User Story #1434 (closed)
Opened 15 years ago
Closed 14 years ago
Re-enable group permissions support
Reported by: | jamoore | Owned by: | jamoore |
---|---|---|---|
Priority: | critical | Milestone: | OMERO-Beta4.2 |
Component: | Security | Keywords: | n.a. |
Cc: | jrswedlow, jburel, cxallan, bwzloranger, atarkowska, jmwallach@…, carlos@… | Story Points: | n.a. |
Sprint: | n.a. | Importance: | n.a. |
Total Remaining Time: | 0.0d | Estimated Remaining Time: | n.a. |
Description (last modified by jmoore)
This ticket is the story umbrella for all the permissions improvements planned for milestone:OMERO-Beta4.2 in order to re-activate group-sharing. Linked tickets are available under [WorkPlan/Permissions]
Items under discussion
The following items are not listed on the WorkPlan page. If they are deemed important for 4.2, they should be moved there. If not, they should either be deleted or moved to their own tickets.
- event on setSecurityContext and on changePermissions(group)
- thumbnails, annotation links, etc. become a new type of object: "shared" (or similar) which don't prevent delete.
- In some cases, automatically convert object's group to the attached to object? (From #1171, is this necessary if other groups are not visible?)
See also:
Change History (35)
comment:1 Changed 15 years ago by jburel
comment:2 Changed 15 years ago by jmoore
- Cc bwzloranger atarkowska added
comment:3 Changed 15 years ago by jmoore
- Description modified (diff)
From Sep 04 conf call:
- permissions (Brian)
  - private space, and a single or multiple public space?
  - fine for vast majority of people
  - private space gets rid of PI concept. perhaps via 600
  - Donald: no private space?
  - Brian: can you add more than one boss?
  - Chris: how does this work with the setting a group to public from private?
  - quickest option:
    - user only in one group
    - turn group private or public
    - server ensures graph-consistency, both group_id and permissions
    - PI or admin can move group to public
    - UI: need to know group perspective (don't show data)
    - ADMIN UI: need to allow upgrade to group visible. can't downgrade
      - offering upgrade button
      - sending email to all the users??
  - next stage: either private space or multiple groups.
  - really a testing issue: moving the component/client tests.
    - get them green
    - then modify them as expected
comment:4 Changed 15 years ago by jmoore
- Description modified (diff)
comment:5 Changed 15 years ago by jmoore
- Description modified (diff)
comment:6 Changed 15 years ago by jmoore
- Description modified (diff)
comment:7 Changed 15 years ago by jmoore
- Description modified (diff)
comment:8 Changed 15 years ago by jmoore
- Description modified (diff)
comment:9 Changed 15 years ago by jmoore
- Milestone changed from OMERO-Beta4.1 to OMERO-Beta4.2
Moving as discussed conf call 2009-09-18
comment:10 Changed 14 years ago by jmoore
- Description modified (diff)
comment:11 Changed 14 years ago by jmoore
- Description modified (diff)
comment:12 Changed 14 years ago by jmoore
- Description modified (diff)
comment:13 Changed 14 years ago by jmoore
- Description modified (diff)
comment:14 Changed 14 years ago by jmoore
- Description modified (diff)
comment:15 Changed 14 years ago by jmoore
Brief discussion on write with Ola, Josh, Jean-Marie:
- want to keep things simple for the user
- the solution above allows setting on group
- but do we need to let user change write-ability?
- e.g. "make container read-only or full-access"
- J-M: dangerous except for annotations to let change
- Josh: but Image.description or Shape.color?
- "rwrwrw" not a good idea. But could have a PUBLIC group (with guest)
- for options of groups: rw, rwr, rwrw
- configurable initial groups? Maybe
- users in more than one group? Yes
- more than one PI? Yes
- G/E/P/D/I? Yes, but G is strict (security based), E isn't (could be mixed)
- Need a way to restrict owner-mixing? Maybe (would be LINK permission)
- Perhaps handle it via best-practice
- Possible to distinguish hierarchies and annotations? Hard.
- Possibly use color codes per user initially.
- If user filtering, pass back "friend" user list of who was queried?
comment:16 Changed 14 years ago by jmoore
- Cc jmwallach@… added
comment:17 Changed 14 years ago by jmoore
- Description modified (diff)
comment:18 Changed 14 years ago by jmoore
comment:19 Changed 14 years ago by jmoore
- Description modified (diff)
comment:20 Changed 14 years ago by jmoore
- Description modified (diff)
Marked #203 as a duplicate of this ticket.
comment:21 Changed 14 years ago by jmoore
- Description modified (diff)
comment:22 Changed 14 years ago by jmoore
- Description modified (diff)
comment:23 Changed 14 years ago by jmoore
- r6012 Initial work for enabling group sharing
- r6014 removing default permissions (compiling)
- r6015 beginning work on group-based permission inheritance
- r6016 First version of 4.2-DEV0 with global ExperimenterGroup
- r6017 Update of 4.2-DEV0 with global GroupExperimenterMap and
- r6018 setting of group permissions (intermediate)
- r6019 Added GroupSecurityViolation
- r6020 Modifying SecurityFilter for consistent graphs
- r6021 Allow root login to non-member groups
- r6022 group-consistent graph test fixes
- r6023 Allow multiple group owners (API support)
- r6024 Global enumerations (no DB upgrade yet)
- r6025 Primary test package
- r6026 test fixes
- r6027 Band-aid fixes for WebAdmin
comment:24 Changed 14 years ago by jmoore
.#1 Permissions 10:28 ([[OmeWork#190]])
- With Ola
  - private / public groups, check-box
    - @How long does it take?
  - Features to include
    - Group creation gets toggle
    - Multiple-owners
    - List owned-groups on MyAccount
    - adding checkboxes to "Edit scientist"
- New things
  - getSecurityContexts
  - GroupSecurityViolation
  - changePermissions
  - objects global (no owner)
  - admin don't have to log in as system
  - multiple owners (unsetGroupOwner, etc)
- Questions
  - no-owners? all-owners? toggle?
  - default/active? (check box to change forever?)
  - private group viewed by root/pi?
  - wizard for chgrp & make-private
  - admin logging into all groups?
  - initial login? or last login or default?
comment:25 Changed 14 years ago by jmoore
.#2 Permissions 11:45 ([[OmeWork#191]])
- switching group on login
  - Insight: different user/server list disappears
  - not so important // need more interaction testing
  - # of people in multiple group is limited
  - more important to have ability to see other's data
- more important...
  - being able to administer groups while viewing images
  - j-m: working on lite version of admin
- active/last-selected/default/"default"
  - last-selected / default
  - ExperimenterGroup.name == "default"
    - name? CHANGE_ME?
    - documenting deleting/changing name
    - root redirected to group page? (renaming)
    - click box for creating a new group?
    - bin/omero db script to be something other than "default"
  - existing group identifications
    - active: group set on the session
    - default: top of list of groups
    - last-selected: ?? no storage
  - issues
    - pi
    - scripts
  - not so important // need more interaction testing
- other questions
  - enforcing an owner on a group
  - pi in private group
    - read-only? (renderingsettings of user)
    - move to owner of group?
    - group-shared/public permissions?
  - chgrp wizard
    - possibly needed for upgrade
    - clarification: no changing READ permissions at object level
    - use case: archiving
- demo @ end of week
  - Thurs. screenshots
  - couple of users on ola's machine
comment:27 Changed 14 years ago by jmoore
comment:28 Changed 14 years ago by jmoore
.#1 Permissions prioritized bugs 14:20 ([[OmeWork#194]])
- Ola
  - rwr-- mode
    - doesn't use to WRITE
    - allow OWNER to call changePermissions()
    - for now only upgrade
    - WRITE also is based on group (1776)
    - PUBLIC group in the next week or two
  - updateGroup
    - says permissions must be changed in IAdmin
  - owner
    - create group and set owner in one call
    - addGroupOwners()
    - removeGroupOwners()
- Jean-Marie
  - Shoola is crashing with latest server (#1777)
comment:29 Changed 14 years ago by jmoore
comment:30 Changed 14 years ago by jmoore
comment:31 Changed 14 years ago by omero
Dear Sirs,
While trying to upgrade the OMERO database from version 4.1 to version 4.2 by using the script committed on:
I get the following error:
omero@omero:/opt/omero_dist/sql/psql/OMERO4.2-DEV__0$ psql -h localhost -U omero < OMERO4.10.sql
Password for user omero:
BEGIN
CREATE FUNCTION
omero_assert_omero4_1_0
(1 row)
DROP FUNCTION
INSERT 0 1
ALTER TABLE
ERROR: syntax error at or near "="
LINE 5: AND experimenterid. = groupexperimentermap.child;
ERROR: syntax error at or near "COLUMN"
LINE 1: ALTER TABLE groupexperimentermap SET COLUMN owner NOT NULL;
ERROR: current transaction is aborted, commands ignored until end of transaction block
ERROR: current transaction is aborted, commands ignored until end of transaction block
ERROR: current transaction is aborted, commands ignored until end of transaction block
ERROR: current transaction is aborted, commands ignored until end of transaction block
ROLLBACK
And the upgrade of the database fails. I'm not sure if commenting here is the best way to report this kind of problem; just in case, feel free to drop me a line at alessandro.dellavedova<@>ifom-ieo-campus.it
Thank you for your continued efforts in developing OMERO!
Alessandro
comment:32 Changed 14 years ago by jmoore
comment:33 Changed 14 years ago by jmoore
comment:34 Changed 14 years ago by jmoore
comment:35 Changed 14 years ago by jmoore
- Resolution set to fixed
- Status changed from new to closed
GUI
will be presented. User will then have ability to switch to another group.