate it, then add the existing user records and you will have this feature.

Gaurav Dhiman

Mar 7, 2014, 9:43:11 AM
to orient-...@googlegroups.com
Andrey, I tried doing it before posting my last message, but as soon as I delete the OUser class, all users of the DB are gone and thereafter even the logged-in user is not able to do anything (delete OIdentity, re-create the OIdentity, OUser and ORole classes).

How can I do it?

Regards,
Gaurav


Andrey Lomakin

Mar 7, 2014, 9:45:44 AM
to orient-database
That is because you are not logged in as root on the server.
I mean the root user from the server configuration XML.

Gaurav Dhiman

Mar 7, 2014, 2:11:57 PM
to orient-...@googlegroups.com
Hi Andrey,

I was logged in as the root user (server user), but as explained earlier, after deleting the OUser class things do not work.
Attached are the snapshots for your reference. Do you have any suggestions? Thanks for helping out!

Best Regards,
Gaurav


OrientDB-OUser-Exception.png
OrientDB-OUser-Exception-Cmd.png

Luca Garulli

Mar 7, 2014, 8:06:41 PM
to orient-database

Hi,
Have you already tried just:

Alter class OUser superclass ORestricted

?

Lvc@

Sent from Mobile device
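The following is an added worked example, not code from the thread or from OrientDB's own documentation. It expands Luca's one-line answer and addresses Gaurav's earlier question about whether users locked out of OUser can still change their own password. It assumes OrientDB SQL, the record-level security fields that the ORestricted class provides (_allow, _allowRead, _allowUpdate, _allowDelete), and that the admin role is exempt from ORestricted checks; the record id #5:1 and the user name 'alice' are constructed placeholders.

```sql
-- Added example (not from the thread). Run these as an admin or server root user.

-- 1. Make OUser inherit the record-level security hook instead of dropping
--    and re-creating the class (which takes every user record with it).
ALTER CLASS OUser SUPERCLASS ORestricted;

-- 2. Caveat: records that existed before the ALTER carry no _allow* fields.
--    Under ORestricted a record with no _allow* entries is readable only by
--    admin, so each user must be granted access to its own record explicitly.
--    Look up the @rid of each user first.
SELECT @rid, name, roles FROM OUser;

-- 3. Let user 'alice' read and update her own record. #5:1 is a constructed
--    placeholder for the @rid returned above. _allowDelete is left unset so
--    she cannot remove her own account.
UPDATE OUser SET _allowRead = [#5:1], _allowUpdate = [#5:1] WHERE name = 'alice';

-- 4. Check: connected as alice this returns only her own record; connected as
--    admin it still returns every user, since admin bypasses ORestricted.
SELECT name FROM OUser;
```

Note that _allowUpdate is a whole-record permission: it covers the roles and status fields as well as password, so it is broader than a password-only change. Class-level permissions on OUser (the role-based restriction Gaurav asked about) still apply on top of these record-level fields; a role with no read permission on OUser will not see its own record even when _allowRead is set.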

Gaurav Dhiman

Mar 8, 2014, 7:21:00 AM
to orient-...@googlegroups.com
Thanks Luca, that helped.
It was an easy one but did not strike me :-)

Regards,
Gaurav
