
Public access to a specified project/dataset in webclient?

Posted: Thu Mar 14, 2019 11:15 am
by Kouichi_C_Nakamura
On our CHAMBER web site, access to a webclient page, e.g. http://chamber.mrc.ox.ac.uk/webclient/?show=dataset-51, currently requires login.

We have set up a user named Public Public for public access to iviewer. How can we configure the permissions of OMERO so that the user Public Public can access specified projects/datasets without a password?

Re: Public access to a specified project/dataset in webclien

Posted: Thu Mar 14, 2019 12:12 pm
by bmicklem
Our filter is set as:

Code:
omero.web.public.url_filter '^/(webadmin/myphoto/|webclient/(?!(script_ui|ome_tiff|figure_script))|webgateway/(?!(archived_files|download_as))|iviewer|api)'

I believe it may be due to the Project (51 in this case) needing to be owned by the public user, not just in a public group. Is this a requirement?

Is the ability to change ownerships via CLI only?

I've tried to list users, as the first stage to changing ownership, as that needs the user's ID (which isn't even displayed in the administration view of OMERO.insight). I get the following error:

Code:
bash-4.2$ bin/omero user list --sudo ben
Server: [localhost:4064]
Username: [omero-web]
Password for ben:
InternalException: Failed to connect: exception ::omero::AuthenticationException
{
    reason = Error creating session.
}


I'm using --sudo as I don't have the omero-web password. We are trying to set up LDAP at the moment, could that be causing this issue? When I tried with a username that is not an omero user (using the OS user by mistake!), I got an LDAP-related error:

Code:
"Internal error. Please contact your administrator:
Wrapped Exception: (org.springframework.ldap.PartialResultException):
Unprocessed Continuation Reference(s); nested exception is javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ''


I don't want to resolve the LDAP issue at this stage, but just letting you know that it is another variable in the mix.

Re: Public access to a specified project/dataset in webclien

Posted: Fri Mar 15, 2019 3:41 pm
by jmoore
Kouichi_C_Nakamura wrote: How can we configure the permissions of OMERO so that the user Public Public can access specified projects/datasets without a password?


Once the public user is set up, the only requirement should be that the projects and/or datasets are in a group where the public user is a member.

bmicklem wrote: Our filter is set as:
Code:
omero.web.public.url_filter '^/(webadmin/myphoto/|webclient/(?!(script_ui|ome_tiff|figure_script))|webgateway/(?!(archived_files|download_as))|iviewer|api)'



We generate the filter for IDR from https://github.com/IDR/deployment/blob/0f45c6f97da53751f9ed3166008327bad0b6addb/ansible/group_vars/omero-hosts.yml#L95

Code:
omero.web.public.url_filter=^/(api/|webadmin/myphoto/|mapr/|iviewer/|webclient/(?!(action|annotate_(file|tags|comment|rating|map)|script_ui|ome_tiff|figure_script))|webgateway/(?!(archived_files|download_as)))


There are enough differences there that you might try it wholesale. I assume it will work, since `?show=` works on IDR. If you'd like to then pare it back down, we can help with that.

bmicklem wrote: I believe it may be due to the Project (51 in this case) needing to be owned by the public user, not just in a public group. Is this a requirement?


Definitely not. Ideally, the public user should not own any data.

bmicklem wrote: Is the ability to change ownerships via CLI only?


Yes.

bmicklem wrote:
Code:
InternalException: Failed to connect: exception ::omero::AuthenticationException
{
    reason = Error creating session.
}

I'm using --sudo as I don't have the omero-web password. We are trying to set up LDAP at the moment, could that be causing this issue?


Yes. My guess would be that you would have the same error trying to login as `ben`. Is that true? Is `ben` an LDAP user? Is `omero-web`?

bmicklem wrote: When I tried with a username that is not an omero user (using the OS user by mistake!), I got an LDAP-related error:

Code:
"Internal error. Please contact your administrator:
Wrapped Exception: (org.springframework.ldap.PartialResultException):
Unprocessed Continuation Reference(s); nested exception is javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ''

I don't want to resolve the LDAP issue at this stage, but just letting you know that it is another variable in the mix.


Understood. You can temporarily set an account to non-LDAP and use a password if that's useful.

~Josh.
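
Added example (not part of any post in this thread, and not OMERO project code): a side-by-side check of the two `omero.web.public.url_filter` values quoted above, showing which request paths each one opens to the public user without a password. It assumes OMERO.web applies the filter with `re.search` against the request path only (query string excluded); the sample paths are constructed, and `/apiextra/` is a hypothetical app name.

```python
import re
from urllib.parse import urlsplit

# Both patterns are copied verbatim from the posts above.
SITE_FILTER = re.compile(r"^/(webadmin/myphoto/|webclient/(?!(script_ui|ome_tiff|figure_script))|webgateway/(?!(archived_files|download_as))|iviewer|api)")
IDR_FILTER = re.compile(r"^/(api/|webadmin/myphoto/|mapr/|iviewer/|webclient/(?!(action|annotate_(file|tags|comment|rating|map)|script_ui|ome_tiff|figure_script))|webgateway/(?!(archived_files|download_as)))")

# Constructed sample requests (not taken from any server log).
SAMPLES = [
    "http://chamber.mrc.ox.ac.uk/webclient/?show=dataset-51",  # URL from the first post
    "/webclient/action/",
    "/webclient/annotate_comment/",
    "/webclient/script_ui/1/",
    "/webgateway/render_image/1/",
    "/webgateway/archived_files/",
    "/iviewer/",
    "/apiextra/",  # hypothetical app whose name merely starts with "api"
    "/mapr/",
    "/webadmin/",
]

def request_path(url):
    """Return only the path; the query string (?show=...) is not matched (assumption)."""
    return urlsplit(url).path

def public_allowed(pattern, url):
    """True if the filter would let the public user reach this URL.
    Assumption: the filter is applied with re.search on the request path."""
    return pattern.search(request_path(url)) is not None

def compare(urls):
    """Map each request path to (allowed by site filter, allowed by IDR filter)."""
    return {request_path(u): (public_allowed(SITE_FILTER, u),
                              public_allowed(IDR_FILTER, u)) for u in urls}

def differences(urls):
    """Paths on which the two filters disagree."""
    return {p: r for p, r in compare(urls).items() if r[0] != r[1]}

if __name__ == "__main__":
    for path, (site, idr) in compare(SAMPLES).items():
        flag = "  <-- differs" if site != idr else ""
        print(f"{path:32} site={site!s:5} idr={idr!s:5}{flag}")
```

Under that assumption both filters admit `/webclient/`, the path behind `?show=dataset-51`; they differ in that the IDR filter also blocks `webclient/action` and `webclient/annotate_*` and requires the trailing slash on `api/` and `iviewer/`.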