Hi Eric! See my comments inline below.
Il 2013-11-06 19:56 Eric Rasche ha scritto:
Oh, excellent. I must've skipped over that, given the strange title of the thread.
Your solution at the end of that thread is very promising, and certainly handles failure MUCH better than mine does (i.e. raising exceptions and not breaking a workflow if the user isn't permitted access.)
(Did you put it on the galaxy wiki anywhere? If it weren't for you linking that, I never would've known about it and that's very useful info!)
No, the original code is from John, so I blame him for not documenting it ;) Seriously, I can do that, maybe even create a pull request with the code, if there's enough interest.
In my organisation's case; if a user isn't allowed access to a given tool, we believe that
- galaxy has no reason to admit it exists
- galaxy should not share default information about a tool
Which is a bit different from the case of having a license to use a tool. For licensing issues, naturally it would be fine to say "yes this exists and if you can't run it, obtain a license".
For my org's case, we might want to store administrative tools (for other services) in galaxy. It's a very convenient platform for more than just bioinformatics and we have some non-technical people on staff who occasionally need to pull various data sets from various services/make database backups/etc. Students and clients who use our galaxy instance don't need to know that these tools are available.
In his first reply in the mentioned thread, John explained also how to hide tools using tool filters. Here is his example code:
In the mean time, tool filters has been enhanced with this pull request by Bjoern:
I hope this is what you need.
On 11/06/2013 12:12 PM, Nicola Soranzo wrote:
Hi Eric, please also take a look at this mailing list thread:
If you are interested in the is_user_in_group solution, I have a slightly updated version which also uses roles instead of groups.
Il giorno mer, 06/11/2013 alle 11.38 -0600, Eric Rasche ha scritto:
I've implemented some rather basic tool access control and am looking for feedback on my implementation.
Our organisation wanted the ability to restrict tools to different users/roles. As such I've implemented as an "execute" tag which can be applied to either <section> or <tools> in the tool configuration file.
# Example galaxy-admin changes
<section execute="firstname.lastname@example.org,email@example.com" id="EncodeTools" name="ENCODE Tools"> <tool file="encode/gencode_partition.xml" /> <tool execute="firstname.lastname@example.org" file="encode/random_intervals.xml" /> </section>
which would allow A and B to access gencode_parition, but only B would be able to access random_intervals. To put it explicity
- by default, everyone can access all tools
- if section level permissions are set, then those are set as
defaults for all tools in that section
- if tool permissions are set, they will override the defaults.
# Pros and Cons
There are some good features
- non-accessible tools won't show up in the left hand panel, based
- non-accessible tools cannot be run or accessed.
There are some caveats however.
- existence of tools is not completely hidden.
- Labels are not hidden at all.
- workflows break completely if a tool is unavailable to a shared
user and the user copies+edits. They can be copied, and viewed (says tool not found), but cannot be edited.
For a brief overview of my changes, please see the attached diff. (It's missing one change because I wasn't being careful and started work on multiple different features)
# Changeset overview
In brief, most of the changes consist of
- new method in model.User to check if an array of roles overlaps
at all with a user's roles
- modifications to appropriate files for reading in the new
- modification to get_tool to pass user information, as whether or
not a tool exists is now dependent on who is asking.
Please let me know if you have input on this before I create a pull request on this feature.
I believe this will fix a number of previously brought up issues (at least to my understanding of the issues listed)
- (I saw some solution where they were adding "_beta" to tool names
which gave permissions to developers somewhere, but cannot find that now)
Cheers, Eric Rasche