/**
 * Grants READ on the schema and search UI features to every root role (a role
 * with no parent role) and persists each role it touched.
 *
 * @param app the running application; not read by this method
 * @param db  the database whose security roles are updated
 */
private void assignSchemaFeature(OrienteerWebApplication app, ODatabaseDocument db) {
  final int readFlag = OrientPermission.READ.getPermissionFlag();
  for (ODocument roleDoc : db.getMetadata().getSecurity().getAllRoles()) {
    final ORole role = new ORole(roleDoc);
    // Only top-level roles are touched; presumably child roles pick the grant
    // up through their parent chain — verify against ORole.allow().
    if (role.getParentRole() != null) {
      continue;
    }
    // NOTE(review): every root role, including the deny-by-default ones,
    // receives both features; narrow this if some root roles must not see
    // the schema or search pages.
    role.grant(OSecurityHelper.FEATURE_RESOURCE, SchemaPage.SCHEMA_FEATURE, readFlag);
    role.grant(OSecurityHelper.FEATURE_RESOURCE, SearchPage.SEARCH_FEATURE, readFlag);
    role.save();
  }
}
// NOTE(review): fragment of a larger bootstrap routine — the enclosing method,
// the declaration of writerRole and whatever follows are not visible here.
final OUser adminUser = createMetadata();

// "reader" role: deny-by-default, then open read access selectively.
final ORole readerRole = createRole("reader", ORole.ALLOW_MODES.DENY_ALL_BUT);
readerRole.addRule(ORule.ResourceGeneric.DATABASE, null, ORole.PERMISSION_READ);
readerRole.addRule(ORule.ResourceGeneric.SCHEMA, null, ORole.PERMISSION_READ);
readerRole.addRule(ORule.ResourceGeneric.CLUSTER, OMetadataDefault.CLUSTER_INTERNAL_NAME, ORole.PERMISSION_READ);
// The security clusters are set to NONE explicitly so that the CLUSTER
// wildcard READ below does not let a reader enumerate roles and users.
readerRole.addRule(ORule.ResourceGeneric.CLUSTER, "orole", ORole.PERMISSION_NONE);
readerRole.addRule(ORule.ResourceGeneric.CLUSTER, "ouser", ORole.PERMISSION_NONE);
readerRole.addRule(ORule.ResourceGeneric.CLASS, null, ORole.PERMISSION_READ);
readerRole.addRule(ORule.ResourceGeneric.CLASS, "OUser", ORole.PERMISSION_NONE);
readerRole.addRule(ORule.ResourceGeneric.CLUSTER, null, ORole.PERMISSION_READ);
readerRole.addRule(ORule.ResourceGeneric.COMMAND, null, ORole.PERMISSION_READ);
readerRole.addRule(ORule.ResourceGeneric.RECORD_HOOK, null, ORole.PERMISSION_READ);
readerRole.addRule(ORule.ResourceGeneric.FUNCTION, null, ORole.PERMISSION_READ);
readerRole.addRule(ORule.ResourceGeneric.SYSTEM_CLUSTERS, null, ORole.PERMISSION_NONE);
readerRole.save();
// Presumably (name, password, roles): the account is created with a password
// equal to its user name — a well-known default that deployments must change.
createUser("reader", "reader", new String[] { readerRole.getName() });

// "writer" role (declared outside this fragment).
writerRole.addRule(ORule.ResourceGeneric.DATABASE, null, ORole.PERMISSION_READ);
writerRole.addRule(ORule.ResourceGeneric.SCHEMA, null, ORole.PERMISSION_READ);
writerRole.addRule(ORule.ResourceGeneric.CLUSTER, OMetadataDefault.CLUSTER_INTERNAL_NAME, ORole.PERMISSION_READ);
// NOTE(review): these two calls target readerRole inside the writer section
// and merely repeat the two reader rules above; they look like a copy-paste
// slip for writerRole, which otherwise gets no explicit NONE rule on the
// "orole"/"ouser" clusters while receiving CLUSTER wildcard ALL below.
// Confirm intent before relying on this role for least privilege.
readerRole.addRule(ORule.ResourceGeneric.CLUSTER, "orole", ORole.PERMISSION_NONE);
readerRole.addRule(ORule.ResourceGeneric.CLUSTER, "ouser", ORole.PERMISSION_NONE);
writerRole.addRule(ORule.ResourceGeneric.CLASS, null, ORole.PERMISSION_ALL);
writerRole.addRule(ORule.ResourceGeneric.CLASS, "OUser", ORole.PERMISSION_NONE);
writerRole.addRule(ORule.ResourceGeneric.CLUSTER, null, ORole.PERMISSION_ALL);
writerRole.addRule(ORule.ResourceGeneric.COMMAND, null, ORole.PERMISSION_ALL);
writerRole.addRule(ORule.ResourceGeneric.RECORD_HOOK, null, ORole.PERMISSION_ALL);
writerRole.addRule(ORule.ResourceGeneric.FUNCTION, null, ORole.PERMISSION_READ);
/**
 * Builds an immutable snapshot of {@code role}: its parent chain (snapshotted
 * recursively), allow mode, name, record identity, the wrapped role itself and
 * a copy of its rules keyed by generic resource.
 *
 * @param role the mutable role to snapshot
 */
public OImmutableRole(ORole role) {
  final ORole parent = role.getParentRole();
  // Snapshot the parent too, so the whole inheritance chain is immutable.
  this.parentRole = parent == null ? null : new OImmutableRole(parent);
  this.mode = role.getMode();
  this.name = role.getName();
  this.rid = role.getIdentity().getIdentity();
  this.role = role;
  // NOTE(review): rules is keyed by ResourceGeneric only, so if getRuleSet()
  // ever yields two rules for the same generic resource the later one wins
  // here — confirm it yields at most one per generic.
  for (final ORule rule : role.getRuleSet()) {
    rules.put(rule.getResourceGeneric(), rule);
  }
}
/**
 * Narrows the "reader" role to the perspective module's classes and binds the
 * role's visibility to the given reader document and perspective.
 *
 * @param db          database whose security metadata is modified
 * @param reader      document written into the role's ALLOW_READ field
 * @param perspective perspective document linked to the role; its own
 *                    ALLOW_READ is set to the role document
 */
private void updateReaderPermissions(ODatabaseDocument db, ODocument reader, ODocument perspective) {
  final ORole readerRole = db.getMetadata().getSecurity().getRole("reader");
  final int readFlag = READ.getPermissionFlag();

  // Open the perspective module's classes to readers.
  readerRole.grant(ResourceGeneric.CLASS, PerspectivesModule.OCLASS_ITEM, readFlag);
  readerRole.grant(ResourceGeneric.CLASS, PerspectivesModule.OCLASS_PERSPECTIVE, readFlag);
  // A zero flag on the CLASS wildcard and on the two UI features — presumably
  // this clears the broad permission the reader role otherwise carries, so
  // readers keep only what is granted explicitly; confirm against ORole.grant.
  readerRole.grant(ResourceGeneric.CLASS, null, 0);
  readerRole.grant(ResourceGeneric.CLASS, ORole.CLASS_NAME, readFlag);
  readerRole.grant(OSecurityHelper.FEATURE_RESOURCE, SearchPage.SEARCH_FEATURE, 0);
  readerRole.grant(OSecurityHelper.FEATURE_RESOURCE, SchemaPage.SCHEMA_FEATURE, 0);

  // Restrict who may read the role document itself and link it to the perspective.
  final String allowReadField = ORestrictedOperation.ALLOW_READ.getFieldName();
  readerRole.getDocument().field(allowReadField, Collections.singletonList(reader));
  readerRole.getDocument().field(PerspectivesModule.PROP_PERSPECTIVE, perspective);
  readerRole.save();

  // Conversely, the perspective becomes readable by holders of this role.
  perspective.field(allowReadField, Collections.singleton(readerRole.getDocument()));
  perspective.save();
}
// NOTE(review): fragment of a larger method — the enclosing block and the
// closing brace of the else branch are not visible here.
Object loadedRules = document.field("rules");
if (loadedRules instanceof Map) {
  // Legacy on-disk layout: resource name -> permission number.
  loadOldVersionOfRules((Map<String, Number>) loadedRules);
} else {
  // Current layout. The cast is unchecked: the stored field is trusted to be
  // a Set<ODocument>; storedRules is presumably consumed past this fragment.
  final Set<ODocument> storedRules = (Set<ODocument>) loadedRules;
  // The built-in "admin" role is always re-granted BYPASS_RESTRICTED if it
  // lacks it — presumably so record-level restrictions cannot lock admin out.
  if (getName().equals("admin") && !hasRule(ORule.ResourceGeneric.BYPASS_RESTRICTED, null))
    addRule(ORule.ResourceGeneric.BYPASS_RESTRICTED, null, ORole.PERMISSION_ALL).save();
  updateRolesDocumentContent();
  save();
/**
 * Tells whether this user holds the named role.
 *
 * @param iRoleName         role name to look for
 * @param iIncludeInherited when true, also walks each held role's parent chain
 * @return true if a held role (or, when requested, one of its ancestors) is
 *         named {@code iRoleName}
 */
public boolean hasRole(final String iRoleName, final boolean iIncludeInherited) {
  for (final ORole held : roles) {
    if (held.getName().equals(iRoleName)) {
      return true;
    }
    if (!iIncludeInherited) {
      continue;
    }
    // Walk up the inheritance chain until a match or the root.
    for (ORole ancestor = held.getParentRole(); ancestor != null; ancestor = ancestor.getParentRole()) {
      if (ancestor.getName().equals(iRoleName)) {
        return true;
      }
    }
  }
  return false;
}
/**
 * Creates a new role document named {@code iName}, optionally inheriting from
 * {@code iParent}, with the given allow mode, and initialises its rules content.
 *
 * @param iName      the role name
 * @param iParent    parent role, or null for a root role
 * @param iAllowMode default decision when no rule matches
 */
public ORole(final String iName, final ORole iParent, final ALLOW_MODES iAllowMode) {
  super(CLASS_NAME);
  document.field("name", iName);
  parentRole = iParent;
  // The parent is persisted as a link to its document; a root role stores null.
  final ODocument parentDoc;
  if (iParent == null) {
    parentDoc = null;
  } else {
    parentDoc = iParent.getDocument();
  }
  document.field("inheritedRole", parentDoc);
  setMode(iAllowMode);
  updateRolesDocumentContent();
}
/**
 * Legacy entry point: splits a string resource into its generic resource and
 * optional specific name, then delegates to the typed {@code grant}. A missing
 * or {@code "*"} specific part means the whole generic resource.
 */
@Deprecated
@Override
public OSecurityRole grant(String iResource, int iOperation) {
  final String specific = ORule.mapLegacyResourceToSpecificResource(iResource);
  final ORule.ResourceGeneric generic = ORule.mapLegacyResourceToGenericResource(iResource);
  final boolean wholeResource = specific == null || "*".equals(specific);
  return grant(generic, wholeResource ? null : specific, iOperation);
}
/**
 * Decides whether {@code iCRUDOperation} on the given resource is permitted.
 * Resolution order: this role's rule for the generic resource (if it gives a
 * definite answer), then the parent role, and finally the allow mode — with no
 * rule deciding, access is granted only under ALLOW_ALL_BUT, so DENY_ALL_BUT
 * roles deny by default.
 *
 * @param resourceGeneric  generic resource class being accessed
 * @param resourceSpecific specific resource name, or null for the generic one
 * @param iCRUDOperation   permission flag(s) requested
 * @return true when the operation is allowed
 */
public boolean allow(final ORule.ResourceGeneric resourceGeneric, String resourceSpecific, final int iCRUDOperation) {
  final ORule ownRule = rules.get(resourceGeneric);
  final Boolean decision = ownRule == null ? null : ownRule.isAllowed(resourceSpecific, iCRUDOperation);
  if (decision != null) {
    return decision;
  }
  if (parentRole != null) {
    // No definite answer at this level: defer to the inheritance chain.
    return parentRole.allow(resourceGeneric, resourceSpecific, iCRUDOperation);
  }
  return mode == ALLOW_MODES.ALLOW_ALL_BUT;
}
/**
 * Removes every held role named {@code iRoleName} and, if any was removed,
 * rewrites the persisted "roles" field from the remaining roles.
 *
 * @param iRoleName name of the role(s) to drop
 * @return true if at least one role was removed
 */
public boolean removeRole(final String iRoleName) {
  boolean changed = false;
  final Iterator<ORole> cursor = roles.iterator();
  while (cursor.hasNext()) {
    if (cursor.next().getName().equals(iRoleName)) {
      cursor.remove();
      changed = true;
    }
  }
  if (changed) {
    // Re-serialise the surviving roles so the document matches in-memory state.
    final HashSet<ODocument> persisted = new HashSet<>();
    for (final ORole remaining : roles) {
      persisted.add(remaining.toStream());
    }
    document.field("roles", persisted);
  }
  return changed;
}
/**
 * Factory hook for role instances loaded from {@code roleDoc}. Subclasses may
 * return an extended ORole, or null to have the role skipped.
 *
 * @param roleDoc the stored role document
 * @return a role wrapping {@code roleDoc}; this base implementation never returns null
 */
protected ORole createRole(final ODocument roleDoc) {
  final ORole role = new ORole(roleDoc);
  return role;
}
/** Returns the backing document of the wrapped (mutable) role. */
@Override
public ODocument getDocument() {
  final ODocument backing = role.getDocument();
  return backing;
}
}
/** The role's name doubles as its string form. */
@Override
public String toString() {
  final String roleName = getName();
  return roleName;
}
/**
 * Legacy entry point: splits a string resource into its generic resource and
 * optional specific name, then delegates to the typed {@code addRule}. A
 * missing or {@code "*"} specific part means the whole generic resource.
 */
@Deprecated
@Override
public OSecurityRole addRule(String iResource, int iOperation) {
  final String specific = ORule.mapLegacyResourceToSpecificResource(iResource);
  final ORule.ResourceGeneric generic = ORule.mapLegacyResourceToGenericResource(iResource);
  final boolean wholeResource = specific == null || "*".equals(specific);
  return addRule(generic, wholeResource ? null : specific, iOperation);
}
/**
 * Legacy entry point: splits a string resource into its generic resource and
 * optional specific name, then delegates to the typed {@code revoke}. A
 * missing or {@code "*"} specific part means the whole generic resource.
 */
@Deprecated
@Override
public OSecurityRole revoke(String iResource, int iOperation) {
  final String specific = ORule.mapLegacyResourceToSpecificResource(iResource);
  final ORule.ResourceGeneric generic = ORule.mapLegacyResourceToGenericResource(iResource);
  final boolean wholeResource = specific == null || "*".equals(specific);
  return revoke(generic, wholeResource ? null : specific, iOperation);
}