Task #1794 (closed)
Permissions : Define exceptions to standard group permissions (#1434)
Reported by: | jamoore | Owned by: | jamoore |
---|---|---|---|
Priority: | major | Milestone: | OMERO-Beta4.2 |
Component: | Security | Version: | 4.1 |
Keywords: | n.a. | Cc: | atarkowska, jburel |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | 0.0d |
Sprint: | 2010-03-19 (5) |
Description (last modified by jmoore)
As a follow-up to #1434, an attempt should be made to outline the exceptions to the group-security system that has been put in place. E.g. what objects cannot exist in only one group? Two examples have already shown up:
==Discussion Mar. 22 (Ola, Jean-Marie, Josh):==
- the goal is a common-pot
- the common-pot is an area to put objects which
  - should be seen by all users
  - can be linked to by all objects
- possible objects for the common pot: ratings (1-5), tags, scripts (#1784), user photos (#1791)
- need to keep in mind uploading private scripts versus uploading public scripts
- need method for uploading user photos
- an alternative might be adding roles ("PUBLIC", etc.) but this will need more investigation
==Questions:==
- What does an owner of "user" group mean?
- Do we need a parameters item to filter out the common-pot?
- Will these objects be allowed to have divergent permissions (not tied to the group), or is it even necessary since they have special handling?
- Would it be possible to use the "WORLD" flag?
==Decisions:==
- move from using "system" and "user" group to only using "user" group for common-pot
- only admins can add to the common pot (add methods where necessary)
- we will wait on the parameter filter and decide on its need
Change History (11)
comment:1 Changed 15 years ago by jmoore
- Description modified (diff)
comment:2 Changed 15 years ago by jmoore
- Description modified (diff)
comment:3 Changed 15 years ago by jmoore
comment:4 Changed 15 years ago by jmoore
- Type changed from User Story to Task
comment:5 Changed 15 years ago by jmoore
- Remaining Time set to 0.5
- Sprint set to 2010-03-19 (5)
comment:6 Changed 15 years ago by jmoore
- Status changed from new to assigned
comment:8 Changed 15 years ago by jmoore
- Remaining Time changed from 0.5 to 0
- Resolution set to fixed
- Status changed from assigned to closed
comment:9 Changed 15 years ago by jmoore
From Colin:
Josh: I got one of these:

2010-03-25 10:48:24,465 WARN [.services.blitz.repo.AbstractRepositoryI] (r_Worker-2) Making repository readable...
2010-03-25 10:48:24,466 WARN [.services.blitz.repo.AbstractRepositoryI] (r_Worker-0) Making repository readable...
2010-03-25 10:48:24,472 INFO [ org.perf4j.TimingLogger] (r_Worker-0) start[1269514104444] time[28] tag[omero.call.exception]
2010-03-25 10:48:24,472 INFO [ ome.services.util.ServiceHandler] (r_Worker-0) Excp: ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.core.OriginalFile:Id_3(rw----) from rw---- to r-r-r-
2010-03-25 10:48:24,472 INFO [ org.perf4j.TimingLogger] (r_Worker-2) start[1269514104442] time[30] tag[omero.call.exception]
2010-03-25 10:48:24,472 ERROR [.services.blitz.repo.AbstractRepositoryI] (r_Worker-0) Unexpected error in called executor on takeover
ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.core.OriginalFile:Id_3(rw----) from rw---- to r-r-r-
    at ome.security.basic.OmeroInterceptor.managedPermissions(OmeroInterceptor.java:792)
    at ome.security.basic.OmeroInterceptor.checkManagedDetails(OmeroInterceptor.java:624)
    at ome.security.basic.OmeroInterceptor.resetDetails(OmeroInterceptor.java:306)
    at ome.security.basic.OmeroInterceptor.onFlushDirty(OmeroInterceptor.java:180)
    at org.hibernate.event.def.DefaultFlushEntityEventListener.invokeInterceptor(DefaultFlushEntityEventListener.java:331)
    at org.hibernate.event.def.DefaultFlushEntityEventListener.handleInterception(DefaultFlushEntityEventListener.java:308)
    at org.hibernate.event.def.DefaultFlushEntityEventListener.scheduleUpdate(DefaultFlushEntityEventListener.java:248)
    at org.hibernate.event.def.DefaultFlushEntityEventListener.onFlushEntity(DefaultFlushEntityEventListener.java:128)
    at org.hibernate.event.def.AbstractFlushingEventListener.flushEntities(AbstractFlushingEventListener.java:196)
    at org.hibernate.event.def.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:76)
    at org.hibernate.event.def.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:26)
    at org.hibernate.impl.SessionImpl.flush(SessionImpl.java:1000)
    at ome.security.basic.EventHandler.invoke(EventHandler.java:167)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:175)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:111)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at $Proxy55.doWork(Unknown Source)
    at ome.services.util.Executor$Impl.execute(Executor.java:324)
    at ome.services.blitz.repo.AbstractRepositoryI.takeover(AbstractRepositoryI.java:113)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:592)
    at org.springframework.util.MethodInvoker.invoke(MethodInvoker.java:276)
    at org.springframework.scheduling.quartz.MethodInvokingJobDetailFactoryBean$MethodInvokingJob.executeInternal(MethodInvokingJobDetailFactoryBean.java:260)
    at org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:86)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
2010-03-25 10:48:24,472 INFO [ ome.services.util.ServiceHandler] (r_Worker-2) Excp: ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.core.OriginalFile:Id_4(rw----) from rw---- to r-r-r-
2010-03-25 10:48:24,473 ERROR [.services.blitz.repo.AbstractRepositoryI] (r_Worker-2) Unexpected error in called executor on takeover
ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.core.OriginalFile:Id_4(rw----) from rw---- to r-r-r-
    at ome.security.basic.OmeroInterceptor.managedPermissions(OmeroInterceptor.java:792)
    at ome.security.basic.OmeroInterceptor.checkManagedDetails(OmeroInterceptor.java:624)
    at ome.security.basic.OmeroInterceptor.resetDetails(OmeroInterceptor.java:306)
    at ome.security.basic.OmeroInterceptor.onFlushDirty(OmeroInterceptor.java:180)
    at org.hibernate.event.def.DefaultFlushEntityEventListener.invokeInterceptor(DefaultFlushEntityEventListener.java:331)
    at org.hibernate.event.def.DefaultFlushEntityEventListener.handleInterception(DefaultFlushEntityEventListener.java:308)
    at org.hibernate.event.def.DefaultFlushEntityEventListener.scheduleUpdate(DefaultFlushEntityEventListener.java:248)
    at org.hibernate.event.def.DefaultFlushEntityEventListener.onFlushEntity(DefaultFlushEntityEventListener.java:128)
    at org.hibernate.event.def.AbstractFlushingEventListener.flushEntities(AbstractFlushingEventListener.java:196)
    at org.hibernate.event.def.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:76)
    at org.hibernate.event.def.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:26)
    at org.hibernate.impl.SessionImpl.flush(SessionImpl.java:1000)
    at ome.security.basic.EventHandler.invoke(EventHandler.java:167)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:175)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:111)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at $Proxy55.doWork(Unknown Source)
    at ome.services.util.Executor$Impl.execute(Executor.java:324)
    at ome.services.blitz.repo.AbstractRepositoryI.takeover(AbstractRepositoryI.java:113)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:592)
    at org.springframework.util.MethodInvoker.invoke(MethodInvoker.java:276)
    at org.springframework.scheduling.quartz.MethodInvokingJobDetailFactoryBean$MethodInvokingJob.executeInternal(MethodInvokingJobDetailFactoryBean.java:260)
    at org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:86)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
2010-03-25 10:48:51,123 INFO [ ome.services.blitz.Entry] ( main) Calling close on context OMERO.blitz
2010-03-25 10:48:51,123 INFO [.services.blitz.repo.AbstractRepositoryI] ( main) Releasing /var/folders/UW/UWnTPUPNGxWefg1GbEBoL++++TI/-Tmp-/
2010-03-25 10:48:51,123 INFO [.services.blitz.repo.AbstractRepositoryI] ( main) Releasing /OMERO/
2010-03-25 10:48:51,219 INFO [ ome.services.blitz.fire.Registry] ( main) Removed ClusterNode/5d5c8745-da25-4368-a956-ab57144b1b99 from registry

50:46 I noted there were no proxies.
51:44 ...repository proxies
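Added example (not part of the ticket or of OMERO's code): a small log triage script that pulls the refused permission changes out of output like the log in comment:9 and reports which rights each change would have added or removed. It assumes the six-character permission string is three read/write pairs in the order user, group, world; the function names and the `SAMPLE` excerpt are introduced here for illustration.

```python
import re

# Message format as it appears in the log quoted in this ticket.
VIOLATION = re.compile(
    r"GroupSecurityViolation: Cannot change permissions for "
    r"(?P<type>[\w.]+):Id_(?P<id>\d+)\([rw-]{6}\) "
    r"from (?P<old>[rw-]{6}) to (?P<new>[rw-]{6})"
)
SCOPES = ("user", "group", "world")  # assumption: order of the three r/w pairs


def grants(perms):
    """Return the (scope, right) pairs set in a 6-character string like 'rw----'."""
    return {(SCOPES[i // 2], c) for i, c in enumerate(perms) if c != "-"}


def find_violations(text):
    """Collect refused permission changes, one record per object and change."""
    found = {}
    for m in VIOLATION.finditer(text):
        key = (m["type"], int(m["id"]), m["old"], m["new"])
        if key not in found:
            old, new = grants(m["old"]), grants(m["new"])
            found[key] = {
                "type": m["type"], "id": int(m["id"]),
                "old": m["old"], "new": m["new"],
                "added": new - old,      # rights the change would have granted
                "removed": old - new,    # rights it would have taken away
                "log_entries": 0,        # the same refusal is logged at INFO and ERROR
            }
        found[key]["log_entries"] += 1
    return list(found.values())


# Excerpt of the log lines quoted in comment:9 (stack frames omitted).
SAMPLE = """\
2010-03-25 10:48:24,472 INFO [ ome.services.util.ServiceHandler] (r_Worker-0) Excp: ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.core.OriginalFile:Id_3(rw----) from rw---- to r-r-r-
2010-03-25 10:48:24,472 ERROR [.services.blitz.repo.AbstractRepositoryI] (r_Worker-0) Unexpected error in called executor on takeover ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.core.OriginalFile:Id_3(rw----) from rw---- to r-r-r-
2010-03-25 10:48:24,472 INFO [ ome.services.util.ServiceHandler] (r_Worker-2) Excp: ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.core.OriginalFile:Id_4(rw----) from rw---- to r-r-r-
2010-03-25 10:48:24,473 ERROR [.services.blitz.repo.AbstractRepositoryI] (r_Worker-2) Unexpected error in called executor on takeover ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.core.OriginalFile:Id_4(rw----) from rw---- to r-r-r-
"""

if __name__ == "__main__":
    for v in find_violations(SAMPLE):
        print(v["type"], v["id"], v["old"], "->", v["new"],
              "adds", sorted(v["added"]), "entries:", v["log_entries"])
```

Because the pattern is applied to the whole text rather than line by line, it also works on log output whose line breaks have been lost.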
comment:10 Changed 15 years ago by jmoore
comment:11 Changed 15 years ago by jmoore
At least while testing (which happens often as root) this can be a good surprise:
so that:
can return 50K+ images.