Closed PhantomYdn closed 3 years ago
Guys,
Any thoughts on this? Example: the OUser class is being used for the users of a site. A user, after login, should of course have access to his name, avatar, etc.
Guys,
What do you think about the idea of using a JAAS approach for security in OrientDB? What I mean: security checks "assembled" from several layers:
Layer1: If the user is admin (has "bypass"), the action is immediately granted.
Layer2: Check rights according to ORole rules.
Layer3: Check additional rules on ORestricted.
Layers should be pluggable not only on the db side, but on the app side. For example, an application can insert an additional layer for checking a trial period and so on.
Also it will help to solve this problem: if user wants access to his record - just grant it!
Layers can have flags like in JAAS: required, requisite, optional, sufficient and so on.
And even more! Validation can also be treated as a "security layer". The validation layer is interested in CREATE and UPDATE and grants the operation only if the document matches the validation criteria.
Actually all of that can even be "packed" as RecordHooks. And I guess that a redesign of this area has already been discussed several times. For example: https://github.com/orientechnologies/orientdb/issues/3429
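A sketch of the layered, JAAS-flagged check proposed above, as an added example (it is neither OrientDB's code nor the issue author's). The Principal, Doc, Flag, Decision and Layer types, the CREATE=1/UPDATE=4/DELETE=8 bits (READ=2 follows the "put rules ..., 2" statements later in this thread), the "self-access" layer that grants a user READ on his own OUser record, and the simplified ORestricted allow list are all assumptions made for illustration. The flag semantics follow JAAS: REQUISITE stops on a deny, REQUIRED records the deny but keeps evaluating, SUFFICIENT stops on a grant unless a REQUIRED layer already failed, OPTIONAL never decides alone.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example: a JAAS-style stack of authorization layers for record operations.
public class LayeredSecurityDemo {
    public static void main(String[] args) {
        // Role rules in the shape of "put rules = <resource>, <bits>" (assumed sample data).
        // The reader role deliberately has no rule for database.class.ouser.
        Map<String, Map<String, Integer>> roleRules = Map.of(
            "reader", Map.of("database.class.person", Perm.READ),
            "writer", Map.of("database.class.person", Perm.CREATE | Perm.READ | Perm.UPDATE | Perm.DELETE));

        SecurityStack stack = new SecurityStack()
            // Layer1: admin "bypass" ends evaluation with a grant.
            .add(Flag.SUFFICIENT, (p, op, d) -> p.bypass() ? Decision.GRANT : Decision.ABSTAIN)
            // Self-access (assumed layer): a user may READ his own OUser record regardless of role rules.
            .add(Flag.SUFFICIENT, (p, op, d) ->
                "OUser".equals(d.clazz()) && "READ".equals(op) && p.name().equals(d.fields().get("name"))
                    ? Decision.GRANT : Decision.ABSTAIN)
            // Layer2: ORole-style rules keyed by "database.class.<name>" with a permission bitmask.
            .add(Flag.REQUIRED, (p, op, d) -> {
                int bits = roleRules.getOrDefault(p.role(), Map.of())
                    .getOrDefault("database.class." + d.clazz().toLowerCase(), 0);
                return (bits & Perm.bit(op)) != 0 ? Decision.GRANT : Decision.DENY;
            })
            // Layer3: ORestricted-like allow list (simplified: an empty list means unrestricted).
            .add(Flag.REQUIRED, (p, op, d) -> d.allow().isEmpty() ? Decision.ABSTAIN
                : (d.allow().contains(p.name()) || d.allow().contains(p.role())) ? Decision.GRANT : Decision.DENY)
            // Validation as a layer: only CREATE/UPDATE matter; a deny here stops the whole stack.
            .add(Flag.REQUISITE, (p, op, d) -> {
                if (!"CREATE".equals(op) && !"UPDATE".equals(op)) return Decision.ABSTAIN;
                String name = d.fields().get("name");
                return name != null && !name.isBlank() ? Decision.GRANT : Decision.DENY;
            });

        Principal admin = new Principal("admin", "admin", true);
        Principal reader = new Principal("reader", "reader", false);
        Principal writer = new Principal("writer", "writer", false);
        Doc readerUser = new Doc("OUser", Map.of("name", "reader"), Set.of());
        Doc adminUser = new Doc("OUser", Map.of("name", "admin"), Set.of());

        System.out.println("reader reads own OUser record: " + stack.isGranted(reader, "READ", readerUser));
        System.out.println("reader reads admin's OUser record: " + stack.isGranted(reader, "READ", adminUser));
        System.out.println("admin reads any record (bypass): " + stack.isGranted(admin, "READ", adminUser));
        System.out.println("writer creates Person with blank name: "
            + stack.isGranted(writer, "CREATE", new Doc("Person", Map.of("name", ""), Set.of())));
        System.out.println("writer creates valid Person: "
            + stack.isGranted(writer, "CREATE", new Doc("Person", Map.of("name", "Jerry"), Set.of())));
        System.out.println("reader reads Person restricted to writer: "
            + stack.isGranted(reader, "READ", new Doc("Person", Map.of("name", "Bob"), Set.of("writer"))));
    }
}

// Permission bits (assumed; READ=2 matches the statements used in this thread).
final class Perm {
    static final int CREATE = 1, READ = 2, UPDATE = 4, DELETE = 8;
    static int bit(String op) {
        return switch (op) {
            case "CREATE" -> CREATE;
            case "READ" -> READ;
            case "UPDATE" -> UPDATE;
            case "DELETE" -> DELETE;
            default -> throw new IllegalArgumentException("unknown operation " + op);
        };
    }
}

enum Flag { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL }
// ABSTAIN = the layer has no opinion on this operation (like a LoginModule returning false).
enum Decision { GRANT, DENY, ABSTAIN }

record Principal(String name, String role, boolean bypass) {}
// 'allow' stands in for ORestricted's allow lists; 'fields' holds the document's properties.
record Doc(String clazz, Map<String, String> fields, Set<String> allow) {}

@FunctionalInterface
interface Layer { Decision check(Principal p, String op, Doc d); }

final class SecurityStack {
    private record Entry(Flag flag, Layer layer) {}
    private final List<Entry> entries = new ArrayList<>();

    SecurityStack add(Flag flag, Layer layer) { entries.add(new Entry(flag, layer)); return this; }

    boolean isGranted(Principal p, String op, Doc d) {
        boolean requiredFailed = false, anyGrant = false;
        for (Entry e : entries) {
            Decision r = e.layer().check(p, op, d);
            switch (e.flag()) {
                case REQUISITE -> { if (r == Decision.DENY) return false; }
                case REQUIRED -> { if (r == Decision.DENY) requiredFailed = true; }
                case SUFFICIENT -> { if (r == Decision.GRANT && !requiredFailed) return true; }
                case OPTIONAL -> { }
            }
            if (r == Decision.GRANT) anyGrant = true;
        }
        return !requiredFailed && anyGrant;
    }
}
```

Run it with `java LayeredSecurityDemo.java` (Java 17 or newer). The point of the self-access layer is that it yields what the thread asks for, a user reading his own OUser record, without giving the reader role READ on the whole OUser class; a class-wide grant would also expose every other user's record, password hashes included, exactly as the console output in this thread shows for 1.7.9.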
:+1:
Hi guys, I have the same problem too. And it is present in v.2.1.2 as well.
You have changed the permissions to access the OUser class, but this change has not been reported in the change log or on the migration page of the documentation (as far as I know). Please, can you advise on how to access the OUser class using the "reader" account?
Here is how to reproduce the problem:
OrientDB console v.1.7.9 (build UNKNOWN@r; 2014-09-22 14:46:19+0200) www.orientechnologies.com
Type 'help' to display all the commands supported.
Installing extensions for GREMLIN language v.2.5.0
orientdb> connect remote:localhost/GratefulDeadConcerts reader reader
orientdb {db=GratefulDeadConcerts}> select from ouser
----+----+------+----------------------+------+-----
# |@RID|name |password |status|roles
----+----+------+----------------------+------+-----
0 |#5:0|admin |{SHA-256}8C6.......918|ACTIVE|[1]
1 |#5:1|reader|{SHA-256}3D0.......B30|ACTIVE|[1]
2 |#5:2|writer|{SHA-256}B93.......BA5|ACTIVE|[1]
----+----+------+----------------------+------+-----
3 item(s) found. Query executed in 0.004 sec(s).
-------------------------
OrientDB console v.2.1.2 (build UNKNOWN@r; 2015-09-09 21:41:27+0000) www.orientdb.com
Type 'help' to display all the supported commands.
Installing extensions for GREMLIN language v.2.6.0
orientdb> connect remote:localhost/GratefulDeadConcerts reader reader
Connecting to database [remote:localhost/GratefulDeadConcerts] with user 'reader'...OK
orientdb {db=GratefulDeadConcerts}> select from ouser
Error: com.orientechnologies.orient.core.exception.OSecurityAccessException: User 'reader' has no the permission to execute the operation 'Read' against the resource: ResourceGeneric [name=CLASS, legacyName=database.class].ouser
Here are the statements I used to fix the problem on my schema:
update orole put rules = "database.cluster.ouser", 2 where @rid=#4:1
update orole put rules = "database.cluster.orole", 2 where @rid=#4:1
update orole put rules = "database.cluster.ouser", 2 where @rid=#4:2
update orole put rules = "database.cluster.orole", 2 where @rid=#4:2
update orole put rules = "database.class.ouser", 2 where @rid=#4:1
update orole put rules = "database.class.orole", 2 where @rid=#4:1
update orole put rules = "database.class.ouser", 2 where @rid=#4:2
update orole put rules = "database.class.orole", 2 where @rid=#4:2
Guys,
I do know that in 2.1.1 you disallowed readers and writers from reading OUser. Also I know that it can be reverted by the application. But please, could you do that in another way? A user has to have access at least to his own record. Otherwise it's a mess for web apps which use OrientDB users for authentication. At least db.getUser() doesn't work properly, and there are a lot of other not-so-good side effects...
Unfortunately, we need to roll back to 2.1.0 :( Hope that it will be resolved in 2.1.2...