Task #8696 (closed)
Bug: new perm strings
Reported by: | wmoore | Owned by: | jamoore |
---|---|---|---|
Priority: | critical | Milestone: | OMERO-4.4 |
Component: | Security | Version: | n.a. |
Keywords: | n.a. | Cc: | jburel, cxallan, cneves |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | 0.0d |
Sprint: | 2012-06-19 (17) |
Description
Groups that are created in the new chmod 2874 branch https://github.com/openmicroscopy/openmicroscopy/pull/139
have a different string representation in the DB from how they appear in str(permissions) in clients.
See screen-shot.
Here, 'new*' groups were created using 2874 branch server. Other groups were created in 'develop' server.
```
omero=# select id, ome_perms(permissions), name from experimentergroup;
 id | ome_perms |     name
----+-----------+--------------
  0 | rw----    | system
  1 | rwr-r-    | user
  2 | rw----    | guest
  3 | rwr---    | JRS-readonly
  4 | rw----    | JRS-private
  5 | rwrw--    | JRS-collab
 53 | rw----    | new-private
 54 | rwr---    | new-readonly
 55 | rwrw--    | new-readAnn
```
Change History (14)
comment:1 Changed 12 years ago by wmoore
Maybe a bit clearer illustration of this issue is what we get from running the gatewaytest chmod.py
Read-Ann and Read-Only appear the same in this
```
omero=# select id, ome_perms(permissions), name from experimentergroup;
 id  | ome_perms |           name
-----+-----------+---------------------------
 155 | rwr---    | weblitz_test_user_group
 156 | rwr---    | weblitz_test_author_group
 154 | rwrw--    | ReadOnly_chmod_group
 157 | rwr---    | ReadAnn_chmod_test
 158 | rwrw--    | ReadWrite_chmod_test
 159 | rwr---    | ReadOnly_chmod_test
```
comment:2 Changed 12 years ago by jburel
- Sprint changed from 2012-05-08 (14) to 2012-05-22 (15)
Moved from sprint 2012-05-08 (14)
comment:3 Changed 12 years ago by jmoore
Here are all the types of groups from gretzky's db dump:
```
green61=# select distinct cast(permissions as bit(16)), ome_perms(permissions), new_ome_perms(permissions) from experimentergroup;
   permissions    | ome_perms | new_ome_perms
------------------+-----------+---------------
 1111111110011001 | rw----    | rw-a-a
 1111111111011001 | rwr---    | rwra-a
 1111111111011101 | rwr-r-    | rwrara
 1111111111111001 | rwrw--    | rwrw-a
(4 rows)
```
comment:4 Changed 12 years ago by jmoore
Resultant permissions below. Thoughts?
```
   permissions    | ome_perms | new_ome_perms
------------------+-----------+---------------
 1111111110001000 | rw----    | rw----
 1111111111001000 | rwr---    | rwr---
 1111111111001100 | rwr-r-    | rwr-r-
 1111111111011000 | rwr---    | rwra--        <-- was previously rwrw
```
comment:5 Changed 12 years ago by wmoore
Aren't we expecting
rwrw-- -> rwra--
"Collaborative read-write" becomes "Read Annotate"
comment:6 Changed 12 years ago by jmoore
Correct, and that's what it says. The listing before the upgrade is up top:
rwrw-- / rwrw-a
and after the upgrade is at the bottom:
rwr--- / rwra--
It's just that the old function (ome_perms) cannot display an "a".
comment:7 Changed 12 years ago by jmoore
- Cc cneves-x added
One thing I didn't mention is that I made the upgrade script drop all annotate/write permissions for world, since that's completely untested.
```
-- Unset all world annotate and write flags.
update experimentergroup set permissions = (permissions & (-1 # 3));

-- Where the group read flag is not set,
-- do not allow the annotate bit to be set.
update experimentergroup set permissions = (permissions & (-1 # 16))
    where (permissions & 32) <> 32;

-- Where the group write flag is set,
-- set the group annotate flag.
update experimentergroup set permissions = (permissions | 16)
    where (permissions & 32) = 32;

-- Where the group write flag is set,
-- unset it.
update experimentergroup set permissions = (permissions & (-1 # 32))
    where (permissions & 32) = 32;
```
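An offline model of the four UPDATE statements in comment:7, as an added example that is not part of the ticket or the OMERO code base: it replays them on the bit patterns listed in comment:3 and checks every 16-bit value for the intended outcome. The flag names and the read/write bit values used by `show` are assumptions inferred from the listings on this page.

```python
# Added example: offline model of the four UPDATE statements from comment:7.
# 3, 16 and 32 are the literals used in that SQL; the flag names and the
# read/write bits in show() are inferred from this page (assumptions).
GROUP_WRITE, GROUP_ANNOTATE = 32, 16
WORLD_WRITE_ANNOTATE = 3
CHANGED = GROUP_WRITE | GROUP_ANNOTATE | WORLD_WRITE_ANNOTATE


def upgrade(p):
    """Apply the four statements, in order, to one permissions value."""
    p &= -1 ^ WORLD_WRITE_ANNOTATE          # 1: unset world annotate and write
    if (p & GROUP_WRITE) != GROUP_WRITE:    # 2: bit 32 clear -> clear bit 16
        p &= -1 ^ GROUP_ANNOTATE
    if (p & GROUP_WRITE) == GROUP_WRITE:    # 3: bit 32 set -> set bit 16
        p |= GROUP_ANNOTATE
    if (p & GROUP_WRITE) == GROUP_WRITE:    # 4: bit 32 set -> clear it
        p &= -1 ^ GROUP_WRITE
    return p


def show(p):
    """Render six characters in the style of the new_ome_perms column."""
    def pair(read, write, annotate):
        second = "w" if p & write else ("a" if p & annotate else "-")
        return ("r" if p & read else "-") + second
    return pair(1024, 512, 0) + pair(64, 32, 16) + pair(4, 2, 1)


def violations():
    """Return every 16-bit value whose upgrade misses the intended outcome."""
    bad = []
    for before in range(1 << 16):
        after = upgrade(before)
        ok = ((after & WORLD_WRITE_ANNOTATE) == 0       # no world write/annotate
              and (after & GROUP_WRITE) == 0            # no group write left
              # group annotate only where group write used to be
              and bool(after & GROUP_ANNOTATE) == bool(before & GROUP_WRITE)
              and (after & ~CHANGED) == (before & ~CHANGED))  # rest untouched
        if not ok:
            bad.append(before)
    return bad


# The four bit patterns listed in comment:3 (low 16 bits of the column).
BEFORE = ["1111111110011001", "1111111111011001",
          "1111111111011101", "1111111111111001"]

if __name__ == "__main__":
    for bits in BEFORE:
        p = int(bits, 2)
        print(bits, show(p), "->", format(upgrade(p), "016b"), show(upgrade(p)))
    print("violations:", len(violations()))
```
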
comment:8 Changed 12 years ago by jmoore
- Sprint changed from 2012-05-22 (15) to 2012-06-05 (16)
I'm away until Wed., pushing. We should come up with a plan for testing the permissions upgrade above.
comment:9 Changed 12 years ago by jburel
- Priority changed from major to critical
Promoting to critical, so we agree on strategy.
comment:10 Changed 12 years ago by jmoore
These statements execute very quickly. Should I teach the server how to run them automatically on startup?
comment:11 Changed 12 years ago by jburel
- Sprint changed from 2012-06-05 (16) to 2012-06-19 (17)
Moved from sprint 2012-06-05 (16)
comment:12 Changed 12 years ago by jmoore
- Resolution set to fixed
- Status changed from new to closed
Pushed to https://github.com/joshmoore/openmicroscopy/tree/8696-db-perms
This bumps the database version to OMERO4.4RC__0. Upgrade script from OMERO4.3__0 is available.
comment:13 Changed 12 years ago by jmoore <josh@…>
- Remaining Time set to 0
(In [9f460136b62a07bfb199d034f17a4ee06dc60c48/ome.git] on branch develop) OMERO4.4RC10: db and upgrade for group perms (Fix #8696)
Group permissions need to all be adjusted in existing databases.
The bit which is now used by the "a" flag was previously ignored
and may well have garbage in it. Further, groups which were set
as "rw" will now be downgraded to "ra" to prevent surprises.
Webadmin groups and psql