Public Repository: permissions, deployment and customization

10th Annual OME Meeting

Paris 2015

Ola Tarkowska, Will Moore

OMERO & repositories

Presentation Outline

  • Groups & Permissions
  • User authentication
  • Publishing data
  • Customizing repository

OMERO & Repository Mode

Private User Repository

  • You always retain ownership of your data.
  • No limitations on the operations on your own data.
  • Restricted access to the data based on permissions.

Public & Controlled Repository

  • Data can be owner agnostic.
  • Limited operations on the data.
  • Public access to the raw data.


Public repositories:

Controlled repositories:

Public data in OMERO


Groups & Permissions

  • Private
  • Read-Only
  • Read-Write

Public User

  • Public visitors are logged in as a specified public user
  • Visitors are able to access data available to the public user
  • Functionality exposed can be controlled by URL filters

$ bin/omero config set omero.web.public.enabled True
$ bin/omero config set omero.web.public.server_id 1
$ bin/omero config set omero.web.public.user '<username>'
$ bin/omero config set omero.web.public.password '*****'
$ bin/omero config set omero.web.public.url_filter '^/webgateway'

$ bin/omero config set omero.web.public.url_filter '^/webgateway/(?!archived_files|download_as)'
$ bin/omero config set omero.web.public.url_filter '^/(?!webadmin|webclient/(action|logout|annotate_(file|tags|comment|rating|map)|script_ui|ome_tiff|figure_script)|webgateway/(archived_files|download_as))'
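
To audit what each of the three filters above actually opens to the public user, the following added example (not from the slides or the OMERO code base) evaluates them against a set of constructed request paths. It assumes the filter is applied with a regular-expression search against the request path; the dictionary keys and sample paths are illustrative names.

```python
import re

# The three omero.web.public.url_filter values shown on the slide.
FILTERS = {
    "webgateway": r'^/webgateway',
    "webgateway_no_download": r'^/webgateway/(?!archived_files|download_as)',
    "browse_no_write": (
        r'^/(?!webadmin|webclient/(action|logout|annotate_(file|tags|comment'
        r'|rating|map)|script_ui|ome_tiff|figure_script)'
        r'|webgateway/(archived_files|download_as))'
    ),
}

# Constructed request paths used to probe the filters (not real server logs).
SAMPLE_PATHS = [
    "/webgateway/render_image/1/",
    "/webgateway/archived_files/download/1/",
    "/webgateway/download_as/1/",
    "/webclient/",
    "/webclient/action/delete/image/1/",
    "/webclient/annotate_tags/",
    "/webclient/logout/",
    "/webadmin/",
]

def is_public(url_filter, path):
    """Assumption: the filter is applied with re.search() to the request path."""
    return re.search(url_filter, path) is not None

def exposed(name, paths=SAMPLE_PATHS):
    """Paths the public user can reach under the named filter."""
    return [p for p in paths if is_public(FILTERS[name], p)]

def newly_exposed(old, new, paths=SAMPLE_PATHS):
    """Paths reachable under `new` that were not reachable under `old`."""
    before = set(exposed(old, paths))
    return [p for p in exposed(new, paths) if p not in before]

if __name__ == "__main__":
    for name, url_filter in FILTERS.items():
        print(name)
        for p in SAMPLE_PATHS:
            print("  %-5s %s" % ("allow" if is_public(url_filter, p) else "deny", p))
```

Running `newly_exposed` before changing the setting shows what a filter change adds to the public surface.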

Public Data Documentation

Accessing Public data

Moving data to public space

LINK https://...



Embedding </ >


HTML page

<link href="https://omero/static/omeroweb.viewer.min.css" type="text/css" rel="stylesheet">
<script src="https://omero/static/omeroweb.viewer.min.js" type="text/javascript"></script>
<style type="text/css">
.viewport {
    height: 500px;
    width: 500px;
}
</style>
<script type="text/javascript">
    /* Wait until the page (including the viewport div) has loaded */
    $(document).ready(function () {
        /* Prepare the viewport */
        viewport = $.WeblitzViewport($("#viewport"), "http://omero/webgateway/", {
            'mediaroot': "http://omero/static/"
        });
        /* Load the selected image into the viewport */
        viewport.load(IMAGE_ID);  /* IMAGE_ID: placeholder for the ID of a public image */
    });
</script>
<div id="viewport" class="viewport"></div>


Custom application


Index page

$ bin/omero config set omero.web.index_template 'mytemplate/test.html'
$ bin/omero config set omero.web.template_dirs '/your/path/to/templates/'

Login screen

$ bin/omero config set omero.web.login_logo 'http://www.url/to/image.png'

Login redirection

$ bin/omero config set omero.web.login_redirect \
                '{"redirect": ["webindex"], "viewname": "load_template", 
                "args":["userdata"], "query_string": "experimenter=-1"}'

Post login page

$ bin/omero config set omero.web.login_redirect \
        '{"redirect": ["webindex"], "viewname": "webindex_custom"}'

Override existing view

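import omeroweb.webstart.views
from omero_version import omero_version
from omeroweb.webclient.decorators import login_required, render_response


@login_required()
@render_response()  # renders the returned context with context['template']
def custom_index(request, conn=None, **kwargs):
    context = {"version": omero_version}
    # Use the group selected in the session, else the user's current group
    active_group = request.session.get('active_group') or conn.getEventContext().groupId
    group = conn.getObject("ExperimenterGroup", active_group)
    leaders, members = group.groupSummary()
    # List the group owners alphabetically by login name
    leaders.sort(key=lambda x: x.getOmeName() and x.getOmeName().lower())
    context["courses"] = leaders
    context['template'] = 'virtualmicroscope/start.html'
    return context

# Replace the stock view with the custom one
omeroweb.webstart.views.custom_index = custom_index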

Top links menu

$ bin/omero config append omero.web.ui.top_links \
                '["Figure", "webfigure"]'
$ bin/omero config set omero.web.ui.top_links \
                '["GRE", ""]'

Group and Users
in dropdown menu

$ bin/omero config set "Owners"
$ bin/omero config set true
$ bin/omero config set "Members"
$ bin/omero config set true
$ bin/omero config set "All Members"
$ bin/omero config set true

Orphaned container

$ bin/omero config set "Orphaned images"

Disabling scripts

$ bin/omero config append omero.client.scripts_to_ignore "/my_scripts/"

Download restriction

$ bin/omero config set omero.policy.binary_access "+read,+write,+image"

Webstart restriction

$ bin/omero config set omero.web.webstart_admins_only true

Email notification


$ bin/omero config set omero.mail.config true
$ bin/omero config set omero.mail.from "sysadmin@localhost.domain"
$ bin/omero config set "localhost"
$ bin/omero config set omero.mail.port 465
$ bin/omero config set omero.mail.username
$ bin/omero config set omero.mail.password
$ bin/omero config set omero.mail.smtp.starttls.enable true

LDAP authentication


$ bin/omero config set omero.ldap.config True
$ bin/omero config set omero.ldap.urls "ldaps://ldap:636"
$ bin/omero config set omero.ldap.username "cn=ldapuser,ou=Lab,o=College"
$ bin/omero config set omero.ldap.password "***"
$ bin/omero config set omero.ldap.base "o=College"

$ bin/omero config set True

Mapping groups and users

$ bin/omero config set omero.ldap.group_mapping "name=cn"
$ bin/omero config set omero.ldap.user_mapping "omeName=cn,firstName=givenName

$ bin/omero config set omero.ldap.group_filter "(&(objectClass=groupOfUniqueNames)

$ bin/omero config set omero.ldap.user_filter "(memberOf=cn=repository,ou=Lab

$ bin/omero config set omero.ldap.new_user_group ":query:(uniqueMember=@{dn})"

$ bin/omero config set omero.ldap.new_user_group "Virtual Microscope"

LDAP documentation

LDAP & Command line

$ bin/omero ldap getdn --user-name atarkowska
Using session 425b795b-1c7b-49c0-bd47-587252001744 (root@localhost:4064). Idle timeout: 60.0 min. Current group: system
atarkowska: cn=ATarkowska,ou=Lab,o=College

$ bin/omero ldap create wmoore
Using session 425b795b-1c7b-49c0-bd47-587252001744 (root@localhost:4064). Idle timeout: 60.0 min. Current group: system
Added user wmoore (id=1352) with DN=cn=wmoore,ou=Lab,o=College

$ bin/omero ldap list
Using session 425b795b-1c7b-49c0-bd47-587252001744 (root@localhost:4064). Idle timeout: 60.0 min. Current group: system
   | Id   | OmeName    | DN                              
 0 | 52   | atarkowska | cn=atarkowska,ou=Lab,o=College 
 1 | 1352 | wmoore     | cn=wmoore,ou=Lab,o=College 

Command Line Interface documentation

OMERO session key-based authentication

https://omero/webgateway/img_detail/IMAGE_ID/?server=SERVER_ID&bsession=OMERO_SESSION_KEY

$ bin/omero login
Previously logged in to localhost:4064 as root
Server: [localhost:4064]
Username: [test-user]
Created session 531389ec-300e-4a01-9bdf-90e9f3869473 (test-user@localhost:4064). Idle timeout: 60.0 min. Current group: read-only

$ bin/omero sessions list
 Server    | User | Group           | Session                              | Active    | Started
 localhost | test | read-only       | 531389ec-300e-4a01-9bdf-90e9f3869473 | Logged in | Fri May 01 14:55:25 2015
 localhost | root | system          | 1f800a16-1dc2-407a-8a85-fb44005306be | True      | Fri May 01 14:55:18 2015
(2 rows)

Server-side Session documentation

Future work

  • Integration with 3rd party systems
    • OMERO Single Sign On authentication
  • Web URL filters improvement
  • Embedding
    • Complex JavaScript and JSON API
  • Complex usage of ROIs and annotations.

Thank you

  • Prof. Jason Swedlow
  • OME team

Questions?