用户权限管理 #

OrientDB安全模型：
├── User（用户）- 访问数据库的身份
├── Role（角色）- 权限的集合
└── Permission（权限）- 具体操作权限

INSERT INTO OUser SET name = 'tom', password = 'password123', status = 'ACTIVE'

INSERT INTO OUser SET 
    name = 'tom', 
    password = 'password123', 
    status = 'ACTIVE',
    roles = (SELECT FROM ORole WHERE name = 'reader')

SELECT FROM OUser
SELECT name, status, roles.name FROM OUser

SELECT * FROM OUser WHERE name = 'tom'

UPDATE OUser SET password = 'newPassword123' WHERE name = 'tom'

UPDATE OUser SET status = 'SUSPENDED' WHERE name = 'tom'

UPDATE OUser SET status = 'ACTIVE' WHERE name = 'tom'

DELETE FROM OUser WHERE name = 'tom'

INSERT INTO ORole SET 
    name = 'developer', 
    mode = 0,
    inheritedRole = (SELECT FROM ORole WHERE name = 'writer')

SELECT FROM ORole
SELECT name, mode, rules FROM ORole

SELECT * FROM ORole WHERE name = 'developer'

DELETE FROM ORole WHERE name = 'developer'

GRANT ALL ON DATABASE TO developer
GRANT READ ON DATABASE TO reader

GRANT ALL ON Person TO developer
GRANT READ ON Person TO reader
GRANT READ, UPDATE ON Person TO editor

GRANT ALL ON CLUSTER:person_cluster TO developer
GRANT READ ON CLUSTER:person_cluster TO reader

GRANT EXECUTE ON FUNCTION:calculateAge TO developer
GRANT EXECUTE ON FUNCTION:* TO admin

GRANT ALL ON Person, Company, Order TO developer

REVOKE ALL ON DATABASE FROM developer
REVOKE READ ON DATABASE FROM reader

REVOKE ALL ON Person FROM developer
REVOKE DELETE ON Person FROM writer

REVOKE ALL ON CLUSTER:person_cluster FROM developer

REVOKE EXECUTE ON FUNCTION:calculateAge FROM developer

UPDATE OUser ADD roles = (SELECT FROM ORole WHERE name = 'developer') WHERE name = 'tom'

UPDATE OUser REMOVE roles = (SELECT FROM ORole WHERE name = 'developer') WHERE name = 'tom'

UPDATE OUser SET roles = (SELECT FROM ORole WHERE name IN ['reader', 'writer']) WHERE name = 'tom'

UPDATE ORole PUT rules = 'Person', 15 WHERE name = 'developer'

SELECT name, rules FROM ORole WHERE name = 'developer'

UPDATE ORole REMOVE rules['Person'] WHERE name = 'developer'

INSERT INTO ORole SET 
    name = 'app_user', 
    mode = 1,
    inheritedRole = (SELECT FROM ORole WHERE name = 'reader')

GRANT READ, UPDATE ON User TO app_user
GRANT READ ON Product TO app_user
GRANT CREATE ON Order TO app_user
GRANT READ ON Order TO app_user WHERE createdBy = $currentUser

INSERT INTO OUser SET 
    name = 'app_service', 
    password = 'securePassword123!', 
    status = 'ACTIVE',
    roles = (SELECT FROM ORole WHERE name = 'app_user')

INSERT INTO OUser SET 
    name = 'report_user', 
    password = 'reportPassword123', 
    status = 'ACTIVE',
    roles = (SELECT FROM ORole WHERE name = 'reader')

INSERT INTO OUser SET 
    name = 'db_admin', 
    password = 'adminPassword123!', 
    status = 'ACTIVE',
    roles = (SELECT FROM ORole WHERE name = 'admin')

CREATE CLASS SecurityPolicy EXTENDS V
CREATE PROPERTY SecurityPolicy.resource STRING
CREATE PROPERTY SecurityPolicy.condition STRING

INSERT INTO SecurityPolicy SET 
    resource = 'Order',
    condition = 'createdBy = $currentUser'

GRANT READ ON Order TO app_user WHERE createdBy = $currentUser

密码策略建议：
├── 使用强密码
├── 定期更换密码
├── 避免使用默认密码
├── 密码加密存储
└── 使用密码哈希

最小权限原则：
├── 只授予必要的权限
├── 使用角色管理权限
├── 定期审查权限
└── 及时撤销不需要的权限

安全配置建议：
├── 修改默认root密码
├── 禁用不需要的用户
├── 启用SSL/TLS
├── 限制网络访问
└── 启用审计日志

ALTER DATABASE SET security.audit = true

SELECT FROM OAuditingLog
SELECT FROM OAuditingLog ORDER BY timestamp DESC LIMIT 100

SELECT FROM OAuditingLog 
WHERE operation = 'CREATE' 
ORDER BY timestamp DESC