traverse in a graph with a restricted cluser throws a security exception rendering traverse unusable

29 views
Skip to first unread message

Neil Dsouza

unread,
Nov 3, 2016, 8:11:24 AM11/3/16
to OrientDB
i have a vertex class called "product" - read to everyone
product has a derrived class "product_secret" - read to only administrators

and there is another vertex class "manufacturing". There are links from product to manufacturing.

Note that the edge class is not role restricted.

now if i am a normal user, I cannot do:
- traverse: will always fail with com.orientechnologies.orient.core.exception.OSecurityAccessException: User 'xxx' has no the permission to execute the operation 'Read' against the resource: ResourceGeneric [name=CLUSTER, legacyName=database.cluster].product_secret
-select without a where condition. Note that if i have a where condition, this will return correct record, empty set if i do a where @class='product_secret'.

Just one restricted cluster in the graph makes the whole graph unusable for me.

The expected behavior would be just to just exclude vertices that are restricted and also paths that include restricted vertices

Is there any workaround or am I using this incorrectly?

alessand...@gmail.com

unread,
Nov 3, 2016, 9:43:16 AM11/3/16
to OrientDB
Hi,
what version are you using ?

Alessandro

Neil Dsouza

unread,
Nov 3, 2016, 11:48:47 AM11/3/16
to orient-...@googlegroups.com
2.1.9, but i also tried with 2.2.12. Same thing.

user.w...@gmail.com

unread,
Nov 3, 2016, 1:27:50 PM11/3/16
to OrientDB
Hi,

can you post the instructions that you've execute, so I can try to reproduce your problem?

Thx in advance

Regards,
Michela 

Neil Dsouza

unread,
Nov 3, 2016, 3:09:12 PM11/3/16
to OrientDB
just pm'ed you the sql

Neil Dsouza

unread,
Nov 3, 2016, 3:20:35 PM11/3/16
to OrientDB
and for anyone else:

after this, login as reader and do
select from product -->  i would expect bananas
or select expand(in('intermediate')) from manufacturing--> i would expect bananas

----
create class product extends V
create class product_secret extends product
create class manufacturing extends V
create class intermediate extends E
alter class OIdentity superclass V
UPDATE ORole PUT rules = "database.class.product_secret", 0 WHERE name = "reader"
UPDATE ORole PUT rules = "database.cluster.product_secret", 0 WHERE name = "reader"


insert into product set name = 'bananas'
insert into manufacturing set name = 'banana growing'
insert into product_secret set name = 'apples'
insert into manufacturing set name = 'apple growing'
create edge intermediate from (select from product where name = 'bananas') to (select from manufacturing where name = 'banana growing')
create edge intermediate from (select from product where name = 'apples') to (select from manufacturing where name = 'apple growing')

----

Oleksandr Gubchenko

unread,
Nov 3, 2016, 5:30:17 PM11/3/16
to OrientDB
Hi,

I've reproduced your issue, can you open a request on github?

Thanks.

Neil Dsouza

unread,
Nov 4, 2016, 3:10:55 AM11/4/16
to OrientDB
Done

--

---
You received this message because you are subscribed to a topic in the Google Groups "OrientDB" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/orient-database/MNzVIoD5J6Q/unsubscribe.
To unsubscribe from this group and all its topics, send an email to orient-databa...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Neil Dsouza

unread,
Nov 4, 2016, 3:11:18 AM11/4/16
to OrientDB
And thank you all for your lightening speed responses.
Reply all
Reply to author
Forward
0 new messages