xapi/access/permissions/irregular/fix

42 views
Skip to first unread message

Ben Wagner

unread,
Jun 22, 2020, 2:27:16 PM6/22/20
to xnat_discussion
Hi all,
  Just upgraded to 1.7.6 and tasks.log gives a long list of project groups with irregular permission mappings (org.nrg.xnat.initialization.tasks.FixMismatchedMappingElements).  It then recommends running the rest call xapi/access/permissions/irregular/fix.    What does this do?  There is near zero information in swagger and google didn't help either.

Thanks,
Ben

Herrick, Rick

unread,
Jun 22, 2020, 4:43:26 PM6/22/20
to xnat_di...@googlegroups.com

There are a couple of predefined queries/functions in the file META-INF/xnat/project-group-functions.sql:

 

  • project_groups_find_irregular_settings
  • project_groups_fix_irregular_settings

 

The first view looks for standard user groups–owners, members, collaborators–where the various permissions aren’t properly configured. For example, the owner group for a project should have create, read, edit, delete, and activate permissions for all data types in the associated project. One of the big changes in 1.7.5 and 1.7.6 was refactoring of authorization and permissions resolution, primarily for performance reasons but also to normalize permissions configuration so that permissions are set consistently. Prior to that, there were bits of code in various place that did things manually and sometimes incorrectly. Those sorts of things are what the find view is looking for. If you want to see the specifics, you’ve got the log output, but can also run the query manually:

 

SELECT * FROM project_groups_find_irregular_settings;

 

The fix function just takes the output from the find view and loops through the mismatched values, composing a query for correcting each mismatched permission setting.

 

I actually just modified the SQL for the fix function so that by default it does a dry run that just reports the query that would be performed when running the fix operation. You can give this a try by running the attached SQL script on your database. It drops the existing function (and the new function in case you run it multiple times), creates a new function, then runs the new function like so:

 

SELECT *

FROM

    project_groups_fix_irregular_settings();

 

The default behavior is a dry run, so you should just see something like this:

 

psql:show-fixes.sql:3: NOTICE:  Dry run specified, queries will be displayed but not executed.

psql:show-fixes.sql:3: NOTICE:  Fixing irregular permissions for field mapping 452 with SQL: UPDATE xdat_field_mapping SET create_element = 0 WHERE xdat_field_mapping_id = 452

psql:show-fixes.sql:3: NOTICE:  Fixing irregular permissions for field mapping 444 with SQL: UPDATE xdat_field_mapping SET create_element = 0 WHERE xdat_field_mapping_id = 444

psql:show-fixes.sql:3: NOTICE:  Fixing irregular permissions for field mapping 413 with SQL: UPDATE xdat_field_mapping SET create_element = 0 WHERE xdat_field_mapping_id = 413

 

Although it’s fairly clear what’s wrong with each group from the query, you can find out specifics like this:

 

xnat=> SELECT * FROM project_groups_find_irregular_settings WHERE xdat_field_mapping_id = 452;

    tag     |        id         | xdat_field_mapping_id |                 field                 | mismatched_values | mismatched_read_value | mismatched_edit_value | mismatched_create_value | mismatched_delete_value | mismatched_active_value

------------+-------------------+-----------------------+---------------------------------------+-------------------+-----------------------+-----------------------+-------------------------+-------------------------+-------------------------

ALI_US_X8W | ALI_US_X8W_member |                   452 | xnat:pVisitData/sharing/share/project | create            |                       |                       |                       1 |                         |

(1 row)

 

-- 

Rick Herrick

Sr. Programmer/Analyst

Neuroinformatics Research Group

Washington University School of Medicine

Phone: +1 (314) 273-1645

 

From: "xnat_di...@googlegroups.com" <xnat_di...@googlegroups.com> on behalf of Ben Wagner <thewa...@gmail.com>
Reply-To: "xnat_di...@googlegroups.com" <xnat_di...@googlegroups.com>
Date: Monday, June 22, 2020 at 1:27 PM
To: "xnat_di...@googlegroups.com" <xnat_di...@googlegroups.com>
Subject: [XNAT Discussion] xapi/access/permissions/irregular/fix

 

* External Email - Caution *

--
You received this message because you are subscribed to the Google Groups "xnat_discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to xnat_discussi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/xnat_discussion/59b8a089-cde8-4f17-822f-1696ff92406eo%40googlegroups.com.

 

The materials in this message are private and may contain Protected Healthcare Information or other information of a sensitive nature. If you are not the intended recipient, be advised that any unauthorized use, disclosure, copying or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error, please immediately notify the sender via telephone or return mail.

fix-update.sql
Reply all
Reply to author
Forward
0 new messages