Add Group ID parameter to commands

[awalter17]

Current we only use one SecurityContext, which is set with the user's default group ID (see here). This means that the user can only access data that they have access to within that group.

To remedy this, we should add a groupId parameter to the OMEROService methods to allow users to access additional data. Or possibly some sort of smarter mechanism?

[ctrueden]

I don't understand. The user belongs to groups, right? Why can't the remote API provide access to all data to which that user has access? I am afraid that requiring users to select a specific group will confuse people.

[ctrueden]

@joshmoore @dominikl Question about the OMERO gateway: it appears that SecurityContext takes a single groupID? It would be ideal if, when a user provides their login credentials, they don't have to select an active group that matches what they want to download. How does this work in OMERO.web?

[fmeyenhofer]

you could change the default group in omero web as a workaround. If you want to create a nice security whole just se GID to -1 ;)

[ctrueden]

@Meyenhofer Why is a GID of -1 a security hole? The user can only affect what the user can affect... right? There is no way a user could authenticate as themselves but set their GID to -1 and thus gain access to anything extra?

[fmeyenhofer]

yes, -1 just shows all the available groups for a given user. I did not test what happens if you choose an image ID that is not of an image inside a group the user is associated with.. But we might want someone from OME commenting on the ramifications of that

[joshmoore]

Hi @Meyenhofer and @ctrueden.

The user belongs to groups, right? Why can't the remote API provide access to all data to which that user has access? I am afraid that requiring users to select a specific group will confuse people.

By default, the client is logged into the default group. By using -1, you are saying, "give me data to all my groups". For reading, there isn't much of an issue. When writing, it becomes more critical. Objects cannot be cross-linked between groups.

If you want to create a nice security whole just se GID to -1 ;)

It's not a security hole, it's a client choice. There's nothing the client can do to see objects that are in a group that the user is not a member of.

I did not test what happens if you choose an image ID that is not of an image inside a group the user is associated with

Then it will appear as if the data does not exist.

[dominikl]

The SecurityContext always has to be set to a specific group. In the Java gateway you have to do it explicitely, I think the Python blitz gateway just uses the user's default group if it's not specified. At the moment there's no direct way to access data across groups in the Java gateway, but there is on the Java API level, for example you can pass a Map specifying 'omero.group == -1' to the QueryService, something like:

Map<String, String> options = new HashMap<String, String>();
options.put("omero.group", "-1");
gateway.getQueryService(ctx).findByQuery(query, null, options);

Related discussion going on here: ome/openmicroscopy#5765