
What’s new with Grouper 10/5/9 Internet2 Fall Member Meeting Chris Hyzer, University of Pennsylvania.


1. What’s new with Grouper
10/5/9 Internet2 Fall Member Meeting
Chris Hyzer, University of Pennsylvania

2. Grouper UI lite
Feature demo
Integration demo
(10/15/2015, © 2009 Internet2)

3. Netherlands attribute framework use case
Labels on groups, to organize and search for relevant groups:
“groups (of students) would belong to a certain school/university but also to one or more departments (depending on the school they're enrolled at) and we would like to find them either way”
Organize many-to-many relationships (without stems or groups of groups).

4. Netherlands attribute framework use case
All labels can be configured in the system (not free-form).
“Security: the Grouper instance will be used by two separate end-user groups, for which we will instantiate a different version of the GUI that will operate on a different stem. Labels of one instance should not come up in the other GUI and vice versa”

5. Netherlands attribute framework use case
External application written in PHP.
SQL interface for READ is ok.
GSH for WRITE is ok, if performance is ok.
WS is the long-term solution.

6. Groups and attributes
Group: school:math:brainProject
  - Attribute: school:attr:students:artsAndSciences
  - Attribute: school:attr:students:opticalResearch
  - Attribute: school:attr:faculty:neurology
Group: school:med:neurologyProfessors
  - Attribute: school:attr:students:residents
  - Attribute: school:attr:students:opticalResearch
  - Attribute: school:attr:faculty:professors
Group: school:computerScience:neuralNetworks
  - Attribute: school:attr:students:engineering
  - Attribute: school:attr:faculty:neurology

7. Create groups with GSH
gsh 0% addRootStem("school", "school");
gsh 1% addStem("school", "math", "math");
gsh 2% addStem("school", "med", "med");
gsh 3% addStem("school", "computerScience", "computerScience");
gsh 4% groupBrainProject = addGroup("school:math", "brainProject", "brainProject");
gsh 5% groupNeurologyProfessors = addGroup("school:med", "neurologyProfessors", "neurologyProfessors");
gsh 6% groupNeuralNetworks = addGroup("school:computerScience", "neuralNetworks", "neuralNetworks");

8. Create attribute stems with GSH
gsh 7% addStem("school", "attr", "attr");
gsh 8% addStem("school:attr", "students", "students");
gsh 9% addStem("school:attr", "faculty", "faculty");
gsh 11% grouperSession = GrouperSession.startRootSession();
gsh 12% attrStudentsStem = StemFinder.findByName(grouperSession, "school:attr:students");
gsh 13% attrFacultyStem = StemFinder.findByName(grouperSession, "school:attr:faculty");

9. Create attribute definitions with GSH
gsh 15% studentsAttrDef = attrStudentsStem.addChildAttributeDef("students", AttributeDefType.attr);
gsh 16% facultyAttrDef = attrFacultyStem.addChildAttributeDef("faculty", AttributeDefType.attr);
(the faculty definition is created under the faculty stem, where its attribute names on the next slide are created)

10. Create attribute names with GSH
attrArtsAndSciences = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "artsAndSciences", "artsAndSciences");
attrOpticalResearch = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "opticalResearch", "opticalResearch");
attrResidents = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "residents", "residents");
attrNeurology = attrFacultyStem.addChildAttributeDefName(facultyAttrDef, "neurology", "neurology");
attrProfessors = attrFacultyStem.addChildAttributeDefName(facultyAttrDef, "professors", "professors");
attrEngineering = attrStudentsStem.addChildAttributeDefName(studentsAttrDef, "engineering", "engineering");

11. Assign attributes with GSH
groupBrainProject.getAttributeDelegate().assignAttribute(attrArtsAndSciences);
groupBrainProject.getAttributeDelegate().assignAttribute(attrOpticalResearch);
groupBrainProject.getAttributeDelegate().assignAttribute(attrNeurology);
groupNeurologyProfessors.getAttributeDelegate().assignAttribute(attrResidents);
groupNeurologyProfessors.getAttributeDelegate().assignAttribute(attrOpticalResearch);
groupNeurologyProfessors.getAttributeDelegate().assignAttribute(attrProfessors);
groupNeuralNetworks.getAttributeDelegate().assignAttribute(attrEngineering);
groupNeuralNetworks.getAttributeDelegate().assignAttribute(attrNeurology);

12. Add users with GSH
groupStudents = addGroup("school", "students", "students");
groupFaculty = addGroup("school", "faculty", "faculty");
addMember("school:students", "test.subject.0");
addMember("school:faculty", "test.subject.1");
addMember("school:students", "test.subject.2");
addMember("school:faculty", "test.subject.2");

13. Assign attribute security with GSH
studentsAttrDef.getPrivilegeDelegate().grantPriv(groupStudents.toSubject(), AttributeDefPrivilege.ATTR_READ, false);
facultyAttrDef.getPrivilegeDelegate().grantPriv(groupFaculty.toSubject(), AttributeDefPrivilege.ATTR_READ, false);

14. Create a view for secure attribute reading
If integrating with Grouper via SQL, there will probably be a supported SQL interface soon.
Always put a view on top of the underlying tables, which assures smooth upgrading.
create view school_group_labels_secure_v as
select gaagv.group_name,
       gaagv.attribute_def_name_name,
       gm.subject_source as reader_subject_source_id,
       gm.subject_id as reader_subject_id
from …
(the reader column is named reader_subject_id, as the queries on the next slides expect)
Full DDL in slide notes.

15. Query the attributes securely
test.subject.0 is a student only; select all groups with attributes (secure query):
select group_name, attribute_def_name_name
from school_group_labels_secure_v
where reader_subject_source_id = 'jdbc'
  and reader_subject_id = 'test.subject.0'

Group                                  Attribute
school:med:neurologyProfessors         school:attr:students:opticalResearch
school:med:neurologyProfessors         school:attr:students:residents
school:computerScience:neuralNetworks  school:attr:students:engineering
school:math:brainProject               school:attr:students:opticalResearch
school:math:brainProject               school:attr:students:artsAndSciences

16. Query the attributes securely
test.subject.1 is faculty only; select all groups with attributes (secure query):
select group_name, attribute_def_name_name
from school_group_labels_secure_v
where reader_subject_source_id = 'jdbc'
  and reader_subject_id = 'test.subject.1'

Group                                  Attribute
school:med:neurologyProfessors         school:attr:faculty:professors
school:computerScience:neuralNetworks  school:attr:faculty:neurology
school:math:brainProject               school:attr:faculty:neurology

17. Query the attributes securely
test.subject.2 is both faculty and student; select all attributes for the group neurologyProfessors:
select group_name, attribute_def_name_name
from school_group_labels_secure_v
where reader_subject_source_id = 'jdbc'
  and reader_subject_id = 'test.subject.2'
  and group_name = 'school:med:neurologyProfessors'

Group                                  Attribute
school:med:neurologyProfessors         school:attr:students:opticalResearch
school:med:neurologyProfessors         school:attr:faculty:professors
school:med:neurologyProfessors         school:attr:students:residents
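The secure read of slides 12 to 17 as an added Python example (not code from the talk): group memberships, ATTR_READ grants on the two attribute definitions and the attribute assignments are constructed from the slides, and readable_attributes reproduces the rows the three queries above return for each test subject.

```python
"""Model of the secure attribute read on slides 12 to 17: a subject only sees
attribute names whose attribute definition a group they belong to holds
ATTR_READ on.  Added example with constructed data, not the talk's code."""
from typing import List, Optional, Tuple

# Group memberships (slide 12).
MEMBERSHIPS = {"school:students": {"test.subject.0", "test.subject.2"},
               "school:faculty": {"test.subject.1", "test.subject.2"}}
STUDENTS_DEF = "school:attr:students:students"   # attribute definitions (slide 9)
FACULTY_DEF = "school:attr:faculty:faculty"
# Attribute name -> the attribute definition it belongs to (slide 10).
ATTR_DEF_OF = {
    "school:attr:students:artsAndSciences": STUDENTS_DEF,
    "school:attr:students:opticalResearch": STUDENTS_DEF,
    "school:attr:students:residents": STUDENTS_DEF,
    "school:attr:students:engineering": STUDENTS_DEF,
    "school:attr:faculty:neurology": FACULTY_DEF,
    "school:attr:faculty:professors": FACULTY_DEF,
}
# ATTR_READ on a definition is granted to groups, not to individual users (slide 13).
ATTR_READ = {STUDENTS_DEF: {"school:students"}, FACULTY_DEF: {"school:faculty"}}
# Attribute names assigned to groups (slides 6 and 11).
GROUP_ATTRS = {
    "school:math:brainProject": {"school:attr:students:artsAndSciences",
                                 "school:attr:students:opticalResearch",
                                 "school:attr:faculty:neurology"},
    "school:med:neurologyProfessors": {"school:attr:students:residents",
                                       "school:attr:students:opticalResearch",
                                       "school:attr:faculty:professors"},
    "school:computerScience:neuralNetworks": {"school:attr:students:engineering",
                                              "school:attr:faculty:neurology"},
}


def can_read_def(subject_id: str, attr_def: str) -> bool:
    """True when the subject is in some group holding ATTR_READ on attr_def."""
    return any(subject_id in MEMBERSHIPS.get(group, set())
               for group in ATTR_READ.get(attr_def, set()))


def readable_attributes(subject_id: str,
                        group_name: Optional[str] = None) -> List[Tuple[str, str]]:
    """Rows (group, attribute) the subject may see: what the secure view on
    slide 14 returns for reader_subject_id, optionally restricted to one group.
    Unknown subjects and unreadable definitions simply yield no rows."""
    rows = []
    for group, attrs in GROUP_ATTRS.items():
        if group_name is not None and group != group_name:
            continue
        for attr in attrs:
            if can_read_def(subject_id, ATTR_DEF_OF[attr]):
                rows.append((group, attr))
    return sorted(rows)
```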

18. Permission management in a web application

19. Permission management
In Grouper (in the API, GSH, WS, docs, etc.) a privilege refers to being able to do something in Grouper (e.g. READ a group or CREATE objects in a folder).
Since a privilege is a kind of permission, the new permission management features use the term “permission” for a non-Grouper privilege, i.e. a right on an application resource.
There are permissions managed as RBAC (role-based access control), and individual permissions.

20. RBAC integration into an application (diagram)

21. Authorization design (diagram)

22. Role definitions (diagram)

23. Role definitions
userSharer: can share documents, and can do anything a receiver can do
  - userReceiver: can receive documents
sysAdmin: can manage emails and daemons, and things an admin can do
  - admin: can view audit logs on the admin console
(complete GSH code in slide notes)
gsh 30% userSharerRole = rolesStem.addChildRole("userSharer", "userSharer");
gsh 31% userReceiverRole = rolesStem.addChildRole("userReceiver", "userReceiver");
gsh 32% userSharerRole.getRoleInheritanceDelegate().addRoleToInheritFromThis(userReceiverRole);

24. Role members (diagram)

25. Role members
userSharer: should have the group penn:community:staff (includes choate)
  - userReceiver: should have the group penn:community:students (includes mchyzer)
sysAdmin: should have the individual user (includes melinas)
  - admin: can view audit logs on the admin console (includes bwh)
Note: you could do this part in the Grouper UI or WS (complete GSH code in slide notes)
gsh 40% studentsGroup = addGroup("penn:community", "students", "students");
gsh 41% studentsGroup.addMember(SubjectFinder.findByIdentifier("mchyzer"));
gsh 42% userReceiverRole.addMember(studentsGroup.toSubject());
gsh 43% adminRole.addMember(SubjectFinder.findByIdentifier("bwh"));

26. Resource definitions (diagram)

27. Resource definitions
Penn’s web framework already manages (local) permissions.
To integrate, we can use the same names, and override the decision (complete GSH code in slide notes).
gsh 50% resourcesStem = addStem("penn:isc:apps:secureShare", "resources", "resources");
gsh 51% resourcesDef = resourcesStem.addChildAttributeDef("secureShareWebResources", AttributeDefType.perm);
gsh 52% splashResource = resourcesStem.addChildAttributeDefName(resourcesDef, "splash.jsp", "splash.jsp");

28. Resource sets (diagram)

29. Resource sets
Not all that useful in this case, but as an example… (complete code in notes)
gsh 60% resourceSetsStem = addStem("penn:isc:apps:secureShare", "resourceSets", "resourceSets");
gsh 61% receiveSetResource = resourceSetsStem.addChildAttributeDefName(resourcesDef, "receiveSet", "receiveSet");
gsh 62% sendSetResource = resourceSetsStem.addChildAttributeDefName(resourcesDef, "sendSet", "sendSet");
gsh 63% receiveSetResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(splashResource);
gsh 64% receiveSetResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(receiveButtonResource);
gsh 65% sendSetResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(sendButtonResource);
gsh 66% sendSetResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(sendSectionResource);

30. Resource assignments (diagram)

31. Resource assignments
Assign resource sets to roles…
gsh 70% userSharerRole.getPermissionRoleDelegate().assignRolePermission(sendSetResource);
gsh 71% userReceiverRole.getPermissionRoleDelegate().assignRolePermission(receiveSetResource);
gsh 72% sysAdminRole.getPermissionRoleDelegate().assignRolePermission(sysAdminSetResource);
gsh 73% adminRole.getPermissionRoleDelegate().assignRolePermission(adminSetResource);

32. Make a view for the app to read permissions
Always make a view; don’t query the registry directly.
create or replace view apps_sec_share_web_perms_v as
select distinct gpav.role_name, psv.pennname, gpav.attribute_def_name_name
from grouper_perms_all_v gpav, grouper_attribute_def ad, person_source_v psv
where subject_source_id = 'pennperson'
  and gpav.attribute_def_id = ad.id
  and ad.name = 'penn:isc:apps:secureShare:resources:secureShareWebResources'
  and psv.penn_id = gpav.subject_id

33. Make a view for the app to read permissions
select * from apps_sec_share_web_perms_v

PennName  Resource                        Role_name
bwh       /fast/fastAdminConsole.jsp      admin
bwh       /fast/fastAuditLogViewer.jsp    admin
bwh       resourceSets:adminSet           admin
choate    splash.jsp                      userSharer
choate    resourceSets:receiveSet         userSharer
choate    resourceSets:sendSet            userSharer
choate    FASTXsplash.jsp sendDocument    userSharer
mchyzer   splash.jsp                      userReceiver
mchyzer   resourceSets:receiveSet         userReceiver
melinas   /fast/fastEmailConfig.jsp       sysAdmin
etc.
Note: the actual fully qualified data is in slide notes.

34. On login, cache the user’s permissions
Improves performance.
Not as dependent on the Grouper DB.
Permission changes will require a logout/login if the user is logged in.
Can easily be swapped for a WS call when available.
Put this code in a login hook in the application:
// cache the Grouper permissions in the HTTP session; the view returns fully
// qualified attribute names, e.g. penn:isc:apps:secureShare:resources:splash.jsp
List<String> permissions = HibernateSession2.bySqlStatic().conn("pennCommunity").listSelect(String.class,
    "select distinct ATTRIBUTE_DEF_NAME_NAME from "
    + "authzadm.apps_sec_share_web_perms_v where pennname = ?", fastUser.getPennkey());
httpSession.setAttribute("grouperPermissions", permissions);

35. Check permissions when needed
Penn’s framework has a hook to override authorization:
@SuppressWarnings("unchecked")
List<String> permissions = (List<String>) httpSession.getAttribute("grouperPermissions");
String resourceName = "penn:isc:apps:secureShare:resources:" + propertyValue.getNameSystem();
// deny if nothing was cached at login (e.g. hook ran before the session was populated)
boolean allowed = permissions != null && permissions.contains(resourceName);

36. Show demo
mchyzer is a student
choate is staff
bwh is staff, admin
melinas is staff, sysAdmin
schleind was an admin, and needs to manage emails but not daemons

37. Show demo
schleind was an admin, and needs to manage emails but not daemons (thus can’t be sysAdmin), so the email permissions are assigned to schleind individually within the admin role:
schleindMember = MemberFinder.findBySubject(this.grouperSession, SubjectFinder.findByIdentifier("schleind"), true);
adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(adminEmailButtonResource, schleindMember);
adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(adminEmailResource, schleindMember);

38. Act as a specific allowed role
Note: the SQL view of permission assignments (and the future WS interface) can show the roles a user has.
It can also show the permissions a user has while acting as a certain role.
So if you do not want “flattened” permissions in an application (for security purposes), you can let the user act as one of their roles.

39. Permission management for data

40. Authorization with data
You can use a similar strategy to the previous web example, especially if there aren’t many resources to secure, e.g. select records from table where section in (?,?,?,?,?,?).
If there are too many resources to secure (e.g. more than 100), or you want to join data in the database, you can use the following strategy.
This contrived example shows how to join SQL to security tables populated from Grouper.

41. Authorization with data
Org chart:
school
  artsAndSciences
    chemistry
      chemistry101
      chemistry201
    math
      math220
      math240
  engineering
    computerScience
      computerScience99
      computerScience300
    electricalEngineering
      electricalEngineering400
      electricalEngineering450

42. Create central stems (folders)
gsh 100% communityStem = StemFinder.findByName(grouperSession, "penn:community", true);
gsh 101% orgResourcesStem = addStem("penn:community", "orgResources", "orgResources");
gsh 102% schoolStem = addStem("penn:community:orgResources", "school", "school");
gsh 103% artsAndSciencesStem = addStem("penn:community:orgResources:school", "artsAndSciences", "artsAndSciences");
gsh 104% chemistryStem = addStem("penn:community:orgResources:school:artsAndSciences", "chemistry", "chemistry");
gsh 105% mathStem = addStem("penn:community:orgResources:school:artsAndSciences", "math", "math");
Complete GSH commands in slide notes.

43. Create resources
Note: this will be able to be managed by the Grouper loader.
Note: complete GSH commands in slide notes.
gsh 110% orgResourcesDef = orgResourcesStem.addChildAttributeDef("orgResourcesDef", AttributeDefType.perm);
gsh 111% schoolResource = orgResourcesStem.addChildAttributeDefName(orgResourcesDef, "school", "school");
gsh 112% artsAndSciencesResource = schoolStem.addChildAttributeDefName(orgResourcesDef, "artsAndSciences", "artsAndSciences");
gsh 113% chemistryResource = artsAndSciencesStem.addChildAttributeDefName(orgResourcesDef, "chemistry", "chemistry");
gsh 114% chemistry101Resource = chemistryStem.addChildAttributeDefName(orgResourcesDef, "chemistry101", "chemistry101");
gsh 115% chemistry201Resource = chemistryStem.addChildAttributeDefName(orgResourcesDef, "chemistry201", "chemistry201");
gsh 116% mathResource = artsAndSciencesStem.addChildAttributeDefName(orgResourcesDef, "math", "math");

44. Create resource sets (org hierarchy)
Note: this will be able to be managed by the Grouper loader.
Note: complete GSH commands in slide notes.
gsh 120% schoolResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(artsAndSciencesResource);
gsh 121% schoolResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(engineeringResource);
gsh 122% artsAndSciencesResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(chemistryResource);
gsh 123% artsAndSciencesResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(mathResource);
gsh 124% chemistryResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(chemistry101Resource);
gsh 125% chemistryResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(chemistry201Resource);
gsh 126% mathResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(math220Resource);

45. Use the admin role from the web example above
Note: complete GSH commands in slide notes.
bwh can write all of chemistry, and math220; bwh can read all of arts and sciences:
gsh 130% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission("write", chemistryResource, bwhMember);
gsh 131% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission("write", math220Resource, bwhMember);
gsh 132% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission("read", artsAndSciencesResource, bwhMember);
schleind can write computerScience99, and all of electricalEngineering; schleind can read the whole school:
gsh 133% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission("write", computerScience99Resource, schleindMember);
gsh 134% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission("write", electricalEngineeringResource, schleindMember);
gsh 135% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission("read", schoolResource, schleindMember);

46. Create a view of permissions
Note: complete DDL in slide notes.
SELECT DISTINCT gpav.role_name, psv.pennname, gpav.action, gadn.extension AS resource_extension
FROM grouper_perms_all_v gpav, grouper_attribute_def ad, person_source_v psv, grouper_attribute_def_name gadn
WHERE subject_source_id = 'pennperson'
  AND gpav.attribute_def_id = ad.ID
  AND ad.NAME = 'penn:community:orgResources:orgResourcesDef'
  AND psv.penn_id = gpav.subject_id
  AND gpav.attribute_def_name_id = gadn.ID
  AND gpav.role_name like 'penn:isc:apps:secureShare:roles:%'

47. Sample data
Note: complete data in slide notes.
SELECT * from APPS_SEC_SHARE_DB_PERMS_V

Role                                   Pennname  Action  Resource_extension
penn:isc:apps:secureShare:roles:admin  bwh       write   chemistry101
penn:isc:apps:secureShare:roles:admin  schleind  read    computerScience
penn:isc:apps:secureShare:roles:admin  bwh       read    math220
penn:isc:apps:secureShare:roles:admin  schleind  read    chemistry
penn:isc:apps:secureShare:roles:admin  bwh       write   math220
penn:isc:apps:secureShare:roles:admin  schleind  read    engineering
penn:isc:apps:secureShare:roles:admin  schleind  read    computerScience99
penn:isc:apps:secureShare:roles:admin  schleind  write   electricalEngineering
penn:isc:apps:secureShare:roles:admin  schleind  read    chemistry201
penn:isc:apps:secureShare:roles:admin  schleind  read    electricalEngineering
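Added example, not the talk’s code: a Python resolver that computes the flattened permissions the views on slides 32 and 46 return, covering role inheritance (slide 23), resource sets (slides 29 and 44), subject-specific role permissions (slides 37 and 45) and acting as a single role (slide 38). Role members, resource sets and the read/write actions are constructed from the slides; using Grouper’s default action name "assign" for the web resources is an assumption.

```python
"""Resolve effective Grouper permissions as the views on slides 32 and 46
expose them: role inheritance (slide 23), resource sets (slides 29 and 44),
subject-specific role permissions (slides 37 and 45), acting as one role
(slide 38).  Added example with constructed data, not the talk's code."""
from typing import Dict, FrozenSet, Optional, Set, Tuple

Perm = Tuple[str, str]  # (action, resource extension)

# Role inheritance and role membership (slides 23 and 25).  In Grouper the
# members arrive via groups such as penn:community:staff; listed directly here.
ROLE_INHERITS = {"userSharer": {"userReceiver"}, "sysAdmin": {"admin"}}
ROLE_MEMBERS = {"userSharer": {"choate"}, "userReceiver": {"mchyzer"},
                "sysAdmin": {"melinas"}, "admin": {"bwh", "schleind"}}
# Resource sets: set name -> the resources it contains (slides 29, 41 and 44).
RESOURCE_SETS = {
    "receiveSet": {"splash.jsp", "receiveButton"}, "sendSet": {"sendButton", "sendSection"},
    "adminSet": {"/fast/fastAdminConsole.jsp", "/fast/fastAuditLogViewer.jsp"},
    "school": {"artsAndSciences", "engineering"}, "artsAndSciences": {"chemistry", "math"},
    "chemistry": {"chemistry101", "chemistry201"}, "math": {"math220", "math240"},
    "engineering": {"computerScience", "electricalEngineering"},
    "computerScience": {"computerScience99", "computerScience300"},
    "electricalEngineering": {"electricalEngineering400", "electricalEngineering450"},
}
# Permissions granted to a whole role (slide 31).  Web resources use Grouper's
# default action name "assign" (assumption); org-chart resources use read/write.
ROLE_PERMS = {
    "userSharer": {("assign", "sendSet")}, "userReceiver": {("assign", "receiveSet")},
    "admin": {("assign", "adminSet")}, "sysAdmin": {("assign", "/fast/fastEmailConfig.jsp")},
}
# Permissions granted to one subject while acting in a role (slides 37 and 45).
SUBJECT_ROLE_PERMS = {
    ("admin", "bwh"): {("write", "chemistry"), ("write", "math220"),
                       ("read", "artsAndSciences")},
    ("admin", "schleind"): {("write", "computerScience99"), ("read", "school"),
                            ("write", "electricalEngineering"), ("assign", "adminEmail")},
}


def closure(start: str, edges: Dict[str, Set[str]]) -> Set[str]:
    """start plus everything reachable through edges (cycle-safe)."""
    seen: Set[str] = set()
    todo = [start]
    while todo:
        node = todo.pop()
        if node not in seen:
            seen.add(node)
            todo.extend(edges.get(node, ()))
    return seen


def permissions(subject: str, acting_as: Optional[str] = None) -> FrozenSet[Perm]:
    """Flattened (action, resource) pairs across every role the subject holds,
    or only through acting_as.  A role the subject does not hold contributes
    nothing, so acting as a role you lack yields an empty set (deny by default)."""
    held = {role for role, members in ROLE_MEMBERS.items() if subject in members}
    if acting_as is not None:
        held &= {acting_as}
    out: Set[Perm] = set()
    for role in held:
        grants = set(SUBJECT_ROLE_PERMS.get((role, subject), set()))
        for inherited in closure(role, ROLE_INHERITS):
            grants |= ROLE_PERMS.get(inherited, set())
        for action, resource in grants:
            out |= {(action, r) for r in closure(resource, RESOURCE_SETS)}
    return frozenset(out)
```

The rows of the sample data above (bwh write chemistry101, schleind read chemistry201, and so on) fall out of the resource-set expansion, while permissions("melinas", "sysAdmin") shows the non-flattened, act-as-one-role view.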

48. Create application table for permissions
CREATE TABLE SEC_SHARE_GROUPER_PERMS (
  ROLE_NAME          VARCHAR2(1024 BYTE),
  PENNNAME           VARCHAR2(24 BYTE),
  ACTION             VARCHAR2(32 BYTE),
  RESOURCE_EXTENSION VARCHAR2(255 BYTE)
);

49. Refresh the user’s permissions on login
Note: this could be done many ways, including a global periodic refresh.
In this case, delete and insert the user’s permissions on login in one transaction:
HibernateSession2.callbackHibernateSession(true, new HibernateHandler2() {
  public Object callback(HibernateSession2 hibernateSession2) throws Exception {
    // drop the user's stale rows, then copy the current rows from the Grouper view
    hibernateSession2.bySql().executeSql(
        "delete from SEC_SHARE_GROUPER_PERMS where pennname = ?", fastUser.getPennkey());
    hibernateSession2.bySql().executeSql(
        "insert into SEC_SHARE_GROUPER_PERMS "
        + "(select role_name, pennname, action, resource_extension "
        + "from authzadm.APPS_SEC_SHARE_DB_PERMS_V@dcom_link "
        + "where pennname = ?)", fastUser.getPennkey());
    hibernateSession2.endAndCloseSession(HibernateAction.COMMIT);
    return null;
  }
});

50. Data security demo
Create a table with org (class) identifiers.
Join to the security table.
Make the screen editable if writable, readable if readable.
Show demo.

51. What’s new with Grouper
10/5/9 Internet2 Fall Member Meeting
Chris Hyzer, University of Pennsylvania
For more information, visit www.internet2.edu

