Class OSecurityShared
java.lang.Object
com.orientechnologies.orient.core.metadata.security.OSecurityShared
- All Implemented Interfaces:
OSecurityInternal
Shared security class. It's shared by all the database instances that point to the same storage.
- Author:
- Luca Garulli (l.garulli--(at)--orientdb.com)
-
Field Summary
Modifier and Type / Field / Description
static final String ALLOW_ALL_FIELD (Deprecated)
static final String ALLOW_READ_FIELD (Deprecated)
static final String ALLOW_UPDATE_FIELD (Deprecated)
static final String ALLOW_DELETE_FIELD (Deprecated)
protected Set<OSecurityResourceProperty> filteredProperties: set of all the security resources defined on properties (used for optimizations)
static final String RESTRICTED_CLASSNAME
static final String IDENTITY_CLASSNAME
static final String ONCREATE_IDENTITY_TYPE
static final String ONCREATE_FIELD
roleHasPredicateSecurityForClass: role name -> class name -> true: has some rules, i.e. it's not all allowed
protected Map<String,Map<String,OBooleanExpression>> securityPredicateCache
protected boolean skipRoleHasPredicateSecurityForClassUpdate
ALLOW_FIELDS
-
Constructor Summary
Constructors -
Method Summary
Modifier and Type / Method / Description
OIdentifiable allowIdentity(ODatabaseSession session, ODocument iDocument, String iAllowFieldName, OIdentifiable iId)
OIdentifiable allowRole(ODatabaseSession session, ODocument iDocument, ORestrictedOperation iOperation, String iRoleName)
OIdentifiable allowUser(ODatabaseSession session, ODocument iDocument, ORestrictedOperation iOperation, String iUserName)
authenticate(ODatabaseSession session, OToken authToken)
authenticate(ODatabaseSession session, String iUsername, String iUserPassword)
protected Set<OSecurityResourceProperty> calculateAllFilteredProperties
static OResultInternal calculateBefore(ODocument iDocument, ODatabaseSession db)
boolean canCreate(ODatabaseSession session, ORecord record)
boolean canDelete(ODatabaseSession session, ORecord record)
boolean canExecute(ODatabaseSession session, OFunction function)
boolean canRead(ODatabaseSession session, ORecord record)
boolean canUpdate(ODatabaseSession session, ORecord record)
void close()
boolean couldHaveActivePredicateSecurityRoles(ODatabaseSession session, String className)
create(ODatabaseSession session)
void createClassTrigger(ODatabaseSession session)
static OSecurityRole createRole(ODatabaseSession session, OGlobalUser serverUser)
ORole createRole(ODatabaseSession session, String iRoleName, ORole iParent, OSecurityRole.ALLOW_MODES iAllowMode)
ORole createRole(ODatabaseSession session, String iRoleName, OSecurityRole.ALLOW_MODES iAllowMode)
static Map<String,OImmutableSecurityPolicy> createrRootSecurityPolicy(String resource)
createSecurityPolicy(ODatabaseSession session, String name): creates and saves an empty security policy
OUser createUser(ODatabaseSession session, String userName, String userPassword, ORole... roles)
OUser createUser(ODatabaseSession session, String iUserName, String iUserPassword, String... iRoles)
void deleteSecurityPolicy(ODatabaseSession session, String name)
OIdentifiable denyRole(ODatabaseSession session, ODocument iDocument, ORestrictedOperation iOperation, String iRoleName)
OIdentifiable denyUser(ODatabaseSession session, ODocument iDocument, ORestrictedOperation iOperation, String iUserName)
OIdentifiable disallowIdentity(ODatabaseSession session, ODocument iDocument, String iAllowFieldName, OIdentifiable iId)
boolean dropRole(ODatabaseSession session, String iRoleName)
boolean dropUser(ODatabaseSession session, String iUserName)
getAllFilteredProperties: returns the list of all the filtered properties (for any role defined in the DB)
getAllRoles(ODatabaseSession session)
getAllUsers(ODatabaseSession session)
getFilteredProperties(ODatabaseSession session, ODocument document): for property-level security
protected OBooleanExpression getPredicateFromCache(String roleName, String key)
getRole(ODatabaseSession session, OIdentifiable iRole)
getRole(ODatabaseSession session, String iRoleName)
getRoleRID(ODatabaseSession session, String iRoleName)
Map<String,OSecurityPolicy> getSecurityPolicies(ODatabaseSession session, OSecurityRole role)
OSecurityPolicy getSecurityPolicy(ODatabaseSession session, OSecurityRole role, String resource): returns the security policy assigned to a role for a specific resource (not recursive on superclasses, nor on the role hierarchy)
getSecurityPolicy(ODatabaseSession session, String name)
getUser(ODatabaseSession session, ORID iRecordId)
getUser(ODatabaseSession session, String username)
getUserInternal(ODatabaseSession session, String iUserName)
getUserRID(ODatabaseSession session, String userName)
long getVersion(ODatabaseSession session)
void incrementVersion(ODatabaseSession session)
protected void initPredicateSecurityOptimizations
boolean isAllowed(ODatabaseSession session, Set<OIdentifiable> iAllowAll, Set<OIdentifiable> iAllowOperation)
boolean isAllowedWrite(ODatabaseSession session, ODocument document, String propertyName): for property-level security
boolean isReadRestrictedBySecurityPolicy(ODatabaseSession session, String resource): checks whether, for the current session, a resource is restricted by security policies (i.e. READ policies exist, with a predicate different from "TRUE", for the given resource)
void load(ODatabaseSession session)
protected void putPredicateInCache(String roleName, String key, OBooleanExpression predicate)
void removeSecurityPolicy(ODatabaseSession session, ORole role, String resource): removes the security policy bound to a role for a specific resource
void saveSecurityPolicy(ODatabaseSession session, OSecurityPolicyImpl policy)
OSecurityUser securityAuthenticate(ODatabaseSession session, OAuthenticationInfo authenticationInfo)
OSecurityUser securityAuthenticate(ODatabaseSession session, String userName, String password)
void setSecurityPolicy(ODatabaseSession session, OSecurityRole role, String resource, OSecurityPolicyImpl policy): sets a security policy for a specific resource on a role
void setSecurityPolicyWithBitmask(ODatabaseSession session, OSecurityRole role, String resource, int legacyPolicy)
static Object unboxRidbags(Object value)
protected void updateAllFilteredProperties
protected void updateAllFilteredPropertiesInternal
-
Field Details
-
RESTRICTED_CLASSNAME
public static final String RESTRICTED_CLASSNAME
-
IDENTITY_CLASSNAME
public static final String IDENTITY_CLASSNAME
-
roleHasPredicateSecurityForClass
role name -> class name -> true: has some rules, i.e. it's not all allowed
-
skipRoleHasPredicateSecurityForClassUpdate
protected boolean skipRoleHasPredicateSecurityForClassUpdate
-
securityPredicateCache
protected Map<String,Map<String,OBooleanExpression>> securityPredicateCache
-
filteredProperties
protected Set<OSecurityResourceProperty> filteredProperties
Set of all the security resources defined on properties (used for optimizations).
-
ALLOW_ALL_FIELD
public static final String ALLOW_ALL_FIELD
Deprecated. Use the ORestrictedOperation enum instead.
-
ALLOW_READ_FIELD
public static final String ALLOW_READ_FIELD
Deprecated. Use the ORestrictedOperation enum instead.
-
ALLOW_UPDATE_FIELD
public static final String ALLOW_UPDATE_FIELD
Deprecated. Use the ORestrictedOperation enum instead.
-
ALLOW_DELETE_FIELD
public static final String ALLOW_DELETE_FIELD
Deprecated. Use the ORestrictedOperation enum instead.
-
ONCREATE_IDENTITY_TYPE
public static final String ONCREATE_IDENTITY_TYPE
-
ONCREATE_FIELD
public static final String ONCREATE_FIELD
-
ALLOW_FIELDS
-
-
Constructor Details
-
OSecurityShared
-
-
Method Details
-
allowRole
public OIdentifiable allowRole(ODatabaseSession session, ODocument iDocument, ORestrictedOperation iOperation, String iRoleName)
- Specified by:
allowRole in interface OSecurityInternal
-
allowUser
public OIdentifiable allowUser(ODatabaseSession session, ODocument iDocument, ORestrictedOperation iOperation, String iUserName)
- Specified by:
allowUser in interface OSecurityInternal
-
allowIdentity
public OIdentifiable allowIdentity(ODatabaseSession session, ODocument iDocument, String iAllowFieldName, OIdentifiable iId)
- Specified by:
allowIdentity in interface OSecurityInternal
-
denyUser
public OIdentifiable denyUser(ODatabaseSession session, ODocument iDocument, ORestrictedOperation iOperation, String iUserName)
- Specified by:
denyUser in interface OSecurityInternal
-
denyRole
public OIdentifiable denyRole(ODatabaseSession session, ODocument iDocument, ORestrictedOperation iOperation, String iRoleName)
- Specified by:
denyRole in interface OSecurityInternal
-
disallowIdentity
public OIdentifiable disallowIdentity(ODatabaseSession session, ODocument iDocument, String iAllowFieldName, OIdentifiable iId)
- Specified by:
disallowIdentity in interface OSecurityInternal
-
isAllowed
public boolean isAllowed(ODatabaseSession session, Set<OIdentifiable> iAllowAll, Set<OIdentifiable> iAllowOperation)
- Specified by:
isAllowed in interface OSecurityInternal
-
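Added example (not part of the OrientDB Javadoc or code base) of the record-level ACL methods above: a class that extends the marker class named by RESTRICTED_CLASSNAME, a grant with allowRole, the same membership check the storage performs via isAllowed, and revocation with denyRole. Assumptions, none of which are stated on this page: an OrientDB 3.1-style embedded API, the shared security object is obtained through the internal shared context (getSharedContext().getSecurity()), the built-in "writer" role exists, each ORestrictedOperation constant exposes its document field name through getFieldName(), getRole returns an ORole, and the database, class, role and user names are invented for the demonstration.

```java
import com.orientechnologies.orient.core.db.ODatabaseDocumentInternal;
import com.orientechnologies.orient.core.db.ODatabaseSession;
import com.orientechnologies.orient.core.db.ODatabaseType;
import com.orientechnologies.orient.core.db.OrientDB;
import com.orientechnologies.orient.core.db.OrientDBConfig;
import com.orientechnologies.orient.core.db.record.OIdentifiable;
import com.orientechnologies.orient.core.id.ORID;
import com.orientechnologies.orient.core.metadata.security.ORestrictedOperation;
import com.orientechnologies.orient.core.metadata.security.ORole;
import com.orientechnologies.orient.core.metadata.security.OSecurityInternal;
import com.orientechnologies.orient.core.metadata.security.OSecurityRole;
import com.orientechnologies.orient.core.metadata.security.OSecurityShared;
import com.orientechnologies.orient.core.record.impl.ODocument;

import java.util.Set;

public class RecordLevelAclExample {

  // Assumption: the shared security object is reachable through the internal shared context.
  static OSecurityInternal securityOf(ODatabaseSession session) {
    return ((ODatabaseDocumentInternal) session).getSharedContext().getSecurity();
  }

  // Same rule the storage applies: the session user, or one of its roles, must be listed
  // either in the operation-specific allow set or in the "allow all" set of the record.
  static boolean isAllowedFor(ODatabaseSession session, ODocument doc, ORestrictedOperation op) {
    Set<OIdentifiable> allowAll = doc.field(ORestrictedOperation.ALLOW_ALL.getFieldName());
    Set<OIdentifiable> allowOp = doc.field(op.getFieldName());
    return securityOf(session).isAllowed(session, allowAll, allowOp);
  }

  public static void main(String[] args) {
    try (OrientDB orient = new OrientDB("embedded:./secdemo", OrientDBConfig.defaultConfig())) {
      orient.create("acl", ODatabaseType.MEMORY);
      ORID ticketId;
      try (ODatabaseSession admin = orient.open("acl", "admin", "admin")) {
        OSecurityInternal security = securityOf(admin);

        // Records of a class extending the restricted marker class carry their own allow sets.
        admin.createClass("Ticket", OSecurityShared.RESTRICTED_CLASSNAME);
        ORole writer = security.getRole(admin, "writer"); // built-in role, assumed present
        security.createRole(admin, "support", writer, OSecurityRole.ALLOW_MODES.DENY_ALL_BUT);
        security.createUser(admin, "alice", "alice-pw", "support");

        // The creator is added to the allow set on insert; "support" is granted read only.
        ODocument ticket = new ODocument("Ticket").field("title", "locked drawer");
        security.allowRole(admin, ticket, ORestrictedOperation.ALLOW_READ, "support");
        ticket.save(); // allowRole only mutates the document; the caller persists it
        ticketId = ticket.getIdentity();
      }

      try (ODatabaseSession alice = orient.open("acl", "alice", "alice-pw")) {
        ODocument seen = alice.load(ticketId);
        System.out.println("alice loads the ticket: " + (seen != null));
        System.out.println("alice may read:   " + isAllowedFor(alice, seen, ORestrictedOperation.ALLOW_READ));
        // No update grant was ever given to the role, so the update set does not list alice.
        System.out.println("alice may update: " + isAllowedFor(alice, seen, ORestrictedOperation.ALLOW_UPDATE));
      }

      // Revocation: denyRole takes the role out of the read allow set; save again to persist.
      try (ODatabaseSession admin = orient.open("acl", "admin", "admin")) {
        ODocument ticket = admin.load(ticketId);
        securityOf(admin).denyRole(admin, ticket, ORestrictedOperation.ALLOW_READ, "support");
        ticket.save();
      }
      try (ODatabaseSession alice = orient.open("acl", "alice", "alice-pw")) {
        System.out.println("alice loads the ticket after deny: " + (alice.load(ticketId) != null));
      }
    }
  }
}
```

Two points a practitioner should keep in mind: the allow, deny and identity variants rewrite the allow sets inside the document and do not save it, so a grant that is never saved is silently lost; and denyRole/denyUser are not negative rules, they only remove one identity from the set, so a user still listed directly, or through another role, keeps the access.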
securityAuthenticate
public OSecurityUser securityAuthenticate(ODatabaseSession session, OAuthenticationInfo authenticationInfo)
- Specified by:
securityAuthenticate in interface OSecurityInternal
-
securityAuthenticate
public OSecurityUser securityAuthenticate(ODatabaseSession session, String userName, String password)
- Specified by:
securityAuthenticate in interface OSecurityInternal
-
authenticate
- Specified by:
authenticate in interface OSecurityInternal
-
authenticate
- Specified by:
authenticate in interface OSecurityInternal
-
getUser
- Specified by:
getUser in interface OSecurityInternal
-
createUser
public OUser createUser(ODatabaseSession session, String iUserName, String iUserPassword, String... iRoles)
- Specified by:
createUser in interface OSecurityInternal
-
createUser
public OUser createUser(ODatabaseSession session, String userName, String userPassword, ORole... roles)
- Specified by:
createUser in interface OSecurityInternal
-
dropUser
- Specified by:
dropUser in interface OSecurityInternal
-
getRole
- Specified by:
getRole in interface OSecurityInternal
-
getRole
- Specified by:
getRole in interface OSecurityInternal
-
getRoleRID
-
createRole
public ORole createRole(ODatabaseSession session, String iRoleName, OSecurityRole.ALLOW_MODES iAllowMode)
- Specified by:
createRole in interface OSecurityInternal
-
createRole
public ORole createRole(ODatabaseSession session, String iRoleName, ORole iParent, OSecurityRole.ALLOW_MODES iAllowMode)
- Specified by:
createRole in interface OSecurityInternal
-
dropRole
- Specified by:
dropRole in interface OSecurityInternal
-
getAllUsers
- Specified by:
getAllUsers in interface OSecurityInternal
-
getAllRoles
- Specified by:
getAllRoles in interface OSecurityInternal
-
getSecurityPolicies
public Map<String,OSecurityPolicy> getSecurityPolicies(ODatabaseSession session, OSecurityRole role)
- Specified by:
getSecurityPolicies in interface OSecurityInternal
-
getSecurityPolicy
public OSecurityPolicy getSecurityPolicy(ODatabaseSession session, OSecurityRole role, String resource)
Description copied from interface: OSecurityInternal
Returns the security policy assigned to a role for a specific resource (not recursive on superclasses, nor on the role hierarchy).
- Specified by:
getSecurityPolicy in interface OSecurityInternal
- Parameters:
session - an active DB session
role - the role
resource - the string representation of the security resource, e.g. "database.class.Person"
- Returns:
-
setSecurityPolicyWithBitmask
public void setSecurityPolicyWithBitmask(ODatabaseSession session, OSecurityRole role, String resource, int legacyPolicy)
-
setSecurityPolicy
public void setSecurityPolicy(ODatabaseSession session, OSecurityRole role, String resource, OSecurityPolicyImpl policy)
Description copied from interface: OSecurityInternal
Sets a security policy for a specific resource on a role.
- Specified by:
setSecurityPolicy in interface OSecurityInternal
- Parameters:
session - a valid DB session to perform the operation (one that has the permissions to do it)
role - the role
resource - the string representation of the security resource, e.g. "database.class.Person"
policy - the security policy
-
createSecurityPolicy
Description copied from interface: OSecurityInternal
Creates and saves an empty security policy.
- Specified by:
createSecurityPolicy in interface OSecurityInternal
- Parameters:
session - the session to the DB where the policy has to be created
name - the policy name
- Returns:
-
getSecurityPolicy
- Specified by:
getSecurityPolicy in interface OSecurityInternal
-
saveSecurityPolicy
- Specified by:
saveSecurityPolicy in interface OSecurityInternal
-
deleteSecurityPolicy
- Specified by:
deleteSecurityPolicy in interface OSecurityInternal
-
removeSecurityPolicy
Description copied from interface: OSecurityInternal
Removes the security policy bound to a role for a specific resource.
- Specified by:
removeSecurityPolicy in interface OSecurityInternal
- Parameters:
session - a valid DB session to perform the operation
role - the role
resource - the string representation of the security resource, e.g. "database.class.Person"
-
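Added example (not OrientDB's own code) of the predicate-policy workflow defined by the methods above, run end to end: createSecurityPolicy, saveSecurityPolicy, setSecurityPolicy, getSecurityPolicy (which returns only the directly bound policy, with no lookup through the role or class hierarchy), isReadRestrictedBySecurityPolicy from the restricted user's session, and removeSecurityPolicy. Assumptions not stated on this page: createSecurityPolicy returns an OSecurityPolicyImpl (the type saveSecurityPolicy accepts) whose rules are set with setReadRule and read back with getReadRule, rule strings are SQL WHERE-style predicates evaluated against each record, the security instance is obtained through getSharedContext().getSecurity(), getRole returns an ORole, the built-in "reader" role exists, and the database, class, role, user and policy names are invented.

```java
import com.orientechnologies.orient.core.db.ODatabaseDocumentInternal;
import com.orientechnologies.orient.core.db.ODatabaseSession;
import com.orientechnologies.orient.core.db.ODatabaseType;
import com.orientechnologies.orient.core.db.OrientDB;
import com.orientechnologies.orient.core.db.OrientDBConfig;
import com.orientechnologies.orient.core.metadata.security.ORole;
import com.orientechnologies.orient.core.metadata.security.OSecurityInternal;
import com.orientechnologies.orient.core.metadata.security.OSecurityPolicy;
import com.orientechnologies.orient.core.metadata.security.OSecurityPolicyImpl;
import com.orientechnologies.orient.core.metadata.security.OSecurityRole;
import com.orientechnologies.orient.core.record.impl.ODocument;
import com.orientechnologies.orient.core.sql.executor.OResultSet;

public class PredicatePolicyExample {

  // Resource string in the form the Javadoc uses for a class.
  static final String RESOURCE = "database.class.Invoice";

  // Assumption: the shared security object is reachable through the internal shared context.
  static OSecurityInternal securityOf(ODatabaseSession session) {
    return ((ODatabaseDocumentInternal) session).getSharedContext().getSecurity();
  }

  static long visibleInvoices(ODatabaseSession session) {
    try (OResultSet rs = session.query("SELECT FROM Invoice")) {
      return rs.stream().count();
    }
  }

  public static void main(String[] args) {
    try (OrientDB orient = new OrientDB("embedded:./secdemo", OrientDBConfig.defaultConfig())) {
      orient.create("policies", ODatabaseType.MEMORY);
      try (ODatabaseSession admin = orient.open("policies", "admin", "admin")) {
        OSecurityInternal security = securityOf(admin);
        admin.createClass("Invoice");
        ORole clerk = security.createRole(admin, "clerk", security.getRole(admin, "reader"),
            OSecurityRole.ALLOW_MODES.DENY_ALL_BUT);
        security.createUser(admin, "bob", "bob-pw", "clerk");

        // Constructed sample data: one record satisfies the predicate, one does not.
        new ODocument("Invoice").field("status", "open").field("amount", 120).save();
        new ODocument("Invoice").field("status", "archived").field("amount", 980).save();

        // 1. createSecurityPolicy stores an empty policy; the rule is a predicate over the record.
        OSecurityPolicyImpl openOnly = security.createSecurityPolicy(admin, "openInvoicesOnly");
        openOnly.setReadRule("status = 'open'"); // assumed: SQL WHERE-style predicate
        security.saveSecurityPolicy(admin, openOnly);

        // 2. Bind the saved policy to the role for the class resource.
        security.setSecurityPolicy(admin, clerk, RESOURCE, openOnly);

        // 3. Read back exactly what is bound to this role and this resource.
        OSecurityPolicy bound = security.getSecurityPolicy(admin, clerk, RESOURCE);
        System.out.println("read rule bound to clerk: " + bound.getReadRule());
      }

      try (ODatabaseSession bob = orient.open("policies", "bob", "bob-pw")) {
        OSecurityInternal security = securityOf(bob);
        System.out.println("Invoice restricted for bob: " + security.isReadRestrictedBySecurityPolicy(bob, RESOURCE));
        System.out.println("invoices bob can see:       " + visibleInvoices(bob));
      }

      // Unbinding the policy from the role lifts the restriction for that role.
      try (ODatabaseSession admin = orient.open("policies", "admin", "admin")) {
        OSecurityInternal security = securityOf(admin);
        security.removeSecurityPolicy(admin, security.getRole(admin, "clerk"), RESOURCE);
      }
      try (ODatabaseSession bob = orient.open("policies", "bob", "bob-pw")) {
        System.out.println("Invoice restricted for bob: " + securityOf(bob).isReadRestrictedBySecurityPolicy(bob, RESOURCE));
        System.out.println("invoices bob can see:       " + visibleInvoices(bob));
      }
    }
  }
}
```

When auditing a deployment, query getSecurityPolicy per role and per resource rather than relying on what a parent role or superclass declares: as the Javadoc states, the lookup is not recursive, so a policy that appears to cover a class hierarchy may only be bound to one class and one role.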
create
- Specified by:
create in interface OSecurityInternal
-
load
- Specified by:
load in interface OSecurityInternal
-
createClassTrigger
- Specified by:
createClassTrigger in interface OSecurityInternal
-
getUserInternal
-
getUser
- Specified by:
getUser in interface OSecurityInternal
-
createRole
-
createrRootSecurityPolicy
-
getUserRID
-
close
public void close()
- Specified by:
close in interface OSecurityInternal
-
getVersion
- Specified by:
getVersion in interface OSecurityInternal
-
incrementVersion
- Specified by:
incrementVersion in interface OSecurityInternal
-
initPredicateSecurityOptimizations
-
getFilteredProperties
Description copied from interface: OSecurityInternal
For property-level security. Returns the list of the properties that are hidden (i.e. not allowed to be read) for the current session on a specific document.
- Specified by:
getFilteredProperties in interface OSecurityInternal
- Parameters:
session - the DB session
document - the document to filter
- Returns:
- the list of the properties that are hidden (i.e. not allowed to be read) on the given document for the current session
-
isAllowedWrite
Description copied from interface: OSecurityInternal
For property-level security: checks whether the current session may write the given property of the document.
- Specified by:
isAllowedWrite in interface OSecurityInternal
- Parameters:
document - the document to check for property-level security
propertyName - the property to check for write access
- Returns:
-
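Added example (not OrientDB's own code) of the two property-level methods above: a policy is bound to a single property rather than to the class, so the records stay readable while getFilteredProperties reports the hidden property and isAllowedWrite reports whether the property may be updated, both evaluated per record. Assumptions not stated on this page: a property resource is written as the class resource followed by ".<property>", createSecurityPolicy returns an OSecurityPolicyImpl with setReadRule/setBeforeUpdateRule taking SQL WHERE-style predicates, getFilteredProperties returns a Set<String> of property names, the security instance is obtained through getSharedContext().getSecurity(), getRole returns an ORole, the built-in "writer" role exists, and all names are invented.

```java
import com.orientechnologies.orient.core.db.ODatabaseDocumentInternal;
import com.orientechnologies.orient.core.db.ODatabaseSession;
import com.orientechnologies.orient.core.db.ODatabaseType;
import com.orientechnologies.orient.core.db.OrientDB;
import com.orientechnologies.orient.core.db.OrientDBConfig;
import com.orientechnologies.orient.core.metadata.security.ORole;
import com.orientechnologies.orient.core.metadata.security.OSecurityInternal;
import com.orientechnologies.orient.core.metadata.security.OSecurityPolicyImpl;
import com.orientechnologies.orient.core.metadata.security.OSecurityRole;
import com.orientechnologies.orient.core.record.impl.ODocument;
import com.orientechnologies.orient.core.sql.executor.OResult;
import com.orientechnologies.orient.core.sql.executor.OResultSet;

import java.util.Set;

public class PropertyLevelPolicyExample {

  // Assumed resource form for one property: the class resource plus ".<property>".
  static final String AMOUNT_RESOURCE = "database.class.Invoice.amount";

  // Assumption: the shared security object is reachable through the internal shared context.
  static OSecurityInternal securityOf(ODatabaseSession session) {
    return ((ODatabaseDocumentInternal) session).getSharedContext().getSecurity();
  }

  public static void main(String[] args) {
    try (OrientDB orient = new OrientDB("embedded:./secdemo", OrientDBConfig.defaultConfig())) {
      orient.create("props", ODatabaseType.MEMORY);
      try (ODatabaseSession admin = orient.open("props", "admin", "admin")) {
        OSecurityInternal security = securityOf(admin);
        admin.createClass("Invoice");
        ORole clerk = security.createRole(admin, "clerk", security.getRole(admin, "writer"),
            OSecurityRole.ALLOW_MODES.DENY_ALL_BUT);
        security.createUser(admin, "bob", "bob-pw", "clerk");

        // Constructed sample data: the predicate holds for the first record only.
        new ODocument("Invoice").field("status", "open").field("amount", 120).save();
        new ODocument("Invoice").field("status", "archived").field("amount", 980).save();

        // The policy governs only "amount": it is readable and writable by the role
        // while the owning record satisfies the predicate, hidden and read-only otherwise.
        OSecurityPolicyImpl amountRule = security.createSecurityPolicy(admin, "amountWhileOpen");
        amountRule.setReadRule("status = 'open'");         // assumed predicate syntax
        amountRule.setBeforeUpdateRule("status = 'open'"); // assumed predicate syntax
        security.saveSecurityPolicy(admin, amountRule);
        security.setSecurityPolicy(admin, clerk, AMOUNT_RESOURCE, amountRule);
      }

      try (ODatabaseSession bob = orient.open("props", "bob", "bob-pw")) {
        OSecurityInternal security = securityOf(bob);
        // Both records are visible to bob; only the property is filtered per record.
        try (OResultSet rs = bob.query("SELECT FROM Invoice")) {
          while (rs.hasNext()) {
            OResult row = rs.next();
            ODocument doc = bob.load(row.getIdentity().get());
            Set<String> hidden = security.getFilteredProperties(bob, doc);
            boolean amountWritable = security.isAllowedWrite(bob, doc, "amount");
            System.out.println("status=" + doc.field("status")
                + " hidden=" + hidden + " amountWritable=" + amountWritable);
          }
        }
      }
    }
  }
}
```

The check is per document, not per class: the same property can be hidden on one record and visible on the next, which is why getFilteredProperties takes the document and not just the class name, and why application code that caches "which columns may this user see" across records will leak data.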
canCreate
- Specified by:
canCreate in interface OSecurityInternal
-
canRead
- Specified by:
canRead in interface OSecurityInternal
-
canUpdate
- Specified by:
canUpdate in interface OSecurityInternal
-
calculateBefore
-
unboxRidbags
-
canDelete
- Specified by:
canDelete in interface OSecurityInternal
-
canExecute
- Specified by:
canExecute in interface OSecurityInternal
-
getPredicateFromCache
-
putPredicateInCache
-
isReadRestrictedBySecurityPolicy
Description copied from interface: OSecurityInternal
Checks whether, for the current session, a resource is restricted by security policies (i.e. READ policies exist, with a predicate different from "TRUE", for the given resource).
- Specified by:
isReadRestrictedBySecurityPolicy in interface OSecurityInternal
- Parameters:
session - the session to check for the existence of policies
resource - a resource string, e.g. "database.class.Person"
- Returns:
- true if a restriction of any type exists for this session and this resource, false otherwise
-
getAllFilteredProperties
Description copied from interface: OSecurityInternal
Returns the list of all the filtered properties (for any role defined in the DB).
- Specified by:
getAllFilteredProperties in interface OSecurityInternal
- Returns:
-
updateAllFilteredProperties
-
updateAllFilteredPropertiesInternal
-
calculateAllFilteredProperties
-
couldHaveActivePredicateSecurityRoles
-