/**
 * Creates the user described by this object's {@code userName} and {@code password} fields in the
 * given database and assigns it the built-in {@link ORole#ADMIN} role unconditionally.
 *
 * @param database database whose security metadata receives the new user
 */
void createUser(final ODatabase<?> database) {
    // Resolve the admin role first; the new account is always granted it.
    final ORole adminRole = database.getMetadata().getSecurity().getRole(ORole.ADMIN);
    // The password is turned into a String here because OSecurity.createUser takes a String;
    // the field itself is presumably a char[]/byte[] — confirm against its declaration.
    database.getMetadata().getSecurity().createUser(userName, new String(password), adminRole);
}
}
/**
 * Looks up a role by name. The lookup runs inside a {@code DBClosure.sudo} closure, so it
 * presumably does not depend on the calling user's own read rights on roles — confirm against
 * {@code DBClosure}.
 *
 * @param name role name
 * @return the matching {@link ORole}, or an empty {@link Optional} when no role has that name
 */
public static Optional<ORole> getRoleByName(String name) {
    return DBClosure.sudo(db -> {
        final ORole role = db.getMetadata().getSecurity().getRole(name);
        return Optional.ofNullable(role);
    });
}
/**
 * Loads the {@link ORole} named by the enclosing widget's model object. The model object is read
 * through {@code ORoleSecurityWidget.this}, presumably because this anonymous class has model
 * accessors of its own that would otherwise shadow the widget's.
 */
@Override
protected ORole load() {
    final ORole resolved = getDatabase().getMetadata().getSecurity()
            .getRole(ORoleSecurityWidget.this.getModelObject());
    return resolved;
}
};
sb.append(ROLE_FIELD_NAME); sb.append(" IN ["); OSecurity security = ctx.getDatabase().getMetadata().getSecurity(); for (int i = 0; i < this.roles.size(); ++i) { String roleName = this.roles.get(i).getStringValue();
/**
 * Changes current connection user. See
 * {@link #executeWithTxUser(com.orientechnologies.orient.core.metadata.security.OSecurityUser, SpecificUserAction)}.
 * <p>
 * LIMITATION: current user must have read right on users table.
 *
 * @param user       user login
 * @param userAction logic to execute with specific user
 * @param <T>        type of returned result (may be Void)
 * @return action result (may be null)
 * @throws IllegalStateException if a switch to {@code user} is required but no such user exists
 */
public <T> T executeWithTxUser(final String user, final SpecificUserAction<T> userAction) {
    final boolean switchUser = checkSpecificUserConditions(user);
    final ODatabaseDocument db = connectionProvider.get();
    if (!switchUser) {
        // Nothing to switch: run the action as the connection's current user.
        return executeWithTxUser(db.getUser(), userAction);
    }
    // This may cause a security exception if the current user has no access rights to the users table.
    final OUser specificUser = db.getMetadata().getSecurity().getUser(user);
    Preconditions.checkState(specificUser != null, "User '%s' not found", user);
    return executeWithTxUser(specificUser, userAction);
}
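/**
 * Initialises the three OrientDB built-in users ({@code admin}, {@code reader}, {@code writer}) with an
 * Orienteer id ({@link OrienteerUser#PROP_ID}, a fresh random UUID) and a fixed e-mail address
 * ({@link OrienteerUser#PROP_EMAIL}), saving each user document.
 *
 * @param db database whose security metadata holds the default users
 * @throws NullPointerException if one of the built-in users does not exist in {@code db}
 */
private void updateDefaultOrienteerUsers(ODatabaseDocument db) {
    OSecurity security = db.getMetadata().getSecurity();
    assignIdAndEmail(security.getUser("admin").getDocument(), "admin@gmail.com");
    assignIdAndEmail(security.getUser("reader").getDocument(), "reader@gmail.com");
    assignIdAndEmail(security.getUser("writer").getDocument(), "writer@gmail.com");
}

/**
 * Sets a new random {@link OrienteerUser#PROP_ID} and the given e-mail on one user document and saves it.
 *
 * @param userDoc document of the user to update
 * @param email   value stored in {@link OrienteerUser#PROP_EMAIL}
 */
private static void assignIdAndEmail(ODocument userDoc, String email) {
    userDoc.field(OrienteerUser.PROP_ID, UUID.randomUUID().toString());
    userDoc.field(OrienteerUser.PROP_EMAIL, email);
    userDoc.save();
}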
/**
 * {@inheritDoc}
 * <p>
 * The stored user is always an {@link OImmutableUser}: a mutable {@link OUser} is wrapped together with
 * the current security version ({@code -1} when no metadata is available yet); any other
 * {@link OSecurityUser} is assumed to already be an {@link OImmutableUser} and is cast as such
 * (a {@link ClassCastException} results otherwise).
 */
public void setUser(final OSecurityUser user) {
    checkIfActive();
    if (!(user instanceof OUser)) {
        this.user = (OImmutableUser) user;
        return;
    }
    final OMetadata metadata = getMetadata();
    if (metadata != null) {
        this.user = new OImmutableUser(metadata.getSecurity().getVersion(), (OUser) user);
    } else {
        // No metadata means no security version to snapshot; -1 marks that.
        this.user = new OImmutableUser(-1, (OUser) user);
    }
}
/**
 * Grants READ on Orienteer's schema and search features to every top-level role (roles without a
 * parent; child roles are left untouched) and saves each modified role.
 *
 * @param app the web application (currently unused by this method)
 * @param db  database whose security metadata holds the roles
 */
private void assignSchemaFeature(OrienteerWebApplication app, ODatabaseDocument db) {
    final int readFlag = OrientPermission.READ.getPermissionFlag();
    for (ODocument roleDoc : db.getMetadata().getSecurity().getAllRoles()) {
        ORole role = new ORole(roleDoc);
        if (role.getParentRole() != null) {
            continue;
        }
        role.grant(OSecurityHelper.FEATURE_RESOURCE, SchemaPage.SCHEMA_FEATURE, readFlag);
        role.grant(OSecurityHelper.FEATURE_RESOURCE, SearchPage.SEARCH_FEATURE, readFlag);
        role.save();
    }
}
role = database.getMetadata().getSecurity().getRole(roleName); if (role == null) throw new OCommandSQLParsingException("Invalid role: " + roleName);
/**
 * Narrows the built-in {@code reader} role to Orienteer's perspective model: the blanket CLASS grant is
 * set to {@code 0} and READ is granted only on perspective items, perspectives and {@code ORole}; the
 * search and schema features are granted with flag {@code 0}. The role document is then made readable
 * only by {@code reader} (presumably the reader user's document — confirm against the caller) and linked
 * to {@code perspective}, which in turn is made readable by the role.
 *
 * @param db          database whose security metadata holds the role
 * @param reader      document placed in the role's ALLOW_READ list
 * @param perspective perspective document to link to the role
 */
private void updateReaderPermissions(ODatabaseDocument db, ODocument reader, ODocument perspective) {
    final int read = READ.getPermissionFlag();
    final ORole role = db.getMetadata().getSecurity().getRole("reader");
    // Class-level rights: allow only what the reader UI needs; the null-target grant is the
    // generic CLASS rule.
    role.grant(ResourceGeneric.CLASS, PerspectivesModule.OCLASS_ITEM, read);
    role.grant(ResourceGeneric.CLASS, PerspectivesModule.OCLASS_PERSPECTIVE, read);
    role.grant(ResourceGeneric.CLASS, null, 0);
    role.grant(ResourceGeneric.CLASS, ORole.CLASS_NAME, read);
    // Orienteer's own feature resource: search and schema get flag 0.
    role.grant(OSecurityHelper.FEATURE_RESOURCE, SearchPage.SEARCH_FEATURE, 0);
    role.grant(OSecurityHelper.FEATURE_RESOURCE, SchemaPage.SCHEMA_FEATURE, 0);
    final ODocument roleDoc = role.getDocument();
    roleDoc.field(ORestrictedOperation.ALLOW_READ.getFieldName(), Collections.singletonList(reader));
    roleDoc.field(PerspectivesModule.PROP_PERSPECTIVE, perspective);
    role.save();
    // Kept as in the original: a List on the role's ALLOW_READ, a Set on the perspective's.
    perspective.field(ORestrictedOperation.ALLOW_READ.getFieldName(), Collections.singleton(roleDoc));
    perspective.save();
}
/**
 * Checks that {@link OQueryDataProvider} yields exactly the users known to the security metadata
 * (the {@code :other} parameter is bound to a name that presumably matches no user), and that its size
 * is still correct after {@code detach()}.
 */
@Test
public void testOQueryProvider() {
    OQueryDataProvider<OUser> provider =
            new OQueryDataProvider<OUser>("select from OUser where name <> :other", OUser.class);
    provider.setSort("name", SortOrder.ASCENDING);
    provider.setParameter("other", Model.of("blalba"));
    Iterator<OUser> users = provider.iterator(0, -1);
    List<ODocument> expected = wicket.getTester().getMetadata().getSecurity().getAllUsers();
    assertTrue(provider.size() == expected.size());
    // Every entity the provider yields must map back to a known user document.
    while (users.hasNext()) {
        ODocument userDoc = provider.model(users.next()).getObject().getDocument();
        assertTrue(expected.contains(userDoc));
    }
    provider.detach();
    assertTrue(provider.size() == expected.size());
}
/**
 * Re-reads the current user from the security metadata (presumably so later permission checks see
 * its current state). Nothing happens when no user is set or when the current user is not allowed to
 * read {@code OUser} records. If there is no metadata, or the user record can no longer be found, the
 * session user is replaced by an immutable wrapper (version {@code -1}) around a fresh, empty
 * {@link OUser}.
 */
public void reloadUser() {
    if (user == null) {
        return;
    }
    activateOnCurrentThread();
    // Reloading reads the OUser class; skip when the current user may not do that.
    if (user.checkIfAllowed(ORule.ResourceGeneric.CLASS, OUser.CLASS_NAME, ORole.PERMISSION_READ) == null) {
        return;
    }
    final OMetadata metadata = getMetadata();
    if (metadata == null) {
        user = new OImmutableUser(-1, new OUser());
        return;
    }
    final OSecurity security = metadata.getSecurity();
    final OUser reloaded = security.getUser(user.getName());
    if (reloaded == null) {
        // The stored user no longer exists: fall back to an empty user at version -1.
        user = new OImmutableUser(-1, new OUser());
    } else {
        user = new OImmutableUser(security.getVersion(), reloaded);
    }
}
/**
 * Checks that {@link DocumentWrapperTransformer} wraps the admin user's document into an {@link OUser}
 * equal to the one returned by the security metadata.
 */
@Test
public void testDocumentWrapper() throws Exception {
    // Admin ORID: "#5:0" is assumed to be the record id of the built-in admin user in the test database.
    ORID adminRid = new ORecordId("#5:0");
    ODocument adminDoc = adminRid.getRecord();
    OUser expected = wicket.getTester().getMetadata().getSecurity().getUser("admin");
    DocumentWrapperTransformer<OUser> transformer = new DocumentWrapperTransformer<OUser>(OUser.class);
    assertEquals(expected, transformer.apply(adminDoc));
}
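/**
 * Required for explicit update of rights due to changes in OrientDB 2.2.23.
 * Related issue: https://github.com/orientechnologies/orientdb/issues/7549
 * <p>
 * Gives the built-in {@code reader} and {@code writer} roles READ on the security metadata
 * ({@code orole}/{@code ouser} clusters and classes, plus the system clusters) and saves both roles.
 *
 * @param db database to apply fix on
 * @throws IllegalStateException if the {@code reader} or {@code writer} role is missing from {@code db}
 */
public void fixOrientDBRights(ODatabase<?> db) {
    OSecurity security = db.getMetadata().getSecurity();
    grantSecurityMetadataRead(security, "reader");
    grantSecurityMetadataRead(security, "writer");
}

/**
 * Grants READ on the security metadata clusters/classes and the system clusters to one named role and
 * saves it.
 *
 * @param security security metadata of the database being fixed
 * @param roleName name of the role to update
 * @throws IllegalStateException if no role with that name exists
 */
private static void grantSecurityMetadataRead(OSecurity security, String roleName) {
    ORole role = security.getRole(roleName);
    // Fail with a named error rather than an NPE when a default role has been removed.
    if (role == null) {
        throw new IllegalStateException("Role '" + roleName + "' not found");
    }
    role.grant(ResourceGeneric.CLUSTER, "orole", ORole.PERMISSION_READ);
    role.grant(ResourceGeneric.CLUSTER, "ouser", ORole.PERMISSION_READ);
    role.grant(ResourceGeneric.CLASS, "orole", ORole.PERMISSION_READ);
    role.grant(ResourceGeneric.CLASS, "ouser", ORole.PERMISSION_READ);
    role.grant(ResourceGeneric.SYSTEM_CLUSTERS, null, ORole.PERMISSION_READ);
    role.save();
}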
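/**
 * Required for explicit update of rights due to changes in OrientDB 2.2.23.
 * Related issue: https://github.com/orientechnologies/orientdb/issues/7549
 * <p>
 * Gives the built-in {@code reader} and {@code writer} roles READ on the security metadata
 * ({@code orole}/{@code ouser} clusters and classes, plus the system clusters) and saves both roles.
 *
 * @param db database to apply fix on
 * @throws IllegalStateException if the {@code reader} or {@code writer} role is missing from {@code db}
 */
public void fixOrientDBRights(ODatabase<?> db) {
    OSecurity security = db.getMetadata().getSecurity();
    grantSecurityMetadataRead(security, "reader");
    grantSecurityMetadataRead(security, "writer");
}

/**
 * Grants READ on the security metadata clusters/classes and the system clusters to one named role and
 * saves it.
 *
 * @param security security metadata of the database being fixed
 * @param roleName name of the role to update
 * @throws IllegalStateException if no role with that name exists
 */
private static void grantSecurityMetadataRead(OSecurity security, String roleName) {
    ORole role = security.getRole(roleName);
    // Fail with a named error rather than an NPE when a default role has been removed.
    if (role == null) {
        throw new IllegalStateException("Role '" + roleName + "' not found");
    }
    role.grant(ResourceGeneric.CLUSTER, "orole", ORole.PERMISSION_READ);
    role.grant(ResourceGeneric.CLUSTER, "ouser", ORole.PERMISSION_READ);
    role.grant(ResourceGeneric.CLASS, "orole", ORole.PERMISSION_READ);
    role.grant(ResourceGeneric.CLASS, "ouser", ORole.PERMISSION_READ);
    role.grant(ResourceGeneric.SYSTEM_CLUSTERS, null, ORole.PERMISSION_READ);
    role.save();
}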
/**
 * Checks that {@link DBClosure#execute()} runs its body on the thread-bound database and that the
 * closure's user is {@code admin} with the default constructor and {@code reader} when reader
 * credentials are passed to the constructor.
 */
@Test
public void testDBClosure() throws Exception {
    DBClosure<OSecurityUser> asDefaultUser = new DBClosure<OSecurityUser>() {
        private static final long serialVersionUID = 1L;

        @Override
        protected OSecurityUser execute(ODatabaseDocument db) {
            // The database handed to the closure must be the one bound to the current thread.
            assertEquals(db, ODatabaseRecordThreadLocal.instance().get());
            return db.getUser();
        }
    };
    assertEquals(
            wicket.getTester().getMetadata().getSecurity().getUser("admin").getIdentity(),
            asDefaultUser.execute().getIdentity());

    DBClosure<OSecurityUser> asReader = new DBClosure<OSecurityUser>("reader", "reader") {
        private static final long serialVersionUID = 1L;

        @Override
        protected OSecurityUser execute(ODatabaseDocument db) {
            assertEquals(db, ODatabaseRecordThreadLocal.instance().get());
            return db.getUser();
        }
    };
    assertEquals(
            wicket.getTester().getMetadata().getSecurity().getUser("reader").getIdentity(),
            asReader.execute().getIdentity());
}
/**
 * Creates the Orienteer user role ({@code ORIENTEER_USER_ROLE}) if it does not exist yet — derived from the
 * built-in {@code reader} role in {@code DENY_ALL_BUT} mode, i.e. deny unless explicitly granted — and
 * (re)applies its grants: READ on widgets, dashboards, perspective items, perspectives, {@code ORole},
 * the schema, the {@code internal} cluster, record hooks, the DATABASE resource and its
 * {@code systemclusters}/{@code function}/{@code command} sub-resources, and the search feature;
 * READ+UPDATE on the {@code OrienteerUser} class and the DATABASE {@code cluster} resource.
 * The role document is restricted to be readable by itself and linked to {@code perspective}, which in
 * turn is made readable by the role.
 *
 * @param db          database whose security metadata holds the role
 * @param perspective perspective document to link to the role
 */
private void updateOrienteerUserRoleDoc(ODatabaseDocument db, ODocument perspective) {
    final int read = READ.getPermissionFlag();
    final int readUpdate = OrientPermission.combinedPermission(READ, UPDATE);
    final OSecurity security = db.getMetadata().getSecurity();
    ORole role = security.getRole(ORIENTEER_USER_ROLE);
    if (role == null) {
        final ORole parent = security.getRole("reader");
        role = security.createRole(ORIENTEER_USER_ROLE, parent, OSecurityRole.ALLOW_MODES.DENY_ALL_BUT);
    }
    // Orienteer UI model classes.
    role.grant(ResourceGeneric.CLASS, OWidgetsModule.OCLASS_WIDGET, read);
    role.grant(ResourceGeneric.CLASS, OWidgetsModule.OCLASS_DASHBOARD, read);
    // TODO: remove this after release with fix for roles in OrientDB: https://github.com/orientechnologies/orientdb/issues/8338
    role.grant(ResourceGeneric.CLASS, PerspectivesModule.OCLASS_ITEM, read);
    role.grant(ResourceGeneric.CLASS, PerspectivesModule.OCLASS_PERSPECTIVE, read);
    role.grant(ResourceGeneric.CLASS, ORole.CLASS_NAME, read);
    // Database-level read rights.
    role.grant(ResourceGeneric.SCHEMA, null, read);
    role.grant(ResourceGeneric.CLUSTER, "internal", read);
    role.grant(ResourceGeneric.RECORD_HOOK, "", read);
    role.grant(ResourceGeneric.DATABASE, null, read);
    role.grant(ResourceGeneric.DATABASE, "systemclusters", read);
    role.grant(ResourceGeneric.DATABASE, "function", read);
    role.grant(ResourceGeneric.DATABASE, "command", read);
    role.grant(OSecurityHelper.FEATURE_RESOURCE, SearchPage.SEARCH_FEATURE, read);
    // The only UPDATE rights this role receives.
    role.grant(ResourceGeneric.CLASS, OrienteerUser.CLASS_NAME, readUpdate);
    role.grant(ResourceGeneric.DATABASE, "cluster", readUpdate);
    final ODocument roleDoc = role.getDocument();
    roleDoc.field(ORestrictedOperation.ALLOW_READ.getFieldName(), Collections.singletonList(roleDoc));
    roleDoc.field(PerspectivesModule.PROP_PERSPECTIVE, perspective);
    role.save();
    perspective.field(ORestrictedOperation.ALLOW_READ.getFieldName(), Collections.singletonList(roleDoc));
    perspective.save();
}