/**
 * Creates a role and persists it straight away.
 *
 * @param iRoleName  name of the new role
 * @param iParent    role the new one inherits from
 * @param iAllowMode default allow mode of the new role (ALLOW_ALL_BUT / DENY_ALL_BUT)
 * @return the persisted role, i.e. whatever {@link ORole#save()} returns
 */
public ORole createRole(final String iRoleName, final ORole iParent, final ORole.ALLOW_MODES iAllowMode) {
  // Build and save in one go; nothing else is done with the instance before it is stored.
  return new ORole(iRoleName, iParent, iAllowMode).save();
}
/**
 * Revokes {@code permission} on the row's resource from the role held in {@code roleModel}
 * and persists the role so the revocation is stored.
 */
@SuppressWarnings("deprecation")
@Override
public void unselect() {
  final ORole targetRole = roleModel.getObject();
  // The revoke overload used here is presumably the deprecated one — hence @SuppressWarnings("deprecation").
  targetRole.revoke(rowModel.getObject(), permission.getPermissionFlag());
  targetRole.save();
}
/**
 * Grants {@code permission} on the row's resource to the role held in {@code roleModel}
 * and persists the role so the grant is stored.
 */
@SuppressWarnings("deprecation")
@Override
public void select() {
  final ORole targetRole = roleModel.getObject();
  // The grant overload used here is presumably the deprecated one — hence @SuppressWarnings("deprecation").
  targetRole.grant(rowModel.getObject(), permission.getPermissionFlag());
  targetRole.save();
}
/**
 * Executes the GRANT: adds {@code privilege} on {@code resource} to the parsed role and persists it.
 *
 * @param iArgs command arguments (not used by this executor)
 * @return the updated role
 * @throws OCommandExecutionException if the command has not been parsed yet (no role resolved)
 */
public Object execute(final Map<Object, Object> iArgs) {
  if (role == null) {
    throw new OCommandExecutionException("Cannot execute the command because it has not been parsed yet");
  }
  final ORole targetRole = role;
  targetRole.grant(resource, privilege);
  targetRole.save();
  return targetRole;
}
/**
 * Executes the REVOKE: removes {@code privilege} on {@code resource} from the parsed role and persists it.
 *
 * @param iArgs command arguments (not used by this executor)
 * @return the updated role
 * @throws OCommandExecutionException if the command has not been parsed yet (no role resolved)
 */
public Object execute(final Map<Object, Object> iArgs) {
  if (role == null) {
    throw new OCommandExecutionException("Cannot execute the command because it has not yet been parsed");
  }
  final ORole targetRole = role;
  targetRole.revoke(resource, privilege);
  targetRole.save();
  return targetRole;
}
/**
 * Grants {@code permission} on the specific CLUSTER resource to the row's role and persists it.
 */
@Override
public void select() {
  final ORole targetRole = rowModel.getObject();
  targetRole.grant(ORule.ResourceGeneric.CLUSTER, getSecurityResourceSpecific(), permission.getPermissionFlag());
  targetRole.save();
}
/**
 * Revokes {@code permission} on the specific CLUSTER resource from the row's role and persists it.
 */
@Override
public void unselect() {
  final ORole targetRole = rowModel.getObject();
  targetRole.revoke(ORule.ResourceGeneric.CLUSTER, getSecurityResourceSpecific(), permission.getPermissionFlag());
  targetRole.save();
}
/**
 * Grants {@code permission} on both the CLASS and the CLUSTER form of the specific resource to the
 * row's role, then persists it. Both grants are applied before the single save.
 */
@Override
public void select() {
  final ORole targetRole = rowModel.getObject();
  targetRole.grant(ORule.ResourceGeneric.CLASS, getSecurityResourceSpecific(), permission.getPermissionFlag());
  targetRole.grant(ORule.ResourceGeneric.CLUSTER, getSecurityResourceSpecific(), permission.getPermissionFlag());
  targetRole.save();
}
/**
 * Revokes {@code permission} on both the CLASS and the CLUSTER form of the specific resource from
 * the row's role, then persists it. Both revocations are applied before the single save.
 */
@Override
public void unselect() {
  final ORole targetRole = rowModel.getObject();
  targetRole.revoke(ORule.ResourceGeneric.CLASS, getSecurityResourceSpecific(), permission.getPermissionFlag());
  targetRole.revoke(ORule.ResourceGeneric.CLUSTER, getSecurityResourceSpecific(), permission.getPermissionFlag());
  targetRole.save();
}
/**
 * Grants READ on the schema and search features to every top-level role (a role without a parent)
 * and persists each of them. Roles that have a parent are skipped — presumably because they inherit
 * the feature rules from it (TODO confirm).
 *
 * @param app the application (not used by this method)
 * @param db  database whose security roles are updated
 */
private void assignSchemaFeature(OrienteerWebApplication app, ODatabaseDocument db) {
  for (ODocument roleDoc : db.getMetadata().getSecurity().getAllRoles()) {
    ORole role = new ORole(roleDoc);
    if (role.getParentRole() != null) {
      continue;
    }
    role.grant(OSecurityHelper.FEATURE_RESOURCE, SchemaPage.SCHEMA_FEATURE, OrientPermission.READ.getPermissionFlag());
    role.grant(OSecurityHelper.FEATURE_RESOURCE, SearchPage.SEARCH_FEATURE, OrientPermission.READ.getPermissionFlag());
    role.save();
  }
}
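/**
 * Required for explicit update of rights due to changes in OrientDB 2.2.23.
 * Related issue: https://github.com/orientechnologies/orientdb/issues/7549
 *
 * <p>Grants the built-in {@code reader} and {@code writer} roles READ on the {@code orole} and
 * {@code ouser} classes and clusters and on the system clusters. The same grant set is applied to
 * both roles, so it lives in one helper instead of being written out twice.
 * NOTE(review): READ on {@code ouser} makes every OUser record readable to holders of these roles —
 * confirm that exposure is intended.
 *
 * @param db database to apply fix on
 * @throws IllegalStateException if the {@code reader} or {@code writer} role does not exist
 */
public void fixOrientDBRights(ODatabase<?> db) {
  OSecurity security = db.getMetadata().getSecurity();
  grantSecurityMetadataRead(requireRole(security, "reader"));
  grantSecurityMetadataRead(requireRole(security, "writer"));
}

/** Looks up a role by name and fails with a descriptive error (instead of a later NullPointerException) when it is missing. */
private ORole requireRole(OSecurity security, String roleName) {
  ORole role = security.getRole(roleName);
  if (role == null) {
    throw new IllegalStateException("Built-in role '" + roleName + "' not found; cannot apply OrientDB 2.2.23 rights fix");
  }
  return role;
}

/** Applies the OrientDB 2.2.23 READ grant set (orole/ouser cluster+class, system clusters) to one role and persists it. */
private void grantSecurityMetadataRead(ORole role) {
  role.grant(ResourceGeneric.CLUSTER, "orole", ORole.PERMISSION_READ);
  role.grant(ResourceGeneric.CLUSTER, "ouser", ORole.PERMISSION_READ);
  role.grant(ResourceGeneric.CLASS, "orole", ORole.PERMISSION_READ);
  role.grant(ResourceGeneric.CLASS, "ouser", ORole.PERMISSION_READ);
  role.grant(ResourceGeneric.SYSTEM_CLUSTERS, null, ORole.PERMISSION_READ);
  role.save();
}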
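/**
 * Required for explicit update of rights due to changes in OrientDB 2.2.23.
 * Related issue: https://github.com/orientechnologies/orientdb/issues/7549
 *
 * <p>Grants the built-in {@code reader} and {@code writer} roles READ on the {@code orole} and
 * {@code ouser} classes and clusters and on the system clusters. The same grant set is applied to
 * both roles, so it lives in one helper instead of being written out twice.
 * NOTE(review): READ on {@code ouser} makes every OUser record readable to holders of these roles —
 * confirm that exposure is intended.
 *
 * @param db database to apply fix on
 * @throws IllegalStateException if the {@code reader} or {@code writer} role does not exist
 */
public void fixOrientDBRights(ODatabase<?> db) {
  OSecurity security = db.getMetadata().getSecurity();
  grantSecurityMetadataRead(requireRole(security, "reader"));
  grantSecurityMetadataRead(requireRole(security, "writer"));
}

/** Looks up a role by name and fails with a descriptive error (instead of a later NullPointerException) when it is missing. */
private ORole requireRole(OSecurity security, String roleName) {
  ORole role = security.getRole(roleName);
  if (role == null) {
    throw new IllegalStateException("Built-in role '" + roleName + "' not found; cannot apply OrientDB 2.2.23 rights fix");
  }
  return role;
}

/** Applies the OrientDB 2.2.23 READ grant set (orole/ouser cluster+class, system clusters) to one role and persists it. */
private void grantSecurityMetadataRead(ORole role) {
  role.grant(ResourceGeneric.CLUSTER, "orole", ORole.PERMISSION_READ);
  role.grant(ResourceGeneric.CLUSTER, "ouser", ORole.PERMISSION_READ);
  role.grant(ResourceGeneric.CLASS, "orole", ORole.PERMISSION_READ);
  role.grant(ResourceGeneric.CLASS, "ouser", ORole.PERMISSION_READ);
  role.grant(ResourceGeneric.SYSTEM_CLUSTERS, null, ORole.PERMISSION_READ);
  role.save();
}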
/**
 * Narrows the built-in {@code reader} role for Orienteer and binds it to {@code perspective}.
 *
 * <p>The class wildcard ({@code ResourceGeneric.CLASS}, {@code null}) is set to permission 0 —
 * presumably "no permission", compare {@code ORole.PERMISSION_NONE} — while perspective items,
 * perspectives and {@code ORole} are granted READ; the search and schema features are set to 0 too.
 *
 * @param db          database whose security is updated
 * @param reader      document placed in the role record's ALLOW_READ list (presumably the reader user — confirm)
 * @param perspective perspective linked to the role; the role document is put into its ALLOW_READ set
 */
private void updateReaderPermissions(ODatabaseDocument db, ODocument reader, ODocument perspective) {
  // NOTE(review): getRole(..) can return null for a missing role; there is no guard here.
  ORole role = db.getMetadata().getSecurity().getRole("reader");
  role.grant(ResourceGeneric.CLASS, PerspectivesModule.OCLASS_ITEM, READ.getPermissionFlag());
  role.grant(ResourceGeneric.CLASS, PerspectivesModule.OCLASS_PERSPECTIVE, READ.getPermissionFlag());
  role.grant(ResourceGeneric.CLASS, null, 0);
  role.grant(ResourceGeneric.CLASS, ORole.CLASS_NAME, READ.getPermissionFlag());
  role.grant(OSecurityHelper.FEATURE_RESOURCE, SearchPage.SEARCH_FEATURE, 0);
  role.grant(OSecurityHelper.FEATURE_RESOURCE, SchemaPage.SCHEMA_FEATURE, 0);
  // Record-level restriction on the role document itself, then the perspective link.
  role.getDocument().field(ORestrictedOperation.ALLOW_READ.getFieldName(), Collections.singletonList(reader));
  role.getDocument().field(PerspectivesModule.PROP_PERSPECTIVE, perspective);
  role.save();
  // NOTE(review): a Set is used here while the same field on the role above receives a List — confirm the field type accepts both.
  perspective.field(ORestrictedOperation.ALLOW_READ.getFieldName(), Collections.singleton(role.getDocument()));
  perspective.save();
}
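/**
 * Executes the REVOKE: removes the privilege on the resolved resource path from the named role
 * and persists the role.
 *
 * @param ctx command context used to resolve the resource path
 * @return a one-row result set with {@code operation}, {@code role}, {@code permission} and {@code resource}
 * @throws OCommandExecutionException if the named role does not exist
 */
@Override
public OResultSet executeSimple(OCommandContext ctx) {
  final String roleName = actor.getStringValue();
  ORole role = getDatabase().getMetadata().getSecurity().getRole(roleName);
  if (role == null) {
    throw new OCommandExecutionException("Invalid role: " + roleName);
  }
  String resourcePath = toResourcePath(resourceChain, ctx);
  role.revoke(resourcePath, toPrivilege(permission.permission));
  role.save();

  OInternalResultSet rs = new OInternalResultSet();
  OResultInternal result = new OResultInternal();
  // Bug fix: this executor performs a REVOKE but previously reported "grant" (apparently copied from
  // the GRANT executor), so anything auditing the result rows saw the wrong operation.
  result.setProperty("operation", "revoke");
  result.setProperty("role", roleName);
  result.setProperty("permission", permission.toString());
  result.setProperty("resource", resourcePath);
  rs.add(result);
  return rs;
}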
/**
 * Executes the GRANT: adds the privilege on the resolved resource path to the named role
 * and persists the role.
 *
 * @param ctx command context used to resolve the resource path
 * @return a one-row result set with {@code operation}, {@code role}, {@code permission} and {@code resource}
 * @throws OCommandExecutionException if the named role does not exist
 */
@Override
public OResultSet executeSimple(OCommandContext ctx) {
  ORole targetRole = getDatabase().getMetadata().getSecurity().getRole(actor.getStringValue());
  if (targetRole == null) {
    throw new OCommandExecutionException("Invalid role: " + actor.getStringValue());
  }

  String path = toResourcePath(resourceChain, ctx);
  targetRole.grant(path, toPrivilege(permission.permission));
  targetRole.save();

  // Describe what was done in a single result row.
  OResultInternal row = new OResultInternal();
  row.setProperty("operation", "grant");
  row.setProperty("role", actor.getStringValue());
  row.setProperty("permission", permission.toString());
  row.setProperty("resource", path);

  OInternalResultSet resultSet = new OInternalResultSet();
  resultSet.add(row);
  return resultSet;
}
// NOTE(review): readerRole and writerRole are defined before this fragment, outside the visible span.
// Reader: READ on functions (wildcard), and explicitly no access to the system clusters.
readerRole.addRule(ORule.ResourceGeneric.FUNCTION, null, ORole.PERMISSION_READ);
readerRole.addRule(ORule.ResourceGeneric.SYSTEM_CLUSTERS, null, ORole.PERMISSION_NONE);
readerRole.save();
// Writer: the same two rules as the reader.
writerRole.addRule(ORule.ResourceGeneric.FUNCTION, null, ORole.PERMISSION_READ);
writerRole.addRule(ORule.ResourceGeneric.SYSTEM_CLUSTERS, null, ORole.PERMISSION_NONE);
writerRole.save();
if (adminRole == null) { adminRole = createRole(ORole.ADMIN, ORole.ALLOW_MODES.ALLOW_ALL_BUT); adminRole.addRule(ORule.ResourceGeneric.BYPASS_RESTRICTED, null, ORole.PERMISSION_ALL).save();
// NOTE(review): readerRole and writerRole are defined before this fragment, outside the visible span.
// Reader: READ on functions (wildcard), and explicitly no access to the system clusters.
readerRole.addRule(ORule.ResourceGeneric.FUNCTION, null, ORole.PERMISSION_READ);
readerRole.addRule(ORule.ResourceGeneric.SYSTEM_CLUSTERS, null, ORole.PERMISSION_NONE);
readerRole.save();
// Writer: unlike the reader, READ here is on the OSchedule class rather than on functions — confirm this asymmetry is intended.
writerRole.addRule(ORule.ResourceGeneric.CLASS, "OSchedule", ORole.PERMISSION_READ);
writerRole.addRule(ORule.ResourceGeneric.SYSTEM_CLUSTERS, null, ORole.PERMISSION_NONE);
writerRole.save();
/**
 * Creates the Orienteer user role if it does not exist and (re)applies its permission set.
 *
 * <p>A new role is created as a child of the built-in {@code reader} role with
 * {@code DENY_ALL_BUT}, so only the explicit grants below are allowed. The role record is placed
 * in its own ALLOW_READ list and linked to {@code perspective}; the perspective in turn lists the
 * role document in its ALLOW_READ.
 *
 * @param db          database whose security is updated
 * @param perspective perspective document to bind to the role
 */
private void updateOrienteerUserRoleDoc(ODatabaseDocument db, ODocument perspective) {
  OSecurity security = db.getMetadata().getSecurity();
  ORole role = security.getRole(ORIENTEER_USER_ROLE);
  if (role == null) {
    // NOTE(review): no null check on the parent lookup; a missing "reader" role would surface inside createRole — confirm.
    ORole reader = security.getRole("reader");
    role = security.createRole(ORIENTEER_USER_ROLE, reader, OSecurityRole.ALLOW_MODES.DENY_ALL_BUT);
  }
  // Widgets and dashboards: read-only.
  role.grant(ResourceGeneric.CLASS, OWidgetsModule.OCLASS_WIDGET, READ.getPermissionFlag());
  role.grant(ResourceGeneric.CLASS, OWidgetsModule.OCLASS_DASHBOARD, READ.getPermissionFlag());
  // TODO: remove this after release with fix for roles in OrientDB: https://github.com/orientechnologies/orientdb/issues/8338
  role.grant(ResourceGeneric.CLASS, PerspectivesModule.OCLASS_ITEM, READ.getPermissionFlag());
  role.grant(ResourceGeneric.CLASS, PerspectivesModule.OCLASS_PERSPECTIVE, READ.getPermissionFlag());
  role.grant(ResourceGeneric.CLASS, ORole.CLASS_NAME, READ.getPermissionFlag());
  // Read-only access to schema, the "internal" cluster, record hooks and the listed database sub-resources.
  role.grant(ResourceGeneric.SCHEMA, null, READ.getPermissionFlag());
  role.grant(ResourceGeneric.CLUSTER, "internal", READ.getPermissionFlag());
  role.grant(ResourceGeneric.RECORD_HOOK, "", READ.getPermissionFlag());
  role.grant(ResourceGeneric.DATABASE, null, READ.getPermissionFlag());
  role.grant(ResourceGeneric.DATABASE, "systemclusters", READ.getPermissionFlag());
  role.grant(ResourceGeneric.DATABASE, "function", READ.getPermissionFlag());
  role.grant(ResourceGeneric.DATABASE, "command", READ.getPermissionFlag());
  role.grant(OSecurityHelper.FEATURE_RESOURCE, SearchPage.SEARCH_FEATURE, READ.getPermissionFlag());
  // NOTE(review): READ+UPDATE on the whole OrienteerUser class — unless record-level restrictions narrow it,
  // a holder of this role could update other users' records; confirm the intended scope.
  role.grant(ResourceGeneric.CLASS, OrienteerUser.CLASS_NAME, OrientPermission.combinedPermission(READ, UPDATE));
  role.grant(ResourceGeneric.DATABASE, "cluster", OrientPermission.combinedPermission(READ, UPDATE));
  // Presumably restricts the role record to members of the role itself, then binds it to the perspective.
  role.getDocument().field(ORestrictedOperation.ALLOW_READ.getFieldName(), Collections.singletonList(role.getDocument()));
  role.getDocument().field(PerspectivesModule.PROP_PERSPECTIVE, perspective);
  role.save();
  perspective.field(ORestrictedOperation.ALLOW_READ.getFieldName(), Collections.singletonList(role.getDocument()));
  perspective.save();
}