Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow rodsuser to run a rule string #105

Open
d-w-moore opened this issue Jan 28, 2022 · 1 comment
Open

allow rodsuser to run a rule string #105

d-w-moore opened this issue Jan 28, 2022 · 1 comment
Labels
enhancement

Comments

@d-w-moore
Copy link
Contributor

The command:

irule -r irods_rule_engine_plugin-python-instance python_rule null  null

should succeed if executed by a rodsuser.
In this context, the command line argument python_rule should be taken as the identifier of a python function (a rule) defined in the global namespace of /etc/irods/core.py.
Currently this command only succeeds for a rodsadmin. A rodsuser gets the errorSYS_NO_API_PRIV.
@korydraughn
Copy link
Contributor

The following code is the reason why only rodsadmin users can use irule to invoke rules in core.py.

irods_rule_engine_plugin_python/irods_rule_engine_plugin-python.cxx

Lines 623 to 626 in 0a07fb9

if ( ( client_user_authflag < REMOTE_PRIV_USER_AUTH ) || ( proxy_user_authflag < REMOTE_PRIV_USER_AUTH ) ) {
rodsLog( LOG_DEBUG, "Insufficient privileges to run irule in Python rule engine plugin" );
return ERROR( SYS_NO_API_PRIV, "Insufficient privileges to run irule in Python rule engine plugin" );
}

If Boost.Python gives us a way to fetch all rules/functions inside of core.py, then we can use that to determine whether the rule text sent by the client should be executed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Milestone
No milestone
Development

No branches or pull requests
3 participants
@trel @korydraughn @d-w-moore