Task #6066 (closed)
Opened 8 years ago
Closed 8 years ago
Bug: script replace GroupSecurityViolation
| Reported by: | wmoore | Owned by: | jamoore |
|---|---|---|---|
| Priority: | major | Milestone: | OMERO-Beta4.3.2 |
| Component: | Scripting | Version: | n.a. |
| Keywords: | n.a. | Cc: | |
| Resources: | n.a. | Referenced By: | n.a. |
| References: | n.a. | Remaining Time: | 0.0d |
| Sprint: | 2011-08-04 (2) | | |
Description (last modified by jmoore)
It seems that if you are not the owner of the group you use to 'upload --official' and then 'replace' scripts then you get this error (even though you are 'admin'). Get the same error if non-root users are logged in to 'system'.
```
wjm:omero will$ omero script upload util_scripts/Combine_Images.py --official
Using session 0528af83-74fa-45a6-9d6a-7ef4e7493eac (joe@localhost:4064). Idle timeout: 10.0 min. Current group: JRS - Private
Uploaded official script as original file #1953
wjm:omero will$ omero script replace 1953 util_scripts/Combine_Images.py
Using session 0528af83-74fa-45a6-9d6a-7ef4e7493eac (joe@localhost:4064). Idle timeout: 10.0 min. Current group: JRS - Private
Traceback (most recent call last):
  File "/Users/will/Desktop/OMERO/dist/bin/omero", line 123, in <module>
    rv = omero.cli.argv()
  File "/Users/will/Desktop/OMERO/dist/lib/python/omero/cli.py", line 1172, in argv
    cli.invoke(args[1:])
  File "/Users/will/Desktop/OMERO/dist/lib/python/omero/cli.py", line 722, in invoke
    stop = self.onecmd(line, previous_args)
  File "/Users/will/Desktop/OMERO/dist/lib/python/omero/cli.py", line 791, in onecmd
    self.execute(line, previous_args)
  File "/Users/will/Desktop/OMERO/dist/lib/python/omero/cli.py", line 871, in execute
    args.func(args)
  File "/Users/will/Desktop/OMERO/dist/lib/python/omero/plugins/script.py", line 554, in replace
    scriptSvc.editScript(ofile, scriptText)
  File "/Users/will/Desktop/OMERO/dist/lib/python/omero_api_IScript_ice.py", line 126, in editScript
    return _M_omero.api.IScript._op_editScript.invoke(self, ((fileObject, scriptText), _ctx))
omero.GroupSecurityViolation: exception ::omero::GroupSecurityViolation
{
    serverStackTrace = ome.conditions.GroupSecurityViolation: ome.model.core.OriginalFile:Id_1953-modification violates group-security.
        at ome.security.basic.BasicACLVoter.throwUpdateViolation(BasicACLVoter.java:167)
        at ome.security.CompositeACLVoter.throwUpdateViolation(CompositeACLVoter.java:90)
        at ome.security.ACLEventListener.onPreUpdate(ACLEventListener.java:129)
        at org.hibernate.action.EntityUpdateAction.preUpdate(EntityUpdateAction.java:236)
        at org.hibernate.action.EntityUpdateAction.execute(EntityUpdateAction.java:87)
        at org.hibernate.engine.ActionQueue.execute(ActionQueue.java:267)
        at org.hibernate.engine.ActionQueue.executeActions(ActionQueue.java:259)
        at org.hibernate.engine.ActionQueue.executeActions(ActionQueue.java:179)
        at org.hibernate.event.def.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:321)
        at org.hibernate.event.def.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:51)
        at org.hibernate.impl.SessionImpl.flush(SessionImpl.java:1208)
        at ome.logic.UpdateImpl.afterUpdate(UpdateImpl.java:294)
        at ome.logic.UpdateImpl.doAction(UpdateImpl.java:312)
        at ome.logic.UpdateImpl.doAction(UpdateImpl.java:302)
        at ome.logic.UpdateImpl.saveAndReturnObject(UpdateImpl.java:118)
        at ome.services.blitz.impl.ScriptI$15.doWork(ScriptI.java:592)
        at sun.reflect.GeneratedMethodAccessor251.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:592)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
        at ome.services.util.Executor$Impl$Interceptor.invoke(Executor.java:440)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at ome.security.basic.EventHandler.invoke(EventHandler.java:150)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:231)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:116)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
        at $Proxy64.doWork(Unknown Source)
        at ome.services.util.Executor$Impl.execute(Executor.java:371)
        at ome.services.blitz.impl.ScriptI.updateFile(ScriptI.java:585)
        at ome.services.blitz.impl.ScriptI.access$500(ScriptI.java:82)
        at ome.services.blitz.impl.ScriptI$6.call(ScriptI.java:267)
        at ome.services.throttling.Callback2.run(Callback2.java:49)
        at ome.services.throttling.InThreadThrottlingStrategy.safeRunnableCall(InThreadThrottlingStrategy.java:80)
        at ome.services.blitz.impl.AbstractAmdServant.safeRunnableCall(AbstractAmdServant.java:155)
        at ome.services.blitz.impl.ScriptI.editScript_async(ScriptI.java:244)
        at omero.api._IScriptTie.editScript_async(_IScriptTie.java:78)
        at omero.api._IScriptDisp.___editScript(_IScriptDisp.java:305)
        at omero.api._IScriptDisp.__dispatch(_IScriptDisp.java:490)
        at IceInternal.Incoming.invoke(Incoming.java:159)
        at Ice.ConnectionI.invokeAll(ConnectionI.java:2037)
        at Ice.ConnectionI.message(ConnectionI.java:972)
        at IceInternal.ThreadPool.run(ThreadPool.java:577)
        at IceInternal.ThreadPool.access$100(ThreadPool.java:12)
        at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:971)
    serverExceptionClass = ome.conditions.GroupSecurityViolation
    message = ome.model.core.OriginalFile:Id_1953-modification violates group-security.
}
```
See: https://www.openmicroscopy.org/community/viewtopic.php?f=5&t=737
Change History (7)
comment:1 Changed 8 years ago by jmoore
- Remaining Time set to 0.5
- Sprint set to 2011-08-04 (2)
comment:2 Changed 8 years ago by jmoore
- Description modified (diff)
comment:3 Changed 8 years ago by wmoore
comment:4 Changed 8 years ago by jmoore
- Status changed from new to accepted
comment:5 Changed 8 years ago by jmoore
This doesn't seem to be related to whether or not the user is an owner of the current group, but just to the permissions of the current group. From BasicACLVoter.java:
```java
public void throwUpdateViolation(IObject iObject) throws SecurityViolation {
    Assert.notNull(iObject);
    boolean sysType = sysTypes.isSystemType(iObject.getClass()) ||
        sysTypes.isInSystemGroup(iObject.getDetails());
    if (!sysType && currentUser.isGraphCritical()) { // ticket:1769
        throw new GroupSecurityViolation(iObject +"-modification violates " +
            "group-security.");
    }
    throw new SecurityViolation("Updating " + iObject + " not allowed.");
}
```
See #1769
comment:6 Changed 8 years ago by jmoore
Here are the ownerships and permissions of files created by my test (still uncommitted):
```
43d=# select id, owner_id, group_id, ome_perms(permissions), path, name from originalfile order by id desc limit 20;;
  id  | owner_id | group_id | ome_perms |                            path                             |                       name
------+----------+----------+-----------+-------------------------------------------------------------+---------------------------------------------------
 2958 |     3278 |     3270 | rw----    | /Users/moore/omero/tmp/omero_moore/75423/processJjPQN_.dir/ | stderr
 2957 |        0 |        1 | rw----    | /test/                                                      | ticket6066a9990b0f-55c4-449a-80ba-a4c491471d58.py
 2956 |     3274 |     3268 | rw----    | /Users/moore/omero/tmp/omero_moore/75423/processWTVZtQ.dir/ | stderr
 2955 |        0 |        1 | rw----    | /test/                                                      | ticket6066c7f18d09-27f2-424f-aaf0-f83363f1ebb1.py
 2954 |     3271 |     3266 | rw----    | /Users/moore/omero/tmp/omero_moore/75423/process8UlsWA.dir/ | stderr
 2953 |        0 |        1 | rw----    | /test/                                                      | ticket60663dbc08c4-6c16-4744-a070-2ab94cab2c0c.py
```
So it would seem that what needs to happen is support for the user group (1) for when the admin is not logged into "system", in which isGraphCritical will return false.
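To make the decision in comment:5 and the conclusion of comment:6 concrete, here is a small Python model of the voter's update check, added as an illustration for this ticket; it is not OMERO's BasicACLVoter or any other OMERO code. The group ids (system = 0, user = 1 as in the query output above), the permission strings, the rule used for `is_graph_critical` (private and not the system group), and the form of the fix (adding the user group to the set of exempt groups) are all assumptions chosen to mirror what the ticket reports. The official script file and the three sessions are constructed sample data.

```python
"""Simplified model of the ACL update decision behind this ticket.

Added illustration, not OMERO's code: ids, permission strings, the
is_graph_critical rule and the shape of the fix are assumptions.
"""
from dataclasses import dataclass

SYSTEM_GROUP_ID = 0  # assumption: id of the "system" group
USER_GROUP_ID = 1    # the "user" group; id 1 in comment:6's query output
PRIVATE = "rw----"   # ome_perms string shown in comment:6


@dataclass(frozen=True)
class OriginalFile:
    id: int
    owner_id: int
    group_id: int


@dataclass(frozen=True)
class Session:
    user_id: int
    is_admin: bool            # kept for clarity; the decision below ignores it,
                              # matching the description ("even though you are 'admin'")
    current_group_id: int
    current_group_perms: str


def is_graph_critical(session: Session) -> bool:
    """Assumption: a session is 'graph critical' (cross-group writes refused)
    when its current group is private and is not the system group, which
    matches comment:6 ('isGraphCritical will return false' in system)."""
    return (session.current_group_perms == PRIVATE
            and session.current_group_id != SYSTEM_GROUP_ID)


def vote_on_update(obj: OriginalFile, session: Session,
                   exempt_groups: frozenset) -> str:
    """Return 'allowed' or the name of the exception the voter would raise.

    Mirrors the condition in throwUpdateViolation: an object counts as a
    system type when it lives in an exempt group, and a non-system object
    modified from a graph-critical session yields GroupSecurityViolation.
    Simplification: the allow/deny step that precedes throwUpdateViolation
    is folded into this single function.
    """
    if obj.group_id == session.current_group_id:
        return "allowed"      # same-group edit: no cross-group concern
    if not is_graph_critical(session):
        return "allowed"      # e.g. logged into system, or a non-private group
    sys_type = obj.group_id in exempt_groups
    if not sys_type:
        return "GroupSecurityViolation"
    return "allowed"


# Exempt sets before and after the fix (assumption about how the
# "check for user group" in comment:7 was implemented).
BEFORE_FIX = frozenset({SYSTEM_GROUP_ID})
AFTER_FIX = frozenset({SYSTEM_GROUP_ID, USER_GROUP_ID})

# Constructed data: the official script file 1953 is owned by root (0) in
# the user group (1), like rows 2957/2955/2953 in the query output.
OFFICIAL_SCRIPT = OriginalFile(id=1953, owner_id=0, group_id=USER_GROUP_ID)

# Admin working in a private, non-system group ("JRS - Private"; id assumed).
ADMIN_IN_PRIVATE = Session(user_id=2, is_admin=True, current_group_id=5,
                           current_group_perms=PRIVATE)
# The same admin logged into the system group.
ADMIN_IN_SYSTEM = Session(user_id=2, is_admin=True,
                          current_group_id=SYSTEM_GROUP_ID,
                          current_group_perms=PRIVATE)
# Alex's workaround from the forum: a non-private ("Collaborative") group;
# the permission string is a constructed example.
ADMIN_IN_COLLAB = Session(user_id=2, is_admin=True, current_group_id=6,
                          current_group_perms="rwr---")


def replace_outcomes(exempt_groups: frozenset) -> dict:
    """Outcome of 'omero script replace 1953 ...' for each session."""
    return {
        "private": vote_on_update(OFFICIAL_SCRIPT, ADMIN_IN_PRIVATE, exempt_groups),
        "system": vote_on_update(OFFICIAL_SCRIPT, ADMIN_IN_SYSTEM, exempt_groups),
        "collab": vote_on_update(OFFICIAL_SCRIPT, ADMIN_IN_COLLAB, exempt_groups),
    }


if __name__ == "__main__":
    for label, exempt in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, replace_outcomes(exempt))
```

Run as a script it prints the three outcomes for both exempt sets: before the fix only the "private" session hits GroupSecurityViolation, which is exactly the combination in the description (admin, private current group, official script in the user group), while logging into system or a non-private group passes; after the fix all three pass.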
comment:7 Changed 8 years ago by jmoore <josh@…>
- Remaining Time changed from 0.5 to 0
- Resolution set to fixed
- Status changed from accepted to closed
(In [a4dca596b23c1b0573c141ba8eb877e1e9fde11d/ome.git] on branch develop) Prevent GroupSecurityViolation via check for user group (Fix #6066)
From the forum:
A further update on this issue.
I was migrating my scripts from my localhost server to our test server and I encountered this problem again. This server more closely mirrors our production environment and all the groups are Private by default.
When I added my username to the list of group owners for my default login group the problem still occurred. The group has about 20 members, several owners and is set as private. I checked my localhost server where I fixed the problem and the group permissions are Collaborative.
I did not want to change the existing group's policy so I had to create a new group just for me and the other admins with Collaborative permissions and set it as my default login group. This solved the problem. I can now upload and replace scripts.
Regards,
Alex