10/6/9 Internet2 Fall Member Meeting Chris Hyzer, University of Pennsylvania Shilen Patel, Duke University What’s new with Grouper.
Download ReportTranscript 10/6/9 Internet2 Fall Member Meeting Chris Hyzer, University of Pennsylvania Shilen Patel, Duke University What’s new with Grouper.
10/6/9 Internet2 Fall Member Meeting Chris Hyzer, University of Pennsylvania Shilen Patel, Duke University
What’s new with Grouper
What’s new with Grouper
• • • • • • • • • • Note: this is not an exhaustive talk on what’s new with Grouper (see demo movies from the last member meeting) Performance update Namespace transition User auditing Attribute framework summary Attribute framework demo Privilege management summary Privilege management demo Privilege management demo #2 Integrating the lite UI into an application demo 2 – 4/29/2020, © 2009 Internet2
Performance update
Effective Memberships in Grouper 1.4.2
Group A Group B Group C Group X 4 – 4/29/2020, © 2009 Internet2
Effective Memberships in Grouper 1.4.2
Group A Group B Group C Group X Person A 5 – 4/29/2020, © 2009 Internet2
Effective Memberships in Grouper 1.4.2
Group A Group B Group C Group X Person B 6 – 4/29/2020, © 2009 Internet2
Effective Memberships in Grouper 1.4.2
Group A Group B Group C Group X Person C 7 – 4/29/2020, © 2009 Internet2
Effective Memberships in Grouper 1.5
Owner
Group A Group B Group C
Group X Group A Group B Group C Member
Group A Group B Group C
Group X Group X Group X Group X Owner
Group A Group B Group C
Group X Member
Group X Group X Group X
Person A
Join where GroupSet Member == Membership Owner
Owner Member
Group A Group X Group B Group C Group X Group X
Group X Person A Group A Person A Group B Person A Group C Person A Type
Immediate Immediate Immediate
Immediate Effective Effective Effective
8 – 4/29/2020, © 2009 Internet2
Write Performance Comparison
API Method
Stem.addChildGroup(…) Group.delete() Stem.addChildStem(…) Stem.delete() Group.addCompositeMember(CompositeType.UNION, …) Group.addCompositeMember(CompositeType.INTERSECTION, …) Group.addCompositeMember(CompositeType.COMPLEMENT, …) Group.deleteCompositeMember() Group.addMember(Subject) Group.deleteMember(Subject) Group.addMember(Subject) – Subject is a group Group.deleteMember(Subject) – Subject is a group Group.addMember(Subject) – Results in a composite membership add
1.4.2 (ms) 1.5 (ms)
162 319 69 66 91 84 81 64 47 46 57 49 98 96 251 174 114 65 70 67 63 46 49 40 83 65 81 73
Effective Membership Performance Comparison 100000 10000 1000 100 10 1 71 48 440 48 16955 111 Grouper 1.4.2
Grouper 1.5
1 10 100
number of effective memberships due to single immediate membership
10 – 4/29/2020, © 2009 Internet2
Read Performance Comparison
API Method
Group.getUpdaters() Group.getEffectiveMembers() Group.getEffectiveMemberships() Group.getImmediateMembers() Group.getImmediateMemberships() Group.getMembers() Group.getMemberships() Group.getPrivs(Subject) 10 37 Group.hasImmediateMember(Subject) 25 Group.hasEffectiveMember(Subject) 25 11 – 4/29/2020, © 2009 Internet2 Group.hasMember(Subject) 25 7 4 7 6
1.4.2 (ms)
21 5
1.5 (ms)
19 5 9 5 9 7 13 27 18 19 19
API Method
Member.getEffectiveMemberships() Member.getImmediateMemberships() Member.getMemberships() Member.hasUpdate() Member.hasCreate() Stem.getChildGroups(Scope.ONE) Stem.getChildGroups(Scope.SUB) 42 Stem.getChildMembershipGroups(Scope.ONE, …) 49 25 19 23 40 41
1.4.2 (ms) 1.5 (ms)
30 28 21 26 26 41 24 20 29 Stem.getChildMembershipGroups(Scope.SUB, …) 52 Stem.getStemmers() Stem.getPrivs(Subject) 6 40 31 8 34
Namespace transition
Namespace Transition
• Functionality – – – – Copy groups from one folder to another Copy folders from one folder to another Move groups from one folder to another Move folders from one folder to another • Integrated with – Grouper UI – – Grouper Shell Grouper Web Services (soon) 13 – 4/29/2020, © 2009 Internet2
Use cases
• Changes in organizational structure • Template groups and folders 14 – 4/29/2020, © 2009 Internet2
Options during Folder Copy
• • • • • • Copy privileges of folder Copy privileges of groups within folder Copy list memberships of groups within folder Copy attributes of groups within folder Copy privileges where groups within this folder are a member Copy list memberships where groups within this folder are a member 15 – 4/29/2020, © 2009 Internet2
Options during Group Copy
• • • • • Copy privileges of group Copy list memberships of group Copy attributes of group Copy privileges where the group is a member Copy list memberships where the group is a member 16 – 4/29/2020, © 2009 Internet2
Options during Group and Folder Moves
• Assign alternate name – Feature that adds the previous group name as an alternate group name – Group can be found using standard API calls, such as GroupFinder.findByName() 17 – 4/29/2020, © 2009 Internet2
Auditing
Auditing
• • High level actions are audited: – – Membership changes Groups (create, update, delete) – Folders (create, update, delete) – Attribute actions – Group/folder move or copy – XML import – Etc I believe there is a demo from the last MM © Internet2 2009
Auditing – high level
• • • Only high level actions are audited E.g. If a group is deleted, then memberships are also deleted The only audit record will be that the group was deleted © Internet2 2009
Auditing context data
• • • • • • • Application: UI, WS, GSH, etc Logged in user id User IP address Server host Environment name (prod, test, etc) Duration of operation (for performance tuning) Etc.
© Internet2 2009
Auditing point in time
• • Point in time auditing is on the roadmap This will show – Who was in a group at a certain point in time – Who has been in a group over the past 6 months – How someone’s membership in a group has changed over time © Internet2 2009
Audit log and the UI
• • • Groups and Stems – actions carried out on the selected object Subjects – actions carried out by a subject – membership changes on a subject – privilege changes on a subject Schema – creation, update or deletion of group types © Internet2 2009
Find the object of interest
© Internet2 2009
View the results
© Internet2 2009
Filter and sort results
© Internet2 2009
Extended information
© Internet2 2009
Entity summary
© Internet2 2009
Group types
© Internet2 2009
Change log
Change log
• • • • Each low level event that occurs in Grouper is appended to the change log table Massaged and ordered by a loader process Can be read – Hook through loader gives callback on events – SQL – API Will be integrated with ldappc in future © Internet2 2009
Change log (continued)
• • • • Change log is transactional Loader cleanup job of old change log records Will have a web service interface in the future There is a demo from the last MM © Internet2 2009
Attribute framework
Attribute framework
• • Grouper currently has Group types and attributes In 1.5, this feature is redone and improved © Internet2 2009
Can assign attributes to many objects
• • • • • • Groups Folders Members Memberships (immediate or effective) Other attributes Attribute assignments (1 level deep) © Internet2 2009
Attribute security
• • • • • • • Similar privileges to group security ATTR_READ (can see assignments) ATTR_UPDATE (can make assignments) ATTR_ADMIN (can edit attribute fields) ATTR_VIEW (can see that the attribute exists) ATTR_OPTIN (can assign to own member or membership) ATTR_OPTOUT © Internet2 2009
Attribute security (continued)
• • • Anyone with CREATE in a folder can create attributes It takes more than attribute security to assign attributes, you need rights on the object as well – E.g. To assign a group attribute, you need ADMIN on the group and ATTR_UPDATE on the attribute One attribute definition can have multiple names (to reduce the security assignments) © Internet2 2009
Attribute advanced features
• • • • • • Not sure on timeline: Multi-assign attribute names Attribute values Multi-assign attribute values Limit where attributes can be used Formatting and validation on attribute values © Internet2 2009
Attribute framework demo
Netherlands attribute framework use case
• • • Labels on Groups to organize and search for relevant groups “groups (of students) would belong to a certain school/university but also to one or more departments (depending on the school they're enrolled at) and we would like to find them either way” Organize many to many relationships (without stems or groups of groups) 40 – 4/29/2020, © 2009 Internet2
Netherlands attribute framework use case
• • All labels can be configured in the system (not free-form) “Security: the Grouper instance will be used by two separate end-user groups, for which we will instantiate a different version of the GUI that will operate on a different stem. Labels of one instance should not come up in the other GUI and vice versa” 41 – 4/29/2020, © 2009 Internet2
Netherlands attribute framework use case
• • • • External Application written in PHP SQL interface for READ is ok GSH for WRITE is ok if performance is ok WS is the long term solution 42 – 4/29/2020, © 2009 Internet2
Groups and attributes
• • • Group: school:math:
brainProject
– – Attribute: school:attr:students:
artsAndSciences
Attribute: school:attr:students:
opticalResearch
– Attribute: school:attr:faculty:
neurology
Group: school:med:
neurologyProfessors
– Attribute: school:attr:students:
residents
– – Attribute: school:attr:students:
opticalResearch
Attribute: school:attr:faculty:
professors
Group: school:computerScience:
neuralNetworks
– Attribute: school:attr:students:
engineering
– Attribute: school:attr:faculty:
neurology
43 – 4/29/2020, © 2009 Internet2
Create groups with GSH
gsh 0% addRootStem("school","school"); gsh 1% addStem("school", "math", "math"); gsh 2% addStem("school", "med", "med"); gsh 3% addStem("school", "computerScience", "computerScience"); gsh 4% groupBrainProject = addGroup
("school:math", "brainProject"
, "brainProject"); gsh 5% groupNeurologyProfessors = addGroup(
"school:med", "neurologyProfessors"
, "neurologyProfessors"); gsh 6%groupNeuralNetworks=addGroup(
"school:computerScience", "neuralNetworks"
, "neuralNetworks"); 44 – 4/29/2020, © 2009 Internet2
Create attribute stems with GSH
gsh 7% addStem("school", "attr", "attr"); gsh 8% addStem("school:attr", "students", "students"); gsh 9% addStem("school:attr", "faculty", "faculty"); gsh 11% grouperSession = GrouperSession.startRootSession(); gsh 12% attrStudentsStem = StemFinder.findByName(grouperSession, "
school:attr:students
"); gsh 13% attrFacultyStem = StemFinder.findByName(grouperSession, "
school:attr:faculty
"); 45 – 4/29/2020, © 2009 Internet2
Create attribute definitions with GSH
gsh 15% studentsAttrDef = attrStudentsStem.addChildAttributeDef("students", AttributeDefType.attr); gsh 16% facultyAttrDef = attrStudentsStem.addChildAttributeDef("faculty", AttributeDefType.attr); 46 – 4/29/2020, © 2009 Internet2
Create attribute names with GSH
attrArtsAndSciences = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "artsAndSciences", "artsAndSciences"); attrOpticalResearch = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "opticalResearch", "opticalResearch"); attrResidents = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "residents", "residents"); attrNeurology = attrFacultyStem.addChildAttributeDefName(facultyAttrDef, "neurology", "neurology"); attrProfessors = attrFacultyStem.addChildAttributeDefName(facultyAttrDef, "professors", "professors"); attrEngineering = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "engineering", "engineering"); 47 – 4/29/2020, © 2009 Internet2
Assign attributes with GSH
groupBrainProject
.getAttributeDelegate().assignAttribute(
attrArtsAndSciences
); groupBrainProject.getAttributeDelegate().assignAttribute(attrOpticalResearch); groupBrainProject.getAttributeDelegate().assignAttribute(attrNeurology); groupNeurologyProfessors.getAttributeDelegate().assignAttribute(attrResidents);
groupNeurologyProfessors
.getAttributeDelegate().assignAttribute(
attrOpticalResearch
); groupNeurologyProfessors.getAttributeDelegate().assignAttribute( attrProfessors); groupNeuralNetworks.getAttributeDelegate().assignAttribute(attrEngineering); groupNeuralNetworks.getAttributeDelegate().assignAttribute(attrNeurology); 48 – 4/29/2020, © 2009 Internet2
Add users with GSH
groupStudents = addGroup("school", "students", "students"); groupFaculty = addGroup("school", "faculty", "faculty"); addMember("school:students", "test.subject.0"); addMember("school:faculty", "test.subject.1"); addMember("school:students", "test.subject.2"); addMember("school:faculty", "test.subject.2"); 49 – 4/29/2020, © 2009 Internet2
Assign attribute security with GSH
studentsAttrDef
.getPrivilegeDelegate().grantPriv(
groupStudents
.toSubject(),
AttributeDefPrivilege.ATTR_READ
, false);
facultyAttrDef
.getPrivilegeDelegate().grantPriv(
groupFaculty
.toSubject(),
AttributeDefPrivilege.ATTR_READ
, false); 50 – 4/29/2020, © 2009 Internet2
Create a view for secure attribute reading
• • If integrating with Grouper via SQL, there will probably be a supported SQL interface soon Always put a view on top of the underlying tables, which assures smooth upgrading create view school_group_labels_secure_v as select gaagv.
group_name
, gaagv.
attribute_def_name_name
, gm.subject_source as
reader_subject_source_id
, gm.subject_id as
reader_subject_subject_id
from … • Full DDL in slide notes… 51 – 4/29/2020, © 2009 Internet2
Query the attributes securely
• test.subject.0 is a student only, select all groups with attributes (secure query) select group_name, attribute_def_name_name from school_group_labels_secure_v where reader_subject_source_id = 'jdbc' and
reader_subject_id = 'test.subject.0'
Group school:med:neurologyProfessors school:med:neurologyProfessors school:computerScience:neuralNetworks school:math:brainProject school:math:brainProject Attribute school:attr:students:opticalResearch school:attr:students:residents school:attr:students:engineering school:attr:students:opticalResearch school:attr:students:artsAndSciences 52 – 4/29/2020, © 2009 Internet2
Query the attributes securely
• test.subject.1 is a faculty only, select all groups with attributes (secure query) select group_name, attribute_def_name_name from school_group_labels_secure_v where reader_subject_source_id = 'jdbc' and
reader_subject_id = 'test.subject.1 '
Group school:med:neurologyProfessors school:computerScience:neuralNetworks school:math:brainProject Attribute school:attr:faculty:professors school:attr:faculty:neurology school:attr:faculty:neurology 53 – 4/29/2020, © 2009 Internet2
Query the attributes securely
• test.subject.2 is a faculty and student, select all attributes for group neurologyProfessors select group_name, attribute_def_name_name from school_group_labels_secure_v where reader_subject_source_id = 'jdbc' and
reader_subject_id = 'test.subject.2' and group_name = 'school:med:neurologyProfessors '
Group school:med:neurologyProfessors school:med:neurologyProfessors school:med:neurologyProfessors school:attr: school:attr: school:attr: Attribute
students:opticalResearch faculty:professors students:residents
54 – 4/29/2020, © 2009 Internet2
Permission management
Grouper privilege management
• • • Grouper 1.5 introduces central privilege management features Built on top of the groups registry and new attribute framework (includes security) Since privilege in grouper means privilege on a group or folder or attribute, will use “permission” © Internet2 2009
Permission management
• • • In Grouper (in the API, GSH, WS, docs, etc) a privilege refers to being able to do something in Grouper (e.g. READ a group or CREATE objects in a folder) So, since privilege = permission, resources in the new privilege management features, a non-grouper privilege will be referred to as “permission” There are permissions as RBAC (Role Based Access Control), and individual permissions 57 – 4/29/2020, © 2009 Internet2
Grouper permission management
• • • • • Roles: links up groups/subjects and permission resources Permission resources: a type of attribute (on Role or effective Membership) Permission sets: can bunch up permission resources into one resource (e.g. for hierarchies) Role inheritance: can allow roles to inherit permissions from other roles (e.g. Senior loan administrator inherits from loan administrator) Action: qualifier of permission assignment, e.g. read or write © Internet2 2009
Grouper role or permission directed graphs
• • • Not a hierarchy (supports multiple parents) Supports circular references Image is test case © Internet2 2009
Permission management demo #1
RBAC integration into an application
61 – 4/29/2020, © 2009 Internet2
Authorization design
62 – 4/29/2020, © 2009 Internet2
Role definitions
63 – 4/29/2020, © 2009 Internet2
Role definitions
• • • userSharer : can share documents, and can do anything a receiver can do – userReceiver : can receive documents sysAdmin : can manage emails and daemons, and things an admin can do – admin : can view audit logs on the admin console (complete GSH code in slide notes) gsh 30% userSharerRole = rolesStem.addChildRole("userSharer", "userSharer"); gsh 31% userReceiverRole = rolesStem.addChildRole("userReceiver", "userReceiver"); gsh 32% userSharerRole.getRoleInheritanceDelegate() .addRoleToInheritFromThis(userReceiverRole); 64 – 4/29/2020, © 2009 Internet2
Role members
65 – 4/29/2020, © 2009 Internet2
Role members
• • • • userSharer : should have the group penn:community:staff (includes choate) – userReceiver : should have the group penn:community:students (includes mchyzer) sysAdmin : should have the user (includes melinas) – admin : can view audit logs on the admin console (includes bwh) Note: you could do this part in the Grouper UI or WS (complete GSH code in slide notes) gsh 40% studentsGroup = addGroup("penn:community", "students", "students"); gsh 41% studentsGroup.addMember(SubjectFinder.findByIdentifier("mchyzer")); gsh 42% userReceiverRole.addMember(studentsGroup.toSubject()); gsh 43% adminRole.addMember(SubjectFinder.findByIdentifier("bwh")); 66 – 4/29/2020, © 2009 Internet2
Resource definitions
67 – 4/29/2020, © 2009 Internet2
Resource definitions
• • • Penn’s web framework already manages (local) permissions To integrate, we can use the same names, and override the decision (complete GSH code in slide notes) gsh 50% resourcesStem = addStem("penn:isc:apps:secureShare", "resources", "resources"); gsh 51% resourcesDef = resourcesStem .addChildAttributeDef("secureShareWebResources", AttributeDefType.perm); gsh 52% splashResource = resourcesStem .addChildAttributeDefName(resourcesDef, "splash.jsp", "splash.jsp"); 68 – 4/29/2020, © 2009 Internet2
Resource sets
69 – 4/29/2020, © 2009 Internet2
Resource sets
• Not all that useful in this case, but as an example…(complete code in notes) gsh 60% resourceSetsStem = addStem("penn:isc:apps:secureShare", "resourceSets", "resourceSets"); gsh 61% receiveSetResource = resourceSetsStem.addChildAttributeDefName( resourcesDef, "receiveSet", "receiveSet"); gsh 62% sendSetResource = resourceSetsStem.addChildAttributeDefName( resourcesDef, "sendSet", "sendSet"); gsh 63% receiveSetResource.getAttributeDefNameSetDelegate() .addToAttributeDefNameSet(splashResource); gsh 64% receiveSetResource.getAttributeDefNameSetDelegate() .addToAttributeDefNameSet(receiveButtonResource); gsh 65% sendSetResource.getAttributeDefNameSetDelegate() .addToAttributeDefNameSet(sendButtonResource); gsh 66% sendSetResource.getAttributeDefNameSetDelegate() .addToAttributeDefNameSet(sendSectionResource); 70 – 4/29/2020, © 2009 Internet2
Resource assignments
71 – 4/29/2020, © 2009 Internet2
Resource assignments
• Assign resource sets to roles… gsh 70% userSharerRole.getPermissionRoleDelegate() .assignRolePermission(sendSetResource); gsh 71% userReceiverRole.getPermissionRoleDelegate() .assignRolePermission(receiveSetResource); gsh 72% sysAdminRole.getPermissionRoleDelegate() .assignRolePermission(sysAdminSetResource); gsh 73% adminRole.getPermissionRoleDelegate() .assignRolePermission(adminSetResource); 72 – 4/29/2020, © 2009 Internet2
Make a view for app to read permissions
• Always make a view, don’t query the registry directly create or replace view apps_sec_share_web_perms_v as select distinct gpav.role_name, psv.pennname, gpav.attribute_def_name_name
from grouper_perms_all_v gpav, grouper_attribute_def ad, person_source_v psv where subject_source_id = 'pennperson' and gpav.attribute_def_id = ad.id
and ad.name= 'penn:isc:apps:secureShare:resources:secureShareWebResources' and psv.penn_id = gpav.subject_id
73 – 4/29/2020, © 2009 Internet2
Make a view for app to read permissions
select * from apps_sec_share_web_perms_v PennName Resource bwh /fast/fastAdminConsole.jsp bwh bwh choate choate choate choate mchyzer /fast/fastAuditLogViewer.jsp resourceSets:adminSet splash.jsp resourceSets:receiveSet resourceSets:sendSet FASTXsplash.jsp sendDocument splash.jsp Role_name admin admin admin userSharer userSharer userSharer userSharer userReceiver mchyzer melinas resourceSets:receiveSet /fast/fastEmailConfig.jsp
userReceiver sysAdmin etc Note: the actual fully qualified data is in slide notes 74 – 4/29/2020, © 2009 Internet2
On login, cache the user’s permissions
• • • • • Improve performance Not as dependent on Grouper DB Permissions changes will require a logout/login if logged in Can easily be swapped for WS call when available Put this code in a login hook in the application: //lets cache the Grouper permissions in session List
Check permissions when needed
• Penn’s framework has a hook to override authorization List
Show
demo
• • • • • mchyzer is student choate is staff bwh is staff, admin melinas is staff, sysAdmin schleind was an admin, and needs to manage emails but not daemons (thus can’t be sysAdmin) schleindMember = MemberFinder.findBySubject(this.grouperSession, SubjectFinder.findByIdentifier("schleind"), true); adminRole.getPermissionRoleDelegate().assignSubjectRolePermission( adminEmailButtonResource, schleindMember); adminRole.getPermissionRoleDelegate().assignSubjectRolePermission( adminEmailResource, schleindMember); 77 – 4/29/2020, © 2009 Internet2
Act as a specific allowed role
• • • Note, the SQL view of permission assignments (and future WS interface) can show the roles a user has It also can show permissions of a user while acting as a certain role So if you do not want “flattened” permissions in an application (for security purposes), you can let the user act as one of their roles 78 – 4/29/2020, © 2009 Internet2
Permission management for data (demo #2)
Authorization with data
• Can use a similar strategy to the previous web example, especially if there aren’t many resources to secure e.g. select records from table where section in (?,?,?,?,?,?) • • If there are to many resources to secure (e.g. more than 100) or you want to join data in the database, you can use the following strategy This contrived example shows how to join SQL to security tables populated from Grouper 80 – 4/29/2020, © 2009 Internet2
Authorization with data
• • Org chart / class list school – artsAndSciences • chemistry – – chemistry101 chemistry201 • math – – math220 math240 – engineering • computerScience – computerScience99 – computerScience300 • electricalEngineering – electricalEngineering400 – electricalEngineering450 81 – 4/29/2020, © 2009 Internet2
Create central stems (folders)
gsh 100% communityStem = StemFinder.findByName(grouperSession, "penn:community", true); gsh 101% orgResourcesStem = addStem("penn:community", "orgResources", "orgResources"); gsh 102% schoolStem = addStem("penn:community:orgResources", "school", "school"); gsh 103% artsAndSciencesStem = addStem( "penn:community:orgResources:school", "artsAndSciences", "artsAndSciences"); gsh 104% chemistryStem = addStem( "penn:community:orgResources:school:artsAndSciences", "chemistry", "chemistry"); • gsh 105% mathStem = addStem( "penn:community:orgResources:school:artsAndSciences", "math", "math") Complete GSH commands in slide notes 82 – 4/29/2020, © 2009 Internet2
Create resources
• • Note: this will be able to be managed by the Grouper loader Note: complete GSH commands in slide notes gsh 110% orgResourcesDef = orgResourcesStem.addChildAttributeDef( "orgResourcesDef", AttributeDefType.perm); gsh 111% schoolResource = orgResourcesStem.addChildAttributeDefName( orgResourcesDef, "school", "school"); gsh 112% artsAndSciencesResource = schoolStem.addChildAttributeDefName( orgResourcesDef, "artsAndSciences", "artsAndSciences"); gsh 113% chemistryResource = artsAndSciencesStem .addChildAttributeDefName(orgResourcesDef, "chemistry", "chemistry"); gsh 114% chemistry101Resource = chemistryStem .addChildAttributeDefName(orgResourcesDef, "chemistry101", "chemistry101"); gsh 115% chemistry201Resource = chemistryStem .addChildAttributeDefName(orgResourcesDef, "chemistry201", "chemistry201"); gsh 116% mathResource = artsAndSciencesStem .addChildAttributeDefName(orgResourcesDef, "math", "math"); 83 – 4/29/2020, © 2009 Internet2
Create resource sets (org hierarchy)
• • Note: this will be able to be managed by the Grouper loader Note: complete GSH commands in slide notes gsh 120%
schoolResource
.getAttributeDefNameSetDelegate() .addToAttributeDefNameSet(
artsAndSciencesResource
); gsh 121%
schoolResource
.getAttributeDefNameSetDelegate() .addToAttributeDefNameSet( engineeringResource ); gsh 122%
artsAndSciencesResource
.getAttributeDefNameSetDelegate() .addToAttributeDefNameSet(
chemistryResource
); gsh 123%
artsAndSciencesResource
.getAttributeDefNameSetDelegate() .addToAttributeDefNameSet(
mathResource
); gsh 124%
chemistryResource
.getAttributeDefNameSetDelegate() .addToAttributeDefNameSet(
chemistry101Resource
); gsh 125%
chemistryResource
.getAttributeDefNameSetDelegate() .addToAttributeDefNameSet(
chemistry201Resource
); gsh 126%
mathResource
.getAttributeDefNameSetDelegate() .addToAttributeDefNameSet(
math220Resource
); 84 – 4/29/2020, © 2009 Internet2
Use admin role from web example above
• • • Note: complete GSH commands in slide notes bwh can write all of chemistry, and math 220 bwh can read all of arts and sciences gsh 130% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
"write", chemistryResource, bwhMember
); gsh 131% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
"write", math220Resource, bwhMember
); • • gsh 132% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
"read", artsAndSciencesResource, bwhMember
); schleind can write computerScience99, and all of electricalEngineering schleind can read the whole school gsh 133% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
"write", computerScience99Resource, schleindMember
); gsh 134% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
"write", electricalEngineeringResource, schleindMember
); gsh 135% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
"read", schoolResource, schleindMember
); 85 – 4/29/2020, © 2009 Internet2
Create a view of permissions
• Note: complete DDL in slide notes SELECT DISTINCT gpav.role_name, psv.pennname,
gpav.action
,
gadn.extension AS resource_extension
FROM grouper_perms_all_v gpav, grouper_attribute_def ad, person_source_v psv, grouper_attribute_def_name gadn WHERE subject_source_id = 'pennperson' AND gpav.attribute_def_id = ad.ID
AND ad.NAME = 'penn:community:orgResources:orgResourcesDef'
AND psv.penn_id = gpav.subject_id
AND gpav.attribute_def_name_id = gadn.ID
AND gpav.role_name like 'penn:isc:apps:secureShare:roles:%'
86 – 4/29/2020, © 2009 Internet2
Sample data
• Note: complete data in slide notes SELECT * from APPS_SEC_SHARE_DB_PERMS_V Role Pennname Action Resource_extension penn:isc:apps:secureShare:roles:admin bwh penn:isc:apps:secureShare:roles:admin schleind penn:isc:apps:secureShare:roles:admin bwh write read read chemistry101 computerScience math220 penn:isc:apps:secureShare:roles:admin schleind penn:isc:apps:secureShare:roles:admin bwh penn:isc:apps:secureShare:roles:admin schleind penn:isc:apps:secureShare:roles:admin schleind penn:isc:apps:secureShare:roles:admin schleind penn:isc:apps:secureShare:roles:admin schleind penn:isc:apps:secureShare:roles:admin schleind read write read read write read read chemistry math220 engineering computerScience99 electricalEngineering chemistry201 electricalEngineering 87 – 4/29/2020, © 2009 Internet2
Create application table for permissions
CREATE TABLE SEC_SHARE_GROUPER_PERMS ( ); ROLE_NAME VARCHAR2(1024 BYTE), PENNNAME VARCHAR2(24 BYTE), ACTION VARCHAR2(32 BYTE), RESOURCE_EXTENSION VARCHAR2(255 BYTE) 88 – 4/29/2020, © 2009 Internet2
Refresh user’s permissions on login
• • Note: this could be done many ways, including a global periodic refresh In this case, delete and insert the user’s permissions on login in one transaction HibernateSession2.callbackHibernateSession(true, new HibernateHandler2() { public Object callback(HibernateSession2 hibernateSession2) throws Exception { hibernateSession2.bySql().executeSql(
"delete from SEC_SHARE_GROUPER_PERMS where pennname = ?"
, fastUser.getPennkey()); } }); hibernateSession2.bySql().executeSql(
"insert into SEC_SHARE_GROUPER_PERMS " + "(select role_name, pennname, action, resource_extension " + "from authzadm.APPS_SEC_SHARE_DB_PERMS_V@dcom_link " + "where pennname = ?)"
, fastUser.getPennkey()); hibernateSession2.endAndCloseSession(HibernateAction.
COMMIT
); return null; 89 – 4/29/2020, © 2009 Internet2
Data security demo
• • • • Create a table with org (class) identifiers Join to the security table Make screen editable if writable, readable if readable Show demo 90 – 4/29/2020, © 2009 Internet2
Lite UI
Lite membership update UI
• • • • • • There is a new part of the UI which is for lite membership updates Can deep link from an external application Ajax based Can easily add/remove members Can import/export membership lists (including replace all) Can search for members of a group © Internet2 2009
Grouper UI lite
• • Feature demo Integration demo 93 – 4/29/2020, © 2009 Internet2
What’s new with Grouper
10/5/9 Internet2 Fall Member Meeting Chris Hyzer, University of Pennsylvania Shilen Patel, Duke University For more information, visit www.internet2.edu
94 – 4/29/2020, © 2009 Internet2