OrientDB Tutorial
OrientDB - Security
Like an RDBMS, OrientDB provides security based on the well-known concepts of users and roles. Each database has its own users, and each user has one or more roles. A role is the combination of a working mode and a set of permissions.
Users
By default, OrientDB maintains three different users for every database in the server −
- Admin − This user has access to all functions on the database without limitation.
- Reader − This user is a read-only user. The reader can query any record in the database, but can’t modify or delete it. It has no access to internal information, such as the users and roles themselves.
- Writer − This user is the same as the reader user, but it can also create, update, and delete records.
Working with Users
When you are connected to a database, you can query the current users of the database with a SELECT query on the OUser class.
orientdb> SELECT RID, name, status FROM OUser
If the above query executes successfully, you will get the following output.
---+--------+--------+--------
# | @CLASS | name | status
---+--------+--------+--------
0 | null | admin | ACTIVE
1 | null | reader | ACTIVE
2 | null | writer | ACTIVE
---+--------+--------+--------
3 item(s) found. Query executed in 0.005 sec(s).
Creating a New User
To create a new user, use the INSERT command. Remember that, in doing so, you must set the status to ACTIVE and give the user a valid role.
orientdb> INSERT INTO OUser SET
name = 'jay',
password = 'JaY',
status = 'ACTIVE',
roles = (SELECT FROM ORole WHERE name = 'reader')
Updating Users
You can change the name of a user with the UPDATE statement.
orientdb> UPDATE OUser SET name = 'jay' WHERE name = 'reader'
In the same way, you can also change the password of a user.
orientdb> UPDATE OUser SET password = 'hello' WHERE name = 'reader'
OrientDB stores the password in hashed form: the trigger OUserTrigger hashes the password transparently before the record is saved, so the clear-text value you supply in the UPDATE never reaches storage.
Disabling Users
To disable a user, use UPDATE to switch its status from ACTIVE to SUSPENDED. For instance, if you want to disable all users except admin, use the following command −
orientdb> UPDATE OUser SET status = 'SUSPENDED' WHERE name <> 'admin'
Roles
A role determines which operations a user can perform against a resource. This decision depends mainly on the working mode and the rules, and the rules themselves are interpreted differently depending on the working mode.
Working with Roles
When you are connected to a database, you can query the current roles of the database with a SELECT query on the ORole class.
orientdb> SELECT RID, mode, name, rules FROM ORole
If the above query executes successfully, you will get the following output.
--+------+----+--------+-------------------------------------------------------
# |@CLASS|mode| name | rules
--+------+----+--------+-------------------------------------------------------
0 | null | 1 | admin | {database.bypassRestricted = 15}
1 | null | 0 | reader | {database.cluster.internal = 2, database.cluster.orole = 0...
2 | null | 0 | writer | {database.cluster.internal = 2, database.cluster.orole = 0...
--+------+----+--------+-------------------------------------------------------
3 item(s) found. Query executed in 0.002 sec(s).
Creating New Roles
To create a new role, use the INSERT statement.
orientdb> INSERT INTO ORole SET name = 'developer', mode = 0
Working with Modes
Where rules determine what users belonging to a given role can do on the database, the working mode determines how OrientDB interprets those rules. There are two working modes, designated by 1 and 0.
- Allow All But (Rules) − This is the super-user mode. Specify exceptions to it using the rules. If OrientDB finds no rule for a requested resource, it allows the user to execute the operation. Use this mode mainly for power users and administrators. The default role admin uses this mode and has no exception rules. It is written as 1 in the database.
- Deny All But (Rules) − This mode allows nothing by default. Specify exceptions to it using the rules. If OrientDB finds a rule for a requested resource, it allows the user to execute the operation. Use this mode as the default for all ordinary users. The default roles reader and writer use this mode. It is written as 0 in the database.