Warning: Can't synchronize with repository "(default)" (/home/git/ome.git does not appear to be a Git repository.). Look in the Trac log for more information.
Notice: In order to edit this ticket you need to be either: a Product Owner, The owner or the reporter of the ticket, or, in case of a Task not yet assigned, a team_member"

Task #1794 (closed)

Opened 15 years ago

Closed 15 years ago

Last modified 15 years ago

Permissions : Define exceptions to standard group permissions (#1434)

Reported by: jamoore Owned by: jamoore
Priority: major Milestone: OMERO-Beta4.2
Component: Security Version: 4.1
Keywords: n.a. Cc: atarkowska, jburel
Resources: n.a. Referenced By: n.a.
References: n.a. Remaining Time: 0.0d
Sprint: 2010-03-19 (5)

Description (last modified by jmoore)

As a follow-up to #1434, an attempt should be made to outline the exceptions to the group-security system that has been put in place. E.g. what objects cannot exist in only one group? Two examples have already shown up:

  • #1784 - scripts in the "system" group
  • #1791 - user photos in the "user" group

==Discussion Mar. 22 (Ola, Jean-Marie, Josh):==

  • the goal is a common-pot
    • the common-pot is an area to put objects which
      1. should be seen by all users
      2. can be linked to by all objects
  • possible objects for the common pot: ratings (1-5), tags, scripts (#1784) , user photos (#1791)
  • need to keep in mind uploading private scripts versus uploading public scripts
  • need method for uploading user photos
  • an alternative might be adding roles ("PUBLIC", etc.) but this will need more investigation

==Questions:==

  • What does an owner of "user" group mean?
  • Do we need a parameters item to filter out the common-pot?
  • will these objects be allowed to have divergent permissions (not tied to the group) or is it even necessary since they have special handling?
  • would it be possible to use the "WORLD" flag?

==Decisions:==

  • move from using "system" and "user" group to only using "user" group for common-pot
  • only admins can add to the common pot (add methods where necessary)
  • we will wait on the parameter filter and decide on its need

Change History (11)

comment:1 Changed 15 years ago by jmoore

  • Description modified (diff)

comment:2 Changed 15 years ago by jmoore

  • Description modified (diff)

comment:3 Changed 15 years ago by jmoore

At least while testing (which happens often as root) this can be a good surprise:

omero=# select count(id) from image where group_id = 4054;
 count 
-------
     4
(1 row)

omero=# select count(id) from image where group_id = 4054 OR group_id = 0;
 count 
-------
 51549
(1 row)

so that:

srvFactory.setSecurityContext(someSmallGroup);
iQuery.findAll("Image", None);

can return 50K+ images.

comment:4 Changed 15 years ago by jmoore

  • Type changed from User Story to Task

comment:5 Changed 15 years ago by jmoore

  • Remaining Time set to 0.5
  • Sprint set to 2010-03-19 (5)

comment:6 Changed 15 years ago by jmoore

  • Status changed from new to assigned

comment:7 Changed 15 years ago by jmoore

  • Description modified (diff)

Merging #1784 and #1791

comment:8 Changed 15 years ago by jmoore

  • Remaining Time changed from 0.5 to 0
  • Resolution set to fixed
  • Status changed from assigned to closed

(In [6373]) fix #1794 - Now using "user" group as common space with added methods

  • IAdmin.moveToCommonSpace (admin or pi only)
  • IAdmin.uploadMyUserPhoto
  • IAdmin.getMyUserPhotos
  • ScriptUploader and co. move automatically to "user"

comment:9 Changed 15 years ago by jmoore

From Colin:

Josh: I got one of these:
2010-03-25 10:48:24,465 WARN  [.services.blitz.repo.AbstractRepositoryI] (r_Worker-2) Making repository readable...
2010-03-25 10:48:24,466 WARN  [.services.blitz.repo.AbstractRepositoryI] (r_Worker-0) Making repository readable...
2010-03-25 10:48:24,472 INFO  [                 org.perf4j.TimingLogger] (r_Worker-0) start[1269514104444] time[28] tag[omero.call.exception]
2010-03-25 10:48:24,472 INFO  [        ome.services.util.ServiceHandler] (r_Worker-0)  Excp:    ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.core.OriginalFile:Id_3(rw----) from rw---- to r-r-r- 
2010-03-25 10:48:24,472 INFO  [                 org.perf4j.TimingLogger] (r_Worker-2) start[1269514104442] time[30] tag[omero.call.exception]
2010-03-25 10:48:24,472 ERROR [.services.blitz.repo.AbstractRepositoryI] (r_Worker-0) Unexpected error in called executor on takeover
ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.core.OriginalFile:Id_3(rw----) from rw---- to r-r-r- 
    at ome.security.basic.OmeroInterceptor.managedPermissions(OmeroInterceptor.java:792)
    at ome.security.basic.OmeroInterceptor.checkManagedDetails(OmeroInterceptor.java:624)
    at ome.security.basic.OmeroInterceptor.resetDetails(OmeroInterceptor.java:306)
    at ome.security.basic.OmeroInterceptor.onFlushDirty(OmeroInterceptor.java:180)
    at org.hibernate.event.def.DefaultFlushEntityEventListener.invokeInterceptor(DefaultFlushEntityEventListener.java:331)
    at org.hibernate.event.def.DefaultFlushEntityEventListener.handleInterception(DefaultFlushEntityEventListener.java:308)
    at org.hibernate.event.def.DefaultFlushEntityEventListener.scheduleUpdate(DefaultFlushEntityEventListener.java:248)
    at org.hibernate.event.def.DefaultFlushEntityEventListener.onFlushEntity(DefaultFlushEntityEventListener.java:128)
    at org.hibernate.event.def.AbstractFlushingEventListener.flushEntities(AbstractFlushingEventListener.java:196)
    at org.hibernate.event.def.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:76)
    at org.hibernate.event.def.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:26)
    at org.hibernate.impl.SessionImpl.flush(SessionImpl.java:1000)
    at ome.security.basic.EventHandler.invoke(EventHandler.java:167)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:175)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:111)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at $Proxy55.doWork(Unknown Source)
    at ome.services.util.Executor$Impl.execute(Executor.java:324)
    at ome.services.blitz.repo.AbstractRepositoryI.takeover(AbstractRepositoryI.java:113)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:592)
    at org.springframework.util.MethodInvoker.invoke(MethodInvoker.java:276)
    at org.springframework.scheduling.quartz.MethodInvokingJobDetailFactoryBean$MethodInvokingJob.executeInternal(MethodInvokingJobDetailFactoryBean.java:260)
    at org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:86)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
2010-03-25 10:48:24,472 INFO  [        ome.services.util.ServiceHandler] (r_Worker-2)  Excp:    ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.core.OriginalFile:Id_4(rw----) from rw---- to r-r-r- 
2010-03-25 10:48:24,473 ERROR [.services.blitz.repo.AbstractRepositoryI] (r_Worker-2) Unexpected error in called executor on takeover
ome.conditions.GroupSecurityViolation: Cannot change permissions for ome.model.core.OriginalFile:Id_4(rw----) from rw---- to r-r-r- 
    at ome.security.basic.OmeroInterceptor.managedPermissions(OmeroInterceptor.java:792)
    at ome.security.basic.OmeroInterceptor.checkManagedDetails(OmeroInterceptor.java:624)
    at ome.security.basic.OmeroInterceptor.resetDetails(OmeroInterceptor.java:306)
    at ome.security.basic.OmeroInterceptor.onFlushDirty(OmeroInterceptor.java:180)
    at org.hibernate.event.def.DefaultFlushEntityEventListener.invokeInterceptor(DefaultFlushEntityEventListener.java:331)
    at org.hibernate.event.def.DefaultFlushEntityEventListener.handleInterception(DefaultFlushEntityEventListener.java:308)
    at org.hibernate.event.def.DefaultFlushEntityEventListener.scheduleUpdate(DefaultFlushEntityEventListener.java:248)
    at org.hibernate.event.def.DefaultFlushEntityEventListener.onFlushEntity(DefaultFlushEntityEventListener.java:128)
    at org.hibernate.event.def.AbstractFlushingEventListener.flushEntities(AbstractFlushingEventListener.java:196)
    at org.hibernate.event.def.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:76)
    at org.hibernate.event.def.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:26)
    at org.hibernate.impl.SessionImpl.flush(SessionImpl.java:1000)
    at ome.security.basic.EventHandler.invoke(EventHandler.java:167)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:175)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:111)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at $Proxy55.doWork(Unknown Source)
    at ome.services.util.Executor$Impl.execute(Executor.java:324)
    at ome.services.blitz.repo.AbstractRepositoryI.takeover(AbstractRepositoryI.java:113)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:592)
    at org.springframework.util.MethodInvoker.invoke(MethodInvoker.java:276)
    at org.springframework.scheduling.quartz.MethodInvokingJobDetailFactoryBean$MethodInvokingJob.executeInternal(MethodInvokingJobDetailFactoryBean.java:260)
    at org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:86)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
2010-03-25 10:48:51,123 INFO  [                ome.services.blitz.Entry] (      main) Calling close on context OMERO.blitz
2010-03-25 10:48:51,123 INFO  [.services.blitz.repo.AbstractRepositoryI] (      main) Releasing /var/folders/UW/UWnTPUPNGxWefg1GbEBoL++++TI/-Tmp-/
2010-03-25 10:48:51,123 INFO  [.services.blitz.repo.AbstractRepositoryI] (      main) Releasing /OMERO/
2010-03-25 10:48:51,219 INFO  [        ome.services.blitz.fire.Registry] (      main) Removed ClusterNode/5d5c8745-da25-4368-a956-ab57144b1b99 from registry
50:46
I noted there were no proxies.
51:44
...repository proxies

comment:10 Changed 15 years ago by jmoore

(In [6386]) see #1794 - fix for Colin's repo permissions issue

comment:11 Changed 15 years ago by jmoore

(In [6391]) fix #2058 - allowing modifications to "user" group (see #1794)

Note: See TracTickets for help on using tickets. You may also have a look at Agilo extensions to the ticket.

1.3.13-PRO © 2008-2011 Agilo Software all rights reserved (this page was served in: 0.68297 sec.)

We're Hiring!