Warning: Can't synchronize with repository "(default)" (/home/git/ome.git does not appear to be a Git repository.). Look in the Trac log for more information.
Notice: In order to edit this ticket you need to be either: a Product Owner, The owner or the reporter of the ticket, or, in case of a Task not yet assigned, a team_member"

Task #1784 (closed)

Opened 14 years ago

Closed 14 years ago

Permissions : problems with Scripting service

Reported by: wmoore Owned by:
Priority: blocker Milestone: OMERO-Beta4.2
Component: Scripting Version: 4.1
Keywords: n.a. Cc:
Resources: n.a. Referenced By: n.a.
References: n.a. Remaining Time: 0.0d
Sprint: 2010-03-19 (5)

Description (last modified by jmoore)

Scripts are an interesting problem for #1434. They are one of the few (the only?) case of data in the "system" group that is intended for use by others. To make this work, we will most likely need special handling until the FS solution is ready.

Issues

  • #1315 (ScriptI sets permissions) is no longer allowed. Will's issue below
  • Users would have to log into "system" to see the admin scripts
  • Linking between the admin scripts and the result files is not allowed.

(Partial) Options:

  • Make "system" public
  • Allowing linking to "system" objects
    • Cons: how to handle chgrp?
  • Make all objects in "system" system types by definition
  • Have the same scripts in each group

From Will:
Couldn't upload a script.
Using server r6063.

 print scriptService.uploadScript(script)
  File "/Users/will/Documents/workspace/Omero/dist/lib/python/omero_api_IScript_ice.py", line 118, in uploadScript
    return _M_omero.api.IScript._op_uploadScript.invoke(self, ((script, ), _ctx))
Ice.UnknownException: exception ::Ice::UnknownException
{
    unknown = ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.core.OriginalFile:Id_51(rwr-r-) from Lrwrwrw to Lrwrwrw 
	at ome.security.basic.OmeroInterceptor.managedPermissions(OmeroInterceptor.java:781)
	at ome.security.basic.OmeroInterceptor.checkManagedDetails(OmeroInterceptor.java:614)
	at ome.security.basic.OmeroInterceptor.resetDetails(OmeroInterceptor.java:303)
	at ome.security.basic.OmeroInterceptor.onFlushDirty(OmeroInterceptor.java:177)
	at org.hibernate.event.def.DefaultFlushEntityEventListener.invokeInterceptor(DefaultFlushEntityEventListener.java:331)
	at org.hibernate.event.def.DefaultFlushEntityEventListener.handleInterception(DefaultFlushEntityEventListener.java:308)
	at org.hibernate.event.def.DefaultFlushEntityEventListener.scheduleUpdate(DefaultFlushEntityEventListener.java:248)
	at org.hibernate.event.def.DefaultFlushEntityEventListener.onFlushEntity(DefaultFlushEntityEventListener.java:128)
	at ome.security.basic.FlushEntityEventListener.onFlushEntity(FlushEntityEventListener.java:52)
	at org.hibernate.event.def.AbstractFlushingEventListener.flushEntities(AbstractFlushingEventListener.java:196)
	at org.hibernate.event.def.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:76)
	at org.hibernate.event.def.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:26)
	at org.hibernate.impl.SessionImpl.flush(SessionImpl.java:1000)
	at ome.logic.UpdateImpl.afterUpdate(UpdateImpl.java:288)
	at ome.logic.UpdateImpl.doAction(UpdateImpl.java:306)
	at ome.logic.UpdateImpl.doAction(UpdateImpl.java:296)
	at ome.logic.UpdateImpl.saveAndReturnObject(UpdateImpl.java:117)
	at ome.services.JobBean$1.updateObject(JobBean.java:356)
	at ome.security.basic.BasicSecuritySystem.doAction(BasicSecuritySystem.java:484)
	at ome.services.JobBean.secureSave(JobBean.java:354)
	at ome.services.JobBean.submit(JobBean.java:175)
	at ome.services.blitz.impl.SharedResourcesI$6.doWork(SharedResourcesI.java:476)
	at ome.services.blitz.impl.SharedResourcesI$6.doWork(SharedResourcesI.java:464)
	at sun.reflect.GeneratedMethodAccessor172.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:592)
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
	at ome.services.util.Executor$Impl$Interceptor.invoke(Executor.java:394)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
	at ome.security.basic.EventHandler.invoke(EventHandler.java:133)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
	at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
	at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:175)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
	at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:110)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
	at $Proxy55.doWork(Unknown Source)
	at ome.services.util.Executor$Impl.execute(Executor.java:324)
	at ome.services.blitz.impl.SharedResourcesI.acquireProcessor(SharedResourcesI.java:460)
	at omero.grid._SharedResourcesTie.acquireProcessor(_SharedResourcesTie.java:64)
	at omero.grid._SharedResourcesDisp.___acquireProcessor(_SharedResourcesDisp.java:114)
	at omero.grid._SharedResourcesDisp.__dispatch(_SharedResourcesDisp.java:219)
	at IceInternal.Incoming.invoke(Incoming.java:159)
	at Ice.ConnectionI.invokeAll(ConnectionI.java:2037)
	at Ice.ConnectionI.message(ConnectionI.java:972)
	at IceInternal.ThreadPool.run(ThreadPool.java:577)
	at IceInternal.ThreadPool.access$100(ThreadPool.java:12)
	at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:971)

Change History (15)

comment:1 Changed 14 years ago by wmoore

  • Owner changed from dzmacdonald to jmoore
  • Summary changed from Permissions problem with Scritping service to Permissions problem with Scripting service

comment:2 Changed 14 years ago by jmoore

  • Description modified (diff)
  • Priority changed from critical to blocker
  • Summary changed from Permissions problem with Scripting service to Permissions : problems with Scripting service

comment:3 Changed 14 years ago by jmoore

  • Description modified (diff)

comment:4 Changed 14 years ago by jmoore

source:trunk/components/toolsOmeroPy/test/integration/ping.py is working with the commits:

I'll keep testing this morning, but you should be able to try things again, Will.

comment:5 Changed 14 years ago by wmoore

This is working fine for me now - Many thanks!
Close ticket? - or a more permanent fix needed?

comment:6 Changed 14 years ago by jmoore

#1791 and #1794 are related. I'll close them all together if this solution is what we go with.

comment:7 Changed 14 years ago by jmoore

  • Sprint set to Sprint 2
  • Type changed from defect to Bug

comment:8 Changed 14 years ago by jmoore

  • Type changed from Bug to Task

comment:9 Changed 14 years ago by jmoore

  • Status changed from new to assigned

comment:10 Changed 14 years ago by jmoore

  • Remaining Time set to 0.5

comment:11 Changed 14 years ago by jmoore

  • Remaining Time changed from 0.5 to 4

comment:12 Changed 14 years ago by jmoore

  • Owner jmoore deleted
  • Status changed from assigned to new

comment:13 Changed 14 years ago by jmoore

  • Sprint 2010-02-19 (3) deleted

comment:14 Changed 14 years ago by jmoore

  • r6073 - change to ScriptI
  • r6074- security filter and system type changes

comment:15 Changed 14 years ago by jmoore

  • Remaining Time changed from 4 to 0
  • Resolution set to fixed
  • Sprint set to 2010-03-19 (5)
  • Status changed from new to closed

Handling as a part of #1794. Public scripts will be put in the "user" group, either via a new IScript method ("uploadPublicScript" etc) or via a general-purpose method: iAdmin.moveToUser(objs)

Note: See TracTickets for help on using tickets. You may also have a look at Agilo extensions to the ticket.

1.3.13-PRO © 2008-2011 Agilo Software all rights reserved (this page was served in: 0.66307 sec.)

We're Hiring!