traverse in a graph with a restricted cluser throws a security exception rendering traverse unusable
29 views
Skip to first unread message
Neil Dsouza
Nov 3, 2016, 8:11:24 AM11/3/16
to OrientDB
i have a vertex class called "product" - read to everyone
product has a derrived class "product_secret" - read to only administrators
and there is another vertex class "manufacturing". There are links from product to manufacturing.
Note that the edge class is not role restricted.
now if i am a normal user, I cannot do:
- traverse: will always fail with com.orientechnologies.orient.core.exception.OSecurityAccessException: User 'xxx' has no the permission to execute the operation 'Read' against the resource: ResourceGeneric [name=CLUSTER, legacyName=database.cluster].product_secret
-select without a where condition. Note that if i have a where condition, this will return correct record, empty set if i do a where @class='product_secret'.
Just one restricted cluster in the graph makes the whole graph unusable for me.
The expected behavior would be just to just exclude vertices that are restricted and also paths that include restricted vertices
Is there any workaround or am I using this incorrectly?
product has a derrived class "product_secret" - read to only administrators
and there is another vertex class "manufacturing". There are links from product to manufacturing.
Note that the edge class is not role restricted.
now if i am a normal user, I cannot do:
- traverse: will always fail with com.orientechnologies.orient.core.exception.OSecurityAccessException: User 'xxx' has no the permission to execute the operation 'Read' against the resource: ResourceGeneric [name=CLUSTER, legacyName=database.cluster].product_secret
-select without a where condition. Note that if i have a where condition, this will return correct record, empty set if i do a where @class='product_secret'.
Just one restricted cluster in the graph makes the whole graph unusable for me.
The expected behavior would be just to just exclude vertices that are restricted and also paths that include restricted vertices
Is there any workaround or am I using this incorrectly?
alessand...@gmail.com
Nov 3, 2016, 9:43:16 AM11/3/16
to OrientDB
Hi,
what version are you using ?
Alessandro
Neil Dsouza
Nov 3, 2016, 11:48:47 AM11/3/16
to orient-...@googlegroups.com
2.1.9, but i also tried with 2.2.12. Same thing.
user.w...@gmail.com
Nov 3, 2016, 1:27:50 PM11/3/16
to OrientDB
Hi,
can you post the instructions that you've execute, so I can try to reproduce your problem?
Thx in advance
Regards,
Michela
Neil Dsouza
Nov 3, 2016, 3:09:12 PM11/3/16
to OrientDB
just pm'ed you the sql
Neil Dsouza
Nov 3, 2016, 3:20:35 PM11/3/16
to OrientDB
and for anyone else:
after this, login as reader and do
select from product --> i would expect bananas
or select expand(in('intermediate')) from manufacturing--> i would expect bananas
----
create class product extends V
create class product_secret extends product
create class manufacturing extends V
create class intermediate extends E
alter class OIdentity superclass V
UPDATE ORole PUT rules = "database.class.product_secret", 0 WHERE name = "reader"
UPDATE ORole PUT rules = "database.cluster.product_secret", 0 WHERE name = "reader"
insert into product set name = 'bananas'
insert into manufacturing set name = 'banana growing'
insert into product_secret set name = 'apples'
insert into manufacturing set name = 'apple growing'
create edge intermediate from (select from product where name = 'bananas') to (select from manufacturing where name = 'banana growing')
create edge intermediate from (select from product where name = 'apples') to (select from manufacturing where name = 'apple growing')
----
after this, login as reader and do
select from product --> i would expect bananas
or select expand(in('intermediate')) from manufacturing--> i would expect bananas
----
create class product extends V
create class product_secret extends product
create class manufacturing extends V
create class intermediate extends E
alter class OIdentity superclass V
UPDATE ORole PUT rules = "database.class.product_secret", 0 WHERE name = "reader"
UPDATE ORole PUT rules = "database.cluster.product_secret", 0 WHERE name = "reader"
insert into product set name = 'bananas'
insert into manufacturing set name = 'banana growing'
insert into product_secret set name = 'apples'
insert into manufacturing set name = 'apple growing'
create edge intermediate from (select from product where name = 'bananas') to (select from manufacturing where name = 'banana growing')
create edge intermediate from (select from product where name = 'apples') to (select from manufacturing where name = 'apple growing')
----
Oleksandr Gubchenko
Nov 3, 2016, 5:30:17 PM11/3/16
to OrientDB
Hi,
I've reproduced your issue, can you open a request on github?
Thanks.
Neil Dsouza
Nov 4, 2016, 3:10:55 AM11/4/16
to OrientDB
Done
--
---
You received this message because you are subscribed to a topic in the Google Groups "OrientDB" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/orient-database/MNzVIoD5J6Q/unsubscribe.
To unsubscribe from this group and all its topics, send an email to orient-databa...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Neil Dsouza
Nov 4, 2016, 3:11:18 AM11/4/16
to OrientDB
And thank you all for your lightening speed responses.
Reply all
Reply to author
Forward
0 new messages