com.orientechnologies.orient.core.metadata.security

Class OSecurityShared

java.lang.Object

com.orientechnologies.orient.core.metadata.security.OSecurityShared

All Implemented Interfaces:

OSecurityInternal

Direct Known Subclasses:

OSecurityExternal

public class OSecurityShared
extends Object
implements OSecurityInternal

Shared security class. It's shared by all the database instances that point to the same storage.

Author:

Luca Garulli (l.garulli--(at)--orientdb.com)

Field Summary

Fields

Modifier and Type	Field and Description
static String	ALLOW_ALL_FIELD Deprecated.
static String	ALLOW_DELETE_FIELD Deprecated.
static Set<String>	ALLOW_FIELDS
static String	ALLOW_READ_FIELD Deprecated.
static String	ALLOW_UPDATE_FIELD Deprecated.
protected Set<OSecurityResourceProperty>	filteredProperties set of all the security resources defined on properties (used for optimizations)
static String	IDENTITY_CLASSNAME
static String	ONCREATE_FIELD
static String	ONCREATE_IDENTITY_TYPE
static String	RESTRICTED_CLASSNAME
protected Map<String,Map<String,Boolean>>	roleHasPredicateSecurityForClass role name -> class name -> true: has some rules, ie.
protected Map<String,Map<String,OBooleanExpression>>	securityPredicateCache
protected boolean	skipRoleHasPredicateSecurityForClassUpdate

Constructor Summary

Constructors

Constructor and Description
OSecurityShared()

Method Summary

Modifier and Type	Method and Description
OIdentifiable	allowIdentity(ODatabaseSession session, ODocument iDocument, String iAllowFieldName, OIdentifiable iId)
OIdentifiable	allowRole(ODatabaseSession session, ODocument iDocument, ORestrictedOperation iOperation, String iRoleName)
OIdentifiable	allowUser(ODatabaseSession session, ODocument iDocument, ORestrictedOperation iOperation, String iUserName)
OUser	authenticate(ODatabaseSession session, OToken authToken)
OUser	authenticate(ODatabaseSession session, String iUserName, String iUserPassword)
protected Set<OSecurityResourceProperty>	calculateAllFilteredProperties(ODatabaseSession session)
static OResultInternal	calculateBefore(ODocument iDocument, ODatabaseSession db)
boolean	canCreate(ODatabaseSession session, ORecord record)
boolean	canDelete(ODatabaseSession session, ORecord record)
boolean	canExecute(ODatabaseSession session, OFunction function)
boolean	canRead(ODatabaseSession session, ORecord record)
boolean	canUpdate(ODatabaseSession session, ORecord record)
void	close()
boolean	couldHaveActivePredicateSecurityRoles(ODatabaseSession session, String className)
OUser	create(ODatabaseSession session)
void	createClassTrigger(ODatabaseSession session)
OUser	createMetadata(ODatabaseSession session) Repairs the security structure if broken by creating the ADMIN role and user with default password.
ORole	createRole(ODatabaseSession session, String iRoleName, ORole iParent, OSecurityRole.ALLOW_MODES iAllowMode)
ORole	createRole(ODatabaseSession session, String iRoleName, OSecurityRole.ALLOW_MODES iAllowMode)
OSecurityPolicy	createSecurityPolicy(ODatabaseSession session, String name) creates and saves an empty security policy
OUser	createUser(ODatabaseSession session, String userName, String userPassword, ORole... roles)
OUser	createUser(ODatabaseSession session, String iUserName, String iUserPassword, String... iRoles)
void	deleteSecurityPolicy(ODatabaseSession session, String name)
OIdentifiable	denyRole(ODatabaseSession session, ODocument iDocument, ORestrictedOperation iOperation, String iRoleName)
OIdentifiable	denyUser(ODatabaseSession session, ODocument iDocument, ORestrictedOperation iOperation, String iUserName)
OIdentifiable	disallowIdentity(ODatabaseSession session, ODocument iDocument, String iAllowFieldName, OIdentifiable iId)
boolean	dropRole(ODatabaseSession session, String iRoleName)
boolean	dropUser(ODatabaseSession session, String iUserName)
Set<OSecurityResourceProperty>	getAllFilteredProperties(ODatabaseDocumentInternal database) returns the list of all the filtered properties (for any role defined in the db)
List<ODocument>	getAllRoles(ODatabaseSession session)
List<ODocument>	getAllUsers(ODatabaseSession session)
Set<String>	getFilteredProperties(ODatabaseSession session, ODocument document) For property-level security.
protected OBooleanExpression	getPredicateFromCache(String roleName, String key)
ORole	getRole(ODatabaseSession session, OIdentifiable iRole)
ORole	getRole(ODatabaseSession session, String iRoleName)
ORID	getRoleRID(ODatabaseSession session, String iRoleName)
Map<String,OSecurityPolicy>	getSecurityPolicies(ODatabaseSession session, OSecurityRole role)
OSecurityPolicy	getSecurityPolicy(ODatabaseSession session, OSecurityRole role, String resource) Returns the security policy policy assigned to a role for a specific resource (not recursive on superclasses, nor on role hierarchy)
OSecurityPolicy	getSecurityPolicy(ODatabaseSession session, String name)
OUser	getUser(ODatabaseSession session, ORID iRecordId)
OUser	getUser(ODatabaseSession session, String iUserName)
OUser	getUserInternal(ODatabaseSession session, String iUserName)
ORID	getUserRID(ODatabaseSession session, String userName)
long	getVersion(ODatabaseSession session)
void	incrementVersion(ODatabaseSession session)
protected void	initPredicateSecurityOptimizations(ODatabaseSession session)
boolean	isAllowed(ODatabaseSession session, Set<OIdentifiable> iAllowAll, Set<OIdentifiable> iAllowOperation)
boolean	isAllowedWrite(ODatabaseSession session, ODocument document, String propertyName) For property-level security
boolean	isReadRestrictedBySecurityPolicy(ODatabaseSession session, String resource) checks if for current session a resource is restricted by security resources (ie.
void	load(ODatabaseSession session)
protected void	putPredicateInCache(String roleName, String key, OBooleanExpression predicate)
void	removeSecurityPolicy(ODatabaseSession session, ORole role, String resource) Removes security policy bound to a role for a specific resource
void	saveSecurityPolicy(ODatabaseSession session, OSecurityPolicy policy)
void	setSecurityPolicy(ODatabaseSession session, OSecurityRole role, String resource, OSecurityPolicy policy) Sets a security policy for a specific resource on a role
void	setSecurityPolicyWithBitmask(ODatabaseSession session, OSecurityRole role, String resource, int legacyPolicy)
static Object	unboxRidbags(Object value)
protected void	updateAllFilteredProperties(ODatabaseDocumentInternal session)
protected void	updateAllFilteredPropertiesInternal(ODatabaseDocumentInternal session)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

RESTRICTED_CLASSNAME

public static final String RESTRICTED_CLASSNAME

See Also:

Constant Field Values

IDENTITY_CLASSNAME

public static final String IDENTITY_CLASSNAME

See Also:

Constant Field Values

roleHasPredicateSecurityForClass

protected Map<String,Map<String,Boolean>> roleHasPredicateSecurityForClass

role name -> class name -> true: has some rules, ie. it's not all allowed

skipRoleHasPredicateSecurityForClassUpdate

protected boolean skipRoleHasPredicateSecurityForClassUpdate

securityPredicateCache

protected Map<String,Map<String,OBooleanExpression>> securityPredicateCache

filteredProperties

protected Set<OSecurityResourceProperty> filteredProperties

set of all the security resources defined on properties (used for optimizations)

ALLOW_ALL_FIELD

@Deprecated
public static final String ALLOW_ALL_FIELD

Deprecated.

Uses the ORestrictedOperation ENUM instead.

ALLOW_READ_FIELD

@Deprecated
public static final String ALLOW_READ_FIELD

Deprecated.

Uses the ORestrictedOperation ENUM instead.

ALLOW_UPDATE_FIELD

@Deprecated
public static final String ALLOW_UPDATE_FIELD

Deprecated.

Uses the ORestrictedOperation ENUM instead.

ALLOW_DELETE_FIELD

@Deprecated
public static final String ALLOW_DELETE_FIELD

Deprecated.

Uses the ORestrictedOperation ENUM instead.

ONCREATE_IDENTITY_TYPE

public static final String ONCREATE_IDENTITY_TYPE

See Also:

Constant Field Values

ONCREATE_FIELD

public static final String ONCREATE_FIELD

See Also:

Constant Field Values

ALLOW_FIELDS

public static final Set<String> ALLOW_FIELDS

Constructor Detail

OSecurityShared

public OSecurityShared()

Method Detail

allowRole

public OIdentifiable allowRole(ODatabaseSession session,
                               ODocument iDocument,
                               ORestrictedOperation iOperation,
                               String iRoleName)

Specified by:

allowRole in interface OSecurityInternal

allowUser

public OIdentifiable allowUser(ODatabaseSession session,
                               ODocument iDocument,
                               ORestrictedOperation iOperation,
                               String iUserName)

Specified by:

allowUser in interface OSecurityInternal

allowIdentity

public OIdentifiable allowIdentity(ODatabaseSession session,
                                   ODocument iDocument,
                                   String iAllowFieldName,
                                   OIdentifiable iId)

Specified by:

allowIdentity in interface OSecurityInternal

denyUser

public OIdentifiable denyUser(ODatabaseSession session,
                              ODocument iDocument,
                              ORestrictedOperation iOperation,
                              String iUserName)

Specified by:

denyUser in interface OSecurityInternal

denyRole

public OIdentifiable denyRole(ODatabaseSession session,
                              ODocument iDocument,
                              ORestrictedOperation iOperation,
                              String iRoleName)

Specified by:

denyRole in interface OSecurityInternal

disallowIdentity

public OIdentifiable disallowIdentity(ODatabaseSession session,
                                      ODocument iDocument,
                                      String iAllowFieldName,
                                      OIdentifiable iId)

Specified by:

disallowIdentity in interface OSecurityInternal

isAllowed

public boolean isAllowed(ODatabaseSession session,
                         Set<OIdentifiable> iAllowAll,
                         Set<OIdentifiable> iAllowOperation)

Specified by:

isAllowed in interface OSecurityInternal

authenticate

public OUser authenticate(ODatabaseSession session,
                          String iUserName,
                          String iUserPassword)

Specified by:

authenticate in interface OSecurityInternal

authenticate

public OUser authenticate(ODatabaseSession session,
                          OToken authToken)

Specified by:

authenticate in interface OSecurityInternal

getUser

public OUser getUser(ODatabaseSession session,
                     ORID iRecordId)

Specified by:

getUser in interface OSecurityInternal

createUser

public OUser createUser(ODatabaseSession session,
                        String iUserName,
                        String iUserPassword,
                        String... iRoles)

Specified by:

createUser in interface OSecurityInternal

createUser

public OUser createUser(ODatabaseSession session,
                        String userName,
                        String userPassword,
                        ORole... roles)

Specified by:

createUser in interface OSecurityInternal

dropUser

public boolean dropUser(ODatabaseSession session,
                        String iUserName)

Specified by:

dropUser in interface OSecurityInternal

getRole

public ORole getRole(ODatabaseSession session,
                     OIdentifiable iRole)

Specified by:

getRole in interface OSecurityInternal

getRole

public ORole getRole(ODatabaseSession session,
                     String iRoleName)

Specified by:

getRole in interface OSecurityInternal

getRoleRID

public ORID getRoleRID(ODatabaseSession session,
                       String iRoleName)

createRole

public ORole createRole(ODatabaseSession session,
                        String iRoleName,
                        OSecurityRole.ALLOW_MODES iAllowMode)

Specified by:

createRole in interface OSecurityInternal

createRole

public ORole createRole(ODatabaseSession session,
                        String iRoleName,
                        ORole iParent,
                        OSecurityRole.ALLOW_MODES iAllowMode)

Specified by:

createRole in interface OSecurityInternal

dropRole

public boolean dropRole(ODatabaseSession session,
                        String iRoleName)

Specified by:

dropRole in interface OSecurityInternal

getAllUsers

public List<ODocument> getAllUsers(ODatabaseSession session)

Specified by:

getAllUsers in interface OSecurityInternal

getAllRoles

public List<ODocument> getAllRoles(ODatabaseSession session)

Specified by:

getAllRoles in interface OSecurityInternal

getSecurityPolicies

public Map<String,OSecurityPolicy> getSecurityPolicies(ODatabaseSession session,
                                                       OSecurityRole role)

Specified by:

getSecurityPolicies in interface OSecurityInternal

getSecurityPolicy

public OSecurityPolicy getSecurityPolicy(ODatabaseSession session,
                                         OSecurityRole role,
                                         String resource)

Description copied from interface: OSecurityInternal

Returns the security policy policy assigned to a role for a specific resource (not recursive on superclasses, nor on role hierarchy)

Specified by:

getSecurityPolicy in interface OSecurityInternal

Parameters:

session - an active DB session

role - the role

resource - the string representation of the security resource, eg. "database.class.Person"

Returns:

setSecurityPolicyWithBitmask

public void setSecurityPolicyWithBitmask(ODatabaseSession session,
                                         OSecurityRole role,
                                         String resource,
                                         int legacyPolicy)

setSecurityPolicy

public void setSecurityPolicy(ODatabaseSession session,
                              OSecurityRole role,
                              String resource,
                              OSecurityPolicy policy)

Description copied from interface: OSecurityInternal

Sets a security policy for a specific resource on a role

Specified by:

setSecurityPolicy in interface OSecurityInternal

Parameters:

session - a valid db session to perform the operation (that has permissions to do it)

role - The role

resource - the string representation of the security resource, eg. "database.class.Person"

policy - The security policy

createSecurityPolicy

public OSecurityPolicy createSecurityPolicy(ODatabaseSession session,
                                            String name)

Description copied from interface: OSecurityInternal

creates and saves an empty security policy

Specified by:

createSecurityPolicy in interface OSecurityInternal

Parameters:

session - the session to a DB where the policy has to be created

name - the policy name

Returns:

getSecurityPolicy

public OSecurityPolicy getSecurityPolicy(ODatabaseSession session,
                                         String name)

Specified by:

getSecurityPolicy in interface OSecurityInternal

saveSecurityPolicy

public void saveSecurityPolicy(ODatabaseSession session,
                               OSecurityPolicy policy)

Specified by:

saveSecurityPolicy in interface OSecurityInternal

deleteSecurityPolicy

public void deleteSecurityPolicy(ODatabaseSession session,
                                 String name)

Specified by:

deleteSecurityPolicy in interface OSecurityInternal

removeSecurityPolicy

public void removeSecurityPolicy(ODatabaseSession session,
                                 ORole role,
                                 String resource)

Description copied from interface: OSecurityInternal

Removes security policy bound to a role for a specific resource

Specified by:

removeSecurityPolicy in interface OSecurityInternal

Parameters:

session - A valid db session to perform the operation

role - the role

resource - the string representation of the security resource, eg. "database.class.Person"

create

public OUser create(ODatabaseSession session)

Specified by:

create in interface OSecurityInternal

createMetadata

public OUser createMetadata(ODatabaseSession session)

Repairs the security structure if broken by creating the ADMIN role and user with default password.

Returns:

load

public void load(ODatabaseSession session)

Specified by:

load in interface OSecurityInternal

createClassTrigger

public void createClassTrigger(ODatabaseSession session)

Specified by:

createClassTrigger in interface OSecurityInternal

getUser

public OUser getUser(ODatabaseSession session,
                     String iUserName)

Specified by:

getUser in interface OSecurityInternal

getUserInternal

public OUser getUserInternal(ODatabaseSession session,
                             String iUserName)

getUserRID

public ORID getUserRID(ODatabaseSession session,
                       String userName)

close

public void close()

Specified by:

close in interface OSecurityInternal

getVersion

public long getVersion(ODatabaseSession session)

Specified by:

getVersion in interface OSecurityInternal

incrementVersion

public void incrementVersion(ODatabaseSession session)

Specified by:

incrementVersion in interface OSecurityInternal

initPredicateSecurityOptimizations

protected void initPredicateSecurityOptimizations(ODatabaseSession session)

getFilteredProperties

public Set<String> getFilteredProperties(ODatabaseSession session,
                                         ODocument document)

Description copied from interface: OSecurityInternal

For property-level security. Returns the list of the properties that are hidden (ie. not allowed to be read) for current session, regarding a specific document

Specified by:

getFilteredProperties in interface OSecurityInternal

Parameters:

session - the db session

document - the document to filter

Returns:

the list of the properties that are hidden (ie. not allowed to be read) on current document for current session

isAllowedWrite

public boolean isAllowedWrite(ODatabaseSession session,
                              ODocument document,
                              String propertyName)

Description copied from interface: OSecurityInternal

For property-level security

Specified by:

isAllowedWrite in interface OSecurityInternal

document - current document to check for proeprty-level security

propertyName - the property to check for write access

Returns:

canCreate

public boolean canCreate(ODatabaseSession session,
                         ORecord record)

Specified by:

canCreate in interface OSecurityInternal

canRead

public boolean canRead(ODatabaseSession session,
                       ORecord record)

Specified by:

canRead in interface OSecurityInternal

canUpdate

public boolean canUpdate(ODatabaseSession session,
                         ORecord record)

Specified by:

canUpdate in interface OSecurityInternal

calculateBefore

public static OResultInternal calculateBefore(ODocument iDocument,
                                              ODatabaseSession db)

unboxRidbags

public static Object unboxRidbags(Object value)

canDelete

public boolean canDelete(ODatabaseSession session,
                         ORecord record)

Specified by:

canDelete in interface OSecurityInternal

canExecute

public boolean canExecute(ODatabaseSession session,
                          OFunction function)

Specified by:

canExecute in interface OSecurityInternal

getPredicateFromCache

protected OBooleanExpression getPredicateFromCache(String roleName,
                                                   String key)

putPredicateInCache

protected void putPredicateInCache(String roleName,
                                   String key,
                                   OBooleanExpression predicate)

isReadRestrictedBySecurityPolicy

public boolean isReadRestrictedBySecurityPolicy(ODatabaseSession session,
                                                String resource)

Description copied from interface: OSecurityInternal

checks if for current session a resource is restricted by security resources (ie. READ policies exist, with predicate different from "TRUE", to access the given resource

Specified by:

isReadRestrictedBySecurityPolicy in interface OSecurityInternal

Parameters:

session - The session to check for the existece of policies

resource - a resource string, eg. "database.class.Person"

Returns:

true if a restriction of any type exists for this session and this resource. False otherwise

getAllFilteredProperties

public Set<OSecurityResourceProperty> getAllFilteredProperties(ODatabaseDocumentInternal database)

Description copied from interface: OSecurityInternal

returns the list of all the filtered properties (for any role defined in the db)

Specified by:

getAllFilteredProperties in interface OSecurityInternal

Returns:

updateAllFilteredProperties

protected void updateAllFilteredProperties(ODatabaseDocumentInternal session)

updateAllFilteredPropertiesInternal

protected void updateAllFilteredPropertiesInternal(ODatabaseDocumentInternal session)

calculateAllFilteredProperties

protected Set<OSecurityResourceProperty> calculateAllFilteredProperties(ODatabaseSession session)

couldHaveActivePredicateSecurityRoles

public boolean couldHaveActivePredicateSecurityRoles(ODatabaseSession session,
                                                     String className)