
Rights to read OUser for reader and writer #4906

Closed
PhantomYdn opened this issue Sep 2, 2015 · 5 comments
Comments

@PhantomYdn
Contributor

Guys,

I do know that in 2.1.1 you disallow readers and writers from reading OUser. I also know that it can be reverted by the application. But please, could you do that another way? A user has to have access at least to his own record. Otherwise it's a mess for web apps which use OrientDB users for authentication. At least db.getUser() doesn't work properly, and there are a lot of other not-so-good side effects...

Unfortunately, we need to roll back to 2.1.0 :( Hope that will be resolved in 2.1.2...

@PhantomYdn
Contributor Author

Guys,

Any thoughts on this?
Example: the OUser class is being used for the users of a site. After login, a user should of course have access to his name, avatar, etc.

PhantomYdn added a commit to OrienteerBAP/wicket-orientdb that referenced this issue Sep 3, 2015
Contains a hack to work around issue orientechnologies/orientdb#4906
@PhantomYdn
Contributor Author

Guys,

What do you think about the idea of using a JAAS approach for security in OrientDB?
What I mean:
security checks are "assembled" from several layers:

Layer 1: If the user is admin (has "bypass"), the action is immediately granted
Layer 2: Check rights according to ORole rules
Layer 3: Check additional rules on ORestricted

Layers should be pluggable not only on the db side, but on the app side. For example, an application can insert an additional layer for checking a trial period and so on.

Also it will help to solve this problem: if a user wants access to his own record - just grant it!

Layers can have flags like in JAAS: required, requisite, optional, sufficient and so on.

And even more! Validation can also be treated as a "security layer". The validation layer is interested in CREATE and UPDATE and grants the operation only if the document matches the validation criteria.

Actually all of that can even be "packed" as RecordHooks. And I guess that a redesign of this area has already been discussed several times. For example: #3429
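The layered chain proposed in the comment above, modelled in Python as an added example (this is not OrientDB code and not the commenter's code). It implements the JAAS control flags (required, requisite, sufficient, optional) over an ordered list of layers: admin bypass, an "own OUser record" grant that answers the issue's request, ORole-style rules, an ORestricted-like per-record ACL, and validation as a layer. The `ROLE_RULES` table, the `_allow*` field handling, the user records and every function name are constructed assumptions for illustration; the role table deliberately carries no rule for `database.class.ouser`, mirroring the 2.1.1 situation the issue describes.

```python
"""Added model of a layered, JAAS-style authorization chain (illustrative only)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Flag(Enum):
    REQUIRED = "required"      # must grant; a denial is remembered, later layers still run
    REQUISITE = "requisite"    # must grant; a denial ends the chain at once
    SUFFICIENT = "sufficient"  # a grant ends the chain with ALLOW unless a required layer denied
    OPTIONAL = "optional"      # counts only if the chain has no required/requisite layers


@dataclass
class User:
    name: str
    rid: str        # the user's own OUser record id, e.g. "#5:1" (assumed)
    roles: set


@dataclass
class Request:
    user: User
    op: str         # CREATE / READ / UPDATE / DELETE
    resource: str   # e.g. "database.class.ouser"
    record: dict = field(default_factory=dict)


# A layer returns True to grant, False to deny, None to abstain.
Layer = Callable[[Request], Optional[bool]]


def evaluate(chain: list, req: Request) -> bool:
    """JAAS control-flag semantics over an ordered list of (Flag, layer)."""
    has_required = required_denied = optional_grant = False
    for flag, layer in chain:
        granted = layer(req) is True
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            has_required = True
            if not granted:
                if flag is Flag.REQUISITE:
                    return False
                required_denied = True
        elif flag is Flag.SUFFICIENT and granted and not required_denied:
            return True
        elif flag is Flag.OPTIONAL and granted:
            optional_grant = True
    return (not required_denied) if has_required else optional_grant


# Constructed role table: as in 2.1.1, reader/writer carry no rule for ouser.
ROLE_RULES = {
    "reader": {"database.class.person": {"READ"}},
    "writer": {"database.class.person": {"CREATE", "READ", "UPDATE", "DELETE"}},
}


def admin_bypass(req: Request) -> Optional[bool]:           # layer 1
    return True if "admin" in req.user.roles else None


def own_user_record(req: Request) -> Optional[bool]:        # the grant the issue asks for
    if req.op == "READ" and req.resource == "database.class.ouser" \
            and req.record.get("@rid") == req.user.rid:
        return True
    return None


def role_rules(req: Request) -> bool:                       # layer 2 (default deny)
    return any(req.op in ROLE_RULES.get(r, {}).get(req.resource, ())
               for r in req.user.roles)


def restricted(req: Request) -> bool:                       # layer 3, ORestricted-like (assumed)
    op_field = {"READ": "_allowRead", "UPDATE": "_allowUpdate",
                "DELETE": "_allowDelete"}.get(req.op)
    if "_allow" not in req.record and op_field not in req.record:
        return True                      # not a restricted record: nothing to check
    acl = set(req.record.get("_allow", ())) | set(req.record.get(op_field, ()))
    return req.user.name in acl or bool(acl & req.user.roles)


def validation(req: Request) -> bool:                       # validation as a layer
    if req.op not in ("CREATE", "UPDATE"):
        return True
    name = req.record.get("name")
    return isinstance(name, str) and name.strip() != ""


CHAIN = [
    (Flag.SUFFICIENT, admin_bypass),
    (Flag.SUFFICIENT, own_user_record),
    (Flag.REQUISITE, role_rules),
    (Flag.REQUIRED, restricted),
    (Flag.REQUIRED, validation),
]


def check(user: User, op: str, resource: str, record: dict = None) -> bool:
    return evaluate(CHAIN, Request(user, op, resource, record or {}))


# Constructed sample users, with rids laid out like the console output in this thread.
ADMIN = User("admin", "#5:0", {"admin"})
READER = User("reader", "#5:1", {"reader"})
WRITER = User("writer", "#5:2", {"writer"})

if __name__ == "__main__":
    print(check(READER, "READ", "database.class.ouser", {"@rid": "#5:1"}))   # True: own record
    print(check(READER, "READ", "database.class.ouser", {"@rid": "#5:0"}))   # False: no role rule
    print(check(WRITER, "UPDATE", "database.class.person",
                {"name": "x", "_allowUpdate": ["admin"]}))                   # False: ORestricted
    print(check(WRITER, "CREATE", "database.class.person", {"name": " "}))   # False: validation
```

Two points of the design show up in the chain order: a sufficient layer placed before the role check can grant a reader his own OUser record without opening the class to him, and a requisite role layer means a missing rule denies immediately, while the required ORestricted and validation layers still run for anything the role allowed.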

@nagarajasr
Contributor

👍

@giastfader
Contributor

Hi guys,
I have the same problem too.
And it is present in v2.1.2 as well.

You have changed the permissions to access the OUser class, but this change has not been reported in the changelog or on the migration page of the documentation (as far as I know).
Please, can you advise on how to access the OUser class using the "reader" account?

Here is how to reproduce the problem:

OrientDB console v.1.7.9 (build UNKNOWN@r; 2014-09-22 14:46:19+0200) www.orientechnologies.com
Type 'help' to display all the commands supported.
Installing extensions for GREMLIN language v.2.5.0

orientdb> connect remote:localhost/GratefulDeadConcerts reader reader
orientdb {db=GratefulDeadConcerts}> select from ouser

----+----+------+----------------------+------+-----
#   |@RID|name  |password      |status|roles
----+----+------+----------------------+------+-----
0   |#5:0|admin |{SHA-256}8C6.......918|ACTIVE|[1]  
1   |#5:1|reader|{SHA-256}3D0.......B30|ACTIVE|[1]  
2   |#5:2|writer|{SHA-256}B93.......BA5|ACTIVE|[1]  
----+----+------+----------------------+------+-----

3 item(s) found. Query executed in 0.004 sec(s).


-------------------------


OrientDB console v.2.1.2 (build UNKNOWN@r; 2015-09-09 21:41:27+0000) www.orientdb.com
Type 'help' to display all the supported commands.
Installing extensions for GREMLIN language v.2.6.0

orientdb> connect remote:localhost/GratefulDeadConcerts reader reader

Connecting to database [remote:localhost/GratefulDeadConcerts] with user 'reader'...OK
orientdb {db=GratefulDeadConcerts}> select from ouser

Error: com.orientechnologies.orient.core.exception.OSecurityAccessException: User 'reader' has no the permission to execute the operation 'Read' against the resource: ResourceGeneric [name=CLASS, legacyName=database.class].ouser

@giastfader
Contributor

Here are the statements I used to fix the problem on my schema:

update orole put rules = "database.cluster.ouser", 2 where @rid=#4:1 
update orole put rules = "database.cluster.orole", 2 where @rid=#4:1 
update orole put rules = "database.cluster.ouser", 2 where @rid=#4:2 
update orole put rules = "database.cluster.orole", 2 where @rid=#4:2
update orole put rules = "database.class.ouser", 2 where @rid=#4:1 
update orole put rules = "database.class.orole", 2 where @rid=#4:1 
update orole put rules = "database.class.ouser", 2 where @rid=#4:2 
update orole put rules = "database.class.orole", 2 where @rid=#4:2
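How those statements resolve, modelled in Python as an added example (not OrientDB code and not the commenter's code). The `2` in each `put rules` clause is the READ bit of OrientDB 2.x's ORole permission mask (CREATE=1, READ=2, UPDATE=4, DELETE=8). The `READER_RULES_211` table is a constructed approximation of a reader role that carries wildcard READ plus an explicit 0 for the ouser/orole resources; the lookup order (specific rule first, then the `.*` wildcard) is a simplification of the real rule matching, and all function names are assumptions.

```python
"""Added model of how an ORole rules map answers a permission check (illustrative)."""
CREATE, READ, UPDATE, DELETE = 1, 2, 4, 8          # OrientDB 2.x ORole permission bits
ALL = CREATE | READ | UPDATE | DELETE
BIT_NAMES = {CREATE: "CREATE", READ: "READ", UPDATE: "UPDATE", DELETE: "DELETE"}

# Constructed "before" state (an assumption, not a dump of a real 2.1.1 role):
# wildcard READ on every class and cluster, but 0 (no permission) on the
# security classes, which is the shape the OSecurityAccessException above implies.
READER_RULES_211 = {
    "database.class.*": READ,
    "database.cluster.*": READ,
    "database.class.ouser": 0,
    "database.class.orole": 0,
    "database.cluster.ouser": 0,
    "database.cluster.orole": 0,
}

# The four resources touched by the eight update statements in the comment above.
FIX_RESOURCES = ("database.cluster.ouser", "database.cluster.orole",
                 "database.class.ouser", "database.class.orole")


def apply_fix(rules: dict, permission: int = READ) -> dict:
    """Replay 'update orole put rules = <res>, 2': the 2 is the READ bit."""
    fixed = dict(rules)
    for res in FIX_RESOURCES:
        fixed[res] = permission
    return fixed


def allowed(rules: dict, resource: str, op: int) -> bool:
    """A specific rule wins over the '.*' wildcard; no rule at all means deny."""
    wildcard = resource.rsplit(".", 1)[0] + ".*"
    for key in (resource, wildcard):
        if key in rules:
            return bool(rules[key] & op)
    return False


def permissions_of(rules: dict, resource: str) -> list:
    """Names of the operations a rules map grants on a resource, in bit order."""
    return [name for bit, name in BIT_NAMES.items() if allowed(rules, resource, bit)]


def grant_sql(role_rid: str, resource: str, permission: int) -> str:
    """The SQL shape used in the comment above, with the mask value spelled out."""
    return f'update orole put rules = "{resource}", {permission} where @rid={role_rid}'


if __name__ == "__main__":
    fixed = apply_fix(READER_RULES_211)
    for res in ("database.class.ouser", "database.class.person"):
        print(res, permissions_of(READER_RULES_211, res), "->", permissions_of(fixed, res))
    print(grant_sql("#4:1", "database.class.ouser", READ))
```

Worth keeping in mind when applying the fix: a READ rule on the whole `ouser` class restores the 1.7.9 behaviour shown earlier in this thread, where `select from ouser` run as `reader` returns every user's row including the `password` hash column, so this is a class-wide grant to all readers and writers, not a grant limited to the calling user's own record.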


6 participants