Graph Access Control


Michael McIntosh

Jan 18, 2011, 5:27:23 PM
to open...@googlegroups.com
Are there any samples showing how the Graph Access Controls are supposed to work?
Is the implementation dependent on the DB used?

Regards,
Mike McIntosh

Jordi Albornoz Mulligan

Jan 21, 2011, 4:59:39 PM
to open...@googlegroups.com
Hi Mike,

On 1/18/2011 5:27 PM, Michael McIntosh wrote:
> Are there any samples showing how the Graph Access Controls are supposed
> to work?

There are examples of various aspects of using the Anzo API in the
org.openanzo.client.sample project. They are Java examples but almost
all of the concepts translate directly to the Anzo JavaScript API. See

http://svn.openanzo.org/svn/openanzo/openanzo/trunk/org.openanzo.client.sample/

However, the example for access control there isn't very deep. I've
attached an example that goes into more detail to demonstrate and
explain the access control system. The biggest differences when doing a
similar example in JavaScript are the constants such as the
EVERYONE_ROLE, canBeReadBy predicate, etc. Also, in JavaScript many of
the methods used in the example are asynchronous and you'll need to
supply callbacks.

One gotcha that you may possibly be running into is that, in Anzo, you
can configure any user as a 'sysadmin'. If the user is in the group that
denotes them as a sysadmin, then they can do anything they want to any
graph in Anzo. This is sort of like the unix 'root' idea. In the default
configuration for users that is included with Open Anzo, many of the
users there are marked as sysadmins. The only two that aren't are:
'default' and 'defaultNoRights'. If you are using some of the others
like 'tom', 'melissa', etc. you wouldn't see any effect from the access
control statements, since they always have full access no matter what.

> Is the implementation dependent on the DB used?

No. The access control behavior is completely independent of the DB used.

--
Jordi Albornoz Mulligan
Founding Engineer - Cambridge Semantics
jo...@cambridgesemantics.com
(617) 401-7321

GraphPermissions.java

Michael McIntosh

Jan 21, 2011, 5:36:48 PM
to open...@googlegroups.com
You are correct, I was misled by the names of the users. I had not built my own code yet for creating users (until today), so I used built-in users for my testing.
One other thing that confused me was that it seems like if a sysadmin user creates a graph, no access control statements are included in that graph's metadata graph.
But if a "normal" user creates a graph, 3 access control statements are added, making only that user able to add/remove/read (that is what led me today to believe that the Java API returned different results from the JS API).

Thanks for getting back to me.

Regards,
Mike
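
The behaviour discussed in this thread (the sysadmin bypass and the statements written when a graph is created), as an added toy model in JavaScript that is not part of the original posts and is not Open Anzo code. The role URIs, the role memberships, the `canBeAddedToBy`/`canBeRemovedFromBy` names, the helper functions and the deny-when-no-statement rule are assumptions made for illustration.

```javascript
// Toy model of the behaviour described in this thread; it does not call the Anzo API.
// Role URIs, user-to-role memberships and the add/remove predicate names are assumptions.
const SYSADMIN = "urn:example:role/sysadmin";
const EVERYONE_ROLE = "urn:example:role/everyone";
const PREDICATES = ["canBeReadBy", "canBeAddedToBy", "canBeRemovedFromBy"];

// Constructed sample accounts: per the thread, only 'default' and 'defaultNoRights' are not sysadmins.
const roles = {
  tom: [SYSADMIN, EVERYONE_ROLE],
  melissa: [SYSADMIN, EVERYONE_ROLE],
  default: [EVERYONE_ROLE],
  defaultNoRights: [],
};

const isSysadmin = (user) => (roles[user] || []).includes(SYSADMIN);

// Metadata statements written at creation time, as observed in the thread:
// none for a sysadmin creator, three creator-only grants for a normal user.
function createGraph(store, creator, graph) {
  store[graph] = isSysadmin(creator)
    ? []
    : PREDICATES.map((predicate) => ({ predicate, principal: creator }));
  return store[graph];
}

// Returns { allowed, via } so a test can tell an ACL grant from the sysadmin bypass.
// Assumption: with no matching statement, a non-sysadmin is denied.
function check(store, user, graph, predicate) {
  if (isSysadmin(user)) return { allowed: true, via: "sysadmin-bypass" };
  const principals = [user, ...(roles[user] || [])];
  const hit = (store[graph] || []).some(
    (s) => s.predicate === predicate && principals.includes(s.principal)
  );
  return { allowed: hit, via: hit ? "acl" : "no-grant" };
}

// Grant read access to a role or user by adding a metadata statement.
function grantRead(store, graph, principal) {
  store[graph].push({ predicate: "canBeReadBy", principal });
}

// An ACL test only proves something when the probing account is not a sysadmin.
function probeRead(store, user, graph) {
  const r = check(store, user, graph, "canBeReadBy");
  return { user, ...r, meaningful: r.via !== "sysadmin-bypass" };
}
```

Running `probeRead` with a sysadmin account always reports `allowed: true` with `meaningful: false`, which is the situation described above when testing with users such as 'tom'.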

