[gold-users] Re: Principal investigator role

Scott Jackson scott at clusterresources.com
Fri Sep 22 17:28:46 MDT 2006


Tim,

Your post was rejected because this is a member-only list. Please
subscribe for better response time yada, yada, yada:) (I am the list
owner so I see all the spam and bounced emails.)

I looked into this problem for you and you have configured it correctly.
There are one or more bugs in gold preventing this from working
correctly.

The main problem was with the logic in the Proxy.pm authorize routine
(it was not checking the case where the object to be authorized was an
association).

Here are the patch lines for that:

1104,1121c1104,1105
<           # This is an association
<           if ($association)
<           {
<             # Check if there is a ${parent}User assoc for which $actor
is member
<             my  $membership = Gold::Cache->associationLookup($parent,
"User");<     $log->debug("Membership = $membership");
<
<             if (defined $membership)
<             {
<               my $results = $self->{_database}->select(object =>
$membership, selections => [ new Gold::Selection(name => "Admin") ],
conditions => [ new Gold::Condition(name => $parent, value =>
$instanceCond), new Gold::Condition(name => "Name", value => $actor) ],
chunkNum => 0);
<               if (defined ${$results->{data}}[0]->[0] &&
${$results->{data}}[0]->[0] eq "True")
<               {
<                 next OBJECT;
<               }
<             }
<           }
<           # This is not an association
<           else
---
>           my $membership = Gold::Cache->associationLookup($name,
"User");
>           if (defined $membership)
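Review bot: This hunk is oriented new-to-old rather than old-to-new: the `<` side is the one that carries the `if ($association)` branch with the `${parent}User` lookup that the mail describes as the fix, while the `>` side is the unconditional `associationLookup($name, "User")` that the bug report runs into, so anyone feeding this to patch(1) needs `-R` or should simply treat the `<` lines as the target text. Within the `<` side, `$log->debug("Membership = $membership")` runs before `if (defined $membership)`, so when the parent object has no `*User` association it interpolates undef; moving the debug line inside the defined branch (or logging a fallback such as `$membership || 'none'`) avoids the warning. That same debug line also arrived fused onto the end of the `associationLookup` statement by mail wrapping, so this hunk has to be applied by hand.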
1123,1125c1107,1108
<             # Check if there is a ${name}User assoc for which $actor
is member<             my $membership =
Gold::Cache->associationLookup($name, "User");
<             if (defined $membership)
---
>             my $results = $self->{_database}->select(object =>
$membership, selections => [ new Gold::Selection(name => "Admin") ],
conditions => [ new Gold::Condition(name => $name, value =>
$instanceCond), new Gold::Condition(name => "Name", value => $actor) ],
chunkNum => 0);
>             if (defined ${$results->{data}}[0]->[0] &&
${$results->{data}}[0]->[0] eq "True")
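Review bot: The non-association branch on the `<` side repeats the `associationLookup` / `select(... Admin ...)` / `eq "True"` sequence of the association branch in the previous hunk, differing only in `$parent` versus `$name` as the condition column. Factoring the membership check into one helper that takes the object name and the instance value would keep the two authorization paths from drifting; as written, any future change to the grant test has to be made in both places.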
1127,1131c1110
<               my $results = $self->{_database}->select(object =>
$membership, selections => [ new Gold::Selection(name => "Admin") ],
conditions => [ new Gold::Condition(name => $name, value =>
$instanceCond), new Gold::Condition(name => "Name", value => $actor) ],
chunkNum => 0);
<               if (defined ${$results->{data}}[0]->[0] &&
${$results->{data}}[0]->[0] eq "True")
<               {
<                 next OBJECT;
<               }
---
>               next OBJECT;
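Review bot: The grant is fail-closed on both sides of this hunk: `next OBJECT` is reached only when the selected `Admin` value is defined and equals `"True"`, and a missing membership table, a missing row, or `Admin` of `False` all fall through to the deny at the end of the loop. The one rough edge is `${$results->{data}}[0]->[0]`: if `select` can ever return a result without a `data` array, that dereference dies under `use strict` instead of denying, which is safe but noisy, so a `ref $results->{data} eq 'ARRAY'` guard ahead of the `defined` test would make the deny explicit.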

I am also attaching the modified file from my current development
version in case it will work to just plop it into place.

In my version there is a second problem that resulted from some changes
in the way the database cache is stored which broke my associationLookup
routine. I cannot recall if 2.0.0.7 had the new or old Cache structure,
but in my case the fix was as follows to the Cache.pm file.

525c527
<       return $objectNode->getAttribute("Name");
---
>       return $objectNode->nodeName();
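Review bot: If `nodeName()` is the fix here, this hunk reads old-to-new, the opposite orientation of the Proxy.pm hunks, so it is worth stating which side is current before anyone applies either diff mechanically. The change only makes sense when the cache stores each object as an element named after the object rather than as an element carrying a `Name` attribute, which is exactly the structural change the mail says it cannot date to a version; the suggested gate (diff the attached Cache.pm against the installed one and expect few lines) is the right one, since applying `nodeName()` against the older layout would hand `associationLookup` the wrong name and turn the authorization checks above into denies.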

This one is attached too, but please make sure the diff of the provided
file with yours does not yield many lines or this fix will not be
applicable (and probably not needed).

Let me know your experience,

Scott


On Mon, 2006-09-04 at 09:43 +0100, Tim Robinson wrote:
> Hi,
> 
> I am having problems implementing a PI role in gold (2.0.0.7). What I
> would like to do is allow a PI (ADMIN) of a project to add or delete
> users from his/her own project.
> 
> zzcgutwr at defiant:~$ goldsh RoleAction Query Role==PI
> Role         Object         Name    Instance
> ------------ -------------- ------- --------
> PI           ProjectUser    ANY     ADMIN
> PI           Project        ANY     ADMIN
> 
> zzcgutwr at defiant:~$ goldsh ProjectUser Query Admin==True
> Project Name     Active Admin
> ------- -------- ------ -----
> tea     zzcgutwr True   True
> 
> So, I should be able to add users / delete users etc from my project
> tea. However, I can't:
> 
> zzcgutwr at defiant:~$ gchproject --addUsers slave2 tea
> zzcgutwr is not authorized to perform this function (ProjectUser Create)
> 
> If I set the instances to "ALL" then I can add users to *any* project,
> which is obviously not what I want.  
> 
> Thanks for any advice,
> Tim 
> 
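As an added illustration for this thread (not Gold's code, and not from either poster): a small Python model of the role/instance check that the Proxy.pm patch above is about, using Tim's `RoleAction` and `ProjectUser` rows as sample data. The `fixed=False` path reproduces the pre-fix lookup on the object's own name (`ProjectUserUser`), which is why `zzcgutwr` was told "not authorized" for `ProjectUser Create`. Assumptions: that `ProjectUser` is the association whose parent object is `Project`, that `zzcgutwr` holds the `PI` role, and the `coffee` row, which is constructed.

```python
# Constructed model of Gold's role/instance authorization for association objects.
# Assumptions: ProjectUser is the Project<->User association, zzcgutwr holds PI,
# and the "coffee" ProjectUser row is made up for the deny case.
from dataclasses import dataclass

ANY, ALL, ADMIN = "ANY", "ALL", "ADMIN"

# Object schema: association object -> parent object (assumption, from the
# "${parent}User" naming in the patch).
ASSOCIATIONS = {"ProjectUser": "Project"}


@dataclass
class Db:
    role_action: list  # (Role, Object, Name, Instance) rows, as "goldsh RoleAction Query" prints them
    role_user: dict    # role -> set of user names (assumed: zzcgutwr holds PI)
    tables: dict       # table name -> list of row dicts


def admin_of(db, membership, column, instance, actor):
    """Mirror of the patch's select(... Admin ...): does `actor` have Admin == "True"
    in the `<column>User` table for this instance? Missing table or row -> deny."""
    rows = db.tables.get(membership)
    if rows is None:              # e.g. the pre-fix lookup of "ProjectUserUser"
        return False
    for row in rows:
        if row.get(column) == instance and row.get("Name") == actor:
            return row.get("Admin") == "True"
    return False


def authorize(db, actor, obj, action, request, fixed=True):
    """Return True if some RoleAction held by `actor` grants `action` on `obj`.
    `request` carries the object's field values (e.g. Project=tea for a ProjectUser
    Create). Instance values other than ALL/ADMIN are out of scope and never grant."""
    roles = {r for r, users in db.role_user.items() if actor in users}
    for role, ra_obj, ra_name, instance in db.role_action:
        if role not in roles or ra_obj != obj or ra_name not in (ANY, action):
            continue
        if instance == ALL:        # any project at all: what Tim saw with ALL
            return True
        if instance == ADMIN:
            if fixed and obj in ASSOCIATIONS:
                # Fixed path: the instance is the parent (Project) named in the request,
                # and membership is checked in the parent's <Project>User association.
                column = ASSOCIATIONS[obj]
                membership = f"{column}User"
                instance_value = request.get(column)
            else:
                # Non-association objects (and the pre-fix behaviour for associations):
                # look in <obj>User for the instance named by the request's Name.
                column = obj
                membership = f"{obj}User"
                instance_value = request.get("Name")
            if admin_of(db, membership, column, instance_value, actor):
                return True
    return False                   # default deny


def sample_db():
    """Tim's configuration plus one constructed non-admin membership row."""
    return Db(
        role_action=[("PI", "ProjectUser", ANY, ADMIN), ("PI", "Project", ANY, ADMIN)],
        role_user={"PI": {"zzcgutwr"}},
        tables={
            "ProjectUser": [
                {"Project": "tea", "Name": "zzcgutwr", "Active": "True", "Admin": "True"},
                {"Project": "coffee", "Name": "zzcgutwr", "Active": "True", "Admin": "False"},  # constructed
            ]
        },
    )


if __name__ == "__main__":
    db = sample_db()
    req = {"Project": "tea", "Name": "slave2"}
    print("fixed, tea:   ", authorize(db, "zzcgutwr", "ProjectUser", "Create", req))
    print("pre-fix, tea: ", authorize(db, "zzcgutwr", "ProjectUser", "Create", req, fixed=False))
    print("fixed, coffee:", authorize(db, "zzcgutwr", "ProjectUser", "Create", {"Project": "coffee", "Name": "slave2"}))
```

The point of the model is the two deny cases that look alike from the outside: before the fix, the association path searches a table that does not exist and so falls through to the default deny; after the fix, the same fall-through still happens for a project where the actor is a member but not an Admin, which is the behaviour Tim wanted instead of `ALL`.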
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Cache.pm
Type: application/x-perl
Size: 35111 bytes
Desc: not available
Url : http://www.supercluster.org/pipermail/gold-users/attachments/20060922/633a1910/Cache-0001.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Proxy.pm
Type: application/x-perl
Size: 35360 bytes
Desc: not available
Url : http://www.supercluster.org/pipermail/gold-users/attachments/20060922/633a1910/Proxy-0001.bin

