Grouper Users - Open Discussion List

[Tom Barton <>]

And much the same can be accomplished by a simple use of gsh:

  gsh 0.1.1% getMembers("aStem:aGroup")

will return the list of subjectId's and sourceIds of the members of the 
group as given in the grouper_members table.

Tom

Chris Hyzer wrote:
> The only place subjectId is stored in the grouper db is the grouper_members 
> table (and any DB subject sources might have it as an attribute, Im assuming 
> you aren't using any).  You might be experiencing caching in your app server. 
>  If you want to see immediate results, try logging out / in, or restarting 
> the servlet container (might be tomcat), or waiting a few minutes (whatever 
> the cache timeout is set to).
>
> To see in the DB which members are in a group (in this case a group named 
> aStem:aGroup, change that for the group you are trying to display), try this 
> query:
>
> select distinct gm.SUBJECT_ID, gm.subject_source subject_source_id, ga.VALUE 
> group_name
>  from grouper_memberships gms, grouper_members gm, grouper_groups gg, 
> grouper_attributes ga
>  where gms.MEMBER_ID = gm.MEMBER_UUID
>  and gms.owner_id = gg.uuid
>  and ga.group_id = gg.UUID
>  and ga.FIELD_NAME = 'name'
>  and gms.list_name = 'members'
>  and gms.list_type = 'list'
>  and ga.VALUE = 'aStem:aGroup'
>
> Make sure that is showing the subject_id's and subject_source_id's that you 
> are expecting...
>
> Kind regards,
> Chris
>
> > -----Original Message-----
> > From: Thomas M Goerger 
> > [mailto:]
> > Sent: Wednesday, May 21, 2008 5:34 PM
> > To: Chris Hyzer
> > Cc: GW Brown, Information Systems and Computing; Tom Barton; grouper-
> >
> > Subject: RE: [grouper-users] Changing Grouper ID
> >
> > I guess what I'm wondering is when I click on the 'List All Members'
> > button in the Grouper UI, what mechanism is it using to actually list
> > those members.  It doesn't seem like it is using the subject_id to list
> > these, as when the LDAP directory name is changed, and the subject_id
> > is
> > changed to match it, the UI is still looking for the original name as
> > it
> > was listed in the LDAP directory.  So, there must be some other place
> > that
> > Grouper is storing this information for it to still be looking for it.
> >
> > Example:
> >
> > We changed my cn in the LDAP directory from Thomas M Goerger-3 to Tom M
> > Goerger-3.  When you go into one of the created groups of which this
> > user
> > is a member and try to list them, you get this error.
> >
> > edu.internet2.middleware.grouper.GrouperRuntimeException: unable to
> > find
> > member as subject: No results: searchSubject filter:(& (cn=%TERM%)
> > (objectclass=person)) searchValue: Thomas M Goerger-3 at
> > edu.internet2.middleware.grouper.Member.getSubjectSource(Member.java:49
> > 2)
> > at
> > edu.internet2.middleware.grouper.GrouperHelper.getOneMembershipPerSubje
> > ctOrGroup(GrouperHelper.java:2271)
> > at
> > edu.internet2.middleware.grouper.ui.actions.PopulateGroupMembersAction.
> > grouperExecute(PopulateGroupMembersAction.java:399)
> > at
> > edu.internet2.middleware.grouper.ui.actions.GrouperCapableAction.execut
> > e(GrouperCapableAction.java:223)
> > at
> > org.apache.struts.action.RequestProcessor.processActionPerform(RequestP
> > rocessor.java:421)
> > at
> > org.apache.struts.action.RequestProcessor.process(RequestProcessor.java
> > :226)
> > at
> > org.apache.struts.action.ActionServlet.process(ActionServlet.java:1164)
> > at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:397)
> > at
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:690) at
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at
> > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applic
> > ationFilterChain.java:269)
> > at
> > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFil
> > terChain.java:188)
> > at
> > edu.internet2.middleware.grouper.ui.LoginCheckFilter.doFilter(LoginChec
> > kFilter.java:168)
> > at
> > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applic
> > ationFilterChain.java:215)
> > at
> > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFil
> > terChain.java:188)
> > at
> > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperVal
> > ve.java:204)
> > at
> > org.apache.catalina.core.StandardContextValve.invoke(StandardContextVal
> > ve.java:174)
> > at
> > org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticato
> > rBase.java:433)
> > at
> > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.jav
> > a:127)
> > at
> > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.jav
> > a:117)
> > at
> > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve
> > .java:108)
> > at
> > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:
> > 151)
> > at
> > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:8
> > 74)
> > at
> > org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.pro
> > cessConnection(Http11BaseProtocol.java:665)
> > at
> > org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoin
> > t.java:528)
> > at
> > org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollo
> > werWorkerThread.java:81)
> > at
> > org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPoo
> > l.java:689)
> > at java.lang.Thread.run(Thread.java:595) Caused by:
> > edu.internet2.middleware.subject.SubjectNotFoundException: No results:
> > searchSubject filter:(& (cn=%TERM%) (objectclass=person)) searchValue:
> > Thomas M Goerger-3 at
> > edu.internet2.middleware.subject.provider.JNDISourceAdapter.getLdapUniq
> > ue(Unknown
> > Source) at
> > edu.internet2.middleware.subject.provider.JNDISourceAdapter.getSubject(
> > Unknown
> > Source) at
> > edu.internet2.middleware.grouper.subj.SourcesXmlResolver.find(SourcesXm
> > lResolver.java:117)
> > at
> > edu.internet2.middleware.grouper.subj.CachingResolver.find(CachingResol
> > ver.java:104)
> > at
> > edu.internet2.middleware.grouper.subj.ValidatingResolver.find(Validatin
> > gResolver.java:88)
> > at
> > edu.internet2.middleware.grouper.SubjectFinder.findById(SubjectFinder.j
> > ava:122)
> > at edu.internet2.middleware.grouper.Member.getSubject(Member.java:449)
> > at
> > edu.internet2.middleware.grouper.Member.getSubjectSource(Member.java:48
> > 7)
> > ... 27 more
> >
> > If I change the subject_id in the database, this error remains
> > unchanged.
> > Grouper is still looking for the old cn.  So, it must be being stored
> > somewhere else.  Looking through the tables in the database hasn't
> > yielded
> > anything.  Is the original value actually hard-coded into a different
> > value somewhere, or is it found in another place?
> >
> > Thanks,
> >
> > Tom Goerger
> > University of Minnesota
> > Internet Services
> >
> >
> > On Mon, 12 May 2008, Chris Hyzer wrote:
> >
> > > Hopefully this will help you out:
> > >
> > > 1. To see if the setSubjectId() method has worked, look in the
> > grouper_members table.  For the uuid / subjectId / subjectSourceId
> > record, you should see the same uuid, and same sourceId, but different
> > subjectId.
> > > 2. That is all that method does, so when you pull up a membership
> > record, there could be a couple of things going on:
> > > 3. Most likely, the subject source has the wrong data.  Search for
> > and view the entity details for the subject (click on search on left
> > menu, find and click on subject for details).  Make sure that
> > information is correct, if not, then the source system need to be
> > updated (and that is outside of grouper, see the sources.xml).  If you
> > are using the subject tables that grouper shipped with, then you need
> > to update those tables, the setSubjectId method will not change them I
> > believe (correct me if wrong).  Those are shipped generally to get up
> > and running, and should generally be replaced with real
> > tables/views/ldap in prod.  However, if you use them, you might need to
> > put more infrastructure in place like what we are discussing.
> > > 4. Less likely, but still possible, you need to make sure that the
> > membership record you think you are looking at is really the one you
> > are looking at.  I have run into the situation that I have all these
> > test sources and overlap and stuff, and the membership lists get
> > confusing.  Maybe its just me though.  :)
> > > Good luck,
> > > Chris
> > >
> > >
> > > > -----Original Message-----
> > > > From: Thomas M Goerger 
> > > > [mailto:]
> > > > Sent: Monday, May 12, 2008 1:31 PM
> > > > To: GW Brown, Information Systems and Computing
> > > > Cc: Tom Barton; 
> > > >
> > > > Subject: Re: [grouper-users] Changing Grouper ID
> > > >
> > > > Hi,
> > > >
> > > > I've gotten these commands to all run, but it doesn't seem like the
> > > > change
> > > > is being reflected in the database.  The name associated with the
> > UUID
> > > > has
> > > > changed, but not the one that the UI displays when a group
> > membership
> > > > listing is shown.  This still shows the old name information.  Is
> > there
> > > > a
> > > > refresh that has to be done to make this happen, or do I need to
> > change
> > > > a
> > > > different attribute.
> > > >
> > > > Thanks,
> > > >
> > > > Tom Goerger
> > > > University of Minnesota
> > > > Internet Services
> > > >
> > > >
> > > > On Wed, 23 Apr 2008, GW Brown, Information Systems and Computing
> > wrote:
> > > > > Tom,
> > > > >
> > > > > The session has to be a root session:
> > > > >
> > > > > root=SubjectFinder.findRootSubject()
> > > > > session=GrouperSession.start(root)
> > > > >
> > > > > subject=findSubject("<id>")
> > > > > member=MemberFinder.findBySubject(session,subject)
> > > > > member.setSubjectId("<newid>")
> > > > >
> > > > >
> > > > > Internally an InsufficientPrivilegeException is thrown.
> > Unfortunately
> > > > that
> > > > > is not reflected in the error message you got - something we'll
> > need
> > > > to
> > > > > work on.
> > > > >
> > > > > Gary
> > > > >
> > > > > --On 22 April 2008 12:53 -0500 Thomas M Goerger 
> > > > > <>
> > wrote:
> > > > > > I'm having a problem with the setSubjectID() command.  I'm
> > hitting
> > > > my
> > > > > > subject a little differently than below, which may be making
> > the
> > > > > > difference?  I'd rather not use the uuid, so I'm hitting the
> > > > subject as
> > > > > > follows:
> > > > > >
> > > > > > subject=findSubject("<id>")
> > > > > > session=GrouperSession.start(subject)
> > > > > > member=MemberFinder.findBySubject(session,subject)
> > > > > >
> > > > > > When I then try to run:
> > > > > >
> > > > > > member.setSubjectId("<newid>")
> > > > > >
> > > > > > I'm receiving the error:
> > > > > >
> > > > > > // Error: unable to evaluate command: Sourced file: inline
> > > > evaluation of:
> > > > > > ``member.setSubjectId("<newid>");'' : Method Invocation
> > > > > > member.setSubjectId
> > > > > >
> > > > > > Seems like its not seeing the setSubjectId subcommand at all.
> > I'm
> > > > using
> > > > > > GrouperShell 0.1.1.  Is there something off in my sequence that
> > > > might be
> > > > > > causing the problem?
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Tom Goerger
> > > > > >
> > > > > >
> > > > > > On Thu, 17 Apr 2008, Tom Barton wrote:
> > > > > >
> > > > > > > Or you could use Grouper Shell to make the change. Using
> > Gary's
> > > > code as
> > > > > > > a model, the corresponding sequence of gsh commands would be
> > > > > > >
> > > > > > > s=GrouperSession.start(SubjectFinder.findRootSubject())
> > > > > > > m=MemberFinder.findByUuid(s, "<uuid>")
> > > > > > > m.setSubjectId("newId")
> > > > > > >
> > > > > > > Tom
> > > > > > >
> > > > > > > GW Brown, Information Systems and Computing wrote:
> > > > > > > > No, you would need to write some code to do it. I'm sure we
> > can
> > > > come up
> > > > > > > > with a command line script but we're busy getting 1.3.0
> > ready
> > > > just now.
> > > > > > > > You could alter the database directly -
> > > > > > > >
> > > > > > > > update grouper_members set subject_id=:newId where
> > > > subject_id=:oldId
> > > > > > > > The code would look something like:
> > > > > > > >
> > > > > > > > GrouperSession s =
> > > > > > > > GrouperSession.start(SubjectFinder.findRootSubject(); Member
> > m =
> > > > > > > > MemberFinder.findByUuid(s, "<uuid>") ; //look up uuid in the
> > db
> > > > > > > > m.setSubjectId(newId);
> > > > > > > >
> > > > > > > > Gary
> > > > > > > >
> > > > > > > > --On 17 April 2008 11:31 -0500 Thomas M Goerger
> > <>
> > > > wrote:
> > > > > > > > > Do I just add that by adding the attribute to the
> > > > grouper.properties
> > > > > > > > > file,
> > > > > > > > > and setting it to true?  And then rebuild the API?
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Thu, 17 Apr 2008, GW Brown, Information Systems and
> > > > Computing
> > > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > Hi Tom,
> > > > > > > > > >
> > > > > > > > > > Grouper does membership mapping against a row in
> > > > grouper_members. You
> > > > > > > > > > can
> > > > > > > > > > change the subject id there and all the group memberships
> > /
> > > > > > > > > > privileges still work because they map to a group using
> > the
> > > > member
> > > > > > > > > > uuid.
> > > > > > > > > >
> > > > > > > > > > There is a Member.setSubjectId method which allows
> > > > GrouperSystem to
> > > > > > > > > > do this change via the API.
> > > > > > > > > >
> > > > > > > > > > Gary
> > > > > > > > > >
> > > > > > > > > > --On 17 April 2008 09:56 -0500 Thomas M Goerger
> > <>
> > > > wrote:
> > > > > > > > > > > Hi,
> > > > > > > > > > >
> > > > > > > > > > > I'm having an issue with changing the underlying name
> > that
> > > > Grouper
> > > > > > > > > > > is using to identify a user.  We have an attribute
> > called
> > > > > > > > > > > OfficialName that we want to use as the unique
> > identifier in
> > > > > > > > > > > Grouper.  Changing this value, as might happen if
> > someone
> > > > has a
> > > > > > > > > > > legal name change, seems to be problematic for Grouper.
> > It
> > > > > > > > > > > recognizes the change if you do another search, but if
> > you
> > > > try to
> > > > > > > > > > > list members in a group where one of the names has been
> > > > changed,
> > > > > > > > > > > Grouper spits back a Runtime Exception.
> > > > > > > > > > >
> > > > > > > > > > > Anyone else dealt with this at all?  How do you deal
> > with a
> > > > > > > > > > > changing id in your implementation?
> > > > > > > > > > >
> > > > > > > > > > > Thanks,
> > > > > > > > > > >
> > > > > > > > > > > Tom Goerger
> > > > > > > > > > > University of Minnesota - Internet Services
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > ----------------------
> > > > > > > > > > GW Brown, Information Systems and Computing
> > > > > > > >
> > > > > > > >
> > > > > > > > ----------------------
> > > > > > > > GW Brown, Information Systems and Computing
> > > > >
> > > > >
> > > > > ----------------------
> > > > > GW Brown, Information Systems and Computing
begin:vcard
fn:Tom Barton
n:Barton;Tom
org:University of Chicago;Networking Services & Information Technology
adr;dom:1155 E. 60th St.;;Rm 309, 1155 Bldg;Chicago;IL;60637
email;internet:
title:Sr. Director - Integration
tel;work:+1 773 834 1700
version:2.1
end:vcard