10/6/9 Internet2 Fall Member Meeting Chris Hyzer, University of Pennsylvania Shilen Patel, Duke University What’s new with Grouper.

Transcript 10/6/9 Internet2 Fall Member Meeting Chris Hyzer, University of Pennsylvania Shilen Patel, Duke University What’s new with Grouper.

10/6/9 Internet2 Fall Member Meeting Chris Hyzer, University of Pennsylvania Shilen Patel, Duke University

What’s new with Grouper

• • • • • • • • • • Note: this is not an exhaustive talk on what’s new with Grouper (see demo movies from the last member meeting) Performance update Namespace transition User auditing Attribute framework summary Attribute framework demo Privilege management summary Privilege management demo Privilege management demo #2 Integrating the lite UI into an application demo 2 – 4/29/2020, © 2009 Internet2

Performance update

Effective Memberships in Grouper 1.4.2

Effective Memberships in Grouper 1.5

Owner

Group A Group B Group C

Group X Group A Group B Group C Member

Group A Group B Group C

Group X Group X Group X Group X Owner

Group A Group B Group C

Group X Member

Group X Group X Group X

Person A

Join where GroupSet Member == Membership Owner

Owner Member

Group A Group X Group B Group C Group X Group X

Group X Person A Group A Person A Group B Person A Group C Person A Type

Immediate Immediate Immediate

Immediate Effective Effective Effective

Write Performance Comparison

API Method

Stem.addChildGroup(…) Group.delete() Stem.addChildStem(…) Stem.delete() Group.addCompositeMember(CompositeType.UNION, …) Group.addCompositeMember(CompositeType.INTERSECTION, …) Group.addCompositeMember(CompositeType.COMPLEMENT, …) Group.deleteCompositeMember() Group.addMember(Subject) Group.deleteMember(Subject) Group.addMember(Subject) – Subject is a group Group.deleteMember(Subject) – Subject is a group Group.addMember(Subject) – Results in a composite membership add

1.4.2 (ms) 1.5 (ms)

162 319 69 66 91 84 81 64 47 46 57 49 98 96 251 174 114 65 70 67 63 46 49 40 83 65 81 73

Effective Membership Performance Comparison 100000 10000 1000 100 10 1 71 48 440 48 16955 111 Grouper 1.4.2

Grouper 1.5

1 10 100

number of effective memberships due to single immediate membership

Read Performance Comparison

API Method

Group.getUpdaters() Group.getEffectiveMembers() Group.getEffectiveMemberships() Group.getImmediateMembers() Group.getImmediateMemberships() Group.getMembers() Group.getMemberships() Group.getPrivs(Subject) 10 37 Group.hasImmediateMember(Subject) 25 Group.hasEffectiveMember(Subject) 25 11 – 4/29/2020, © 2009 Internet2 Group.hasMember(Subject) 25 7 4 7 6

1.4.2 (ms)

21 5

1.5 (ms)

19 5 9 5 9 7 13 27 18 19 19

API Method

Member.getEffectiveMemberships() Member.getImmediateMemberships() Member.getMemberships() Member.hasUpdate() Member.hasCreate() Stem.getChildGroups(Scope.ONE) Stem.getChildGroups(Scope.SUB) 42 Stem.getChildMembershipGroups(Scope.ONE, …) 49 25 19 23 40 41

1.4.2 (ms) 1.5 (ms)

30 28 21 26 26 41 24 20 29 Stem.getChildMembershipGroups(Scope.SUB, …) 52 Stem.getStemmers() Stem.getPrivs(Subject) 6 40 31 8 34

Namespace transition

Namespace Transition

• Functionality – – – – Copy groups from one folder to another Copy folders from one folder to another Move groups from one folder to another Move folders from one folder to another • Integrated with – Grouper UI – – Grouper Shell Grouper Web Services (soon) 13 – 4/29/2020, © 2009 Internet2

Use cases

Options during Folder Copy

• • • • • • Copy privileges of folder Copy privileges of groups within folder Copy list memberships of groups within folder Copy attributes of groups within folder Copy privileges where groups within this folder are a member Copy list memberships where groups within this folder are a member 15 – 4/29/2020, © 2009 Internet2

Options during Group Copy

• • • • • Copy privileges of group Copy list memberships of group Copy attributes of group Copy privileges where the group is a member Copy list memberships where the group is a member 16 – 4/29/2020, © 2009 Internet2

Options during Group and Folder Moves

• Assign alternate name – Feature that adds the previous group name as an alternate group name – Group can be found using standard API calls, such as GroupFinder.findByName() 17 – 4/29/2020, © 2009 Internet2

Auditing

• • High level actions are audited: – – Membership changes Groups (create, update, delete) – Folders (create, update, delete) – Attribute actions – Group/folder move or copy – XML import – Etc I believe there is a demo from the last MM © Internet2 2009

Auditing – high level

• • • Only high level actions are audited E.g. If a group is deleted, then memberships are also deleted The only audit record will be that the group was deleted © Internet2 2009

Auditing context data

• • • • • • • Application: UI, WS, GSH, etc Logged in user id User IP address Server host Environment name (prod, test, etc) Duration of operation (for performance tuning) Etc.

Auditing point in time

• • Point in time auditing is on the roadmap This will show – Who was in a group at a certain point in time – Who has been in a group over the past 6 months – How someone’s membership in a group has changed over time © Internet2 2009

Audit log and the UI

• • • Groups and Stems – actions carried out on the selected object Subjects – actions carried out by a subject – membership changes on a subject – privilege changes on a subject Schema – creation, update or deletion of group types © Internet2 2009

Find the object of interest

View the results

Filter and sort results

Extended information

Entity summary

Group types

Change log

• • • • Each low level event that occurs in Grouper is appended to the change log table Massaged and ordered by a loader process Can be read – Hook through loader gives callback on events – SQL – API Will be integrated with ldappc in future © Internet2 2009

Change log (continued)

• • • • Change log is transactional Loader cleanup job of old change log records Will have a web service interface in the future There is a demo from the last MM © Internet2 2009

Attribute framework

• • Grouper currently has Group types and attributes In 1.5, this feature is redone and improved © Internet2 2009

Can assign attributes to many objects

• • • • • • Groups Folders Members Memberships (immediate or effective) Other attributes Attribute assignments (1 level deep) © Internet2 2009

Attribute security

• • • • • • • Similar privileges to group security ATTR_READ (can see assignments) ATTR_UPDATE (can make assignments) ATTR_ADMIN (can edit attribute fields) ATTR_VIEW (can see that the attribute exists) ATTR_OPTIN (can assign to own member or membership) ATTR_OPTOUT © Internet2 2009

Attribute security (continued)

• • • Anyone with CREATE in a folder can create attributes It takes more than attribute security to assign attributes, you need rights on the object as well – E.g. To assign a group attribute, you need ADMIN on the group and ATTR_UPDATE on the attribute One attribute definition can have multiple names (to reduce the security assignments) © Internet2 2009

Attribute advanced features

• • • • • • Not sure on timeline: Multi-assign attribute names Attribute values Multi-assign attribute values Limit where attributes can be used Formatting and validation on attribute values © Internet2 2009

Attribute framework demo

Netherlands attribute framework use case

• • • Labels on Groups to organize and search for relevant groups “groups (of students) would belong to a certain school/university but also to one or more departments (depending on the school they're enrolled at) and we would like to find them either way” Organize many to many relationships (without stems or groups of groups) 40 – 4/29/2020, © 2009 Internet2

Netherlands attribute framework use case

• • All labels can be configured in the system (not free-form) “Security: the Grouper instance will be used by two separate end-user groups, for which we will instantiate a different version of the GUI that will operate on a different stem. Labels of one instance should not come up in the other GUI and vice versa” 41 – 4/29/2020, © 2009 Internet2

Netherlands attribute framework use case

Groups and attributes

• • • Group: school:math:

brainProject

– – Attribute: school:attr:students:

artsAndSciences

Attribute: school:attr:students:

opticalResearch

– Attribute: school:attr:faculty:

neurology

Group: school:med:

neurologyProfessors

– Attribute: school:attr:students:

residents

– – Attribute: school:attr:students:

opticalResearch

Attribute: school:attr:faculty:

professors

Group: school:computerScience:

neuralNetworks

– Attribute: school:attr:students:

engineering

– Attribute: school:attr:faculty:

neurology

Create groups with GSH

gsh 0% addRootStem("school","school"); gsh 1% addStem("school", "math", "math"); gsh 2% addStem("school", "med", "med"); gsh 3% addStem("school", "computerScience", "computerScience"); gsh 4% groupBrainProject = addGroup

("school:math", "brainProject"

, "brainProject"); gsh 5% groupNeurologyProfessors = addGroup(

"school:med", "neurologyProfessors"

, "neurologyProfessors"); gsh 6%groupNeuralNetworks=addGroup(

"school:computerScience", "neuralNetworks"

Create attribute stems with GSH

gsh 7% addStem("school", "attr", "attr"); gsh 8% addStem("school:attr", "students", "students"); gsh 9% addStem("school:attr", "faculty", "faculty"); gsh 11% grouperSession = GrouperSession.startRootSession(); gsh 12% attrStudentsStem = StemFinder.findByName(grouperSession, "

school:attr:students

"); gsh 13% attrFacultyStem = StemFinder.findByName(grouperSession, "

school:attr:faculty

Create attribute definitions with GSH

gsh 15% studentsAttrDef = attrStudentsStem.addChildAttributeDef("students", AttributeDefType.attr); gsh 16% facultyAttrDef = attrStudentsStem.addChildAttributeDef("faculty", AttributeDefType.attr); 46 – 4/29/2020, © 2009 Internet2

Create attribute names with GSH

attrArtsAndSciences = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "artsAndSciences", "artsAndSciences"); attrOpticalResearch = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "opticalResearch", "opticalResearch"); attrResidents = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "residents", "residents"); attrNeurology = attrFacultyStem.addChildAttributeDefName(facultyAttrDef, "neurology", "neurology"); attrProfessors = attrFacultyStem.addChildAttributeDefName(facultyAttrDef, "professors", "professors"); attrEngineering = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "engineering", "engineering"); 47 – 4/29/2020, © 2009 Internet2

Assign attributes with GSH

groupBrainProject

.getAttributeDelegate().assignAttribute(

attrArtsAndSciences

); groupBrainProject.getAttributeDelegate().assignAttribute(attrOpticalResearch); groupBrainProject.getAttributeDelegate().assignAttribute(attrNeurology); groupNeurologyProfessors.getAttributeDelegate().assignAttribute(attrResidents);

groupNeurologyProfessors

.getAttributeDelegate().assignAttribute(

attrOpticalResearch

); groupNeurologyProfessors.getAttributeDelegate().assignAttribute( attrProfessors); groupNeuralNetworks.getAttributeDelegate().assignAttribute(attrEngineering); groupNeuralNetworks.getAttributeDelegate().assignAttribute(attrNeurology); 48 – 4/29/2020, © 2009 Internet2

Add users with GSH

groupStudents = addGroup("school", "students", "students"); groupFaculty = addGroup("school", "faculty", "faculty"); addMember("school:students", "test.subject.0"); addMember("school:faculty", "test.subject.1"); addMember("school:students", "test.subject.2"); addMember("school:faculty", "test.subject.2"); 49 – 4/29/2020, © 2009 Internet2

Assign attribute security with GSH

studentsAttrDef

.getPrivilegeDelegate().grantPriv(

groupStudents

.toSubject(),

AttributeDefPrivilege.ATTR_READ

, false);

facultyAttrDef

.getPrivilegeDelegate().grantPriv(

groupFaculty

.toSubject(),

AttributeDefPrivilege.ATTR_READ

Create a view for secure attribute reading

• • If integrating with Grouper via SQL, there will probably be a supported SQL interface soon Always put a view on top of the underlying tables, which assures smooth upgrading create view school_group_labels_secure_v as select gaagv.

group_name

, gaagv.

attribute_def_name_name

, gm.subject_source as

reader_subject_source_id

, gm.subject_id as

reader_subject_subject_id

Query the attributes securely

• test.subject.0 is a student only, select all groups with attributes (secure query) select group_name, attribute_def_name_name from school_group_labels_secure_v where reader_subject_source_id = 'jdbc' and

reader_subject_id = 'test.subject.0'

Group school:med:neurologyProfessors school:med:neurologyProfessors school:computerScience:neuralNetworks school:math:brainProject school:math:brainProject Attribute school:attr:students:opticalResearch school:attr:students:residents school:attr:students:engineering school:attr:students:opticalResearch school:attr:students:artsAndSciences 52 – 4/29/2020, © 2009 Internet2

Query the attributes securely

• test.subject.1 is a faculty only, select all groups with attributes (secure query) select group_name, attribute_def_name_name from school_group_labels_secure_v where reader_subject_source_id = 'jdbc' and

reader_subject_id = 'test.subject.1 '

Group school:med:neurologyProfessors school:computerScience:neuralNetworks school:math:brainProject Attribute school:attr:faculty:professors school:attr:faculty:neurology school:attr:faculty:neurology 53 – 4/29/2020, © 2009 Internet2

Query the attributes securely

• test.subject.2 is a faculty and student, select all attributes for group neurologyProfessors select group_name, attribute_def_name_name from school_group_labels_secure_v where reader_subject_source_id = 'jdbc' and

reader_subject_id = 'test.subject.2' and group_name = 'school:med:neurologyProfessors '

Group school:med:neurologyProfessors school:med:neurologyProfessors school:med:neurologyProfessors school:attr: school:attr: school:attr: Attribute

students:opticalResearch faculty:professors students:residents

Permission management

Grouper privilege management

• • • Grouper 1.5 introduces central privilege management features Built on top of the groups registry and new attribute framework (includes security) Since privilege in grouper means privilege on a group or folder or attribute, will use “permission” © Internet2 2009

Permission management

• • • In Grouper (in the API, GSH, WS, docs, etc) a privilege refers to being able to do something in Grouper (e.g. READ a group or CREATE objects in a folder) So, since privilege = permission, resources in the new privilege management features, a non-grouper privilege will be referred to as “permission” There are permissions as RBAC (Role Based Access Control), and individual permissions 57 – 4/29/2020, © 2009 Internet2

Grouper permission management

• • • • • Roles: links up groups/subjects and permission resources Permission resources: a type of attribute (on Role or effective Membership) Permission sets: can bunch up permission resources into one resource (e.g. for hierarchies) Role inheritance: can allow roles to inherit permissions from other roles (e.g. Senior loan administrator inherits from loan administrator) Action: qualifier of permission assignment, e.g. read or write © Internet2 2009

Grouper role or permission directed graphs

• • • Not a hierarchy (supports multiple parents) Supports circular references Image is test case © Internet2 2009

Permission management demo #1

RBAC integration into an application

Authorization design

Role definitions

• • • userSharer : can share documents, and can do anything a receiver can do – userReceiver : can receive documents sysAdmin : can manage emails and daemons, and things an admin can do – admin : can view audit logs on the admin console (complete GSH code in slide notes) gsh 30% userSharerRole = rolesStem.addChildRole("userSharer", "userSharer"); gsh 31% userReceiverRole = rolesStem.addChildRole("userReceiver", "userReceiver"); gsh 32% userSharerRole.getRoleInheritanceDelegate() .addRoleToInheritFromThis(userReceiverRole); 64 – 4/29/2020, © 2009 Internet2

Role members

• • • • userSharer : should have the group penn:community:staff (includes choate) – userReceiver : should have the group penn:community:students (includes mchyzer) sysAdmin : should have the user (includes melinas) – admin : can view audit logs on the admin console (includes bwh) Note: you could do this part in the Grouper UI or WS (complete GSH code in slide notes) gsh 40% studentsGroup = addGroup("penn:community", "students", "students"); gsh 41% studentsGroup.addMember(SubjectFinder.findByIdentifier("mchyzer")); gsh 42% userReceiverRole.addMember(studentsGroup.toSubject()); gsh 43% adminRole.addMember(SubjectFinder.findByIdentifier("bwh")); 66 – 4/29/2020, © 2009 Internet2

Resource definitions

• • • Penn’s web framework already manages (local) permissions To integrate, we can use the same names, and override the decision (complete GSH code in slide notes) gsh 50% resourcesStem = addStem("penn:isc:apps:secureShare", "resources", "resources"); gsh 51% resourcesDef = resourcesStem .addChildAttributeDef("secureShareWebResources", AttributeDefType.perm); gsh 52% splashResource = resourcesStem .addChildAttributeDefName(resourcesDef, "splash.jsp", "splash.jsp"); 68 – 4/29/2020, © 2009 Internet2

Resource sets

• Not all that useful in this case, but as an example…(complete code in notes) gsh 60% resourceSetsStem = addStem("penn:isc:apps:secureShare", "resourceSets", "resourceSets"); gsh 61% receiveSetResource = resourceSetsStem.addChildAttributeDefName( resourcesDef, "receiveSet", "receiveSet"); gsh 62% sendSetResource = resourceSetsStem.addChildAttributeDefName( resourcesDef, "sendSet", "sendSet"); gsh 63% receiveSetResource.getAttributeDefNameSetDelegate() .addToAttributeDefNameSet(splashResource); gsh 64% receiveSetResource.getAttributeDefNameSetDelegate() .addToAttributeDefNameSet(receiveButtonResource); gsh 65% sendSetResource.getAttributeDefNameSetDelegate() .addToAttributeDefNameSet(sendButtonResource); gsh 66% sendSetResource.getAttributeDefNameSetDelegate() .addToAttributeDefNameSet(sendSectionResource); 70 – 4/29/2020, © 2009 Internet2

Resource assignments

• Assign resource sets to roles… gsh 70% userSharerRole.getPermissionRoleDelegate() .assignRolePermission(sendSetResource); gsh 71% userReceiverRole.getPermissionRoleDelegate() .assignRolePermission(receiveSetResource); gsh 72% sysAdminRole.getPermissionRoleDelegate() .assignRolePermission(sysAdminSetResource); gsh 73% adminRole.getPermissionRoleDelegate() .assignRolePermission(adminSetResource); 72 – 4/29/2020, © 2009 Internet2

Make a view for app to read permissions

• Always make a view, don’t query the registry directly create or replace view apps_sec_share_web_perms_v as select distinct gpav.role_name, psv.pennname, gpav.attribute_def_name_name

from grouper_perms_all_v gpav, grouper_attribute_def ad, person_source_v psv where subject_source_id = 'pennperson' and gpav.attribute_def_id = ad.id

and ad.name= 'penn:isc:apps:secureShare:resources:secureShareWebResources' and psv.penn_id = gpav.subject_id

Make a view for app to read permissions

select * from apps_sec_share_web_perms_v PennName Resource bwh /fast/fastAdminConsole.jsp bwh bwh choate choate choate choate mchyzer /fast/fastAuditLogViewer.jsp resourceSets:adminSet splash.jsp resourceSets:receiveSet resourceSets:sendSet FASTXsplash.jsp sendDocument splash.jsp Role_name admin admin admin userSharer userSharer userSharer userSharer userReceiver mchyzer melinas resourceSets:receiveSet /fast/fastEmailConfig.jsp

On login, cache the user’s permissions

• • • • • Improve performance Not as dependent on Grouper DB Permissions changes will require a logout/login if logged in Can easily be swapped for WS call when available Put this code in a login hook in the application: //lets cache the Grouper permissions in session List permissions = HibernateSession2.bySqlStatic() .conn("pennCommunity").listSelect(String.class, "select distinct ATTRIBUTE_DEF_NAME_NAME from " + "authzadm.apps_sec_share_web_perms_v where pennname = ?", fastUser.getPennkey()); httpSession.setAttribute("grouperPermissions", permissions); 75 – 4/29/2020, © 2009 Internet2

Check permissions when needed

• Penn’s framework has a hook to override authorization List permissions = (List)httpSession.getAttribute( "grouperPermissions"); String resourceName = "penn:isc:apps:secureShare:resources:" + propertyValue.getNameSystem(); boolean allowed = permissions.contains(resourceName) 76 – 4/29/2020, © 2009 Internet2

Show

demo

• • • • • mchyzer is student choate is staff bwh is staff, admin melinas is staff, sysAdmin schleind was an admin, and needs to manage emails but not daemons (thus can’t be sysAdmin) schleindMember = MemberFinder.findBySubject(this.grouperSession, SubjectFinder.findByIdentifier("schleind"), true); adminRole.getPermissionRoleDelegate().assignSubjectRolePermission( adminEmailButtonResource, schleindMember); adminRole.getPermissionRoleDelegate().assignSubjectRolePermission( adminEmailResource, schleindMember); 77 – 4/29/2020, © 2009 Internet2

Act as a specific allowed role

• • • Note, the SQL view of permission assignments (and future WS interface) can show the roles a user has It also can show permissions of a user while acting as a certain role So if you do not want “flattened” permissions in an application (for security purposes), you can let the user act as one of their roles 78 – 4/29/2020, © 2009 Internet2

Permission management for data (demo #2)

Authorization with data

• Can use a similar strategy to the previous web example, especially if there aren’t many resources to secure e.g. select records from table where section in (?,?,?,?,?,?) • • If there are to many resources to secure (e.g. more than 100) or you want to join data in the database, you can use the following strategy This contrived example shows how to join SQL to security tables populated from Grouper 80 – 4/29/2020, © 2009 Internet2

Authorization with data

• • Org chart / class list school – artsAndSciences • chemistry – – chemistry101 chemistry201 • math – – math220 math240 – engineering • computerScience – computerScience99 – computerScience300 • electricalEngineering – electricalEngineering400 – electricalEngineering450 81 – 4/29/2020, © 2009 Internet2

Create central stems (folders)

gsh 100% communityStem = StemFinder.findByName(grouperSession, "penn:community", true); gsh 101% orgResourcesStem = addStem("penn:community", "orgResources", "orgResources"); gsh 102% schoolStem = addStem("penn:community:orgResources", "school", "school"); gsh 103% artsAndSciencesStem = addStem( "penn:community:orgResources:school", "artsAndSciences", "artsAndSciences"); gsh 104% chemistryStem = addStem( "penn:community:orgResources:school:artsAndSciences", "chemistry", "chemistry"); • gsh 105% mathStem = addStem( "penn:community:orgResources:school:artsAndSciences", "math", "math") Complete GSH commands in slide notes 82 – 4/29/2020, © 2009 Internet2

Create resources

• • Note: this will be able to be managed by the Grouper loader Note: complete GSH commands in slide notes gsh 110% orgResourcesDef = orgResourcesStem.addChildAttributeDef( "orgResourcesDef", AttributeDefType.perm); gsh 111% schoolResource = orgResourcesStem.addChildAttributeDefName( orgResourcesDef, "school", "school"); gsh 112% artsAndSciencesResource = schoolStem.addChildAttributeDefName( orgResourcesDef, "artsAndSciences", "artsAndSciences"); gsh 113% chemistryResource = artsAndSciencesStem .addChildAttributeDefName(orgResourcesDef, "chemistry", "chemistry"); gsh 114% chemistry101Resource = chemistryStem .addChildAttributeDefName(orgResourcesDef, "chemistry101", "chemistry101"); gsh 115% chemistry201Resource = chemistryStem .addChildAttributeDefName(orgResourcesDef, "chemistry201", "chemistry201"); gsh 116% mathResource = artsAndSciencesStem .addChildAttributeDefName(orgResourcesDef, "math", "math"); 83 – 4/29/2020, © 2009 Internet2

Create resource sets (org hierarchy)

• • Note: this will be able to be managed by the Grouper loader Note: complete GSH commands in slide notes gsh 120%

schoolResource