Like a relational database, OrientDB bases its security on the well-known concepts of users and roles. Each database has its own users, and each user has one or more roles. A role is the combination of a working mode and a set of permission rules.
Users
By default OrientDB creates three users in every database on the server. Each is created with a password equal to its user name (admin/admin, reader/reader, writer/writer), so change these before exposing the database −
- Admin − This user has access to all functions on the database without limitation.
- Reader − This user is a read-only user. The reader can query any records in the database, but can’t modify or delete them. It has no access to internal information, such as the users and roles themselves.
- Writer − This user is the same as the user reader, but it can also create, update, and delete records.
Working with Users
When you are connected to a database, you can query the current users on the database by using SELECT queries on the OUser class.
orientdb> SELECT RID, name, status FROM OUser
If the above query is executed successfully, you will get the following output.
---+--------+--------+--------
 # | @CLASS | name   | status
---+--------+--------+--------
 0 | null   | admin  | ACTIVE
 1 | null   | reader | ACTIVE
 2 | null   | writer | ACTIVE
---+--------+--------+--------
3 item(s) found. Query executed in 0.005 sec(s).
Creating a New User
To create a new user, use the INSERT command. In doing so, you must set the status to ACTIVE and assign at least one existing role; the roles field is a set of links to ORole records, which is why it is filled from a sub-query.
orientdb> INSERT INTO OUser SET name = 'jay', password = 'JaY', status = 'ACTIVE', roles = (SELECT FROM ORole WHERE name = 'reader')
Updating Users
You can rename a user with the UPDATE statement. The example below renames the built-in reader user to jay.
orientdb> UPDATE OUser SET name = 'jay' WHERE name = 'reader'
In the same way, you can change the password for a user, here for the user renamed above (a WHERE clause on the old name would match no record).
orientdb> UPDATE OUser SET password = 'hello' WHERE name = 'jay'
OrientDB never stores the password in clear text: the OUserTrigger hook hashes the value transparently before the record is saved, so a SELECT on OUser returns the hash, not the password you typed.
Disabling Users
To disable a user, use UPDATE to switch its status from ACTIVE to SUSPENDED; a suspended user can no longer log in, but its record and role assignments are kept, so it can be re-enabled later. For instance, to disable all users except admin, run the following command (as admin, otherwise it also suspends the account you are connected with) −
orientdb> UPDATE OUser SET status = 'SUSPENDED' WHERE name <> 'admin'
Roles
A role determines what operations a user can perform on a resource. The decision depends on the role's working mode and its rules, and the rules are interpreted differently depending on the working mode.
Working with Roles
When you are connected to a database, you can query the current roles on the database using SELECT queries on the ORole class.
orientdb> SELECT RID, mode, name, rules FROM ORole
If the above query is executed successfully, you will get the following output.
--+------+----+--------+-------------------------------------------------------
# |@CLASS|mode| name   | rules
--+------+----+--------+-------------------------------------------------------
0 | null | 1  | admin  | {database.bypassRestricted = 15}
1 | null | 0  | reader | {database.cluster.internal = 2, database.cluster.orole = 0...
2 | null | 0  | writer | {database.cluster.internal = 2, database.cluster.orole = 0...
--+------+----+--------+-------------------------------------------------------
3 item(s) found. Query executed in 0.002 sec(s).
The numbers in the rules map are permission bit flags: CREATE = 1, READ = 2, UPDATE = 4, DELETE = 8. A value of 15 grants all four, and 0 grants nothing, which is why the reader role has database.cluster.orole = 0: it can read data but not the roles themselves.
Creating New Roles
To create a new role, use the INSERT statement. A role created this way has an empty rules map, so with mode 0 it permits nothing until rules are added (for example with GRANT).
orientdb> INSERT INTO ORole SET name = 'developer', mode = 0
Working with Modes
Where rules determine what users belonging to certain roles can do on the database, working modes determine how OrientDB interprets these rules. There are two working modes, stored as 1 and 0.
- Allow All But (Rules) − The super-user mode. The rules list exceptions: if OrientDB finds no rule for a requested resource, it allows the operation. Use this mode only for power users and administrators. The default admin role uses it and has no exception rules. It is stored as 1 in the database.
- Deny All But (Rules) − This mode allows nothing by default. The rules list exceptions: OrientDB allows an operation only if a rule for the requested resource grants it. Use this mode as the default for ordinary users. The default reader and writer roles use it. It is stored as 0 in the database.
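The following OrientDB SQL session puts the user and role procedures above together: a least-privilege role in deny-all-but mode, rules added with GRANT, a user bound to that role, verification queries, and finally REVOKE and suspension. It is an added example, not part of the original page or of OrientDB's own documentation; the classes Customer and Invoice, the role invoice_clerk and the user clerk1 are hypothetical names.

```sql
-- Added example (not from the original page). Assumes an existing
-- database containing the classes Customer and Invoice; role and
-- user names are invented for the example.

-- 1. Create a role in "deny all but" mode (mode = 0). Its rules map
--    starts empty, so at this point the role permits nothing.
INSERT INTO ORole SET name = 'invoice_clerk', mode = 0

-- 2. Add the exceptions with GRANT. Each rule value is a bit mask:
--    CREATE = 1, READ = 2, UPDATE = 4, DELETE = 8, ALL = 15.
--    Grants on the same resource accumulate (READ + UPDATE = 6).
GRANT READ   ON database.class.Customer TO invoice_clerk
GRANT READ   ON database.class.Invoice  TO invoice_clerk
GRANT UPDATE ON database.class.Invoice  TO invoice_clerk
-- Nothing is granted on database.class.OUser or database.class.ORole,
-- so the role can neither read nor change accounts and permissions.

-- 3. Create a user that holds only this role. The roles field is a
--    set of links, filled from a sub-query on ORole.
INSERT INTO OUser SET name = 'clerk1', password = 'S3cret!-change-me',
    status = 'ACTIVE',
    roles = (SELECT FROM ORole WHERE name = 'invoice_clerk')

-- 4. Check what was stored: the rules map of the role and the role
--    names of the user. The password field holds a hash, not the
--    value typed above, so it is deliberately not selected.
SELECT name, mode, rules FROM ORole WHERE name = 'invoice_clerk'
SELECT name, status, roles.name AS roles FROM OUser WHERE name = 'clerk1'

-- 5. Take a permission away again with REVOKE, and retire the account
--    by suspending it rather than deleting it, so the record remains.
REVOKE UPDATE ON database.class.Invoice FROM invoice_clerk
UPDATE OUser SET status = 'SUSPENDED' WHERE name = 'clerk1'
```

One caveat to check on your own server: besides the class grants, a deny-all role needs a few base entries before even a SELECT succeeds, and which ones depends on the OrientDB version. The built-in reader role shows the set that works on your installation (its rules map starts with entries such as database.cluster.internal = 2), so compare a new role against it and confirm with a test login as the new user before relying on it.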