What’s new with Grouper 10/6/9 Internet2 Fall Member Meeting Chris Hyzer, University of...
-
Upload
gloria-bryan -
Category
Documents
-
view
213 -
download
0
Transcript of What’s new with Grouper 10/6/9 Internet2 Fall Member Meeting Chris Hyzer, University of...
What’s new with GrouperWhat’s new with Grouper
10/6/9 Internet2 Fall Member MeetingChris Hyzer, University of PennsylvaniaShilen Patel, Duke University
• Note: this is not an exhaustive talk on what’s new with Grouper (see demo movies from the last member meeting)
• Performance update• Namespace transition• User auditing• Attribute framework summary• Attribute framework demo• Privilege management summary• Privilege management demo• Privilege management demo #2• Integrating the lite UI into an application demo
2 – 04/21/23, © 2009 Internet2
What’s new with GrouperWhat’s new with Grouper
Performance updatePerformance update
4 – 04/21/23, © 2009 Internet2
Effective Memberships in Grouper 1.4.2Effective Memberships in Grouper 1.4.2
Group BGroup B Group CGroup CGroup AGroup A
Group XGroup X
5 – 04/21/23, © 2009 Internet2
Effective Memberships in Grouper 1.4.2Effective Memberships in Grouper 1.4.2
Group BGroup B Group CGroup CGroup AGroup A
Group XGroup X
Person APerson A
6 – 04/21/23, © 2009 Internet2
Effective Memberships in Grouper 1.4.2Effective Memberships in Grouper 1.4.2
Group BGroup B Group CGroup CGroup AGroup A
Group XGroup X
Person BPerson B
7 – 04/21/23, © 2009 Internet2
Effective Memberships in Grouper 1.4.2Effective Memberships in Grouper 1.4.2
Group BGroup B Group CGroup CGroup AGroup A
Group XGroup X
Person CPerson C
8 – 04/21/23, © 2009 Internet2
Effective Memberships in Grouper 1.5Effective Memberships in Grouper 1.5
Owner Member
Group A Group A
Group B Group B
Group C Group C
Group X Group X
Group A Group X
Group B Group X
Group C Group X
Owner Member
Group A Group X
Group B Group X
Group C Group X
Group X Person A
Owner Member Type
Group A Group X Immediate
Group B Group X Immediate
Group C Group X Immediate
Group X Person A Immediate
Group A Person A Effective
Group B Person A Effective
Group C Person A EffectiveJoin where GroupSet Member == Membership Owner
API Method 1.4.2 (ms) 1.5 (ms)
Stem.addChildGroup(…) 162 251
Group.delete() 319 174
Stem.addChildStem(…) 69 114
Stem.delete() 66 65
Group.addCompositeMember(CompositeType.UNION, …) 91 70
Group.addCompositeMember(CompositeType.INTERSECTION, …) 84 67
Group.addCompositeMember(CompositeType.COMPLEMENT, …) 81 63
Group.deleteCompositeMember() 64 46
Group.addMember(Subject) 47 49
Group.deleteMember(Subject) 46 40
Group.addMember(Subject) – Subject is a group 57 83
Group.deleteMember(Subject) – Subject is a group 49 65
Group.addMember(Subject) – Results in a composite membership add 98 81
Group.deleteMember(Subject) – Results in a composite membership delete 96 739 – 04/21/23, © 2009 Internet2
Write Performance ComparisonWrite Performance Comparison
10 – 04/21/23, © 2009 Internet2
Effective Membership Performance ComparisonEffective Membership Performance Comparison
API Method 1.4.2 (ms)
1.5 (ms)
Group.getUpdaters() 21 19
Group.getEffectiveMembers() 5 5
Group.getEffectiveMemberships() 7 9
Group.getImmediateMembers() 4 5
Group.getImmediateMemberships() 7 9
Group.getMembers() 6 7
Group.getMemberships() 10 13
Group.getPrivs(Subject) 37 27
Group.hasImmediateMember(Subject) 25 18
Group.hasEffectiveMember(Subject) 25 19
Group.hasMember(Subject) 25 19
Group.hasOptin(Subject) 32 25
Membership.getParentMembership() 5 6
11 – 04/21/23, © 2009 Internet2
Read Performance ComparisonRead Performance Comparison
API Method 1.4.2 (ms)
1.5 (ms)
Member.getEffectiveMemberships() 30 28
Member.getImmediateMemberships() 25 21
Member.getMemberships() 19 26
Member.hasUpdate() 23 26
Member.hasCreate() 40 41
Stem.getChildGroups(Scope.ONE) 41 24
Stem.getChildGroups(Scope.SUB) 42 20
Stem.getChildMembershipGroups(Scope.ONE, …) 49 29
Stem.getChildMembershipGroups(Scope.SUB, …) 52 31
Stem.getStemmers() 6 8
Stem.getPrivs(Subject) 40 34
Stem.hasCreate(Subject) 31 24
Namespace transitionNamespace transition
• Functionality– Copy groups from one folder to another– Copy folders from one folder to another– Move groups from one folder to another– Move folders from one folder to another
• Integrated with– Grouper UI– Grouper Shell– Grouper Web Services (soon)
13 – 04/21/23, © 2009 Internet2
Namespace Transition
• Changes in organizational structure
• Template groups and folders
14 – 04/21/23, © 2009 Internet2
Use casesUse cases
• Copy privileges of folder• Copy privileges of groups within folder• Copy list memberships of groups within folder• Copy attributes of groups within folder• Copy privileges where groups within this folder
are a member• Copy list memberships where groups within
this folder are a member
15 – 04/21/23, © 2009 Internet2
Options during Folder CopyOptions during Folder Copy
• Copy privileges of group• Copy list memberships of group• Copy attributes of group• Copy privileges where the group is a member• Copy list memberships where the group is a
member
16 – 04/21/23, © 2009 Internet2
Options during Group CopyOptions during Group Copy
• Assign alternate name– Feature that adds the previous group name as
an alternate group name– Group can be found using standard API calls,
such as GroupFinder.findByName()
17 – 04/21/23, © 2009 Internet2
Options during Group and Folder MovesOptions during Group and Folder Moves
AuditingAuditing
© Internet2 2009
Auditing
• High level actions are audited:– Membership changes– Groups (create, update, delete)– Folders (create, update, delete)– Attribute actions– Group/folder move or copy– XML import– Etc
• I believe there is a demo from the last MM
© Internet2 2009
Auditing – high level
• Only high level actions are audited• E.g. If a group is deleted, then memberships
are also deleted• The only audit record will be that the group
was deleted
© Internet2 2009
Auditing context data
• Application: UI, WS, GSH, etc• Logged in user id• User IP address• Server host• Environment name (prod, test, etc)• Duration of operation (for performance
tuning)• Etc.
© Internet2 2009
Auditing point in time
• Point in time auditing is on the roadmap• This will show
– Who was in a group at a certain point in time– Who has been in a group over the past 6 months– How someone’s membership in a group has
changed over time
© Internet2 2009
Audit log and the UI
• Groups and Stems– actions carried out on the selected object
• Subjects– actions carried out by a subject– membership changes on a subject– privilege changes on a subject
• Schema– creation, update or deletion of group types
© Internet2 2009
Find the object of interest
© Internet2 2009
View the results
© Internet2 2009
Filter and sort results
© Internet2 2009
Extended information
© Internet2 2009
Entity summary
© Internet2 2009
Group types
Change logChange log
© Internet2 2009
Change log
• Each low level event that occurs in Grouper is appended to the change log table
• Massaged and ordered by a loader process• Can be read
– Hook through loader gives callback on events– SQL– API
• Will be integrated with ldappc in future
© Internet2 2009
Change log (continued)
• Change log is transactional• Loader cleanup job of old change log records• Will have a web service interface in the future• There is a demo from the last MM
Attribute frameworkAttribute framework
© Internet2 2009
Attribute framework
• Grouper currently has Group types and attributes
• In 1.5, this feature is redone and improved
© Internet2 2009
Can assign attributes to many objects
• Groups• Folders• Members• Memberships (immediate or effective)• Other attributes• Attribute assignments (1 level deep)
© Internet2 2009
Attribute security
• Similar privileges to group security• ATTR_READ (can see assignments)• ATTR_UPDATE (can make assignments)• ATTR_ADMIN (can edit attribute fields)• ATTR_VIEW (can see that the attribute exists)• ATTR_OPTIN (can assign to own member or
membership)• ATTR_OPTOUT
© Internet2 2009
Attribute security (continued)
• Anyone with CREATE in a folder can create attributes
• It takes more than attribute security to assign attributes, you need rights on the object as well– E.g. To assign a group attribute, you need ADMIN
on the group and ATTR_UPDATE on the attribute
• One attribute definition can have multiple names (to reduce the security assignments)
© Internet2 2009
Attribute advanced features
• Not sure on timeline:• Multi-assign attribute names• Attribute values• Multi-assign attribute values• Limit where attributes can be used• Formatting and validation on attribute values
Attribute framework demoAttribute framework demo
• Labels on Groups to organize and search for relevant groups• “groups (of students) would belong to a certain
school/university but also to one or more departments (depending on the school they're enrolled at) and we would like to find them either way”
• Organize many to many relationships (without stems or groups of groups)
40 – 04/21/23, © 2009 Internet2
Netherlands attribute framework use caseNetherlands attribute framework use case
• All labels can be configured in the system (not free-form)• “Security: the Grouper instance will be used by two separate
end-user groups, for which we will instantiate a different version of the GUI that will operate on a different stem. Labels of one instance should not come up in the other GUI and vice versa”
41 – 04/21/23, © 2009 Internet2
Netherlands attribute framework use caseNetherlands attribute framework use case
• External Application written in PHP• SQL interface for READ is ok• GSH for WRITE is ok if performance is ok• WS is the long term solution
42 – 04/21/23, © 2009 Internet2
Netherlands attribute framework use caseNetherlands attribute framework use case
• Group: school:math:brainProject– Attribute: school:attr:students:artsAndSciences– Attribute: school:attr:students:opticalResearch– Attribute: school:attr:faculty:neurology
• Group: school:med:neurologyProfessors– Attribute: school:attr:students:residents– Attribute: school:attr:students:opticalResearch– Attribute: school:attr:faculty:professors
• Group: school:computerScience:neuralNetworks– Attribute: school:attr:students:engineering– Attribute: school:attr:faculty:neurology
43 – 04/21/23, © 2009 Internet2
Groups and attributesGroups and attributes
gsh 0% addRootStem("school","school");
gsh 1% addStem("school", "math", "math");gsh 2% addStem("school", "med", "med");gsh 3% addStem("school", "computerScience", "computerScience");
gsh 4% groupBrainProject = addGroup("school:math", "brainProject", "brainProject");
gsh 5% groupNeurologyProfessors = addGroup("school:med", "neurologyProfessors", "neurologyProfessors");
gsh 6%groupNeuralNetworks=addGroup("school:computerScience", "neuralNetworks", "neuralNetworks");
44 – 04/21/23, © 2009 Internet2
Create groups with GSHCreate groups with GSH
gsh 7% addStem("school", "attr", "attr");gsh 8% addStem("school:attr", "students", "students");gsh 9% addStem("school:attr", "faculty", "faculty");gsh 11% grouperSession = GrouperSession.startRootSession();gsh 12% attrStudentsStem =
StemFinder.findByName(grouperSession, "school:attr:students");gsh 13% attrFacultyStem = StemFinder.findByName(grouperSession,
"school:attr:faculty");
45 – 04/21/23, © 2009 Internet2
Create attribute stems with GSHCreate attribute stems with GSH
gsh 15% studentsAttrDef = attrStudentsStem.addChildAttributeDef("students", AttributeDefType.attr);
gsh 16% facultyAttrDef = attrStudentsStem.addChildAttributeDef("faculty", AttributeDefType.attr);
46 – 04/21/23, © 2009 Internet2
Create attribute definitions with GSHCreate attribute definitions with GSH
attrArtsAndSciences = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "artsAndSciences", "artsAndSciences");
attrOpticalResearch = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "opticalResearch", "opticalResearch");
attrResidents = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "residents", "residents");
attrNeurology = attrFacultyStem.addChildAttributeDefName(facultyAttrDef, "neurology", "neurology");
attrProfessors = attrFacultyStem.addChildAttributeDefName(facultyAttrDef, "professors", "professors");
attrEngineering = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "engineering", "engineering");
47 – 04/21/23, © 2009 Internet2
Create attribute names with GSHCreate attribute names with GSH
groupBrainProject.getAttributeDelegate().assignAttribute(attrArtsAndSciences);groupBrainProject.getAttributeDelegate().assignAttribute(attrOpticalResearch);groupBrainProject.getAttributeDelegate().assignAttribute(attrNeurology);
groupNeurologyProfessors.getAttributeDelegate().assignAttribute(attrResidents);groupNeurologyProfessors.getAttributeDelegate().assignAttribute( attrOpticalRe
search);groupNeurologyProfessors.getAttributeDelegate().assignAttribute( attrProfessors)
;
groupNeuralNetworks.getAttributeDelegate().assignAttribute(attrEngineering);groupNeuralNetworks.getAttributeDelegate().assignAttribute(attrNeurology);
48 – 04/21/23, © 2009 Internet2
Assign attributes with GSHAssign attributes with GSH
groupStudents = addGroup("school", "students", "students");groupFaculty = addGroup("school", "faculty", "faculty");
addMember("school:students", "test.subject.0");addMember("school:faculty", "test.subject.1");addMember("school:students", "test.subject.2");addMember("school:faculty", "test.subject.2");
49 – 04/21/23, © 2009 Internet2
Add users with GSHAdd users with GSH
studentsAttrDef.getPrivilegeDelegate().grantPriv(groupStudents.toSubject(), AttributeDefPrivilege.ATTR_READ, false);
facultyAttrDef.getPrivilegeDelegate().grantPriv(groupFaculty.toSubject(), AttributeDefPrivilege.ATTR_READ, false);
50 – 04/21/23, © 2009 Internet2
Assign attribute security with GSHAssign attribute security with GSH
• If integrating with Grouper via SQL, there will probably be a supported SQL interface soon
• Always put a view on top of the underlying tables, which assures smooth upgrading
create view school_group_labels_secure_v asselect gaagv.group_name, gaagv.attribute_def_name_name,gm.subject_source as reader_subject_source_id,gm.subject_id as reader_subject_subject_idfrom …
• Full DDL in slide notes…
51 – 04/21/23, © 2009 Internet2
Create a view for secure attribute readingCreate a view for secure attribute reading
• test.subject.0 is a student only, select all groups with attributes (secure query)
select group_name, attribute_def_name_name from school_group_labels_secure_vwhere reader_subject_source_id = 'jdbc'and reader_subject_id = 'test.subject.0'
Group Attributeschool:med:neurologyProfessors school:attr:students:opticalResearchschool:med:neurologyProfessors school:attr:students:residentsschool:computerScience:neuralNetworks school:attr:students:engineeringschool:math:brainProject school:attr:students:opticalResearchschool:math:brainProject school:attr:students:artsAndSciences
52 – 04/21/23, © 2009 Internet2
Query the attributes securelyQuery the attributes securely
• test.subject.1 is a faculty only, select all groups with attributes (secure query)
select group_name, attribute_def_name_name from school_group_labels_secure_vwhere reader_subject_source_id = 'jdbc'and reader_subject_id = 'test.subject.1 '
Group Attributeschool:med:neurologyProfessors school:attr:faculty:professorsschool:computerScience:neuralNetworks school:attr:faculty:neurologyschool:math:brainProject school:attr:faculty:neurology
53 – 04/21/23, © 2009 Internet2
Query the attributes securelyQuery the attributes securely
• test.subject.2 is a faculty and student, select all attributes for group neurologyProfessors
select group_name, attribute_def_name_name from school_group_labels_secure_vwhere reader_subject_source_id = 'jdbc'and reader_subject_id = 'test.subject.2' and group_name = 'school:med:neurologyProfessors '
Group Attributeschool:med:neurologyProfessors school:attr:students:opticalResearchschool:med:neurologyProfessors school:attr:faculty:professorsschool:med:neurologyProfessors school:attr:students:residents
54 – 04/21/23, © 2009 Internet2
Query the attributes securelyQuery the attributes securely
Permission managementPermission management
© Internet2 2009
Grouper privilege management
• Grouper 1.5 introduces central privilege management features
• Built on top of the groups registry and new attribute framework (includes security)
• Since privilege in grouper means privilege on a group or folder or attribute, will use “permission”
• In Grouper (in the API, GSH, WS, docs, etc) a privilege refers to being able to do something in Grouper (e.g. READ a group or CREATE objects in a folder)
• So, since privilege = permission, resources in the new privilege management features, a non-grouper privilege will be referred to as “permission”
• There are permissions as RBAC (Role Based Access Control), and individual permissions
57 – 04/21/23, © 2009 Internet2
Permission managementPermission management
© Internet2 2009
Grouper permission management
• Roles: links up groups/subjects and permission resources• Permission resources: a type of attribute (on Role or
effective Membership)• Permission sets: can bunch up permission resources into
one resource (e.g. for hierarchies)• Role inheritance: can allow roles to inherit permissions
from other roles (e.g. Senior loan administrator inherits from loan administrator)
• Action: qualifier of permission assignment, e.g. read or write
© Internet2 2009
Grouper role or permission directed graphs
• Not a hierarchy (supports multiple parents)
• Supports circular references
• Image is test case
Permission management demo #1Permission management demo #1
61 – 04/21/23, © 2009 Internet2
RBAC integration into an applicationRBAC integration into an application
62 – 04/21/23, © 2009 Internet2
Authorization designAuthorization design
63 – 04/21/23, © 2009 Internet2
Role definitionsRole definitions
• userSharer : can share documents, and can do anything a receiver can do– userReceiver : can receive documents
• sysAdmin : can manage emails and daemons, and things an admin can do– admin : can view audit logs on the admin console
• (complete GSH code in slide notes)
gsh 30% userSharerRole = rolesStem.addChildRole("userSharer", "userSharer");gsh 31% userReceiverRole = rolesStem.addChildRole("userReceiver",
"userReceiver");
gsh 32% userSharerRole.getRoleInheritanceDelegate().addRoleToInheritFromThis(userReceiverRole);
64 – 04/21/23, © 2009 Internet2
Role definitionsRole definitions
65 – 04/21/23, © 2009 Internet2
Role membersRole members
• userSharer : should have the group penn:community:staff (includes choate)– userReceiver : should have the group penn:community:students (includes mchyzer)
• sysAdmin : should have the user (includes melinas)– admin : can view audit logs on the admin console (includes bwh)
• Note: you could do this part in the Grouper UI or WS• (complete GSH code in slide notes)
gsh 40% studentsGroup = addGroup("penn:community", "students", "students");gsh 41% studentsGroup.addMember(SubjectFinder.findByIdentifier("mchyzer"));gsh 42% userReceiverRole.addMember(studentsGroup.toSubject());
gsh 43% adminRole.addMember(SubjectFinder.findByIdentifier("bwh"));
66 – 04/21/23, © 2009 Internet2
Role membersRole members
67 – 04/21/23, © 2009 Internet2
Resource definitionsResource definitions
• Penn’s web framework already manages (local) permissions• To integrate, we can use the same names, and override the decision• (complete GSH code in slide notes)
gsh 50% resourcesStem = addStem("penn:isc:apps:secureShare", "resources", "resources");
gsh 51% resourcesDef = resourcesStem.addChildAttributeDef("secureShareWebResources", AttributeDefType.perm);
gsh 52% splashResource = resourcesStem.addChildAttributeDefName(resourcesDef, "splash.jsp", "splash.jsp");
68 – 04/21/23, © 2009 Internet2
Resource definitionsResource definitions
69 – 04/21/23, © 2009 Internet2
Resource setsResource sets
• Not all that useful in this case, but as an example…(complete code in notes)
gsh 60% resourceSetsStem = addStem("penn:isc:apps:secureShare", "resourceSets", "resourceSets");
gsh 61% receiveSetResource = resourceSetsStem.addChildAttributeDefName(resourcesDef, "receiveSet", "receiveSet");
gsh 62% sendSetResource = resourceSetsStem.addChildAttributeDefName(resourcesDef, "sendSet", "sendSet");
gsh 63% receiveSetResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(splashResource);
gsh 64% receiveSetResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(receiveButtonResource);
gsh 65% sendSetResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(sendButtonResource);
gsh 66% sendSetResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(sendSectionResource);
70 – 04/21/23, © 2009 Internet2
Resource setsResource sets
71 – 04/21/23, © 2009 Internet2
Resource assignmentsResource assignments
• Assign resource sets to roles…
gsh 70% userSharerRole.getPermissionRoleDelegate().assignRolePermission(sendSetResource);
gsh 71% userReceiverRole.getPermissionRoleDelegate().assignRolePermission(receiveSetResource);
gsh 72% sysAdminRole.getPermissionRoleDelegate().assignRolePermission(sysAdminSetResource);
gsh 73% adminRole.getPermissionRoleDelegate().assignRolePermission(adminSetResource);
72 – 04/21/23, © 2009 Internet2
Resource assignmentsResource assignments
• Always make a view, don’t query the registry directly
create or replace view apps_sec_share_web_perms_v asselect distinct gpav.role_name, psv.pennname,
gpav.attribute_def_name_name from grouper_perms_all_v gpav, grouper_attribute_def ad,
person_source_v psv where subject_source_id = 'pennperson' and gpav.attribute_def_id = ad.id and ad.name= 'penn:isc:apps:secureShare:resources:secureShareWebResources' and psv.penn_id = gpav.subject_id
73 – 04/21/23, © 2009 Internet2
Make a view for app to read permissionsMake a view for app to read permissions
select * from apps_sec_share_web_perms_vPennNameResource Role_namebwh /fast/fastAdminConsole.jsp adminbwh /fast/fastAuditLogViewer.jsp adminbwh resourceSets:adminSet adminchoate splash.jsp userSharerchoate resourceSets:receiveSet userSharerchoate resourceSets:sendSet userSharerchoate FASTXsplash.jsp sendDocument userSharermchyzer splash.jsp userReceivermchyzer resourceSets:receiveSet userReceivermelinas /fast/fastEmailConfig.jsp sysAdminetc Note: the actual fully qualified data is in slide notes
74 – 04/21/23, © 2009 Internet2
Make a view for app to read permissionsMake a view for app to read permissions
• Improve performance• Not as dependent on Grouper DB• Permissions changes will require a logout/login if logged in• Can easily be swapped for WS call when available• Put this code in a login hook in the application:
//lets cache the Grouper permissions in sessionList<String> permissions = HibernateSession2.bySqlStatic() .conn("pennCommunity").listSelect(String.class, "select distinct ATTRIBUTE_DEF_NAME_NAME from " + "authzadm.apps_sec_share_web_perms_v where pennname = ?", fastUser.getPennkey());
httpSession.setAttribute("grouperPermissions", permissions);75 – 04/21/23, © 2009 Internet2
On login, cache the user’s permissionsOn login, cache the user’s permissions
• Penn’s framework has a hook to override authorization
List<String> permissions = (List<String>)httpSession.getAttribute( "grouperPermissions"); String resourceName = "penn:isc:apps:secureShare:resources:" +
propertyValue.getNameSystem(); boolean allowed = permissions.contains(resourceName)
76 – 04/21/23, © 2009 Internet2
Check permissions when neededCheck permissions when needed
• mchyzer is student• choate is staff• bwh is staff, admin• melinas is staff, sysAdmin• schleind was an admin, and needs to manage emails but not
daemons (thus can’t be sysAdmin)schleindMember = MemberFinder.findBySubject(this.grouperSession,
SubjectFinder.findByIdentifier("schleind"), true); adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
adminEmailButtonResource, schleindMember);adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
adminEmailResource, schleindMember);
77 – 04/21/23, © 2009 Internet2
Show Show demo
• Note, the SQL view of permission assignments (and future WS interface) can show the roles a user has
• It also can show permissions of a user while acting as a certain role
• So if you do not want “flattened” permissions in an application (for security purposes), you can let the user act as one of their roles
78 – 04/21/23, © 2009 Internet2
Act as a specific allowed roleAct as a specific allowed role
Permission management for data Permission management for data (demo #2)(demo #2)
• Can use a similar strategy to the previous web example, especially if there aren’t many resources to secure
e.g. select records from table where section in (?,?,?,?,?,?)
• If there are to many resources to secure (e.g. more than 100) or you want to join data in the database, you can use the following strategy
• This contrived example shows how to join SQL to security tables populated from Grouper
80 – 04/21/23, © 2009 Internet2
Authorization with dataAuthorization with data
• Org chart / class list• school
– artsAndSciences• chemistry
– chemistry101– chemistry201
• math– math220– math240
– engineering• computerScience
– computerScience99– computerScience300
• electricalEngineering– electricalEngineering400– electricalEngineering450
81 – 04/21/23, © 2009 Internet2
Authorization with dataAuthorization with data
gsh 100% communityStem = StemFinder.findByName(grouperSession, "penn:community", true);
gsh 101% orgResourcesStem = addStem("penn:community", "orgResources", "orgResources");
gsh 102% schoolStem = addStem("penn:community:orgResources", "school", "school");
gsh 103% artsAndSciencesStem = addStem("penn:community:orgResources:school", "artsAndSciences", "artsAndSciences");
gsh 104% chemistryStem = addStem("penn:community:orgResources:school:artsAndSciences", "chemistry", "chemistry");
gsh 105% mathStem = addStem("penn:community:orgResources:school:artsAndSciences", "math", "math")
• Complete GSH commands in slide notes
82 – 04/21/23, © 2009 Internet2
Create central stems (folders)Create central stems (folders)
• Note: this will be able to be managed by the Grouper loader• Note: complete GSH commands in slide notesgsh 110% orgResourcesDef = orgResourcesStem.addChildAttributeDef(
"orgResourcesDef", AttributeDefType.perm);gsh 111% schoolResource = orgResourcesStem.addChildAttributeDefName(
orgResourcesDef, "school", "school");gsh 112% artsAndSciencesResource = schoolStem.addChildAttributeDefName(
orgResourcesDef, "artsAndSciences", "artsAndSciences");gsh 113% chemistryResource = artsAndSciencesStem
.addChildAttributeDefName(orgResourcesDef, "chemistry", "chemistry");gsh 114% chemistry101Resource = chemistryStem
.addChildAttributeDefName(orgResourcesDef, "chemistry101", "chemistry101");gsh 115% chemistry201Resource = chemistryStem
.addChildAttributeDefName(orgResourcesDef, "chemistry201", "chemistry201");gsh 116% mathResource = artsAndSciencesStem
.addChildAttributeDefName(orgResourcesDef, "math", "math");
83 – 04/21/23, © 2009 Internet2
Create resourcesCreate resources
• Note: this will be able to be managed by the Grouper loader• Note: complete GSH commands in slide notesgsh 120% schoolResource.getAttributeDefNameSetDelegate()
.addToAttributeDefNameSet(artsAndSciencesResource);gsh 121% schoolResource.getAttributeDefNameSetDelegate()
.addToAttributeDefNameSet(engineeringResource);gsh 122% artsAndSciencesResource.getAttributeDefNameSetDelegate()
.addToAttributeDefNameSet(chemistryResource);gsh 123% artsAndSciencesResource.getAttributeDefNameSetDelegate()
.addToAttributeDefNameSet(mathResource);gsh 124% chemistryResource.getAttributeDefNameSetDelegate()
.addToAttributeDefNameSet(chemistry101Resource);gsh 125% chemistryResource.getAttributeDefNameSetDelegate()
.addToAttributeDefNameSet(chemistry201Resource);gsh 126% mathResource.getAttributeDefNameSetDelegate()
.addToAttributeDefNameSet(math220Resource);
84 – 04/21/23, © 2009 Internet2
Create resource sets (org hierarchy)Create resource sets (org hierarchy)
• Note: complete GSH commands in slide notes• bwh can write all of chemistry, and math 220• bwh can read all of arts and sciencesgsh 130% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
"write", chemistryResource, bwhMember);gsh 131% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
"write", math220Resource, bwhMember);gsh 132% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
"read", artsAndSciencesResource, bwhMember);• schleind can write computerScience99, and all of electricalEngineering• schleind can read the whole schoolgsh 133% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
"write", computerScience99Resource, schleindMember);gsh 134% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
"write", electricalEngineeringResource, schleindMember);gsh 135% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(
"read", schoolResource, schleindMember);
85 – 04/21/23, © 2009 Internet2
Use admin role from web example aboveUse admin role from web example above
• Note: complete DDL in slide notesSELECT DISTINCT gpav.role_name, psv.pennname, gpav.action, gadn.extension AS resource_extension FROM grouper_perms_all_v gpav, grouper_attribute_def ad, person_source_v psv, grouper_attribute_def_name gadn WHERE subject_source_id = 'pennperson' AND gpav.attribute_def_id = ad.ID AND ad.NAME = 'penn:community:orgResources:orgResourcesDef' AND psv.penn_id = gpav.subject_id AND gpav.attribute_def_name_id = gadn.ID AND gpav.role_name like 'penn:isc:apps:secureShare:roles:%'
86 – 04/21/23, © 2009 Internet2
Create a view of permissionsCreate a view of permissions
• Note: complete data in slide notesSELECT * from APPS_SEC_SHARE_DB_PERMS_VRole Pennname Action Resource_extensionpenn:isc:apps:secureShare:roles:admin bwh write chemistry101 penn:isc:apps:secureShare:roles:admin schleind read computerScience penn:isc:apps:secureShare:roles:admin bwh read math220 penn:isc:apps:secureShare:roles:admin schleind read chemistry penn:isc:apps:secureShare:roles:admin bwh write math220 penn:isc:apps:secureShare:roles:admin schleind read engineering penn:isc:apps:secureShare:roles:admin schleind read computerScience99 penn:isc:apps:secureShare:roles:admin schleind write electricalEngineering penn:isc:apps:secureShare:roles:admin schleind read chemistry201 penn:isc:apps:secureShare:roles:admin schleind read electricalEngineering
87 – 04/21/23, © 2009 Internet2
Sample dataSample data
CREATE TABLE SEC_SHARE_GROUPER_PERMS ( ROLE_NAME VARCHAR2(1024 BYTE), PENNNAME VARCHAR2(24 BYTE), ACTION VARCHAR2(32 BYTE), RESOURCE_EXTENSION VARCHAR2(255 BYTE));
88 – 04/21/23, © 2009 Internet2
Create application table for permissionsCreate application table for permissions
• Note: this could be done many ways, including a global periodic refresh• In this case, delete and insert the user’s permissions on login in one transaction HibernateSession2.callbackHibernateSession(true, new HibernateHandler2() { public Object callback(HibernateSession2 hibernateSession2) throws Exception { hibernateSession2.bySql().executeSql( "delete from SEC_SHARE_GROUPER_PERMS where pennname = ?", fastUser.getPennkey()); hibernateSession2.bySql().executeSql( "insert into SEC_SHARE_GROUPER_PERMS " + "(select role_name, pennname, action, resource_extension " + "from authzadm.APPS_SEC_SHARE_DB_PERMS_V@dcom_link " + "where pennname = ?)", fastUser.getPennkey()); hibernateSession2.endAndCloseSession(HibernateAction.COMMIT); return null; } });
89 – 04/21/23, © 2009 Internet2
Refresh user’s permissions on loginRefresh user’s permissions on login
• Create a table with org (class) identifiers• Join to the security table• Make screen editable if writable, readable if readable• Show demo
90 – 04/21/23, © 2009 Internet2
Data security demoData security demo
Lite UILite UI
© Internet2 2009
Lite membership update UI
• There is a new part of the UI which is for lite membership updates
• Can deep link from an external application• Ajax based• Can easily add/remove members• Can import/export membership lists (including
replace all)• Can search for members of a group
• Feature demo• Integration demo
93 – 04/21/23, © 2009 Internet2
Grouper UI liteGrouper UI lite
What’s new with GrouperWhat’s new with Grouper10/5/9 Internet2 Fall Member MeetingChris Hyzer, University of PennsylvaniaShilen Patel, Duke University
For more information, visit www.internet2.edu
94 – 04/21/23, © 2009 Internet2