
Task #8278 (closed)

Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

Simplify changePermissions implementation

Reported by: jamoore
Owned by: jamoore
Priority: major
Milestone: OMERO-4.4
Component: Security
Version: n.a.
Keywords: n.a.
Cc: jburel, wmoore
Resources: n.a.
Referenced By: n.a.
References: n.a.
Remaining Time: 0.0d
Sprint: 2012-04-10 (12)

Description

In order to make changePermissions (a.k.a. chmod) more usable, it cannot be allowed that every row belonging to the group be changed (see #8277). Instead, only the single group object should be modified, with relaxed rules on what is permissible.

Note: when reducing READ permissions it will still be necessary to scan the entire data structure for the group looking for mis-links. Therefore we will also provide an asynchronous chmod, and the previous synchronous IAdmin.changePermissions will throw an exception if the work is going to take too long.

Change History (12)

comment:1 Changed 12 years ago by jburel

  • Sprint changed from 2012-03-27 (11) to 2012-04-10 (12)

Moved from sprint 2012-03-27 (11)

comment:2 Changed 12 years ago by jmoore

  • Remaining Time changed from 1.0 to 0
  • Resolution set to fixed
  • Status changed from new to closed

Fixed on my 2874-chmod branch. The implementation now only requires thorough checking when dropping group permissions, which should make chmod far more usable. All chmods on non-ExperimenterGroup objects are currently forbidden.

comment:3 Changed 12 years ago by jmoore <josh@…>

(In [e1e45adc6eb833c447cb32db9be26d5756a19255/ome.git] on branch develop) Passing chmod tests (See #8277, #8278)

These are simple tests which already pass when there is not much data.
The intent is to remove the changing of each row (#8278) and then have
these fail until #8277 is implemented.

comment:4 Changed 12 years ago by jmoore <josh@…>

(In [f745d734b188612bd87d64ae3a39c0661043a154/ome.git] on branch develop) Remove chmod of each row (See #8278)

comment:5 Changed 12 years ago by jmoore <josh@…>

(In [0b47b2b57efef05b25c031f0da908d51e5b3cc32/ome.git] on branch develop) Add ChmodStrategy to re-use changePermission logic (See #8278)

Most of the chmod logic was stored in AdminImpl. In order to re-use
this in ChmodI, it needed to be refactored out. At the same time,
also added an etc/omero.properties property for extensibility:

omero.security.chmod_strategy

comment:6 Changed 12 years ago by jmoore <josh@…>

(In [1e19154dfe1930acdb1fbad09d605e6f997a505d/ome.git] on branch develop) Add omero.cmd.ChmodI implementation (See #8278)

To allow asynchronous calling of chmod, a strategy like ChgrpI needs to
be followed. This commit will return a status with many steps when/if it
is necessary to check data for the chmod. I.e. consumers may want to
block if the chmod will be fast but background the handle if there are
many checks to perform.

comment:7 Changed 12 years ago by jmoore <josh@…>

(In [b528bd00289820e10d417b27a12b853a75593ee2/ome.git] on branch develop) Working permission downgrade implementation (Fix #8278)

With this commit, all the tests are passing except for WORLD-READ
downgrade since it's not yet possible to set up the test data, since
the WORLD-READ downgrade does not trigger a full permission check.

The only action which triggers the check of permissions is reduction
of GROUP-READ since that would prevent other group members from loading
linked objects.
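
The rule described in this ticket, as an added Python model that is not OMERO's code: only the group row changes, and a link scan runs only when GROUP-READ is dropped. The permission-string layout, all names, the `max_checks` threshold and the refuse-on-mis-link policy are assumptions made for illustration.

```python
# Illustrative model only; names and the 6-character permission string
# ("rwrw--" = user rw, group rw, world none) are assumptions, not OMERO's API.
from dataclasses import dataclass

GROUP_READ = 2  # index of the group-read flag in the assumed string layout


class TooManyChecks(Exception):
    """Synchronous chmod refuses work that should run asynchronously."""


@dataclass
class Group:
    name: str
    perms: str


def needs_link_check(old: str, new: str) -> bool:
    # Only dropping GROUP-READ can leave members unable to load linked objects.
    return old[GROUP_READ] == "r" and new[GROUP_READ] != "r"


def find_mislinks(links, owner_of):
    # A link is a mis-link once group read is gone if it joins objects
    # owned by different users: neither owner can load the other side.
    return [(a, b) for a, b in links if owner_of[a] != owner_of[b]]


def chmod_sync(group, new_perms, links, owner_of, max_checks=1000):
    """Change only the group object; scan links only on GROUP-READ reduction."""
    if needs_link_check(group.perms, new_perms):
        if len(links) > max_checks:
            raise TooManyChecks(f"{len(links)} links to check; use async chmod")
        bad = find_mislinks(links, owner_of)
        if bad:
            return bad  # assumed policy: refuse the downgrade, report mis-links
    group.perms = new_perms  # single-row update, no per-object rewrite
    return []


# Constructed sample data: two users, one cross-owner link.
OWNER_OF = {"img1": "alice", "ds1": "alice", "tag1": "bob"}
LINKS = [("ds1", "img1"), ("img1", "tag1")]
```
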

