grouper-users - RE: [grouper-users] Changing Grouper ID
Subject: Grouper Users - Open Discussion List
List archive
- From: Thomas M Goerger <>
- To: Chris Hyzer <>
- Cc: "GW Brown, Information Systems and Computing" <>, Tom Barton <>, "" <>
- Subject: RE: [grouper-users] Changing Grouper ID
- Date: Wed, 21 May 2008 16:33:38 -0500 (CDT)
I guess what I'm wondering is when I click on the 'List All Members'
button in the Grouper UI, what mechanism is it using to actually list
those members. It doesn't seem like it is using the subject_id to list
these, as when the LDAP directory name is changed, and the subject_id is
changed to match it, the UI is still looking for the original name as it
was listed in the LDAP directory. So, there must be some other place that
Grouper is storing this information for it to still be looking for it.
Example:
We changed my cn in the LDAP directory from Thomas M Goerger-3 to Tom M
Goerger-3. When you go into one of the created groups of which this user
is a member and try to list them, you get this error.
edu.internet2.middleware.grouper.GrouperRuntimeException: unable to find
member as subject: No results: searchSubject filter:(& (cn=%TERM%)
(objectclass=person)) searchValue: Thomas M Goerger-3 at
edu.internet2.middleware.grouper.Member.getSubjectSource(Member.java:492)
at
edu.internet2.middleware.grouper.GrouperHelper.getOneMembershipPerSubjectOrGroup(GrouperHelper.java:2271)
at
edu.internet2.middleware.grouper.ui.actions.PopulateGroupMembersAction.grouperExecute(PopulateGroupMembersAction.java:399)
at
edu.internet2.middleware.grouper.ui.actions.GrouperCapableAction.execute(GrouperCapableAction.java:223)
at
org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:421)
at
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:226)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1164)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:397) at
javax.servlet.http.HttpServlet.service(HttpServlet.java:690) at
javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at
edu.internet2.middleware.grouper.ui.LoginCheckFilter.doFilter(LoginCheckFilter.java:168)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:204)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
at
org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
at
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
at
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
at java.lang.Thread.run(Thread.java:595) Caused by:
edu.internet2.middleware.subject.SubjectNotFoundException: No results:
searchSubject filter:(& (cn=%TERM%) (objectclass=person)) searchValue:
Thomas M Goerger-3 at
edu.internet2.middleware.subject.provider.JNDISourceAdapter.getLdapUnique(Unknown
Source) at
edu.internet2.middleware.subject.provider.JNDISourceAdapter.getSubject(Unknown
Source) at
edu.internet2.middleware.grouper.subj.SourcesXmlResolver.find(SourcesXmlResolver.java:117)
at
edu.internet2.middleware.grouper.subj.CachingResolver.find(CachingResolver.java:104)
at
edu.internet2.middleware.grouper.subj.ValidatingResolver.find(ValidatingResolver.java:88)
at
edu.internet2.middleware.grouper.SubjectFinder.findById(SubjectFinder.java:122)
at edu.internet2.middleware.grouper.Member.getSubject(Member.java:449) at
edu.internet2.middleware.grouper.Member.getSubjectSource(Member.java:487)
... 27 more
If I change the subject_id in the database, this error remains unchanged.
Grouper is still looking for the old cn. So, it must be being stored
somewhere else. Looking through the tables in the database hasn't yielded
anything. Is the original value actually hard-coded into a different
value somewhere, or is it found in another place?
Thanks,
Tom Goerger
University of Minnesota
Internet Services
On Mon, 12 May 2008, Chris Hyzer wrote:
> Hopefully this will help you out:
>
> 1. To see if the setSubjectId() method has worked, look in the
> grouper_members table. For the uuid / subjectId / subjectSourceId record,
> you should see the same uuid, and same sourceId, but different subjectId.
> 2. That is all that method does, so when you pull up a membership record,
> there could be a couple of things going on:
> 3. Most likely, the subject source has the wrong data. Search for and view
> the entity details for the subject (click on search on left menu, find and
> click on subject for details). Make sure that information is correct, if
> not, then the source system need to be updated (and that is outside of
> grouper, see the sources.xml). If you are using the subject tables that
> grouper shipped with, then you need to update those tables, the
> setSubjectId method will not change them I believe (correct me if wrong).
> Those are shipped generally to get up and running, and should generally be
> replaced with real tables/views/ldap in prod. However, if you use them,
> you might need to put more infrastructure in place like what we are
> discussing.
> 4. Less likely, but still possible, you need to make sure that the
> membership record you think you are looking at is really the one you are
> looking at. I have run into the situation that I have all these test
> sources and overlap and stuff, and the membership lists get confusing.
> Maybe its just me though. :)
>
> Good luck,
> Chris
>
>
> > -----Original Message-----
> > From: Thomas M Goerger
> > [mailto:]
> > Sent: Monday, May 12, 2008 1:31 PM
> > To: GW Brown, Information Systems and Computing
> > Cc: Tom Barton;
> >
> > Subject: Re: [grouper-users] Changing Grouper ID
> >
> > Hi,
> >
> > I've gotten these commands to all run, but it doesn't seem like the
> > change
> > is being reflected in the database. The name associated with the UUID
> > has
> > changed, but not the one that the UI displays when a group membership
> > listing is shown. This still shows the old name information. Is there
> > a
> > refresh that has to be done to make this happen, or do I need to change
> > a
> > different attribute.
> >
> > Thanks,
> >
> > Tom Goerger
> > University of Minnesota
> > Internet Services
> >
> >
> > On Wed, 23 Apr 2008, GW Brown, Information Systems and Computing wrote:
> >
> > > Tom,
> > >
> > > The session has to be a root session:
> > >
> > > root=SubjectFinder.findRootSubject()
> > > session=GrouperSession.start(root)
> > >
> > > subject=findSubject("<id>")
> > > member=MemberFinder.findBySubject(session,subject)
> > > member.setSubjectId("<newid>")
> > >
> > >
> > > Internally an InsufficientPrivilegeException is thrown. Unfortunately
> > that
> > > is not reflected in the error message you got - something we'll need
> > to
> > > work on.
> > >
> > > Gary
> > >
> > > --On 22 April 2008 12:53 -0500 Thomas M Goerger
> > > <>
> > > wrote:
> > >
> > > > I'm having a problem with the setSubjectID() command. I'm hitting
> > my
> > > > subject a little differently than below, which may be making the
> > > > difference? I'd rather not use the uuid, so I'm hitting the
> > subject as
> > > > follows:
> > > >
> > > > subject=findSubject("<id>")
> > > > session=GrouperSession.start(subject)
> > > > member=MemberFinder.findBySubject(session,subject)
> > > >
> > > > When I then try to run:
> > > >
> > > > member.setSubjectId("<newid>")
> > > >
> > > > I'm receiving the error:
> > > >
> > > > // Error: unable to evaluate command: Sourced file: inline
> > evaluation of:
> > > > ``member.setSubjectId("<newid>");'' : Method Invocation
> > > > member.setSubjectId
> > > >
> > > > Seems like its not seeing the setSubjectId subcommand at all. I'm
> > using
> > > > GrouperShell 0.1.1. Is there something off in my sequence that
> > might be
> > > > causing the problem?
> > > >
> > > > Thanks,
> > > >
> > > > Tom Goerger
> > > >
> > > >
> > > > On Thu, 17 Apr 2008, Tom Barton wrote:
> > > >
> > > >> Or you could use Grouper Shell to make the change. Using Gary's
> > code as
> > > >> a model, the corresponding sequence of gsh commands would be
> > > >>
> > > >> s=GrouperSession.start(SubjectFinder.findRootSubject())
> > > >> m=MemberFinder.findByUuid(s, "<uuid>")
> > > >> m.setSubjectId("newId")
> > > >>
> > > >> Tom
> > > >>
> > > >> GW Brown, Information Systems and Computing wrote:
> > > >> > No, you would need to write some code to do it. I'm sure we can
> > come up
> > > >> > with a command line script but we're busy getting 1.3.0 ready
> > just now.
> > > >> >
> > > >> > You could alter the database directly -
> > > >> >
> > > >> > update grouper_members set subject_id=:newId where
> > subject_id=:oldId
> > > >> >
> > > >> > The code would look something like:
> > > >> >
> > > >> > GrouperSession s =
> > > >> > GrouperSession.start(SubjectFinder.findRootSubject(); Member m =
> > > >> > MemberFinder.findByUuid(s, "<uuid>") ; //look up uuid in the db
> > > >> > m.setSubjectId(newId);
> > > >> >
> > > >> > Gary
> > > >> >
> > > >> > --On 17 April 2008 11:31 -0500 Thomas M Goerger
> > > >> > <>
> > wrote:
> > > >> >
> > > >> >> Do I just add that by adding the attribute to the
> > grouper.properties
> > > >> >> file,
> > > >> >> and setting it to true? And then rebuild the API?
> > > >> >>
> > > >> >>
> > > >> >> On Thu, 17 Apr 2008, GW Brown, Information Systems and
> > Computing
> > > >> >> wrote:
> > > >> >>
> > > >> >>> Hi Tom,
> > > >> >>>
> > > >> >>> Grouper does membership mapping against a row in
> > grouper_members. You
> > > >> >>> can
> > > >> >>> change the subject id there and all the group memberships /
> > > >> >>> privileges still work because they map to a group using the
> > member
> > > >> >>> uuid.
> > > >> >>>
> > > >> >>> There is a Member.setSubjectId method which allows
> > GrouperSystem to
> > > >> >>> do this change via the API.
> > > >> >>>
> > > >> >>> Gary
> > > >> >>>
> > > >> >>> --On 17 April 2008 09:56 -0500 Thomas M Goerger
> > > >> >>> <>
> > wrote:
> > > >> >>>
> > > >> >>> > Hi,
> > > >> >>> >
> > > >> >>> > I'm having an issue with changing the underlying name that
> > Grouper
> > > >> >>> > is using to identify a user. We have an attribute called
> > > >> >>> > OfficialName that we want to use as the unique identifier in
> > > >> >>> > Grouper. Changing this value, as might happen if someone
> > has a
> > > >> >>> > legal name change, seems to be problematic for Grouper. It
> > > >> >>> > recognizes the change if you do another search, but if you
> > try to
> > > >> >>> > list members in a group where one of the names has been
> > changed,
> > > >> >>> > Grouper spits back a Runtime Exception.
> > > >> >>> >
> > > >> >>> > Anyone else dealt with this at all? How do you deal with a
> > > >> >>> > changing id in your implementation?
> > > >> >>> >
> > > >> >>> > Thanks,
> > > >> >>> >
> > > >> >>> > Tom Goerger
> > > >> >>> > University of Minnesota - Internet Services
> > > >> >>> >
> > > >> >>>
> > > >> >>>
> > > >> >>>
> > > >> >>> ----------------------
> > > >> >>> GW Brown, Information Systems and Computing
> > > >> >>>
> > > >> >>>
> > > >> >
> > > >> >
> > > >> >
> > > >> > ----------------------
> > > >> > GW Brown, Information Systems and Computing
> > > >> >
> > > >>
> > >
> > >
> > >
> > > ----------------------
> > > GW Brown, Information Systems and Computing
> > >
> > >
>
- Re: [grouper-users] Changing Grouper ID, Thomas M Goerger, 05/12/2008
- RE: [grouper-users] Changing Grouper ID, Chris Hyzer, 05/12/2008
- RE: [grouper-users] Changing Grouper ID, Thomas M Goerger, 05/13/2008
- RE: [grouper-users] Changing Grouper ID, Thomas M Goerger, 05/21/2008
- RE: [grouper-users] Changing Grouper ID, Chris Hyzer, 05/22/2008
- Re: [grouper-users] Changing Grouper ID, Tom Barton, 05/22/2008
- RE: [grouper-users] Changing Grouper ID, Thomas M Goerger, 05/23/2008
- Re: [grouper-users] Changing Grouper ID, Tom Barton, 05/23/2008
- RE: [grouper-users] Changing Grouper ID, GW Brown, Information Systems and Computing, 05/26/2008
- RE: [grouper-users] Changing Grouper ID, Chris Hyzer, 05/22/2008
- RE: [grouper-users] Changing Grouper ID, Chris Hyzer, 05/12/2008
Archive powered by MHonArc 2.6.16.