Grouper Developers Forum

[Julien Gribonvald <>]

I have done this GSh script, if you want to watch it :

grouperSession = GrouperSession.startRootSession();
stem = StemFinder.findByName(grouperSession, "esco");
System.out.println("users with privileges : " + stem.getStemmers());

showAdmins (Group group) { System.out.println("====Admins : ") ; for 
(admin : 
GrouperHelper.getSubjectsWithPriv(group,AccessPrivilege.ADMIN.getName()) 
) { if 
(GrouperHelper.hasSubjectImmPrivForGroup(grouperSession,admin,group,AccessPrivilege.ADMIN.getName())){System.out.println(admin.getName()); 
} /*else {System.out.println("===Not immediate : " + 
admin.getName());}*/} };

showReaders (Group group) { System.out.println("====Readers : ") ; for 
(reader : 
GrouperHelper.getSubjectsWithPriv(group,AccessPrivilege.READ.getName())) 
{ if 
(GrouperHelper.hasSubjectImmPrivForGroup(grouperSession,reader,group,AccessPrivilege.READ.getName())){System.out.println(reader.getName()); 
}/*else {System.out.println("===Not immediate : " + 
reader.getName());}*/} };

showViewers (Group group) { System.out.println("====Viewers : ") ; for 
(viewer : 
GrouperHelper.getSubjectsWithPriv(group,AccessPrivilege.VIEW.getName())) 
{ if 
(GrouperHelper.hasSubjectImmPrivForGroup(grouperSession,viewer,group,AccessPrivilege.VIEW.getName())){System.out.println(viewer.getName()); 
}/*else {System.out.println("===Not immediate : " + 
viewer.getName());}*/} };

showUpdaters (Group group) { System.out.println("====Updaters : ") ; for 
(updater : 
GrouperHelper.getSubjectsWithPriv(group,AccessPrivilege.UPDATE.getName())) 
{ if 
(GrouperHelper.hasSubjectImmPrivForGroup(grouperSession,updater,group,AccessPrivilege.UPDATE.getName())){System.out.println(updater.getName()) 
; }/*else {System.out.println("===Not immediate : " + 
updater.getName());}*/} };

for(child : stem.getChildGroups(Stem.Scope.SUB)) 
{System.out.println("childName " + child.getName()); showAdmins(child); 
showReaders(child); showViewers(child); 
showUpdaters(child);System.out.println("============================="); }



"esco" is the root branch, under this branch we have 3 branch, one for 
admin rigths on 5 applications, so not too much groups (one per 
organization and per applications), one branch for applications access 
(so around 10 applications where there is on group per organization), 
and the last branch is organisation with all repartition of users, 
around 170 groups per organisation in this branch, we have a bit less 
than 10000 groups to check now.

This script is only to show rigths on all groups, it's only the 
beginning of my script for checking all rigths and to print it on an 
output file for example.


Before that i look for checking immediate rigths or not I used 
group.getAdmin() ... but this wasn't telling me immediate or not, but it 
took only 5/10 minutes, unlike this script wich is taking around 30 
minutes, the slow code is when asking 
GrouperHelper.hasSubjectImmPrivForGroup, i tested without it and it was 
OK before.

But like I told you we will use such script only few times per years, so 
there is no real need now. But maybe we will pass it one time per week 
or month in some times to check all, I can't tell you...

Thanks
Julien


Le 14/09/2010 18:38, Chris Hyzer a écrit :
> Ok, no problem.  Try it after analyzing tables and let me know how it goes.
>
> If it is still a problem, please give me which GSH commands are slow.  I 
> assume you mean just typing into a GSH shell, and now waiting for GSH to 
> startup...
>
> Thanks,
> Chris
>
> -----Original Message-----
> From: 
>
>  
> [mailto:]
>  On Behalf Of Julien Gribonvald
> Sent: Tuesday, September 14, 2010 12:24 PM
> To: 
>
> Subject: Re: [grouper-dev] gsh scripting operations - questions about API
>
> I'm using GSH will grouper API methods only and with GrouperSystem user,
> I can do all I want but I would prefer to avoid to make request on
> tables directly.
>
> For now we don't have plans for an upgrade to 1.6.3, we will continue to
> works with grouper 1.5.2 (with 1.5.3 upgrades) at least until january.
> We have too many works at the beginning of a new year school so we
> prefer to avoid to works on a migration of a critical application
> (critical because we need to have a good acknowledge of versions that we
> have in production and more we need really good data's at the beginning
> because grouper take a big place in our schema). Also there is a certain
> cost to maintain the ESCO Grouper UI, so we can't follow all versions.
> Also we have more times to make migrations after january.
>
> Thanks,
>
> Julien
>
> Le 14/09/2010 18:06, Chris Hyzer a écrit :
>    
> > How are you exactly checking all groups that you have?  Is it as 
> > groupersystem or as another user?  Can you analyze all your tables and try 
> > again?  Just curious, what are your upgrade plans for 1.6.3?
> >
> > Doc on analyzing tables:
> > https://spaces.internet2.edu/pages/viewpage.action?pageId=11076532#APIBuilding%26Configuration-AnalyzingTablestoImproveQueryPerformance
> >
> > Thanks,
> > Chris
> >
> > -----Original Message-----
> > From: Julien Gribonvald 
> > [mailto:]
> > Sent: Tuesday, September 14, 2010 12:03 PM
> > To: Chris Hyzer
> > Cc: GW Brown, Information Systems and Computing; 
> >
> > Subject: Re: [grouper-dev] gsh scripting operations - questions about API
> >
> > Thank you Chris,
> >
> > What i'm doing is not something that we will do each days, so there is
> > no real need, the only things is that it's slow when we have to check
> > all groups that we have, and for the moment we have only a small part of
> > our perimeter (only 9000 groups), and I think we will up to 50000 groups.
> >
> > Thanks,
> > Julien
> >
> >
> > Le 14/09/2010 16:41, Chris Hyzer a écrit :
> >
> >      
> > > There is no method in the AccessAdapter, so there is no way to efficiently do 
> > > this in one query.  So if the strategy with two methods you are doing 
> > > performs well enough (N+1 at least queries), then go for it.  Otherwise we 
> > > could add a method to AccessAdapter (though you would need an upgrade)...
> > >
> > > Thanks,
> > > Chris
> > >
> > > -----Original Message-----
> > > From: 
> > >
> > >  
> > > [mailto:]
> > >  On Behalf Of Julien Gribonvald
> > > Sent: Tuesday, September 14, 2010 5:55 AM
> > > To: GW Brown, Information Systems and Computing
> > > Cc: 
> > >
> > > Subject: Re: [grouper-dev] gsh scripting operations - questions about API
> > >
> > > Thank you Gary,
> > >
> > > Finaly I use the two method, the first to get users with privilegies and
> > > yourth to know if the user has immediates rigths, but maybe you have a
> > > better way to get users with privilegies on a group ?
> > >
> > > Thanks
> > > Julien
> > >
> > >
> > > Le 14/09/2010 11:15, GW Brown, Information Systems and Computing a écrit :
> > >
> > >
> > >        
> > > > Hi Julien,
> > > >
> > > > I'm not sure that method really does what you want - it just calls
> > > > Group.getAdmins() etc - and does not filter immediate vs indirect.
> > > >
> > > > There is another method which can be applied to each subject:
> > > >
> > > > public static boolean hasSubjectImmPrivForGroup(GrouperSession
> > > > s,Subject subject,Group group,String privilege) throws
> > > > MemberNotFoundException,SchemaException{
> > > >
> > > > However, Chris may have a better way to do it. I wrote many of the
> > > > GrouperHelper methods to work around things the official API did not
> > > > do, however, there have been many API changes and GrouperHelper may
> > > > not have kept pace.
> > > >
> > > > Gary
> > > >
> > > > --On 14 September 2010 11:00 +0200 Julien Gribonvald
> > > > <>
> > > >     wrote:
> > > >
> > > >
> > > >
> > > >          
> > > > > Sorry, finaly I found my needs in the GrouperHelper classe with the
> > > > > method getSubjectsWithPriv(Group group, String privilege)
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Julien Gribonvald
> > > > > GIP RECIA
> > > > >
> > > > >
> > > > > Le 14/09/2010 10:48, Julien Gribonvald a écrit :
> > > > >
> > > > > Hi all,
> > > > >
> > > > > I'm looking for scripting some checking and administration operations
> > > > > with GSH, I have already done some script wich are checking and updating
> > > > > our tree of groups structure.
> > > > > But I have a little problem with the API, found here :
> > > > > http://www.internet2.edu/grouper/release/1.5.0/doc/api/index.html (we
> > > > > are
> > > > > using grouper 1.5.2, with 1.5.3 updates), I can't find an easy way to
> > > > > know, on a given group, if a subject has immediate privileges or herited
> > > > > from a group. For exemple, currently, on a Group g I do like that to get
> > > > > users with privilegies :
> > > > >
> > > > > g.getReaders(); g.getViewers();g.getUpdaters();g.getAdmin();
> > > > >
> > > > > These methods are good to obtain Subjects, but we don't know if they
> > > > > have
> > > > > immediate privileges or not. My wisch would be to get only immediate
> > > > > subjects which have a Privilege P on a Group G.
> > > > >
> > > > > So is there someone who could give me some informations, like the good
> > > > > class to watch and/or where I will find my solution ? Or any idea on how
> > > > > to do that ?
> > > > >
> > > > > Thanks for your help.
> > > > >
> > > > > Julien Gribonvald
> > > > > GIP RECIA
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >            
> > > > ----------------------
> > > > GW Brown, Information Systems and Computing
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >          
> > >
> > >        
> >
> >      
>