What’s new with Grouper
10/5/9 Internet2 Fall Member Meeting
Chris Hyzer, University of Pennsylvania

Netherlands attribute framework use case

• Labels on Groups to organize and search for relevant groups
• “groups (of students) would belong to a certain school/university but also to one or more departments (depending on the school they're enrolled at) and we would like to find them either way”
• Organize many to many relationships (without stems or groups of groups)
3 – 04/20/23, © 2009 Internet2

Netherlands attribute framework use case

• All labels can be configured in the system (not free-form)
• “Security: the Grouper instance will be used by two separate end-user groups, for which we will instantiate a different version of the GUI that will operate on a different stem. Labels of one instance should not come up in the other GUI and vice versa”

Netherlands attribute framework use case

• External Application written in PHP
• SQL interface for READ is ok
• GSH for WRITE is ok if performance is ok
• WS is the long term solution

Groups and attributes

• Group: school:math:brainProject
  – Attribute: school:attr:students:artsAndSciences
  – Attribute: school:attr:students:opticalResearch
  – Attribute: school:attr:faculty:neurology
• Group: school:med:neurologyProfessors
  – Attribute: school:attr:students:residents
  – Attribute: school:attr:students:opticalResearch
  – Attribute: school:attr:faculty:professors
• Group: school:computerScience:neuralNetworks
  – Attribute: school:attr:students:engineering
  – Attribute: school:attr:faculty:neurology

Create groups with GSH

gsh 0% addRootStem("school", "school");
gsh 1% addStem("school", "math", "math");
gsh 2% addStem("school", "med", "med");
gsh 3% addStem("school", "computerScience", "computerScience");
gsh 4% groupBrainProject = addGroup("school:math", "brainProject", "brainProject");
gsh 5% groupNeurologyProfessors = addGroup("school:med", "neurologyProfessors", "neurologyProfessors");
gsh 6% groupNeuralNetworks = addGroup("school:computerScience", "neuralNetworks", "neuralNetworks");

Create attribute stems with GSH

gsh 7% addStem("school", "attr", "attr");
gsh 8% addStem("school:attr", "students", "students");
gsh 9% addStem("school:attr", "faculty", "faculty");
gsh 11% grouperSession = GrouperSession.startRootSession();
gsh 12% attrStudentsStem = StemFinder.findByName(grouperSession, "school:attr:students");
gsh 13% attrFacultyStem = StemFinder.findByName(grouperSession, "school:attr:faculty");

Create attribute definitions with GSH

gsh 15% studentsAttrDef = attrStudentsStem.addChildAttributeDef("students", AttributeDefType.attr);
gsh 16% facultyAttrDef = attrFacultyStem.addChildAttributeDef("faculty", AttributeDefType.attr); // faculty def belongs under school:attr:faculty, matching the names assigned below

Create attribute names with GSH

attrArtsAndSciences = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "artsAndSciences", "artsAndSciences");
attrOpticalResearch = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "opticalResearch", "opticalResearch");
attrResidents = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "residents", "residents");
attrNeurology = attrFacultyStem.addChildAttributeDefName(facultyAttrDef, "neurology", "neurology");
attrProfessors = attrFacultyStem.addChildAttributeDefName(facultyAttrDef, "professors", "professors");
attrEngineering = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "engineering", "engineering");

Assign attributes with GSH

groupBrainProject.getAttributeDelegate().assignAttribute(attrArtsAndSciences);
groupBrainProject.getAttributeDelegate().assignAttribute(attrOpticalResearch);
groupBrainProject.getAttributeDelegate().assignAttribute(attrNeurology);
groupNeurologyProfessors.getAttributeDelegate().assignAttribute(attrResidents);
groupNeurologyProfessors.getAttributeDelegate().assignAttribute(attrOpticalResearch);
groupNeurologyProfessors.getAttributeDelegate().assignAttribute(attrProfessors);
groupNeuralNetworks.getAttributeDelegate().assignAttribute(attrEngineering);
groupNeuralNetworks.getAttributeDelegate().assignAttribute(attrNeurology);

Add users with GSH

groupStudents = addGroup("school", "students", "students");
groupFaculty = addGroup("school", "faculty", "faculty");
addMember("school:students", "test.subject.0");
addMember("school:faculty", "test.subject.1");
addMember("school:students", "test.subject.2");
addMember("school:faculty", "test.subject.2");

Assign attribute security with GSH

studentsAttrDef.getPrivilegeDelegate().grantPriv(groupStudents.toSubject(), AttributeDefPrivilege.ATTR_READ, false);
facultyAttrDef.getPrivilegeDelegate().grantPriv(groupFaculty.toSubject(), AttributeDefPrivilege.ATTR_READ, false);

Create a view for secure attribute reading

• If integrating with Grouper via SQL, there will probably be a supported SQL interface soon
• Always put a view on top of the underlying tables, which assures smooth upgrading

create view school_group_labels_secure_v as
select gaagv.group_name, gaagv.attribute_def_name_name,
  gm.subject_source as reader_subject_source_id,
  gm.subject_id as reader_subject_id
from …

• Full DDL in slide notes…

Query the attributes securely

• test.subject.0 is a student only, select all groups with attributes (secure query)

select group_name, attribute_def_name_name
from school_group_labels_secure_v
where reader_subject_source_id = 'jdbc'
and reader_subject_id = 'test.subject.0'

Group                                   Attribute
school:med:neurologyProfessors          school:attr:students:opticalResearch
school:med:neurologyProfessors          school:attr:students:residents
school:computerScience:neuralNetworks   school:attr:students:engineering
school:math:brainProject                school:attr:students:opticalResearch
school:math:brainProject                school:attr:students:artsAndSciences

Query the attributes securely

• test.subject.1 is faculty only, select all groups with attributes (secure query)

select group_name, attribute_def_name_name
from school_group_labels_secure_v
where reader_subject_source_id = 'jdbc'
and reader_subject_id = 'test.subject.1'

Group                                   Attribute
school:med:neurologyProfessors          school:attr:faculty:professors
school:computerScience:neuralNetworks   school:attr:faculty:neurology
school:math:brainProject                school:attr:faculty:neurology

Query the attributes securely

• test.subject.2 is both faculty and student, select all attributes for group neurologyProfessors

select group_name, attribute_def_name_name
from school_group_labels_secure_v
where reader_subject_source_id = 'jdbc'
and reader_subject_id = 'test.subject.2'
and group_name = 'school:med:neurologyProfessors'

Group                                   Attribute
school:med:neurologyProfessors          school:attr:students:opticalResearch
school:med:neurologyProfessors          school:attr:faculty:professors
school:med:neurologyProfessors          school:attr:students:residents

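The three secure queries above all apply one rule: a reader sees a group's attribute only if the reader holds ATTR_READ on that attribute's definition, which here was granted to the school:students and school:faculty groups. The Python below is an added model of that rule, not code from the deck or from Grouper; the group names, attribute names, memberships and grants are the ones on the preceding slides, and the function names are mine.

```python
# Model of the "secure view" on the preceding slides: which (group, attribute)
# rows a reader is allowed to see. Constructed example, not Grouper code.

# assignAttribute() calls from the "Groups and attributes" slide.
GROUP_ATTRIBUTES = {
    "school:math:brainProject": [
        "school:attr:students:artsAndSciences",
        "school:attr:students:opticalResearch",
        "school:attr:faculty:neurology"],
    "school:med:neurologyProfessors": [
        "school:attr:students:residents",
        "school:attr:students:opticalResearch",
        "school:attr:faculty:professors"],
    "school:computerScience:neuralNetworks": [
        "school:attr:students:engineering",
        "school:attr:faculty:neurology"],
}
# Each attribute name belongs to one attribute definition (studentsAttrDef or
# facultyAttrDef); ATTR_READ is granted on the definition, not on the name.
ATTRIBUTE_DEF = {name: ("students" if ":students:" in name else "faculty")
                 for attrs in GROUP_ATTRIBUTES.values() for name in attrs}
# grantPriv(group.toSubject(), ATTR_READ): definition -> groups allowed to read.
ATTR_READ_GRANTS = {"students": {"school:students"}, "faculty": {"school:faculty"}}
# addMember() calls from the "Add users with GSH" slide.
MEMBERSHIPS = {"school:students": {"test.subject.0", "test.subject.2"},
               "school:faculty": {"test.subject.1", "test.subject.2"}}

def readable_defs(reader):
    """Attribute definitions the reader can read via some group membership."""
    return {d for d, groups in ATTR_READ_GRANTS.items()
            if any(reader in MEMBERSHIPS.get(g, ()) for g in groups)}

def secure_rows(reader, group_name=None):
    """Rows of school_group_labels_secure_v for one reader, optionally limited
    to one group: the (group_name, attribute_def_name_name) pairs it may see."""
    defs = readable_defs(reader)
    return sorted((group, attr)
                  for group, attrs in GROUP_ATTRIBUTES.items()
                  if group_name in (None, group)
                  for attr in attrs if ATTRIBUTE_DEF[attr] in defs)

def all_rows():
    """The unfiltered join, for comparison: every assignment, any reader."""
    return sorted((g, a) for g, attrs in GROUP_ATTRIBUTES.items() for a in attrs)

if __name__ == "__main__":
    for reader in ("test.subject.0", "test.subject.1", "test.subject.2"):
        print(reader, "reads defs", sorted(readable_defs(reader)))
        for group, attr in secure_rows(reader):
            print("   ", group, attr)
```

The difference between all_rows() (8 rows) and secure_rows() for each reader is exactly what the view hides, and is also what keeps the two Dutch GUI instances from seeing each other's labels.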
Permission management

• In Grouper (in the API, GSH, WS, docs, etc.) a privilege refers to being able to do something in Grouper (e.g. READ a group or CREATE objects in a folder)
• So, since “privilege” already has that meaning, in the new privilege management features a non-Grouper privilege on a resource will be referred to as a “permission”
• There are permissions as RBAC (Role Based Access Control), and individual permissions

RBAC integration into an application

Role definitions

• userSharer : can share documents, and can do anything a receiver can do
  – userReceiver : can receive documents
• sysAdmin : can manage emails and daemons, and things an admin can do
  – admin : can view audit logs on the admin console
• (complete GSH code in slide notes)

gsh 30% userSharerRole = rolesStem.addChildRole("userSharer", "userSharer");
gsh 31% userReceiverRole = rolesStem.addChildRole("userReceiver", "userReceiver");
gsh 32% userSharerRole.getRoleInheritanceDelegate().addRoleToInheritFromThis(userReceiverRole);

Role members

• userSharer : should have the group penn:community:staff (includes choate)
  – userReceiver : should have the group penn:community:students (includes mchyzer)
• sysAdmin : should have the user (includes melinas)
  – admin : can view audit logs on the admin console (includes bwh)
• Note: you could do this part in the Grouper UI or WS
• (complete GSH code in slide notes)

gsh 40% studentsGroup = addGroup("penn:community", "students", "students");
gsh 41% studentsGroup.addMember(SubjectFinder.findByIdentifier("mchyzer"));
gsh 42% userReceiverRole.addMember(studentsGroup.toSubject());
gsh 43% adminRole.addMember(SubjectFinder.findByIdentifier("bwh"));

Resource definitions

• Penn’s web framework already manages (local) permissions
• To integrate, we can use the same names, and override the decision
• (complete GSH code in slide notes)

gsh 50% resourcesStem = addStem("penn:isc:apps:secureShare", "resources", "resources");
gsh 51% resourcesDef = resourcesStem.addChildAttributeDef("secureShareWebResources", AttributeDefType.perm);
gsh 52% splashResource = resourcesStem.addChildAttributeDefName(resourcesDef, "splash.jsp", "splash.jsp");

Resource sets

• Not all that useful in this case, but as an example… (complete code in notes)

gsh 60% resourceSetsStem = addStem("penn:isc:apps:secureShare", "resourceSets", "resourceSets");
gsh 61% receiveSetResource = resourceSetsStem.addChildAttributeDefName(resourcesDef, "receiveSet", "receiveSet");
gsh 62% sendSetResource = resourceSetsStem.addChildAttributeDefName(resourcesDef, "sendSet", "sendSet");
gsh 63% receiveSetResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(splashResource);
gsh 64% receiveSetResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(receiveButtonResource);
gsh 65% sendSetResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(sendButtonResource);
gsh 66% sendSetResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(sendSectionResource);

Resource assignments

• Assign resource sets to roles…

gsh 70% userSharerRole.getPermissionRoleDelegate().assignRolePermission(sendSetResource);
gsh 71% userReceiverRole.getPermissionRoleDelegate().assignRolePermission(receiveSetResource);
gsh 72% sysAdminRole.getPermissionRoleDelegate().assignRolePermission(sysAdminSetResource);
gsh 73% adminRole.getPermissionRoleDelegate().assignRolePermission(adminSetResource);

Make a view for app to read permissions

• Always make a view, don’t query the registry directly

create or replace view apps_sec_share_web_perms_v as
select distinct gpav.role_name, psv.pennname, gpav.attribute_def_name_name
from grouper_perms_all_v gpav, grouper_attribute_def ad, person_source_v psv
where subject_source_id = 'pennperson'
and gpav.attribute_def_id = ad.id
and ad.name = 'penn:isc:apps:secureShare:resources:secureShareWebResources'
and psv.penn_id = gpav.subject_id

Make a view for app to read permissions

select * from apps_sec_share_web_perms_v

PennName   Resource                          Role_name
bwh        /fast/fastAdminConsole.jsp        admin
bwh        /fast/fastAuditLogViewer.jsp      admin
bwh        resourceSets:adminSet             admin
choate     splash.jsp                        userSharer
choate     resourceSets:receiveSet           userSharer
choate     resourceSets:sendSet              userSharer
choate     FASTXsplash.jsp sendDocument      userSharer
mchyzer    splash.jsp                        userReceiver
mchyzer    resourceSets:receiveSet           userReceiver
melinas    /fast/fastEmailConfig.jsp         sysAdmin
etc

Note: the actual fully qualified data is in slide notes

On login, cache the user’s permissions

• Improve performance
• Not as dependent on Grouper DB
• Permissions changes will require a logout/login if logged in
• Can easily be swapped for WS call when available
• Put this code in a login hook in the application:

// let's cache the Grouper permissions in session
List<String> permissions = HibernateSession2.bySqlStatic()
    .conn("pennCommunity").listSelect(String.class,
        "select distinct ATTRIBUTE_DEF_NAME_NAME from "
        + "authzadm.apps_sec_share_web_perms_v where pennname = ?",
        fastUser.getPennkey());
httpSession.setAttribute("grouperPermissions", permissions);

Check permissions when needed

• Penn’s framework has a hook to override authorization

// read the permissions cached at login and decide for the requested resource
List<String> permissions = (List<String>) httpSession.getAttribute("grouperPermissions");
String resourceName = "penn:isc:apps:secureShare:resources:" + propertyValue.getNameSystem();
boolean allowed = permissions.contains(resourceName);

Show demo

• mchyzer is student
• choate is staff
• bwh is staff, admin
• melinas is staff, sysAdmin
• schleind was an admin, and needs to manage emails but not daemons

Show demo

• mchyzer is student
• choate is staff
• bwh is staff, admin
• melinas is staff, sysAdmin
• schleind was an admin, and needs to manage emails but not daemons (thus can’t be sysAdmin)

schleindMember = MemberFinder.findBySubject(this.grouperSession, SubjectFinder.findByIdentifier("schleind"), true);
adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(adminEmailButtonResource, schleindMember);
adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(adminEmailResource, schleindMember);

Act as a specific allowed role

• Note, the SQL view of permission assignments (and future WS interface) can show the roles a user has
• It also can show permissions of a user while acting as a certain role
• So if you do not want “flattened” permissions in an application (for security purposes), you can let the user act as one of their roles

Authorization with data

• Can use a similar strategy to the previous web example, especially if there aren’t many resources to secure
  e.g. select records from table where section in (?,?,?,?,?,?)
• If there are too many resources to secure (e.g. more than 100) or you want to join data in the database, you can use the following strategy
• This contrived example shows how to join SQL to security tables populated from Grouper

Authorization with data

• Org chart
  • school
    – artsAndSciences
      • chemistry
        – chemistry101
        – chemistry201
      • math
        – math220
        – math240
    – engineering
      • computerScience
        – computerScience99
        – computerScience300
      • electricalEngineering
        – electricalEngineering400
        – electricalEngineering450

Create central stems (folders)

gsh 100% communityStem = StemFinder.findByName(grouperSession, "penn:community", true);
gsh 101% orgResourcesStem = addStem("penn:community", "orgResources", "orgResources");
gsh 102% schoolStem = addStem("penn:community:orgResources", "school", "school");
gsh 103% artsAndSciencesStem = addStem("penn:community:orgResources:school", "artsAndSciences", "artsAndSciences");
gsh 104% chemistryStem = addStem("penn:community:orgResources:school:artsAndSciences", "chemistry", "chemistry");
gsh 105% mathStem = addStem("penn:community:orgResources:school:artsAndSciences", "math", "math");

• Complete GSH commands in slide notes

Create resources

• Note: this will be able to be managed by the Grouper loader
• Note: complete GSH commands in slide notes

gsh 110% orgResourcesDef = orgResourcesStem.addChildAttributeDef("orgResourcesDef", AttributeDefType.perm);
gsh 111% schoolResource = orgResourcesStem.addChildAttributeDefName(orgResourcesDef, "school", "school");
gsh 112% artsAndSciencesResource = schoolStem.addChildAttributeDefName(orgResourcesDef, "artsAndSciences", "artsAndSciences");
gsh 113% chemistryResource = artsAndSciencesStem.addChildAttributeDefName(orgResourcesDef, "chemistry", "chemistry");
gsh 114% chemistry101Resource = chemistryStem.addChildAttributeDefName(orgResourcesDef, "chemistry101", "chemistry101");
gsh 115% chemistry201Resource = chemistryStem.addChildAttributeDefName(orgResourcesDef, "chemistry201", "chemistry201");
gsh 116% mathResource = artsAndSciencesStem.addChildAttributeDefName(orgResourcesDef, "math", "math");

Create resource sets (org hierarchy)

• Note: this will be able to be managed by the Grouper loader
• Note: complete GSH commands in slide notes

gsh 120% schoolResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(artsAndSciencesResource);
gsh 121% schoolResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(engineeringResource);
gsh 122% artsAndSciencesResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(chemistryResource);
gsh 123% artsAndSciencesResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(mathResource);
gsh 124% chemistryResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(chemistry101Resource);
gsh 125% chemistryResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(chemistry201Resource);
gsh 126% mathResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(math220Resource);

Use admin role from web example above

• Note: complete GSH commands in slide notes
• bwh can write all of chemistry, and math 220
• bwh can read all of arts and sciences

gsh 130% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission("write", chemistryResource, bwhMember);
gsh 131% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission("write", math220Resource, bwhMember);
gsh 132% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission("read", artsAndSciencesResource, bwhMember);

• schleind can write computerScience99, and all of electricalEngineering
• schleind can read the whole school

gsh 133% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission("write", computerScience99Resource, schleindMember);
gsh 134% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission("write", electricalEngineeringResource, schleindMember);
gsh 135% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission("read", schoolResource, schleindMember);

Create a view of permissions

• Note: complete DDL in slide notes

SELECT DISTINCT gpav.role_name, psv.pennname, gpav.action, gadn.extension AS resource_extension
FROM grouper_perms_all_v gpav, grouper_attribute_def ad, person_source_v psv, grouper_attribute_def_name gadn
WHERE subject_source_id = 'pennperson'
AND gpav.attribute_def_id = ad.ID
AND ad.NAME = 'penn:community:orgResources:orgResourcesDef'
AND psv.penn_id = gpav.subject_id
AND gpav.attribute_def_name_id = gadn.ID
AND gpav.role_name like 'penn:isc:apps:secureShare:roles:%'

Sample data

• Note: complete data in slide notes

SELECT * from APPS_SEC_SHARE_DB_PERMS_V

Role                                    Pennname   Action   Resource_extension
penn:isc:apps:secureShare:roles:admin   bwh        write    chemistry101
penn:isc:apps:secureShare:roles:admin   schleind   read     computerScience
penn:isc:apps:secureShare:roles:admin   bwh        read     math220
penn:isc:apps:secureShare:roles:admin   schleind   read     chemistry
penn:isc:apps:secureShare:roles:admin   bwh        write    math220
penn:isc:apps:secureShare:roles:admin   schleind   read     engineering
penn:isc:apps:secureShare:roles:admin   schleind   read     computerScience99
penn:isc:apps:secureShare:roles:admin   schleind   write    electricalEngineering
penn:isc:apps:secureShare:roles:admin   schleind   read     chemistry201
penn:isc:apps:secureShare:roles:admin   schleind   read     electricalEngineering

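The org-chart permissions on the last few slides and the earlier “act as a specific allowed role” point rest on the same mechanism: role inheritance and resource sets are flattened into (role, action, resource) rows, and an application can take either the full flattened set or only what one role reaches. The Python below is an added model of that flattening, not the deck's or Grouper's code; it fills in the resource hierarchy from the org chart slide (beyond the GSH shown), uses the demo memberships, and the function names and the “assign” action label are mine.

```python
# Model of how role inheritance, resource sets and per-subject role permissions
# flatten into rows like grouper_perms_all_v. Constructed example, not Grouper code.
from collections import deque

def closure(graph, start):
    """start plus everything reachable through graph (parent -> children)."""
    seen, todo = {start}, deque([start])
    while todo:
        for child in graph.get(todo.popleft(), ()):
            if child not in seen:
                seen.add(child)
                todo.append(child)
    return seen

# addToAttributeDefNameSet(): a resource set implies every resource inside it.
# Org hierarchy taken from the org chart slide; web sets from the secureShare slides.
RESOURCE_SETS = {
    "school": ["artsAndSciences", "engineering"],
    "artsAndSciences": ["chemistry", "math"],
    "chemistry": ["chemistry101", "chemistry201"],
    "math": ["math220", "math240"],
    "engineering": ["computerScience", "electricalEngineering"],
    "computerScience": ["computerScience99", "computerScience300"],
    "electricalEngineering": ["electricalEngineering400", "electricalEngineering450"],
    "sendSet": ["sendButton", "sendSection"],
    "receiveSet": ["splash.jsp", "receiveButton"],
}
# addRoleToInheritFromThis(): members of the key role also get the listed roles' perms.
ROLE_INHERITS = {"userSharer": ["userReceiver"], "sysAdmin": ["admin"]}
ROLE_MEMBERS = {"userSharer": {"choate"}, "userReceiver": {"mchyzer"},
                "admin": {"bwh", "schleind"}, "sysAdmin": {"melinas"}}
# assignRolePermission(): (role, action, resource). The deck passes no action
# for these, so "assign" is a constructed stand-in label.
ROLE_PERMS = [("userSharer", "assign", "sendSet"), ("userReceiver", "assign", "receiveSet")]
# assignSubjectRolePermission(): (role, member, action, resource), slide 45.
SUBJECT_ROLE_PERMS = [
    ("admin", "bwh", "write", "chemistry"), ("admin", "bwh", "write", "math220"),
    ("admin", "bwh", "read", "artsAndSciences"),
    ("admin", "schleind", "write", "computerScience99"),
    ("admin", "schleind", "write", "electricalEngineering"), ("admin", "schleind", "read", "school")]

def roles_of(subject):
    return {r for r, members in ROLE_MEMBERS.items() if subject in members}

def effective_permissions(subject, act_as=None):
    """Flattened (role_name, action, resource) rows for a subject; with act_as,
    only the rows reachable through that one role (empty if not a member)."""
    roles = roles_of(subject)
    if act_as is not None:
        roles &= {act_as}
    rows = set()
    for role in roles:
        inherited = closure(ROLE_INHERITS, role)
        grants = [(a, res) for r, a, res in ROLE_PERMS if r in inherited]
        grants += [(a, res) for r, who, a, res in SUBJECT_ROLE_PERMS
                   if r == role and who == subject]
        for action, res in grants:
            rows |= {(role, action, x) for x in closure(RESOURCE_SETS, res)}
    return rows

def screen_mode(subject, resource):
    """Demo rule: editable if writable, readable if only readable, else hidden."""
    actions = {a for _, a, r in effective_permissions(subject) if r == resource}
    return "editable" if "write" in actions else "readable" if "read" in actions else "hidden"
```

screen_mode() is the join the last slide describes, done in memory: the application table SEC_SHARE_GROUPER_PERMS holds the rows effective_permissions() produces, and the screen asks for one class identifier at a time.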
Create application table for permissions

CREATE TABLE SEC_SHARE_GROUPER_PERMS (
  ROLE_NAME VARCHAR2(1024 BYTE),
  PENNNAME VARCHAR2(24 BYTE),
  ACTION VARCHAR2(32 BYTE),
  RESOURCE_EXTENSION VARCHAR2(255 BYTE)
);

Refresh user’s permissions on login

• Note: this could be done many ways, including a global periodic refresh
• In this case, delete and insert the user’s permissions on login in one transaction

HibernateSession2.callbackHibernateSession(true, new HibernateHandler2() {
  public Object callback(HibernateSession2 hibernateSession2) throws Exception {
    hibernateSession2.bySql().executeSql(
        "delete from SEC_SHARE_GROUPER_PERMS where pennname = ?", fastUser.getPennkey());
    hibernateSession2.bySql().executeSql(
        "insert into SEC_SHARE_GROUPER_PERMS "
        + "(select role_name, pennname, action, resource_extension "
        + "from authzadm.APPS_SEC_SHARE_DB_PERMS_V@dcom_link "
        + "where pennname = ?)", fastUser.getPennkey());
    hibernateSession2.endAndCloseSession(HibernateAction.COMMIT);
    return null;
  }
});

Data security demo

• Create a table with org (class) identifiers
• Join to the security table
• Make screen editable if writable, readable if readable
• Show demo