View
218
Download
0
Embed Size (px)
Citation preview
Using PennGroupsUsing PennGroups
Using PennGroupsUsing PennGroups
Chris HyzerChris Hyzer
ISC/ASTTISC/ASTT
Sept 19, 2011Sept 19, 2011
04/18/23 ISC 1
Using PennGroupsUsing PennGroups
Using PennGroupsUsing PennGroups
Overview of Grouper Grouper versions and roadmap Grouper at Penn Secure Space example Atlassian example eForms example PHP use case Grouper UI: groups, permissions, etc Grouper client example Grouper privileges Survey
04/18/23 ISC 2
Using PennGroupsUsing PennGroups
Overview of GrouperOverview of Grouper
Tom Barton’s recent presentation
04/18/23 ISC 3
Using PennGroupsUsing PennGroups
Penn RoadmapPenn Roadmap
Hopefully uses for central permissions– E.g. warehouse permissions– E.g. PennCommunity Direct permissions
Always available read-only web services Shibboleth entitlement group membership integration PennCommunity Direct getPerson WS secure
attributes FAST permissions integration?
Using PennGroupsUsing PennGroups
AtlasAtlas
Penn’s Identity Management StrategyPenn’s Identity Management Strategy
04/18/23 5
PennKeyPennKey
PennCardPennCard
Ancillary Affiliates
(Temp, VFAC, CHOP, etc..)
Ancillary Affiliates
(Temp, VFAC, CHOP, etc..)
PennNames
Penn Community
Penn Directory
UPHSUPHS
SRSSRS
PennGroups3rd
Party Apps
3rdParty Apps
In-HouseApps
In-HouseApps
AuthZ Decisions via LDAP or WS
penn(Root)
CommunityISC
HRHR
Using PennGroupsUsing PennGroups
Penn: example folder structurePenn: example folder structure
Using PennGroupsUsing PennGroups
Getting started with PennGroupsGetting started with PennGroups
When School/Center is purchasing or developing a new system
– LSP (local support provider)/ application developer contacts Central IT
– LSP/developer and Central IT collaborate to:• Establish authorization use cases for the specific
application
• Determine access method (LDAP or Web Services)
• Determine best approach for group creation and maintenance
– School/Center fills out access forms
– Central IT consults with LSP/developer on group hierarchy structure
Using PennGroupsUsing PennGroups
PennGroups use casesPennGroups use cases
PTO – Paid Time Off– Penn Groups provides the flexibility so that the user selects their approver for time off.
Warehouse Apps– Penn groups provides a feed for org based security based on active status
School of Engineering and Applied Science– Affiliate level groups - faculty members, staff members, students, undergrads, grads,
PhD students
– Class level groups - everyone enrolled in every SEAS course, and several ad-hoc groups.
– Ad hoc groups generated and maintained via specific applications and business rules.
Using PennGroupsUsing PennGroups
PennGroups architecturePennGroups architecture
Using PennGroupsUsing PennGroups
PennGroups UIPennGroups UI
Grouper has a built in user interface
Penn generally uses the default UI, though:
– We customized the authentication to use Penn’s single signon
– We added custom code to require users to be in a grouper group to be able to log in (not everyone allowed)
Penn did a facelift for the Grouper 1.3 release in Spring 2008, improving the usability and help documentation
We have a separate app to run the grouper loader in a webapp and register kerberos principals (add in subject database, and keep track of who owns it)
Using PennGroupsUsing PennGroups
PennGroups ancillary UIPennGroups ancillary UI
Using PennGroupsUsing PennGroups
PennGroups ancillary UI (continued)PennGroups ancillary UI (continued)
Using PennGroupsUsing PennGroups
Penn’s experience with GrouperPenn’s experience with Grouper
Live for 3+ years 77 thousand groups 2.7 million memberships 54 kerberos service principals allowed to use
LDAP/WS– Some apps share, some are orphans
Using PennGroupsUsing PennGroups
Components used at PennComponents used at Penn
UI Lite-UI WS Client SQL interface We have our own secure LDAP feed External users GSH Notifications
Using PennGroupsUsing PennGroups
Components used at Penn (continued)Components used at Penn (continued)
Hooks (lightly) Rules (lightly) Permissions (lightly) Permissions UI Subject picker UI Kuali Rice – Grouper integration module Atlassian (Confluence / Jira) integration module Loader Encrypted passwords
Using PennGroupsUsing PennGroups
Penn’s Secure SpacePenn’s Secure Space
Penn launched Secure Space in Fall 2010 Initially it was for PennKey holders only Last month we released a version which uses
Grouper external users
Using PennGroupsUsing PennGroups
Penn’s Secure Space (continued)Penn’s Secure Space (continued)
Secure Space is built on Grouper with three groups per space: admins, users, readonly
When logging in, the grouper client / WS is used to cache the list of groups for user
On create/delete space, GC/WS is used to create/delete groups
Group memberships are managed via the membership lite UI screen
Using PennGroupsUsing PennGroups
Penn’s Secure Space (continued)Penn’s Secure Space (continued)
Penn’s Grouper has rules to only allow external users in certain SS folders
Penn’s Grouper external users must be invited to be able to register
SecureSpace uses InCommon EPPN is required for external users External users self-register their name, email,
institution
Using PennGroupsUsing PennGroups
Penn’s Secure Space (continued)Penn’s Secure Space (continued)
Penn installed Shibboleth Discovery Service (DS/WAYF), customized:– Pennify– Support channel– Make it easy for Penn users– Recommend ProtectNetwork for users who don’t have an
InCommon account which releases EPPN
Using PennGroupsUsing PennGroups
Penn’s Secure Space (continued)Penn’s Secure Space (continued)
Grouper shows external users with different icon, and description:
[unverifiedInfo] First Last - institution [externalUserId] [email protected]
External users do not show in results for groups which do not allow external users
Demo
Using PennGroupsUsing PennGroups
FAST PennGroup’s integrationFAST PennGroup’s integration
FAST can link a FAST group to a PennGroup in the fastConfig
FAST_ADMIN asserts that users are in the ISC org to be an admin (can be overridden in fastConfig)– Contractors can be added in Group in PennGroups
PennKey to PennId translation uses PennCommmunity first, and if failure, then LDAP
FAST PennGroups membership called are also redundant
Using PennGroupsUsing PennGroups
Atlassian – Grouper connectorAtlassian – Grouper connector
• Penn using in production since Dec 2010, requires Grouper 1.6+
• Implements the OpenSymphony osuser interfaces:– Credentials provider (optional?)– Access provider– Profile provider (optional?)
Using PennGroupsUsing PennGroups
Atlassian – Grouper connector Atlassian – Grouper connector (continued)(continued)
Map a root folder for Confluence or Jira Groups (unnamespaced) are in that folder Can create/delete groups from atlassian,
though sometimes there are issues… we just create/use from Grouper
XMPP messaging from Grouper to Atlassian for real time updates
Fail-safe cache so if Grouper is down, Atlassian is up– Note, cache at Penn configured to last 24 hours,
failsafe cache lasts 48 hours
Using PennGroupsUsing PennGroups
Atlassian – Grouper connector Atlassian – Grouper connector (continued)(continued)
If you have LDAP groups with memberOf and member, you can use Atlassian LDAP groups
If not, you can use this Two-way editing is nice (if it works) If no anonymous access, there is a REMOTE_USER
authenticator too
Using PennGroupsUsing PennGroups
Atlassian – Grouper demoAtlassian – Grouper demo See Group in Atlassian See Group in Grouper (lite UI) Edit membership in Grouper See Group unchanged in Atlassian See logs, after 2 minutes a message will appear from
Grouper XMPP notifications Group is now changed in Atlassian Change group back, see message and change
Using PennGroupsUsing PennGroups
Atlassian – Grouper futureAtlassian – Grouper future Penn ISC is happy with it Could have better cache clearing
– Currently it clears all groups, and with large deployments and lots of groups, and lots of membership updates, it can be a performance issue
Fix two way membership changes– This used to work, then stopped working, and we just use
Grouper (show demo)
Using PennGroupsUsing PennGroups
Atlassian – Grouper Penn configAtlassian – Grouper Penn config Show Penn config for atlassian connector
Using PennGroupsUsing PennGroups
Penn eForms: Paper form screenshotPenn eForms: Paper form screenshot
In 2009 Penn wanted to convert paper access management forms to eForms
28 – 04/18/23, © 2009 Internet2
Using PennGroupsUsing PennGroups
Penn eForms: Paper form screenshot (continued)Penn eForms: Paper form screenshot (continued)
29 – 04/18/23, © 2009 Internet2
Using PennGroupsUsing PennGroups
30 – 04/18/23, © 2009 Internet2
Penn eForms: How to connect Rice to Grouper?Penn eForms: How to connect Rice to Grouper?
Add two jars to Rice (grouperRice.jar and grouperClient.jar)
Add and configure grouper.client.properties Configure Rice spring override to group and/or
identity service Setup a Grouper folder for the “Rice root”
Using PennGroupsUsing PennGroups
31 – 04/18/23, © 2009 Internet2
Ricerequest
grouperRice.jar
Kuali DB
Rice server
GrouperRegistry
Grouper WS server
Grouper.client.properties
grouperClient.jar
Penn eForms: Kuali Rice overridable servicesPenn eForms: Kuali Rice overridable services
Using PennGroupsUsing PennGroups
Grouper WS serverGrouper.client.properties
grouperClient.jar
REST
LDAP
Penn eForms: Grouper clientPenn eForms: Grouper client
One jar (no conflicts with existing libraries) Supports all of Grouper WS API Command line example
java –jar grouperClient.jar --operation=hasMemberWs --groupName=aStem:aGroup --subjectIds=1234567
Java library examplenew GcHasMember().assignGroupName("aStem:aGroup“)
.addSubjectId("1234567").execute();
Using PennGroupsUsing PennGroups
Initiator fills out form
GrouperRegistry
Kuali DB
Get members to route to and emails
Grouper WS
Routes to approver group
Routes to approver groupN
Final Add a member to a Grouper group/role and/or assign
permissions
On login to Rice, get subject details
Archive the document data, and workflow history
One in groupapproves
1
3
4
5
Grouper UI
Person / org pickers2
Penn eForms: workflow with GrouperPenn eForms: workflow with Grouper
Using PennGroupsUsing PennGroups
Initiator fills out form If on behalf of someone else, they need to approve it, unless it is a ‘remove access’ 1
4
Supervisor (person picker)
2On behalf of
remove?
3
NoYes
Grouper group selected from available schools
Note: supervisor cannot be thesame as ‘On behalf of’
School admin
HR
Payroll
HR and payroll could approve in parallel in future
8 Operations Grant access that isn’t automatically provisioned
Change KEW initiator to ‘on behalf of’ user
7 Data admin Assert that form is valid
9 Data admin Assert that privileges were granted correctly
Final Send email to ‘on behalf of’ user10
5
6
eForms demo workfloweForms demo workflow
Using PennGroupsUsing PennGroups
Grouper Rice demoGrouper Rice demo
Demo movie Note, there is a larger pres about this too
Using PennGroupsUsing PennGroups
PHP use casePHP use case
Using PennGroupsUsing PennGroups
© Internet2 2009
PHP simple use casePHP simple use case
Clay suggested a simple PHP use case... A Penn department wants to protect parts of their site
based on group in PennGroups https://spaces.internet2.edu/display/Grouper/
Use+case+of+Grouper+and+webpage+access Note, you need to change settings to be specific for
Penn, let me know if you need these settings
Using PennGroupsUsing PennGroups
Some grouper featuresSome grouper features
Using PennGroupsUsing PennGroups
© Internet2 2009
Attribute frameworkAttribute framework
Grouper previously had Group types and attributes In 1.5, this feature was redone and improved
Using PennGroupsUsing PennGroups
© Internet2 2009
Can assign attributes to many object typesCan assign attributes to many object types
Groups Folders Members Memberships (immediate or effective) Other attributes Attribute assignments (1 level deep)
Using PennGroupsUsing PennGroups
© Internet2 2009
Attribute securityAttribute security
Similar privileges to group security ATTR_READ (can see assignments) ATTR_UPDATE (can make assignments) ATTR_ADMIN (can edit attribute fields) ATTR_VIEW (can see that the attribute
exists) ATTR_OPTIN (can assign to own member or
membership) ATTR_OPTOUT
Using PennGroupsUsing PennGroups
© Internet2 2009
Attribute security (continued)Attribute security (continued)
Anyone with CREATE in a folder can create attributes
It takes more than attribute security to assign attributes, you need rights on the object as well– E.g. To assign a group attribute, you need ADMIN
on the group and ATTR_UPDATE on the attribute
One attribute definition can have multiple names (to reduce the security assignments)
Using PennGroupsUsing PennGroups
Attribute framework UIAttribute framework UI
Attribute framework UI is an ajax UI (similar to lite membership screen)
Creates, edits, assigns attributes For Grouper 2.0 Currently in SVN, you can create attributes, names,
hierarchies, privileges, roles, role hierarchies, actions, action hierarchies etc
Using PennGroupsUsing PennGroups
Attribute framework UI Attribute framework UI (continued)(continued)
Attributes and actions Attribute privileges Attribute names (including hierarchy) Groups and roles (including hierarchy and privileges) Attribute assignments Permission assignments (including limits)
Using PennGroupsUsing PennGroups
Permission managementPermission management
In Grouper (in the API, GSH, WS, docs, etc) a privilege refers to being able to do something in Grouper (e.g. READ a group or CREATE objects in a folder)
So, since privilege = permission, resources in the new privilege management features, a non-grouper privilege will be referred to as “permission”
There are permissions as RBAC (Role Based Access Control), and individual permissions
45 – 04/18/23, © 2009 Internet2
Using PennGroupsUsing PennGroups
© Internet2 2009
Grouper permission managementGrouper permission management Roles: links up groups/subjects and permission
resources Permission resources: a type of attribute (on Role or
effective Membership) Permission sets: can bunch up permission
resources into one resource (e.g. for hierarchies) Role inheritance: can allow roles to inherit
permissions from other roles (e.g. Senior loan administrator inherits from loan administrator)
Action: qualifier of permission assignment, e.g. read or write
Using PennGroupsUsing PennGroups
© Internet2 2009
Grouper role or permission directed graphsGrouper role or permission directed graphs
Not a hierarchy (supports multiple parents)
Supports circular references
Image is test case
Using PennGroupsUsing PennGroups
Grouper permissions ALLOW/DENYGrouper permissions ALLOW/DENY
This is an up-and-coming topic (v2.0) Explains permissions in Grouper and how you can
set them up, and the issues involved Document
Using PennGroupsUsing PennGroups
Demo serverDemo server Internet2 has a Grouper Demo Server Address is: https://grouperdemo.internet2.edu/ Host various versions of Grouper Show features (e.g. permissions, external users,
syncing between groupers) Allow users or potential users to kick the tires (not for
production obviously)
Using PennGroupsUsing PennGroups
Penn’s test serverPenn’s test server
Penn has a test environment for Grouper, which is the best place to test things out
The production environment of Grouper has two top-level folders:– /penn/– /test/
If you want to try simple things out in prod in the penn or test folder, go ahead– Note: if you are doing load testing or have a lot of sample
data then do not use prod due to audit and point-in-time
Note: Im not sure of the status of the test ldap
Using PennGroupsUsing PennGroups
Demo server setup folders for usersDemo server setup folders for users
Already done for all users except one (so I can demo) Show setup for mvm Create folder: users/penn2/mvm Create group: users/penn2/mvm/mvmAdmins Invite external user, conscript the eppn since it is
known: [email protected] Assign the CREATE GROUP and CREATE FOLDER
privileges to mvmAdmins, and READ/UPDATE on mvmAdmins
Using PennGroupsUsing PennGroups
Demo server - registerDemo server - register
Google: grouper demo server external users Click on the register link Fill in name, institution, email, etc After everyone is done, I will regenerate external
subjects’ description via GSH, though Im not sure it is necessary
gsh 1% GrouperSession.startRootSession()gsh 2% ExternalSubject.internal_daemonCalcFields();
Using PennGroupsUsing PennGroups
GroupGroup
Group – a collection of subjects Create a group in your folder with the admin UI
– Do not make it world readable– Add some subjects
Do the same thing with the Lite UI
Using PennGroupsUsing PennGroups
Grouper group privilegesGrouper group privilegesPrivileges (or Grouper Privileges) refer to control on Grouper objectsPermissions refer to central permissions management
Try to search for a group that your neighbor created–You shouldn’t be able to do it, you don’t have VIEW
Grant VIEW to your neighbor’s EPPN, have them do it too (Admin UI)–Search for your neighbors group, try to view members, can’t without READ
Grant READ with Lite UI to neighbor’s EPPN, try view membersTry to update members, grant UPDATE, try to update membersTry to change name of neighbor’s group, can’t without ADMINGrant ADMIN to neighbor’s EPPN, change name of group
Using PennGroupsUsing PennGroups
Grouper folder privilegesGrouper folder privilegesCreate a folder in your folderTry to create a group in your neighbor’s new folderCan’t without CREATE GROUP (or other objects)Grant this privilege, try nowTry to create a subfolder in neighbors folderCan’t without CREATE FOLDERGrant this privilege, try now
Using PennGroupsUsing PennGroups
See groups of a subjectSee groups of a subjectSearch for your EPPN from menu on left of admin UISee which direct or indirect groups you are in
–Note, this is a secure view. If there are groups that you cannot READ or ADMIN, then you wont see them in the list
Using PennGroupsUsing PennGroups
Grouper loaderGrouper loaderGrouper can load a group based on SQL query
–Generally this is from the PennCommunity database or the warehouse–Schedule is croned
Can also load a group of groups in one query–E.g. class lists–E.g. orgs
Show examplesISC Data Administration can help write queriesEmail the PennGroups help email list for information
Using PennGroupsUsing PennGroups
Loader include/exclude exampleLoader include/exclude exampleCreate a groupRead/update should not be granted to everyoneUse addIncludeExclude type
Look in folder, there will be 5 groups created with that type.Open the system of record, and lets make that the loader group. The loader group is community:students
Create this view in the DB (this is done):mysql> CREATE OR REPLACE VIEW loader_student AS \(SELECT subjectId AS subject_id FROM SUBJECT WHERE \subjectId LIKE 'fi%');
Using PennGroupsUsing PennGroups
Loader include/exclude example (continued)Loader include/exclude example (continued)
Add the students group to the system of record groupSet the system of record group to be grouperLoader typeEdit attributes on the group (already done, admin only):
grouperLoaderDbName: grouperNOTE: configure other DB connections in grouper-loader.propertiesNOTE: every minute just for testing…grouperLoaderQuartzCron: 0 * * * * ? grouperLoaderQuery: select subject_id subject_id from \ loader_studentgrouperLoaderScheduleType: CRONgrouperLoaderType: SQL_SIMPLEBounce loader (CTRL-c, start again, don’t run twice at same time!)
% ./gsh.sh -loader
Using PennGroupsUsing PennGroups
Loader include/exclude example (continued)Loader include/exclude example (continued)
Never edit the loader group, unless you expect it to get overwrittenAdd fico to the excludes groupAdd bapo to the includes groupLook at the overall groupGenerally the privileges are:Assign READ on all to adminsAssign UPDATE on include/exclude groups to adminsAssign READ to service principal of app for overall group or other people who need to use the group
Using PennGroupsUsing PennGroups
RequireInGroups exampleRequireInGroups exampleCreate a folder under root: appsCreate a folder under that folder: ptoCreate a group in that stem: apps:pto:ptoAdminsSelect the requireInGroups type for that groupThis created another system of record group, and an overall groupIn the overall group, edit the attribute: requireAlsoInGroupsThe value should be: community:studentsNow see that the overall group is an intersection compositeAdd baco and fipo to the system of record groupWhich is in overall groupWhy?
Using PennGroupsUsing PennGroups
Get the Grouper Client BinaryGet the Grouper Client Binary http://www.internet2.edu/grouper/release/2.0.0/ Edit the grouper.client.properties
grouperClient.webService.url = https://grouperdemo.internet2.edu/grouper-ws_v2_0_0/servicesRest
grouperClient.webService.login = test1grouperClient.webService.password = **************
Using PennGroupsUsing PennGroups
Get the Grouper Client (continued)Get the Grouper Client (continued)Get usage:$ java -jar grouperClient.jar$ java -jar grouperClient.jar --operation=getMembersWs --groupNames=users:penn:mchyzer:apps:pto:mchyzerPtoUsers
Customize the output (note, double quotes for windows, single quotes for unix):
$ java -jar grouperClient.jar --operation=getMembersWs --groupNames=users:penn:mchyzer:apps:pto:mchyzerPtoUsers --outputTemplate='${wsSubject.id}$newline$'
Using PennGroupsUsing PennGroups
Grouper client uses XML POXGrouper client uses XML POX$ java -jar grouperClient.jar --operation=getMembersWs \
--groupNames=test:testGroup --debug=true
################ REQUEST START (indented) ###############
POST /test1_grouperWs/servicesRest/v1_6_003/groups HTTP/1.1
Content-Type: text/xml; charset=UTF-8
<WsRestGetMembersRequest>
<wsGroupLookups>
<WsGroupLookup>
<groupName>test:testGroup</groupName>
</WsGroupLookup>
</wsGroupLookups>
</WsRestGetMembersRequest>
################ REQUEST END ###############
Using PennGroupsUsing PennGroups
Grouper client uses XML POX (continued)Grouper client uses XML POX (continued)
################ RESPONSE START (indented) ###############HTTP/1.1 200 OKX-Grouper-resultCode: SUCCESSX-Grouper-success: T<WsGetMembersResults> <resultMetadata> <resultCode>SUCCESS</resultCode> <results> <WsGetMembersResult> <wsSubjects> <WsSubject> <resultCode>SUCCESS</resultCode> <success>T</success> <id>babu</id> <sourceId>jdbc</sourceId> </WsSubject>
Using PennGroupsUsing PennGroups
Grouper client as libraryGrouper client as library% cd ~/1.6.3/grouper.clientBinary-1.6.3% emacs GrouperClientExample.javaimport edu.internet2.middleware.grouperClient.api.GcGetMembers;import edu.internet2.middleware.grouperClient.util.GrouperClientUtils;import edu.internet2.middleware.grouperClient.ws.beans.*;public class GrouperClientExample { public static void main(String[] args) { WsGetMembersResults wsGetMembersResults = new GcGetMembers().addGroupName("test:testGroup").execute(); WsGetMembersResult wsGetMembersResult = wsGetMembersResults.getResults()[0]; for (WsSubject wsSubject : GrouperClientUtils.nonNull( wsGetMembersResult.getWsSubjects(), WsSubject.class)) { System.out.println(wsSubject.getId()); } }}
Using PennGroupsUsing PennGroups
Grouper client as library (continued)Grouper client as library (continued)
Note, colons for unix, semicolons for windows% javac -cp .:grouperClient.jar -sourcepath .
GrouperClientExample.java% java -cp .:grouperClient.jar GrouperClientExamplebabubabrBabl%
Using PennGroupsUsing PennGroups
Grouper WS documentation and samplesGrouper WS documentation and samples
There are hundreds of samples of WS for each operation in:SOAPSOAP-litePOXPOX-liteJSONXHTML
These are auto generated for the release and stored in SVN.
Using PennGroupsUsing PennGroups
Grouper customized UIsGrouper customized UIsGrouper UIs can have custom text or skins
–E.g. membership lite UI–E.g. person picker
Helps the Grouper screens integrate better with applicationShow example
Using PennGroupsUsing PennGroups
Lite UI export/importLite UI export/importGo to the lite UI of ptoAdmins_systemOfRecordUnder advanced, export entity id's of the groupSave as csv, add elwiImport that, and see elwi added
Using PennGroupsUsing PennGroups
Admin UI audit logAdmin UI audit logGo to the admin UI of ptoAdmins_systemOfRecordClick on Audit LogSee all the actions taken to this groupWhy is the Create Group not there?Where is it?
Using PennGroupsUsing PennGroups
SurveySurveyPlease fill out this survey to help us improve our traininghttp://www.surveymonkey.com/s/LLWGLGD
Using PennGroups
Questions?Questions?
04/18/23 ISC 73