[gold-users] limit user to query only accounts he is connected to

Scott Jackson scottmo at adaptivecomputing.com
Wed Sep 22 17:27:11 MDT 2010


That is correct. The SELF instance is only valid for the User object and other objects which have a User attribute. And even then, as you have surmised, it will simply allow queries where the correct instance of the object is requested and reject queries that might return other instances.

I agree that that is not very helpful, and completely unhelpful in cases involving the listing of accounts, etc. where the relationships to the user may be several associations removed.

Keep your ears open over the next few months and you will probably hear about some potential remedies to this limitation.

Thanks,

Scott


----- Original Message -----
From: "Alexander Oltu" <Alexander.Oltu at uni.no>
To: "Gold Users Mailing List" <gold-users at supercluster.org>
Sent: Thursday, September 16, 2010 8:15:31 AM
Subject: [gold-users] limit user to query only accounts he is connected to

Hi all,

We will need to change our security model for queries in our gold setup.

I think now we have default behavior which is that the regular user can
do queries on all objects. 
We will need something like: user can check project usage and available
resources only for the accounts which he has access to.

I looked in to RoleAction and tried to replace 

Anonymous    ANY            Query   ANY
to 
Anonymous    ANY            Query   SELF

but this results in that the user can only perform glsuser -u $USER ;
commands like gbalance and gstatment are not working...

>From manual looks like the Instance SELF will allow operations only
on objects identified with $USER.


I wonder if there is an easy solution to our problem?

Thanks,
Alex.
_______________________________________________
gold-users mailing list
gold-users at supercluster.org
http://www.supercluster.org/mailman/listinfo/gold-users


More information about the gold-users mailing list