[ome-devel] Using omero.gateway.Gateway for sudo-connections

Christian Carsten Sachs c.sachs at fz-juelich.de
Mon Apr 18 12:58:03 BST 2016


Hello Dominik,

I've tried the same example on another freshly installed OMERO at home 
(via Docker) and it did not work;

Both users (admin and normal user, then with password) work. And sudo is 
needed, the getDatasets is just an example, later on the program should 
manage some automated imports.

Apropos, when the OMERO cli tool sudo'es, it works fine, i.e. we 
regularly do sudo'ed imports.

Stepping through the client, the line

         Glacier2.RouterPrx router = Glacier2.RouterPrxHelper.checkedCast(prx);

in omero.client::getRouter(Ice.Communicator comm) throws an
Ice.ConnectTimeoutException ... but only on the third (sudo'd) time, the 
first guest/guest connection to lookup the admin user works, the 
connection as admin user works ... only the third connection as sudo'ed 
other-user ends in an error ...

UPDATE: I just found the problem / a workaround!

I've noticed that prx (toString()) looks like this on the third time:

OMERO.Glacier2/router -t -e 1.0:ssl -h hostname -p 0

compared to the other times

OMERO.Glacier2/router -t -e 1.0:ssl -h hostname -p 4064...

I've changed my example to add

ADMIN_CREDENTIALS.getServer().setPort(4064);

and now it works, so apparently some code auto-guessing the port which 
normally is active does not seem to be active during sudo-session 
initialization...

Thank you,
best regards,
Christian Sachs

On 2016-04-18 09:27, Dominik Lindner (Staff) wrote:
> Hi Christian,
>
> your example looks alright. And I also just tried it on one of our test servers, no problem.
> I have to check if this “sudo” session is a feature which has to be enabled explicitly on the server.
>
> Can you actually log in with this user directly? Just to exclude the possibility that the user might
> be disabled from logging in.
>
> In case you only need the user’s datasets, you don’t have to use a “sudo” session by the way,
> there’s a method “getDatasets(SecurityContext ctx, long ownerId)” which retrieves the datasets
> the user owns.
>
> Regards,
> Dominik
>
>
>> On 15 Apr 2016, at 12:17, Christian Carsten Sachs <c.sachs at fz-juelich.de> wrote:
>>
>> Hi Dominik,
>>
>> thanks for the fast response!
>>
>> I was playing around with these options but so far had no luck. Attached a whole minimal (non)working example:
>>
>> <<<
>>
>> Logger logger = new SimpleLogger();
>> Gateway gateway = new Gateway(logger);
>>
>> LoginCredentials ADMIN_CREDENTIALS = new LoginCredentials();
>>
>> ADMIN_CREDENTIALS.getServer().setHostname("hostname");
>> ADMIN_CREDENTIALS.getUser().setUsername("admin");
>> ADMIN_CREDENTIALS.getUser().setPassword("password");
>>
>> ExperimenterData adminUser = gateway.connect(ADMIN_CREDENTIALS);
>>
>> SecurityContext adminCtx = new SecurityContext(adminUser.getGroupId());
>>
>> ExperimenterData user = gateway.getFacility(AdminFacility.class).lookupExperimenter(adminCtx, "normalUserName");
>>
>> SecurityContext ctx = new SecurityContext(user.getGroupId());
>>
>> // with or without that line
>> //ctx = adminCtx;
>>
>> ctx.setExperimenter(user);
>> ctx.sudo();
>>
>> for(DatasetData d : gateway.getFacility(BrowseFacility.class).getDatasets(ctx)) {
>>    System.out.println(d.getName());
>> }
>>
>> >>>
>>
>> This yields
>>
>> -! 4/15/16 13:12:15:171 warning: main: null - createSession retry: 1
>> -! 4/15/16 13:12:20:186 warning: main: null - createSession retry: 2
>> Could not load hierarchy
>> omero.gateway.exception.DSOutOfServiceException: Could not derive connector
>> at omero.gateway.Gateway.getConnector(Gateway.java:1301)
>> at omero.gateway.Gateway.getPojosService(Gateway.java:493)
>> at omero.gateway.facility.BrowseFacility.getDatasets(BrowseFacility.java:457)
>> ...
>>
>> (both when I try to set the new experimenter to adminCtx or create a new ctx and set it ...)
>>
>> Am I doing something wrong?
>>
>> Thanks a lot,
>> best regards,
>> Christian Sachs
>>
>> On 2016-04-15 12:58, Dominik Lindner (Staff) wrote:
>>> Hi Christian,
>>>
>>> it should work when you set the user via SecurityContext.setExperimenter() and set the sudo flag via SecurityContext.sudo().
>>> Then operations using this SecurityContext will be performed in the user context.
>>>
>>> I’ll have to check if we have a working code example in the docs somewhere.
>>>
>>> Regards,
>>> Dominik
>>>
>>>
>>>> On 15 Apr 2016, at 11:47, Christian Carsten Sachs <c.sachs at fz-juelich.de> wrote:
>>>>
>>>> Hello,
>>>>
>>>> I'd like to connect to OMERO via Java using a sudo connection, i.e.
>>>> login as an admin user, and then perform actions as another user.
>>>>
>>>> While there is example code at
>>>> https://github.com/openmicroscopy/openmicroscopy/blob/master/examples/OmeroClients/sudo.java
>>>> the code 'manually' establishes a connection, while the current
>>>> developer documentation urges to use the omero.gateway.Gateway class to
>>>> manage the connection (as far as I read, this is the modern and
>>>> recommended way).
>>>>
>>>> Is there any way to use omero.gateway.Gateway for a sudo connection?
>>>>
>>>> I played around with something like this,
>>>>
>>>> adminUser = gateway.connect(ADMIN_CREDENTIALS);
>>>>
>>>> adminCtx = new SecurityContext(adminUser.getGroupId());
>>>>
>>>> user =
>>>> gateway.getFacility(AdminFacility.class).lookupExperimenter(adminCtx,
>>>> "normalUserName");
>>>>
>>>> ctx = new SecurityContext(user.getGroupId());
>>>>
>>>> but using ctx later on fails; I assume the necessary services are not
>>>> properly started/connected, what gateway would normally do upon login;
>>>> unfortunately I don't seem to find a way to force the gateway object to
>>>> do this later on for another user ...
>>>>
>>>> I looked around a bit and have some ideas how it might be done manually
>>>> ... within omero.gateway.Gateway, but unfortunately as the necessary
>>>> variables appear private I can't really access that from outside code.
>>>>
>>>> Best regards,
>>>> Christian Sachs
>>>>
>>>>
>>>> ------------------------------------------------------------------------------------------------
>>>> ------------------------------------------------------------------------------------------------
>>>> Forschungszentrum Juelich GmbH
>>>> 52425 Juelich
>>>> Sitz der Gesellschaft: Juelich
>>>> Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
>>>> Vorsitzender des Aufsichtsrats: MinDir Dr. Karl Eugen Huthmacher
>>>> Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
>>>> Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
>>>> Prof. Dr. Sebastian M. Schmidt
>>>> ------------------------------------------------------------------------------------------------
>>>> ------------------------------------------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> ome-devel mailing list
>>>> ome-devel at lists.openmicroscopy.org.uk
>>>> http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-devel
>>>
>>>
>>> The University of Dundee is a registered Scottish Charity, No: SC015096
>>>
>
>
>
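
The diagnosis in the top message came from comparing the router proxy's toString() output across connections. The same comparison as a pre-flight check, written as an added example that is not part of the original thread or of OMERO: the class and method names are hypothetical, the sample strings are constructed from the two quoted in the message, and the layout "identity options:endpoint" is assumed from those strings.

```java
import java.util.ArrayList;
import java.util.List;
public class ProxyEndpointCheck {
    // Split a stringified Ice proxy on ':' but keep quoted values (e.g. IPv6 hosts) whole.
    static List<String> splitOutsideQuotes(String s) {
        List<String> parts = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean quoted = false;
        for (char c : s.toCharArray()) {
            if (c == '"') quoted = !quoted;
            if (c == ':' && !quoted) {
                parts.add(cur.toString().trim());
                cur.setLength(0);
                continue;
            }
            cur.append(c);
        }
        parts.add(cur.toString().trim());
        return parts;
    }

    // Return every endpoint whose -p value is absent, non-numeric or outside 1..65535.
    // Assumption of this example: such an endpoint cannot be used for an outbound connection.
    static List<String> unusableEndpoints(String proxy) {
        List<String> bad = new ArrayList<>();
        List<String> parts = splitOutsideQuotes(proxy);
        for (String endpoint : parts.subList(1, parts.size())) {
            String[] tok = endpoint.split("\\s+");
            int port = -1;
            for (int i = 0; i + 1 < tok.length; i++) {
                if (tok[i].equals("-p")) {
                    try { port = Integer.parseInt(tok[i + 1]); }
                    catch (NumberFormatException e) { port = -1; }
                }
            }
            if (port < 1 || port > 65535) bad.add(endpoint);
        }
        return bad;
    }

    public static void main(String[] args) {
        // Constructed samples modelled on the two proxy strings quoted in the message.
        String[] samples = {
            "OMERO.Glacier2/router -t -e 1.0:ssl -h hostname -p 0",
            "OMERO.Glacier2/router -t -e 1.0:ssl -h hostname -p 4064" };
        for (String s : samples)
            System.out.println(s + " -> unusable endpoints: " + unusableEndpoints(s));
    }
}
```

Run against the first sample it reports `ssl -h hostname -p 0`, which surfaces the missing port immediately rather than after the createSession retries and the connect timeout.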

