Task #1794 (closed)
Permissions : Define exceptions to standard group permissions (#1434)
| Reported by: | jamoore | Owned by: | jamoore |
|---|---|---|---|
| Priority: | major | Milestone: | OMERO-Beta4.2 |
| Component: | Security | Version: | 4.1 |
| Keywords: | n.a. | Cc: | atarkowska, jburel |
| Resources: | n.a. | Referenced By: | n.a. |
| References: | n.a. | Remaining Time: | 0.0d |
| Sprint: | 2010-03-19 (5) | | |
Description (last modified by jmoore)
As a follow-up to #1434, an attempt should be made to outline the exceptions to the group-security system that has been put in place. E.g. what objects cannot exist in only one group? Two examples have already shown up:
==Discussion Mar. 22 (Ola, Jean-Marie, Josh):==
- the goal is a common-pot
- the common-pot is an area to put objects which
  - should be seen by all users
  - can be linked to by all objects
- possible objects for the common pot: ratings (1-5), tags, scripts (#1784), user photos (#1791)
- need to keep in mind uploading private scripts versus uploading public scripts
- need method for uploading user photos
- an alternative might be adding roles ("PUBLIC", etc.) but this will need more investigation
==Questions:==
- What does an owner of "user" group mean?
- Do we need a parameters item to filter out the common-pot?
- Will these objects be allowed to have divergent permissions (not tied to the group), or is that even necessary since they have special handling?
- Would it be possible to use the "WORLD" flag?
==Decisions:==
- move from using "system" and "user" group to only using "user" group for common-pot
- only admins can add to the common pot (add methods where necessary)
- we will wait on the parameter filter and decide on its need
Change History (11)
comment:1 Changed 9 years ago by jmoore
- Description modified (diff)
comment:2 Changed 9 years ago by jmoore
- Description modified (diff)
comment:3 Changed 9 years ago by jmoore
comment:4 Changed 9 years ago by jmoore
- Type changed from User Story to Task
comment:5 Changed 9 years ago by jmoore
- Remaining Time set to 0.5
- Sprint set to 2010-03-19 (5)
comment:6 Changed 9 years ago by jmoore
- Status changed from new to assigned
comment:8 Changed 9 years ago by jmoore
- Remaining Time changed from 0.5 to 0
- Resolution set to fixed
- Status changed from assigned to closed
comment:9 Changed 9 years ago by jmoore
From Colin:
Josh: I got one of these:
2010-03-25 10:48:24,465 WARN [.services.blitz.repo.AbstractRepositoryI] (r_Worker-2) Making repository readable...
2010-03-25 10:48:24,466 WARN [.services.blitz.repo.AbstractRepositoryI] (r_Worker-0) Making repository readable...
2010-03-25 10:48:24,472 INFO [ org.perf4j.TimingLogger] (r_Worker-0) start[1269514104444] time[28] tag[omero.call.exception]
2010-03-25 10:48:24,472 INFO [ ome.services.util.ServiceHandler] (r_Worker-0) Excp: ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.core.OriginalFile:Id_3(rw----) from rw---- to r-r-r-
2010-03-25 10:48:24,472 INFO [ org.perf4j.TimingLogger] (r_Worker-2) start[1269514104442] time[30] tag[omero.call.exception]
2010-03-25 10:48:24,472 ERROR [.services.blitz.repo.AbstractRepositoryI] (r_Worker-0) Unexpected error in called executor on takeover
ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.core.OriginalFile:Id_3(rw----) from rw---- to r-r-r-
at ome.security.basic.OmeroInterceptor.managedPermissions(OmeroInterceptor.java:792)
at ome.security.basic.OmeroInterceptor.checkManagedDetails(OmeroInterceptor.java:624)
at ome.security.basic.OmeroInterceptor.resetDetails(OmeroInterceptor.java:306)
at ome.security.basic.OmeroInterceptor.onFlushDirty(OmeroInterceptor.java:180)
at org.hibernate.event.def.DefaultFlushEntityEventListener.invokeInterceptor(DefaultFlushEntityEventListener.java:331)
at org.hibernate.event.def.DefaultFlushEntityEventListener.handleInterception(DefaultFlushEntityEventListener.java:308)
at org.hibernate.event.def.DefaultFlushEntityEventListener.scheduleUpdate(DefaultFlushEntityEventListener.java:248)
at org.hibernate.event.def.DefaultFlushEntityEventListener.onFlushEntity(DefaultFlushEntityEventListener.java:128)
at org.hibernate.event.def.AbstractFlushingEventListener.flushEntities(AbstractFlushingEventListener.java:196)
at org.hibernate.event.def.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:76)
at org.hibernate.event.def.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:26)
at org.hibernate.impl.SessionImpl.flush(SessionImpl.java:1000)
at ome.security.basic.EventHandler.invoke(EventHandler.java:167)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:175)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:111)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy55.doWork(Unknown Source)
at ome.services.util.Executor$Impl.execute(Executor.java:324)
at ome.services.blitz.repo.AbstractRepositoryI.takeover(AbstractRepositoryI.java:113)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:592)
at org.springframework.util.MethodInvoker.invoke(MethodInvoker.java:276)
at org.springframework.scheduling.quartz.MethodInvokingJobDetailFactoryBean$MethodInvokingJob.executeInternal(MethodInvokingJobDetailFactoryBean.java:260)
at org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:86)
at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
2010-03-25 10:48:24,472 INFO [ ome.services.util.ServiceHandler] (r_Worker-2) Excp: ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.core.OriginalFile:Id_4(rw----) from rw---- to r-r-r-
2010-03-25 10:48:24,473 ERROR [.services.blitz.repo.AbstractRepositoryI] (r_Worker-2) Unexpected error in called executor on takeover
ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.core.OriginalFile:Id_4(rw----) from rw---- to r-r-r-
(stack trace identical to the one above for Id_3)
2010-03-25 10:48:51,123 INFO [ ome.services.blitz.Entry] ( main) Calling close on context OMERO.blitz
2010-03-25 10:48:51,123 INFO [.services.blitz.repo.AbstractRepositoryI] ( main) Releasing /var/folders/UW/UWnTPUPNGxWefg1GbEBoL++++TI/-Tmp-/
2010-03-25 10:48:51,123 INFO [.services.blitz.repo.AbstractRepositoryI] ( main) Releasing /OMERO/
2010-03-25 10:48:51,219 INFO [ ome.services.blitz.fire.Registry] ( main) Removed ClusterNode/5d5c8745-da25-4368-a956-ab57144b1b99 from registry
50:46 I noted there were no proxies.
51:44 ...repository proxies
comment:10 Changed 9 years ago by jmoore
comment:11 Changed 9 years ago by jmoore
At least while testing (which happens often as root) this can be a good surprise:
```sql
omero=# select count(id) from image where group_id = 4054;
 count
-------
     4
(1 row)

omero=# select count(id) from image where group_id = 4054 OR group_id = 0;
 count
-------
 51549
(1 row)
```

so that:

```python
srvFactory.setSecurityContext(someSmallGroup)
iQuery.findAll("Image", None)
```

can return 50K+ images.
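An added example, not OMERO's own code, that models the common-pot rules decided in the description and the two behaviours seen in the comments: a query under a small group's security context also returns group 0 objects (the count above), and a per-object permission change away from the group's permissions is refused (the GroupSecurityViolation in Colin's log). The names `find_all`, `add_to_common_pot`, `set_perms`, `violates`, `COMMON_POT_GROUP` and the sample objects are assumptions of this model.

```python
# Added example, not OMERO's code: a model of the common-pot rules in this ticket.
from dataclasses import dataclass
COMMON_POT_GROUP = 0  # the "user" group whose objects every query also sees

class GroupSecurityViolation(Exception):
    pass

@dataclass
class Obj:
    id: int
    kind: str
    group_id: int
    perms: str  # OMERO-style permission string such as "rw----"

# Constructed sample data: four images in a small group, three in the common pot.
GROUP_PERMS = {4054: "rw----", COMMON_POT_GROUP: "rwr---"}
OBJECTS = [Obj(i, "Image", 4054, "rw----") for i in range(1, 5)]
OBJECTS += [Obj(100 + i, "Image", COMMON_POT_GROUP, "rwr---") for i in range(3)]

def find_all(kind, group_id, exclude_common_pot=False):
    """Model of iQuery.findAll under a security context: the current group plus,
    unless the (deferred) filter parameter is set, everything in the common pot."""
    visible = {group_id} if exclude_common_pot else {group_id, COMMON_POT_GROUP}
    return [o for o in OBJECTS if o.kind == kind and o.group_id in visible]

def add_to_common_pot(is_admin, obj):
    """Ticket decision: only admins can add to the common pot."""
    if not is_admin:
        raise GroupSecurityViolation("only admins can add to the common pot")
    obj.group_id = COMMON_POT_GROUP
    obj.perms = GROUP_PERMS[COMMON_POT_GROUP]
    return obj

def set_perms(obj, new_perms):
    """In this model object permissions stay tied to the group's, so the rw----
    to r-r-r- change on an OriginalFile seen in Colin's log is refused."""
    if new_perms != GROUP_PERMS[obj.group_id]:
        raise GroupSecurityViolation(
            f"Cannot change permissions for {obj.kind}:Id_{obj.id}"
            f"({obj.perms}) from {obj.perms} to {new_perms}")
    obj.perms = new_perms
    return obj

def violates(fn, *args):
    """True when the group-security check refuses the call."""
    try:
        fn(*args)
    except GroupSecurityViolation:
        return True
    return False
```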