10/6/9 Internet2 Fall Member Meeting
Chris Hyzer, University of Pennsylvania
Shilen Patel, Duke University
What’s new with Grouper
What’s new with Grouper
• Note: this is not an exhaustive talk on what’s new with Grouper
(see demo movies from the last member meeting)
• Performance update
• Namespace transition
• User auditing
• Attribute framework summary
• Attribute framework demo
• Privilege management summary
• Privilege management demo
• Privilege management demo #2
• Integrating the lite UI into an application demo
2 – 3/23/2016, © 2009 Internet2
Performance update
Effective Memberships in Grouper 1.4.2
[Diagram over four slides: Group X is a member of Group A, Group B and Group C; Person A, Person B and Person C are then added to Group X, so each of them becomes an effective member of Groups A, B and C.]
Effective Memberships in Grouper 1.5
Effective memberships are derived by joining the GroupSet table to the immediate Membership table, where GroupSet Member == Membership Owner:

GroupSet (Owner, Member) | Membership (Owner, Member) | Result (Owner, Member, Type)
Group A, Group A         | Group A, Group X           | Group A, Group X, Immediate
Group B, Group B         | Group B, Group X           | Group B, Group X, Immediate
Group C, Group C         | Group C, Group X           | Group C, Group X, Immediate
Group X, Group X         | Group X, Person A          | Group X, Person A, Immediate
Group A, Group X         | Group X, Person A          | Group A, Person A, Effective
Group B, Group X         | Group X, Person A          | Group B, Person A, Effective
Group C, Group X         | Group X, Person A          | Group C, Person A, Effective
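As an added illustration (not code from the slides or from Grouper itself), the following Python models the GroupSet join shown above: only immediate memberships are written, GroupSet rows record which owner "sees" which member's memberships, and effective memberships fall out of a join on GroupSet.member == Membership.owner. The table names, the sample data and the transitive-closure construction of GroupSet are assumptions made for the example.

```python
from collections import namedtuple

# Two stored tables (constructed sample data matching the slide): immediate
# memberships, and GroupSet rows (owner, member) meaning "owner's membership
# list includes whatever member holds".
Membership = namedtuple("Membership", "owner member")
GroupSet = namedtuple("GroupSet", "owner member")
Effective = namedtuple("Effective", "owner member type")

GROUPS = ["Group A", "Group B", "Group C", "Group X"]
IMMEDIATE = [
    Membership("Group A", "Group X"),
    Membership("Group B", "Group X"),
    Membership("Group C", "Group X"),
    Membership("Group X", "Person A"),   # the single membership that was added
]


def build_group_sets(groups, immediate):
    """GroupSet = one self row (owner, owner) per group plus one row for every
    group reachable from the owner through group-in-group memberships.
    A visited set keeps the walk finite if groups ever form a cycle."""
    children = {g: set() for g in groups}
    for m in immediate:
        if m.member in children:            # only groups propagate memberships
            children[m.owner].add(m.member)
    rows = []
    for owner in groups:
        seen, stack = {owner}, [owner]
        while stack:
            for child in children[stack.pop()]:
                if child not in seen:
                    seen.add(child)
                    stack.append(child)
        rows.extend(GroupSet(owner, g) for g in sorted(seen))
    return rows


def resolve_memberships(group_sets, immediate):
    """The join from the slide: GroupSet.member == Membership.owner.
    A self row yields an Immediate result, any other row an Effective one."""
    out = []
    for gs in group_sets:
        for m in immediate:
            if gs.member == m.owner:
                kind = "Immediate" if gs.owner == gs.member else "Effective"
                out.append(Effective(gs.owner, m.member, kind))
    return out


def effective_memberships():
    """Resolved (owner, member, type) rows for the constructed sample, sorted."""
    return sorted(resolve_memberships(build_group_sets(GROUPS, IMMEDIATE), IMMEDIATE))


def members_of(group, rows=None):
    """Flattened member list of a group, as an application would read it."""
    rows = effective_memberships() if rows is None else rows
    return sorted({r.member for r in rows if r.owner == group})


if __name__ == "__main__":
    for row in effective_memberships():
        print(f"{row.owner:8} -> {row.member:9} {row.type}")
```

Adding Person A to Group X costs one Membership row here; the three effective memberships in Groups A, B and C are produced by the join at read time rather than written out, which is the write-cost difference the performance slides measure.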
Write Performance Comparison
API Method                                                             | 1.4.2 (ms) | 1.5 (ms)
Stem.addChildGroup(…)                                                  | 162 | 251
Group.delete()                                                         | 319 | 174
Stem.addChildStem(…)                                                   | 69  | 114
Stem.delete()                                                          | 66  | 65
Group.addCompositeMember(CompositeType.UNION, …)                       | 91  | 70
Group.addCompositeMember(CompositeType.INTERSECTION, …)                | 84  | 67
Group.addCompositeMember(CompositeType.COMPLEMENT, …)                  | 81  | 63
Group.deleteCompositeMember()                                          | 64  | 46
Group.addMember(Subject)                                               | 47  | 49
Group.deleteMember(Subject)                                            | 46  | 40
Group.addMember(Subject) – Subject is a group                          | 57  | 83
Group.deleteMember(Subject) – Subject is a group                       | 49  | 65
Group.addMember(Subject) – Results in a composite membership add       | 98  | 81
Group.deleteMember(Subject) – Results in a composite membership delete | 96  | 73
Effective Membership Performance Comparison
[Bar chart: y axis milliseconds (log scale, 1 to 100000); x axis number of effective memberships due to single immediate membership (1, 10, 100); series Grouper 1.4.2 and Grouper 1.5. Data labels on the chart: 16955, 440, 71, 111, 48, 48 ms; which label belongs to which bar is not recoverable from the text.]
Read Performance Comparison
API Method                                   | 1.4.2 (ms) | 1.5 (ms)
Group.getUpdaters()                          | 21 | 19
Group.getEffectiveMembers()                  | 5  | 5
Group.getEffectiveMemberships()              | 7  | 9
Group.getImmediateMembers()                  | 4  | 5
Group.getImmediateMemberships()              | 7  | 9
Group.getMembers()                           | 6  | 7
Group.getMemberships()                       | 10 | 13
Group.getPrivs(Subject)                      | 37 | 27
Group.hasImmediateMember(Subject)            | 25 | 18
Group.hasEffectiveMember(Subject)            | 25 | 19
Group.hasMember(Subject)                     | 25 | 19
Member.getEffectiveMemberships()             | 30 | 28
Member.getImmediateMemberships()             | 25 | 21
Member.getMemberships()                      | 19 | 26
Member.hasUpdate()                           | 23 | 26
Member.hasCreate()                           | 40 | 41
Stem.getChildGroups(Scope.ONE)               | 41 | 24
Stem.getChildGroups(Scope.SUB)               | 42 | 20
Stem.getChildMembershipGroups(Scope.ONE, …)  | 49 | 29
Stem.getChildMembershipGroups(Scope.SUB, …)  | 52 | 31
Stem.getStemmers()                           | 6  | 8
Stem.getPrivs(Subject)                       | 40 | 34
Namespace transition
Namespace Transition
• Functionality
– Copy groups from one folder to another
– Copy folders from one folder to another
– Move groups from one folder to another
– Move folders from one folder to another
• Integrated with
– Grouper UI
– Grouper Shell
– Grouper Web Services (soon)
Use cases
• Changes in organizational structure
• Template groups and folders
Options during Folder Copy
• Copy privileges of folder
• Copy privileges of groups within folder
• Copy list memberships of groups within folder
• Copy attributes of groups within folder
• Copy privileges where groups within this folder are a member
• Copy list memberships where groups within this folder are a member
Options during Group Copy
• Copy privileges of group
• Copy list memberships of group
• Copy attributes of group
• Copy privileges where the group is a member
• Copy list memberships where the group is a member
Options during Group and Folder Moves
• Assign alternate name
– Feature that adds the previous group name as
an alternate group name
– Group can be found using standard API calls,
such as GroupFinder.findByName()
Auditing
Auditing
• High level actions are audited:
– Membership changes
– Groups (create, update, delete)
– Folders (create, update, delete)
– Attribute actions
– Group/folder move or copy
– XML import
– Etc
• I believe there is a demo from the last MM
Auditing – high level
• Only high level actions are audited
• E.g. if a group is deleted, then memberships are also deleted
• The only audit record will be that the group was deleted
Auditing context data
• Application: UI, WS, GSH, etc
• Logged in user id
• User IP address
• Server host
• Environment name (prod, test, etc)
• Duration of operation (for performance tuning)
• Etc.
Auditing point in time
• Point in time auditing is on the roadmap
• This will show
– Who was in a group at a certain point in time
– Who has been in a group over the past 6 months
– How someone’s membership in a group has
changed over time
Audit log and the UI
• Groups and Stems
– actions carried out on the selected object
• Subjects
– actions carried out by a subject
– membership changes on a subject
– privilege changes on a subject
• Schema
– creation, update or deletion of group types
Audit log UI walkthrough (slide titles only):
• Find the object of interest
• View the results
• Filter and sort results
• Extended information
• Entity summary
• Group types
Change log
Change log
• Each low level event that occurs in Grouper is
appended to the change log table
• Massaged and ordered by a loader process
• Can be read
– Hook through loader gives callback on events
– SQL
– API
• Will be integrated with ldappc in future
Change log (continued)
• Change log is transactional
• Loader cleanup job of old change log records
• Will have a web service interface in the future
• There is a demo from the last MM
Attribute framework
Attribute framework
• Grouper currently has Group types and
attributes
• In 1.5, this feature is redone and improved
Can assign attributes to many objects
• Groups
• Folders
• Members
• Memberships (immediate or effective)
• Other attributes
• Attribute assignments (1 level deep)
Attribute security
• Similar privileges to group security
• ATTR_READ (can see assignments)
• ATTR_UPDATE (can make assignments)
• ATTR_ADMIN (can edit attribute fields)
• ATTR_VIEW (can see that the attribute exists)
• ATTR_OPTIN (can assign to own member or membership)
• ATTR_OPTOUT
Attribute security (continued)
• Anyone with CREATE in a folder can create
attributes
• It takes more than attribute security to assign
attributes, you need rights on the object as
well
– E.g. To assign a group attribute, you need ADMIN
on the group and ATTR_UPDATE on the attribute
• One attribute definition can have multiple
names (to reduce the security assignments)
Attribute advanced features
• Not sure on timeline:
• Multi-assign attribute names
• Attribute values
• Multi-assign attribute values
• Limit where attributes can be used
• Formatting and validation on attribute values
Attribute framework demo
Netherlands attribute framework use case
• Labels on Groups to organize and search for relevant groups
• “groups (of students) would belong to a certain
school/university but also to one or more departments
(depending on the school they're enrolled at) and we would like
to find them either way”
• Organize many to many relationships (without stems or groups
of groups)
Netherlands attribute framework use case
• All labels can be configured in the system (not free-form)
• “Security: the Grouper instance will be used by two separate
end-user groups, for which we will instantiate a different
version of the GUI that will operate on a different stem. Labels
of one instance should not come up in the other GUI and vice
versa”
Netherlands attribute framework use case
• External Application written in PHP
• SQL interface for READ is ok
• GSH for WRITE is ok if performance is ok
• WS is the long term solution
Groups and attributes
• Group: school:math:brainProject
– Attribute: school:attr:students:artsAndSciences
– Attribute: school:attr:students:opticalResearch
– Attribute: school:attr:faculty:neurology
• Group: school:med:neurologyProfessors
– Attribute: school:attr:students:residents
– Attribute: school:attr:students:opticalResearch
– Attribute: school:attr:faculty:professors
• Group: school:computerScience:neuralNetworks
– Attribute: school:attr:students:engineering
– Attribute: school:attr:faculty:neurology
Create groups with GSH
gsh 0% addRootStem("school","school");
gsh 1% addStem("school", "math", "math");
gsh 2% addStem("school", "med", "med");
gsh 3% addStem("school", "computerScience", "computerScience");
gsh 4% groupBrainProject = addGroup("school:math", "brainProject",
"brainProject");
gsh 5% groupNeurologyProfessors = addGroup("school:med",
"neurologyProfessors", "neurologyProfessors");
gsh 6% groupNeuralNetworks = addGroup("school:computerScience",
"neuralNetworks", "neuralNetworks");
Create attribute stems with GSH
gsh 7% addStem("school", "attr", "attr");
gsh 8% addStem("school:attr", "students", "students");
gsh 9% addStem("school:attr", "faculty", "faculty");
gsh 11% grouperSession = GrouperSession.startRootSession();
gsh 12% attrStudentsStem =
StemFinder.findByName(grouperSession, "school:attr:students");
gsh 13% attrFacultyStem = StemFinder.findByName(grouperSession,
"school:attr:faculty");
Create attribute definitions with GSH
gsh 15% studentsAttrDef =
attrStudentsStem.addChildAttributeDef("students",
AttributeDefType.attr);
gsh 16% facultyAttrDef =
attrStudentsStem.addChildAttributeDef("faculty",
AttributeDefType.attr);
Create attribute names with GSH
attrArtsAndSciences =
attrStudentsStem.addChildAttributeDefName(studentsAttrDef,
"artsAndSciences", "artsAndSciences");
attrOpticalResearch =
attrStudentsStem.addChildAttributeDefName(studentsAttrDef,
"opticalResearch", "opticalResearch");
attrResidents = attrStudentsStem.addChildAttributeDefName(studentsAttrDef,
"residents", "residents");
attrNeurology = attrFacultyStem.addChildAttributeDefName(facultyAttrDef,
"neurology", "neurology");
attrProfessors = attrFacultyStem.addChildAttributeDefName(facultyAttrDef,
"professors", "professors");
attrEngineering = attrStudentsStem.addChildAttributeDefName(studentsAttrDef,
"engineering", "engineering");
Assign attributes with GSH
groupBrainProject.getAttributeDelegate().assignAttribute(attrArtsAndSciences);
groupBrainProject.getAttributeDelegate().assignAttribute(attrOpticalResearch);
groupBrainProject.getAttributeDelegate().assignAttribute(attrNeurology);
groupNeurologyProfessors.getAttributeDelegate().assignAttribute(attrResidents);
groupNeurologyProfessors.getAttributeDelegate().assignAttribute(
attrOpticalResearch);
groupNeurologyProfessors.getAttributeDelegate().assignAttribute(
attrProfessors);
groupNeuralNetworks.getAttributeDelegate().assignAttribute(attrEngineering);
groupNeuralNetworks.getAttributeDelegate().assignAttribute(attrNeurology);
Add users with GSH
groupStudents = addGroup("school", "students", "students");
groupFaculty = addGroup("school", "faculty", "faculty");
addMember("school:students", "test.subject.0");
addMember("school:faculty", "test.subject.1");
addMember("school:students", "test.subject.2");
addMember("school:faculty", "test.subject.2");
Assign attribute security with GSH
studentsAttrDef.getPrivilegeDelegate().grantPriv(groupStudents.toSubject(),
AttributeDefPrivilege.ATTR_READ, false);
facultyAttrDef.getPrivilegeDelegate().grantPriv(groupFaculty.toSubject(),
AttributeDefPrivilege.ATTR_READ, false);
Create a view for secure attribute reading
• If integrating with Grouper via SQL, there will probably be a supported SQL
interface soon
• Always put a view on top of the underlying tables, which assures smooth
upgrading
create view school_group_labels_secure_v as
select gaagv.group_name,
gaagv.attribute_def_name_name,
gm.subject_source as reader_subject_source_id,
gm.subject_id as reader_subject_id
from …
• Full DDL in slide notes…
Query the attributes securely
• test.subject.0 is a student only, select all groups with attributes (secure query)
select group_name, attribute_def_name_name
from school_group_labels_secure_v
where reader_subject_source_id = 'jdbc'
and reader_subject_id = 'test.subject.0'
Group                                  | Attribute
school:med:neurologyProfessors         | school:attr:students:opticalResearch
school:med:neurologyProfessors         | school:attr:students:residents
school:computerScience:neuralNetworks  | school:attr:students:engineering
school:math:brainProject               | school:attr:students:opticalResearch
school:math:brainProject               | school:attr:students:artsAndSciences
Query the attributes securely
• test.subject.1 is a faculty only, select all groups with attributes (secure query)
select group_name, attribute_def_name_name
from school_group_labels_secure_v
where reader_subject_source_id = 'jdbc'
and reader_subject_id = 'test.subject.1'
Group                                  | Attribute
school:med:neurologyProfessors         | school:attr:faculty:professors
school:computerScience:neuralNetworks  | school:attr:faculty:neurology
school:math:brainProject               | school:attr:faculty:neurology
Query the attributes securely
• test.subject.2 is a faculty and student, select all attributes for group neurologyProfessors
select group_name, attribute_def_name_name
from school_group_labels_secure_v
where reader_subject_source_id = 'jdbc'
and reader_subject_id = 'test.subject.2'
and group_name = 'school:med:neurologyProfessors'
Group                                  | Attribute
school:med:neurologyProfessors         | school:attr:students:opticalResearch
school:med:neurologyProfessors         | school:attr:faculty:professors
school:med:neurologyProfessors         | school:attr:students:residents
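As an added example (not code from the slides or from Grouper), the following Python models what the secure view above decides: a reader sees an attribute assignment only when ATTR_READ on that attribute's definition was granted to a group the reader belongs to. The group memberships, ATTR_READ grants and assignments are the constructed sample from the GSH slides; the definition labels studentsAttrDef and facultyAttrDef are the GSH variable names, and the function names are the example's own.

```python
# Constructed sample data mirroring the GSH slides "Add users",
# "Assign attribute security" and "Assign attributes".
GROUP_MEMBERS = {                      # group -> immediate subject members
    "school:students": {"test.subject.0", "test.subject.2"},
    "school:faculty": {"test.subject.1", "test.subject.2"},
}
ATTR_READ_GRANTS = {                   # attribute definition -> groups holding ATTR_READ
    "studentsAttrDef": {"school:students"},
    "facultyAttrDef": {"school:faculty"},
}
ATTR_NAME_DEFS = {                     # attribute name -> attribute definition it belongs to
    "school:attr:students:artsAndSciences": "studentsAttrDef",
    "school:attr:students:opticalResearch": "studentsAttrDef",
    "school:attr:students:residents": "studentsAttrDef",
    "school:attr:students:engineering": "studentsAttrDef",
    "school:attr:faculty:neurology": "facultyAttrDef",
    "school:attr:faculty:professors": "facultyAttrDef",
}
ASSIGNMENTS = [                        # (group, attribute name), as assigned on the slide
    ("school:math:brainProject", "school:attr:students:artsAndSciences"),
    ("school:math:brainProject", "school:attr:students:opticalResearch"),
    ("school:math:brainProject", "school:attr:faculty:neurology"),
    ("school:med:neurologyProfessors", "school:attr:students:residents"),
    ("school:med:neurologyProfessors", "school:attr:students:opticalResearch"),
    ("school:med:neurologyProfessors", "school:attr:faculty:professors"),
    ("school:computerScience:neuralNetworks", "school:attr:students:engineering"),
    ("school:computerScience:neuralNetworks", "school:attr:faculty:neurology"),
]


def readable_defs(subject):
    """Attribute definitions the subject may read: those where ATTR_READ is
    granted to a group the subject is a member of. (Only immediate group
    members are modelled here; Grouper would also honour effective ones.)"""
    return {
        attr_def
        for attr_def, groups in ATTR_READ_GRANTS.items()
        if any(subject in GROUP_MEMBERS.get(g, ()) for g in groups)
    }


def visible_assignments(subject, group_name=None):
    """Rows the secure view returns for this reader: every (group, attribute)
    assignment whose attribute definition the reader can read, optionally
    restricted to one group. The filter is on the attribute definition, not
    on the group: a reader with no rights on a group still sees the labels
    that its readable definitions put on that group, and never sees labels
    from definitions it cannot read."""
    defs = readable_defs(subject)
    return sorted(
        (group, attr)
        for group, attr in ASSIGNMENTS
        if ATTR_NAME_DEFS[attr] in defs and (group_name is None or group == group_name)
    )


if __name__ == "__main__":
    for subj in ("test.subject.0", "test.subject.1", "test.subject.2"):
        for group, attr in visible_assignments(subj):
            print(f"{subj}: {group} -> {attr}")
```

Running it reproduces the three result sets on the slides: the student-only reader gets the five students labels, the faculty-only reader the three faculty labels, and the reader in both groups gets all three labels on neurologyProfessors.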
Permission management
Grouper privilege management
• Grouper 1.5 introduces central privilege
management features
• Built on top of the groups registry and new
attribute framework (includes security)
• Since “privilege” in Grouper means a privilege on a group, folder or attribute, the new features will use the term “permission”
Permission management
• In Grouper (in the API, GSH, WS, docs, etc) a privilege refers to being able to
do something in Grouper (e.g. READ a group or CREATE objects in a folder)
• So, since privilege = permission, in the new privilege management features a non-Grouper privilege (a resource in an application) will be referred to as a “permission”
• There are permissions as RBAC (Role Based Access Control), and individual permissions
Grouper permission management
• Roles: links up groups/subjects and permission resources
• Permission resources: a type of attribute (on Role or
effective Membership)
• Permission sets: can bunch up permission resources into
one resource (e.g. for hierarchies)
• Role inheritance: can allow roles to inherit permissions
from other roles (e.g. Senior loan administrator inherits
from loan administrator)
• Action: qualifier of permission assignment, e.g. read or
write
Grouper role or permission directed graphs
• Not a hierarchy (supports multiple parents)
• Supports circular references
• Image is test case
Permission management demo #1
RBAC integration into an application
Authorization design
Role definitions
Role definitions
• userSharer : can share documents, and can do anything a receiver can do
– userReceiver : can receive documents
• sysAdmin : can manage emails and daemons, and things an admin can do
– admin : can view audit logs on the admin console
• (complete GSH code in slide notes)
gsh 30% userSharerRole = rolesStem.addChildRole("userSharer", "userSharer");
gsh 31% userReceiverRole = rolesStem.addChildRole("userReceiver",
"userReceiver");
gsh 32% userSharerRole.getRoleInheritanceDelegate()
.addRoleToInheritFromThis(userReceiverRole);
Role members
Role members
• userSharer : should have the group penn:community:staff (includes choate)
– userReceiver : should have the group penn:community:students (includes mchyzer)
• sysAdmin : should have the user (includes melinas)
– admin : can view audit logs on the admin console (includes bwh)
• Note: you could do this part in the Grouper UI or WS
• (complete GSH code in slide notes)
gsh 40% studentsGroup = addGroup("penn:community", "students", "students");
gsh 41% studentsGroup.addMember(SubjectFinder.findByIdentifier("mchyzer"));
gsh 42% userReceiverRole.addMember(studentsGroup.toSubject());
gsh 43% adminRole.addMember(SubjectFinder.findByIdentifier("bwh"));
Resource definitions
Resource definitions
• Penn’s web framework already manages (local) permissions
• To integrate, we can use the same names, and override the decision
• (complete GSH code in slide notes)
gsh 50% resourcesStem = addStem("penn:isc:apps:secureShare",
"resources", "resources");
gsh 51% resourcesDef = resourcesStem
.addChildAttributeDef("secureShareWebResources", AttributeDefType.perm);
gsh 52% splashResource = resourcesStem
.addChildAttributeDefName(resourcesDef, "splash.jsp", "splash.jsp");
Resource sets
Resource sets
• Not all that useful in this case, but as an example… (complete code in notes)
gsh 60% resourceSetsStem = addStem("penn:isc:apps:secureShare",
"resourceSets", "resourceSets");
gsh 61% receiveSetResource = resourceSetsStem.addChildAttributeDefName(
resourcesDef, "receiveSet", "receiveSet");
gsh 62% sendSetResource = resourceSetsStem.addChildAttributeDefName(
resourcesDef, "sendSet", "sendSet");
gsh 63% receiveSetResource.getAttributeDefNameSetDelegate()
.addToAttributeDefNameSet(splashResource);
gsh 64% receiveSetResource.getAttributeDefNameSetDelegate()
.addToAttributeDefNameSet(receiveButtonResource);
gsh 65% sendSetResource.getAttributeDefNameSetDelegate()
.addToAttributeDefNameSet(sendButtonResource);
gsh 66% sendSetResource.getAttributeDefNameSetDelegate()
.addToAttributeDefNameSet(sendSectionResource);
Resource assignments
Resource assignments
• Assign resource sets to roles…
gsh 70% userSharerRole.getPermissionRoleDelegate()
.assignRolePermission(sendSetResource);
gsh 71% userReceiverRole.getPermissionRoleDelegate()
.assignRolePermission(receiveSetResource);
gsh 72% sysAdminRole.getPermissionRoleDelegate()
.assignRolePermission(sysAdminSetResource);
gsh 73% adminRole.getPermissionRoleDelegate()
.assignRolePermission(adminSetResource);
Make a view for app to read permissions
• Always make a view, don’t query the registry directly
create or replace view apps_sec_share_web_perms_v as
select distinct gpav.role_name, psv.pennname,
gpav.attribute_def_name_name
from grouper_perms_all_v gpav, grouper_attribute_def ad,
person_source_v psv
where subject_source_id = 'pennperson'
and gpav.attribute_def_id = ad.id
and ad.name=
'penn:isc:apps:secureShare:resources:secureShareWebResources'
and psv.penn_id = gpav.subject_id
Make a view for app to read permissions
select * from apps_sec_share_web_perms_v
PennName | Resource                     | Role_name
bwh      | /fast/fastAdminConsole.jsp   | admin
bwh      | /fast/fastAuditLogViewer.jsp | admin
bwh      | resourceSets:adminSet        | admin
choate   | splash.jsp                   | userSharer
choate   | resourceSets:receiveSet      | userSharer
choate   | resourceSets:sendSet         | userSharer
choate   | FASTXsplash.jsp sendDocument | userSharer
mchyzer  | splash.jsp                   | userReceiver
mchyzer  | resourceSets:receiveSet      | userReceiver
melinas  | /fast/fastEmailConfig.jsp    | sysAdmin
etc.
Note: the actual fully qualified data is in slide notes
On login, cache the user’s permissions
• Improve performance
• Not as dependent on Grouper DB
• Permissions changes will require a logout/login if logged in
• Can easily be swapped for WS call when available
• Put this code in a login hook in the application:
//lets cache the Grouper permissions in session
List<String> permissions = HibernateSession2.bySqlStatic()
.conn("pennCommunity").listSelect(String.class,
"select distinct ATTRIBUTE_DEF_NAME_NAME from " +
"authzadm.apps_sec_share_web_perms_v where pennname = ?",
fastUser.getPennkey());
httpSession.setAttribute("grouperPermissions", permissions);
Check permissions when needed
• Penn’s framework has a hook to override authorization
List<String> permissions = (List<String>)httpSession.getAttribute(
"grouperPermissions");
String resourceName = "penn:isc:apps:secureShare:resources:" +
propertyValue.getNameSystem();
boolean allowed = permissions.contains(resourceName);
Show demo
• mchyzer is student
• choate is staff
• bwh is staff, admin
• melinas is staff, sysAdmin
• schleind was an admin, and needs to manage emails but not daemons (thus can’t be sysAdmin)
schleindMember = MemberFinder.findBySubject(this.grouperSession,
SubjectFinder.findByIdentifier("schleind"), true);
adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
adminEmailButtonResource, schleindMember);
adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
adminEmailResource, schleindMember);
Act as a specific allowed role
• Note, the SQL view of permission assignments (and future WS
interface) can show the roles a user has
• It also can show permissions of a user while acting as a certain
role
• So if you do not want “flattened” permissions in an application
(for security purposes), you can let the user act as one of their
roles
Permission management for data
(demo #2)
Authorization with data
• Can use a similar strategy to the previous web example, especially if there aren’t many resources to secure, e.g. select records from table where section in (?,?,?,?,?,?)
• If there are too many resources to secure (e.g. more than 100) or you want to join data in the database, you can use the following strategy
• This contrived example shows how to join SQL to security tables populated from Grouper
Authorization with data
• Org chart / class list
• school
  – artsAndSciences
    • chemistry
      – chemistry101
      – chemistry201
    • math
      – math220
      – math240
  – engineering
    • computerScience
      – computerScience99
      – computerScience300
    • electricalEngineering
      – electricalEngineering400
      – electricalEngineering450
Create central stems (folders)
gsh 100% communityStem = StemFinder.findByName(grouperSession,
"penn:community", true);
gsh 101% orgResourcesStem = addStem("penn:community", "orgResources",
"orgResources");
gsh 102% schoolStem = addStem("penn:community:orgResources", "school",
"school");
gsh 103% artsAndSciencesStem = addStem(
"penn:community:orgResources:school", "artsAndSciences",
"artsAndSciences");
gsh 104% chemistryStem = addStem(
"penn:community:orgResources:school:artsAndSciences", "chemistry",
"chemistry");
gsh 105% mathStem = addStem(
"penn:community:orgResources:school:artsAndSciences", "math", "math");
• Complete GSH commands in slide notes
Create resources
• Note: this will be able to be managed by the Grouper loader
• Note: complete GSH commands in slide notes
gsh 110% orgResourcesDef = orgResourcesStem.addChildAttributeDef(
"orgResourcesDef", AttributeDefType.perm);
gsh 111% schoolResource = orgResourcesStem.addChildAttributeDefName(
orgResourcesDef, "school", "school");
gsh 112% artsAndSciencesResource = schoolStem.addChildAttributeDefName(
orgResourcesDef, "artsAndSciences", "artsAndSciences");
gsh 113% chemistryResource = artsAndSciencesStem
.addChildAttributeDefName(orgResourcesDef, "chemistry", "chemistry");
gsh 114% chemistry101Resource = chemistryStem
.addChildAttributeDefName(orgResourcesDef, "chemistry101", "chemistry101");
gsh 115% chemistry201Resource = chemistryStem
.addChildAttributeDefName(orgResourcesDef, "chemistry201", "chemistry201");
gsh 116% mathResource = artsAndSciencesStem
.addChildAttributeDefName(orgResourcesDef, "math", "math");
Create resource sets (org hierarchy)
• Note: this will be able to be managed by the Grouper loader
• Note: complete GSH commands in slide notes
gsh 120% schoolResource.getAttributeDefNameSetDelegate()
.addToAttributeDefNameSet(artsAndSciencesResource);
gsh 121% schoolResource.getAttributeDefNameSetDelegate()
.addToAttributeDefNameSet(engineeringResource);
gsh 122% artsAndSciencesResource.getAttributeDefNameSetDelegate()
.addToAttributeDefNameSet(chemistryResource);
gsh 123% artsAndSciencesResource.getAttributeDefNameSetDelegate()
.addToAttributeDefNameSet(mathResource);
gsh 124% chemistryResource.getAttributeDefNameSetDelegate()
.addToAttributeDefNameSet(chemistry101Resource);
gsh 125% chemistryResource.getAttributeDefNameSetDelegate()
.addToAttributeDefNameSet(chemistry201Resource);
gsh 126% mathResource.getAttributeDefNameSetDelegate()
.addToAttributeDefNameSet(math220Resource);
Use admin role from web example above
• Note: complete GSH commands in slide notes
• bwh can write all of chemistry, and math 220
• bwh can read all of arts and sciences
gsh 130% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
"write", chemistryResource, bwhMember);
gsh 131% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
"write", math220Resource, bwhMember);
gsh 132% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
"read", artsAndSciencesResource, bwhMember);
• schleind can write computerScience99, and all of electricalEngineering
• schleind can read the whole school
gsh 133% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
"write", computerScience99Resource, schleindMember);
gsh 134% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
"write", electricalEngineeringResource, schleindMember);
gsh 135% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
"read", schoolResource, schleindMember);
Create a view of permissions
• Note: complete DDL in slide notes
SELECT DISTINCT gpav.role_name, psv.pennname, gpav.action,
gadn.extension AS resource_extension
FROM grouper_perms_all_v gpav,
grouper_attribute_def ad,
person_source_v psv,
grouper_attribute_def_name gadn
WHERE subject_source_id = 'pennperson'
AND gpav.attribute_def_id = ad.ID
AND ad.NAME = 'penn:community:orgResources:orgResourcesDef'
AND psv.penn_id = gpav.subject_id
AND gpav.attribute_def_name_id = gadn.ID
AND gpav.role_name like 'penn:isc:apps:secureShare:roles:%'
Sample data
• Note: complete data in slide notes
SELECT * from APPS_SEC_SHARE_DB_PERMS_V
Role                                  | Pennname | Action | Resource_extension
penn:isc:apps:secureShare:roles:admin | bwh      | write  | chemistry101
penn:isc:apps:secureShare:roles:admin | schleind | read   | computerScience
penn:isc:apps:secureShare:roles:admin | bwh      | read   | math220
penn:isc:apps:secureShare:roles:admin | schleind | read   | chemistry
penn:isc:apps:secureShare:roles:admin | bwh      | write  | math220
penn:isc:apps:secureShare:roles:admin | schleind | read   | engineering
penn:isc:apps:secureShare:roles:admin | schleind | read   | computerScience99
penn:isc:apps:secureShare:roles:admin | schleind | write  | electricalEngineering
penn:isc:apps:secureShare:roles:admin | schleind | read   | chemistry201
penn:isc:apps:secureShare:roles:admin | schleind | read   | electricalEngineering
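As an added example (not code from the slides or from Grouper), the following Python flattens permissions the way the views in both demos do: role inheritance and resource sets are walked as directed graphs (multiple parents and cycles allowed, as the "directed graphs" slide states), role-level and subject-in-role assignments are combined, and the result is the (role, subject, action, resource) rows an application would cache at login or filter to a single role. The sample data is constructed from the GSH slides of demo #1 (web resources, with "assign" standing in for the unnamed default action) and demo #2 (org chart); names are the slide extensions rather than full Grouper paths, and the function names are the example's own.

```python
# Constructed sample data mirroring the GSH slides for both demos.
RESOURCE_SETS = {  # resource set -> resources it contains (directed graph)
    # demo #1 (web resources)
    "sendSet": ["sendButton", "sendSection"],
    "receiveSet": ["splash.jsp", "receiveButton"],
    "adminSet": ["/fast/fastAdminConsole.jsp", "/fast/fastAuditLogViewer.jsp"],
    # demo #2 (org chart)
    "school": ["artsAndSciences", "engineering"],
    "artsAndSciences": ["chemistry", "math"],
    "engineering": ["computerScience", "electricalEngineering"],
    "chemistry": ["chemistry101", "chemistry201"],
    "math": ["math220", "math240"],
    "computerScience": ["computerScience99", "computerScience300"],
    "electricalEngineering": ["electricalEngineering400", "electricalEngineering450"],
}
INHERITS_FROM = {"userSharer": ["userReceiver"]}  # a sharer can do anything a receiver can
ROLE_MEMBERS = {
    "userSharer": {"choate"},
    "userReceiver": {"mchyzer"},
    "admin": {"bwh", "schleind"},
}
# permissions assigned to a role as a whole: role -> [(action, resource)]
ROLE_PERMS = {
    "userSharer": [("assign", "sendSet")],
    "userReceiver": [("assign", "receiveSet")],
    "admin": [("assign", "adminSet")],
}
# permissions assigned to one subject only while in a role (demo #2)
SUBJECT_ROLE_PERMS = {
    ("admin", "bwh"): [("write", "chemistry"), ("write", "math220"),
                       ("read", "artsAndSciences")],
    ("admin", "schleind"): [("write", "computerScience99"),
                            ("write", "electricalEngineering"), ("read", "school")],
}


def reachable(graph, start):
    """start plus every node reachable from it. Resource sets and role
    inheritance are directed graphs, not trees (multiple parents, cycles
    allowed), so a visited set guards the walk."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, ()))
    return seen


def flatten_permissions():
    """The flattened (role, subject, action, resource) rows an application
    view over the registry exposes."""
    rows = set()
    for role, subjects in ROLE_MEMBERS.items():
        for subject in subjects:
            grants = []
            for src in reachable(INHERITS_FROM, role):        # own + inherited roles
                grants += ROLE_PERMS.get(src, [])
            grants += SUBJECT_ROLE_PERMS.get((role, subject), [])
            for action, resource in grants:
                for r in reachable(RESOURCE_SETS, resource):  # expand resource sets
                    rows.add((role, subject, action, r))
    return rows


def permissions_for(subject, acting_as=None):
    """What the application caches at login: (action, resource) pairs. With
    acting_as, only that role's permissions are returned, the un-flattened
    option the 'Act as a specific allowed role' slide describes."""
    return sorted(
        (action, r)
        for role, s, action, r in flatten_permissions()
        if s == subject and (acting_as is None or role == acting_as)
    )


if __name__ == "__main__":
    for row in sorted(flatten_permissions()):
        print(row)
```

The ten rows of the sample data table above are a subset of what flatten_permissions() returns; the rest of the rows (math240, chemistry101 and so on for the read permissions) are the ones the slide says are in its notes.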
Create application table for permissions
CREATE TABLE SEC_SHARE_GROUPER_PERMS (
ROLE_NAME VARCHAR2(1024 BYTE),
PENNNAME VARCHAR2(24 BYTE),
ACTION VARCHAR2(32 BYTE),
RESOURCE_EXTENSION VARCHAR2(255 BYTE)
);
Refresh user’s permissions on login
• Note: this could be done many ways, including a global periodic refresh
• In this case, delete and insert the user’s permissions on login in one transaction
HibernateSession2.callbackHibernateSession(true, new HibernateHandler2() {
public Object callback(HibernateSession2 hibernateSession2) throws Exception {
hibernateSession2.bySql().executeSql(
"delete from SEC_SHARE_GROUPER_PERMS where pennname = ?",
fastUser.getPennkey());
hibernateSession2.bySql().executeSql(
"insert into SEC_SHARE_GROUPER_PERMS "
+ "(select role_name, pennname, action, resource_extension "
+ "from authzadm.APPS_SEC_SHARE_DB_PERMS_V@dcom_link "
+ "where pennname = ?)",
fastUser.getPennkey());
hibernateSession2.endAndCloseSession(HibernateAction.COMMIT);
return null;
}
});
Data security demo
• Create a table with org (class) identifiers
• Join to the security table
• Make screen editable if writable, readable if readable
• Show demo
Lite UI
Lite membership update UI
• There is a new part of the UI which is for lite
membership updates
• Can deep link from an external application
• Ajax based
• Can easily add/remove members
• Can import/export membership lists (including
replace all)
• Can search for members of a group
Grouper UI lite
• Feature demo
• Integration demo
What’s new with Grouper
10/5/9 Internet2 Fall Member Meeting
Chris Hyzer, University of Pennsylvania
Shilen Patel, Duke University
For more information, visit www.internet2.edu