Warning: Can't synchronize with repository "(default)" (/home/git/ome.git does not appear to be a Git repository.). Look in the Trac log for more information.
Notice: In order to edit this ticket you need to be either: a Product Owner, The owner or the reporter of the ticket, or, in case of a Task not yet assigned, a team_member"

Task #8696 (closed)

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

Bug: new perm strings

Reported by: wmoore Owned by: jamoore
Priority: critical Milestone: OMERO-4.4
Component: Security Version: n.a.
Keywords: n.a. Cc: jburel, cxallan, cneves
Resources: n.a. Referenced By: n.a.
References: n.a. Remaining Time: 0.0d
Sprint: 2012-06-19 (17)

Description

Groups that are created in the new chmod 2874 branch https://github.com/openmicroscopy/openmicroscopy/pull/139
have a different string representation in the DB from how they appear in str(permissions) in clients.

See screen-shot.

Here, 'new*' groups were created using 2874 branch server. Other groups were created in 'develop' server.

omero=# select id, ome_perms(permissions), name from experimentergroup;
 id | ome_perms |     name     
----+-----------+--------------
  0 | rw----    | system
  1 | rwr-r-    | user
  2 | rw----    | guest
  3 | rwr---    | JRS-readonly
  4 | rw----    | JRS-private
  5 | rwrw--    | JRS-collab
 53 | rw----    | new-private
 54 | rwr---    | new-readonly
 55 | rwrw--    | new-readAnn

Attachments (1)

Screen shot 2012-05-03 at 14.31.47.png (77.3 KB) - added by wmoore 10 years ago.
Webadmin groups and psql

Download all attachments as: .zip

Change History (14)

Changed 10 years ago by wmoore

Webadmin groups and psql

comment:1 Changed 10 years ago by wmoore

Maybe a bit clearer illustration of this issues is what we get from running the gatewaytest chmod.py

Read-Ann and Read-Only appear the same in this

omero=# select id, ome_perms(permissions), name from experimentergroup;
 id  | ome_perms |           name            
-----+-----------+---------------------------
 155 | rwr---    | weblitz_test_user_group
 156 | rwr---    | weblitz_test_author_group
 154 | rwrw--    | ReadOnly_chmod_group
 157 | rwr---    | ReadAnn_chmod_test
 158 | rwrw--    | ReadWrite_chmod_test
 159 | rwr---    | ReadOnly_chmod_test

comment:2 Changed 10 years ago by jburel

  • Sprint changed from 2012-05-08 (14) to 2012-05-22 (15)

Moved from sprint 2012-05-08 (14)

comment:3 Changed 10 years ago by jmoore

Here are all the types of groups from gretzky's db dump:

green61=# select distinct cast(permissions as bit(16)), ome_perms(permissions), new_ome_perms(permissions) from experimentergroup;
   permissions    | ome_perms | new_ome_perms 
------------------+-----------+---------------
 1111111110011001 | rw----    | rw-a-a
 1111111111011001 | rwr---    | rwra-a
 1111111111011101 | rwr-r-    | rwrara
 1111111111111001 | rwrw--    | rwrw-a
(4 rows)
Last edited 10 years ago by jmoore (previous) (diff)

comment:4 Changed 10 years ago by jmoore

Resultant permissions below. Thoughts?

   permissions    | ome_perms | new_ome_perms 
------------------+-----------+---------------
 1111111110001000 | rw----    | rw----
 1111111111001000 | rwr---    | rwr---
 1111111111001100 | rwr-r-    | rwr-r-
 1111111111011000 | rwr---    | rwra--    <-- was previously rwrw

comment:5 Changed 10 years ago by wmoore

Aren't we expecting

rwrw--  ->  rwra--

"Collaborative read-write" becomes "Read Annotate"

comment:6 Changed 10 years ago by jmoore

Correct, and that's what it says. The listing before the upgrade is up top:

rwrw-- / rwrw-a

and after the upgrade is at the bottom:

rwr--- / rwra--

It's just that the old function (ome_perms) cannot display and "a".

Last edited 10 years ago by jmoore (previous) (diff)

comment:7 Changed 10 years ago by jmoore

  • Cc cneves-x added

One thing I didn't mention is that I made the upgrade script drop all annotate/write permissions for world, since that's completely untested.

-- Unset all world annotate and write flags.
update experimentergroup
   set permissions = (permissions & (-1 # 3));

-- Where the group read flag is not set,
-- do not allow the annotate bit to be set.
update experimentergroup
   set permissions = (permissions & (-1 # 16))
 where (permissions & 32) <> 32;

-- Where the group write flag is set,
-- set the group annotate flag.
update experimentergroup
   set permissions = (permissions | 16)
 where (permissions & 32) = 32;

-- Where the group write flag is set,
-- unset it.
update experimentergroup
   set permissions = (permissions & (-1 # 32))
 where (permissions & 32) = 32;

comment:8 Changed 10 years ago by jmoore

  • Sprint changed from 2012-05-22 (15) to 2012-06-05 (16)

I'm away until Wed., pushing. We should come up with a plan for testing the permissions upgrade above.

comment:9 Changed 10 years ago by jburel

  • Priority changed from major to critical

Promoting to critical, so we agree on strategy.

comment:10 Changed 10 years ago by jmoore

These statements execute very quickly. Should I teach the server how to run them automatically on startup?

comment:11 Changed 10 years ago by jburel

  • Sprint changed from 2012-06-05 (16) to 2012-06-19 (17)

Moved from sprint 2012-06-05 (16)

comment:12 Changed 10 years ago by jmoore

  • Resolution set to fixed
  • Status changed from new to closed

Pushed to https://github.com/joshmoore/openmicroscopy/tree/8696-db-perms

This bumps the database version to OMERO4.4RC__0. Upgrade script from OMERO4.3__0 is available.

comment:13 Changed 10 years ago by jmoore <josh@…>

  • Remaining Time set to 0

(In [9f460136b62a07bfb199d034f17a4ee06dc60c48/ome.git] on branch develop) OMERO4.4RC10: db and upgrade for group perms (Fix #8696)

Group permissions need to all be adjusted in existing databases.
The bit which is now used by the "a" flag was previously ignored
and may well have garbage in it. Further, groups which were set
as "rw" will now be downgraded to "ra" to prevent surprises.

Note: See TracTickets for help on using tickets. You may also have a look at Agilo extensions to the ticket.

1.3.13-PRO © 2008-2011 Agilo Software all rights reserved (this page was served in: 0.66447 sec.)

We're Hiring!