grouper-users - RE: [grouper-users] Changing Grouper ID
Subject: Grouper Users - Open Discussion List
List archive
- From: "GW Brown, Information Systems and Computing" <>
- To: Thomas M Goerger <>, Chris Hyzer <>
- Cc: Tom Barton <>,
- Subject: RE: [grouper-users] Changing Grouper ID
- Date: Mon, 26 May 2008 16:32:21 +0100
Tom,
I think I have found the problem. The code which looks up Member objects by uuid uses a simple HashMap to cache the objects. It should use an Ehcache which can be configured to expire objects after a specified idle time.
For the time being youll have to restart the Grouper UI webapp or the application server (Tomcat), before changes made using GSH appear in the UI. Well work on reviewing the code to see if there are other, similar non-expiring caches and switch any over to use Ehcache.
Im not sure this is a commonly used feature which is why no one else has reported it before.
As far as I could see, changes made in GSH were reflected immediately in the database.
Gary
--On 23 May 2008 13:10 -0500 Thomas M Goerger
<>
wrote:
Thanks for the advice. I did manage to get the subject_id to update in
the database, and in the UI finally. A few notes though, and maybe
someone can tell me if I'm doing something wrong.
I wasn't able to get the name to change by using the grouper shell. I was
able to get the commands to run successfully, and was able to see the
change made within the shell. However, when I accessed the database after
making these changes, I didn't see any change to the subject ID there. Is
there something I need to do to push these changes through?
In order to make the actual change to the subject ID, I just hit the
database itself, and changed the subject ID using SQL commands. Fine for
what we need. But, in order for the UI to actually see the changes made,
I had to rebuild the UI completely. I'm sure that this wouldn't actually
be necessary. Is there another way to refresh what the UI is seeing in
the database short of rebuilding? I'm not certain how to just restart the
Grouper instance, which I'm sure would probably do it. However, this
brings up another question. Why would I need to restart Grouper at all?
Surely there should be an easy way to dump the cache that Grouper is
working off of, and force it to see a fresh view of the DB. Any way to do
this?
I'm wondering if anyone has actually changed a subject ID in Grouper the
way we are. It doesn't seem like these problems have come up with anyone
else, from searching the Web, or from reading the list. Is this not
something that was expected to happen, or is Grouper just not built to
accomodate this?
Thanks,
Tom Goerger
University of Minnesota
Internet Services
On Thu, 22 May 2008, Chris Hyzer wrote:
The only place subjectId is stored in the grouper db is the
grouper_members table (and any DB subject sources might have it as an
attribute, Im assuming you aren't using any). You might be experiencing
caching in your app server. If you want to see immediate results, try
logging out / in, or restarting the servlet container (might be tomcat),
or waiting a few minutes (whatever the cache timeout is set to).
To see in the DB which members are in a group (in this case a group
named aStem:aGroup, change that for the group you are trying to
display), try this query:
select distinct gm.SUBJECT_ID, gm.subject_source subject_source_id,
ga.VALUE group_name from grouper_memberships gms, grouper_members gm,
grouper_groups gg, grouper_attributes ga where gms.MEMBER_ID =
gm.MEMBER_UUID
and gms.owner_id = gg.uuid
and ga.group_id = gg.UUID
and ga.FIELD_NAME = 'name'
and gms.list_name = 'members'
and gms.list_type = 'list'
and ga.VALUE = 'aStem:aGroup'
Make sure that is showing the subject_id's and subject_source_id's that
you are expecting...
Kind regards,
Chris
> -----Original Message-----
> From: Thomas M Goerger
[mailto:]
> Sent: Wednesday, May 21, 2008 5:34 PM
> To: Chris Hyzer
> Cc: GW Brown, Information Systems and Computing; Tom Barton; grouper-
>
> Subject: RE: [grouper-users] Changing Grouper ID
>
> I guess what I'm wondering is when I click on the 'List All Members'
> button in the Grouper UI, what mechanism is it using to actually list
> those members. It doesn't seem like it is using the subject_id to list
> these, as when the LDAP directory name is changed, and the subject_id
> is
> changed to match it, the UI is still looking for the original name as
> it
> was listed in the LDAP directory. So, there must be some other place
> that
> Grouper is storing this information for it to still be looking for it.
>
> Example:
>
> We changed my cn in the LDAP directory from Thomas M Goerger-3 to Tom M
> Goerger-3. When you go into one of the created groups of which this
> user
> is a member and try to list them, you get this error.
>
> edu.internet2.middleware.grouper.GrouperRuntimeException: unable to
> find
> member as subject: No results: searchSubject filter:(& (cn=%TERM%)
> (objectclass=person)) searchValue: Thomas M Goerger-3 at
> edu.internet2.middleware.grouper.Member.getSubjectSource(Member.java:49
> 2)
> at
> edu.internet2.middleware.grouper.GrouperHelper.getOneMembershipPerSubje
> ctOrGroup(GrouperHelper.java:2271)
> at
> edu.internet2.middleware.grouper.ui.actions.PopulateGroupMembersAction.
> grouperExecute(PopulateGroupMembersAction.java:399)
> at
> edu.internet2.middleware.grouper.ui.actions.GrouperCapableAction.execut
> e(GrouperCapableAction.java:223)
> at
> org.apache.struts.action.RequestProcessor.processActionPerform(RequestP
> rocessor.java:421)
> at
> org.apache.struts.action.RequestProcessor.process(RequestProcessor.java
> :226)
> at
> org.apache.struts.action.ActionServlet.process(ActionServlet.java:1164)
> at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:397)
> at
> javax.servlet.http.HttpServlet.service(HttpServlet.java:690) at
> javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applic
> ationFilterChain.java:269)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFil
> terChain.java:188)
> at
> edu.internet2.middleware.grouper.ui.LoginCheckFilter.doFilter(LoginChec
> kFilter.java:168)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applic
> ationFilterChain.java:215)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFil
> terChain.java:188)
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperVal
> ve.java:204)
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextVal
> ve.java:174)
> at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticato
> rBase.java:433)
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.jav
> a:127)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.jav
> a:117)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve
> .java:108)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:
> 151)
> at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:8
> 74)
> at
> org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.pro
> cessConnection(Http11BaseProtocol.java:665)
> at
> org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoin
> t.java:528)
> at
> org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollo
> werWorkerThread.java:81)
> at
> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPoo
> l.java:689)
> at java.lang.Thread.run(Thread.java:595) Caused by:
> edu.internet2.middleware.subject.SubjectNotFoundException: No results:
> searchSubject filter:(& (cn=%TERM%) (objectclass=person)) searchValue:
> Thomas M Goerger-3 at
> edu.internet2.middleware.subject.provider.JNDISourceAdapter.getLdapUniq
> ue(Unknown
> Source) at
> edu.internet2.middleware.subject.provider.JNDISourceAdapter.getSubject(
> Unknown
> Source) at
> edu.internet2.middleware.grouper.subj.SourcesXmlResolver.find(SourcesXm
> lResolver.java:117)
> at
> edu.internet2.middleware.grouper.subj.CachingResolver.find(CachingResol
> ver.java:104)
> at
> edu.internet2.middleware.grouper.subj.ValidatingResolver.find(Validatin
> gResolver.java:88)
> at
> edu.internet2.middleware.grouper.SubjectFinder.findById(SubjectFinder.j
> ava:122)
> at edu.internet2.middleware.grouper.Member.getSubject(Member.java:449)
> at
> edu.internet2.middleware.grouper.Member.getSubjectSource(Member.java:48
> 7)
> ... 27 more
>
> If I change the subject_id in the database, this error remains
> unchanged.
> Grouper is still looking for the old cn. So, it must be being stored
> somewhere else. Looking through the tables in the database hasn't
> yielded
> anything. Is the original value actually hard-coded into a different
> value somewhere, or is it found in another place?
>
> Thanks,
>
> Tom Goerger
> University of Minnesota
> Internet Services
>
>
> On Mon, 12 May 2008, Chris Hyzer wrote:
>
> > Hopefully this will help you out:
> >
> > 1. To see if the setSubjectId() method has worked, look in the
> grouper_members table. For the uuid / subjectId / subjectSourceId
> record, you should see the same uuid, and same sourceId, but different
> subjectId.
> > 2. That is all that method does, so when you pull up a membership
> record, there could be a couple of things going on:
> > 3. Most likely, the subject source has the wrong data. Search for
> and view the entity details for the subject (click on search on left
> menu, find and click on subject for details). Make sure that
> information is correct, if not, then the source system need to be
> updated (and that is outside of grouper, see the sources.xml). If you
> are using the subject tables that grouper shipped with, then you need
> to update those tables, the setSubjectId method will not change them I
> believe (correct me if wrong). Those are shipped generally to get up
> and running, and should generally be replaced with real
> tables/views/ldap in prod. However, if you use them, you might need to
> put more infrastructure in place like what we are discussing.
> > 4. Less likely, but still possible, you need to make sure that the
> membership record you think you are looking at is really the one you
> are looking at. I have run into the situation that I have all these
> test sources and overlap and stuff, and the membership lists get
> confusing. Maybe its just me though. :)
> >
> > Good luck,
> > Chris
> >
> >
> > > -----Original Message-----
> > > From: Thomas M Goerger
[mailto:]
> > > Sent: Monday, May 12, 2008 1:31 PM
> > > To: GW Brown, Information Systems and Computing
> > > Cc: Tom Barton;
> > > Subject: Re: [grouper-users] Changing Grouper ID
> > >
> > > Hi,
> > >
> > > I've gotten these commands to all run, but it doesn't seem like the
> > > change
> > > is being reflected in the database. The name associated with the
> UUID
> > > has
> > > changed, but not the one that the UI displays when a group
> membership
> > > listing is shown. This still shows the old name information. Is
> there
> > > a
> > > refresh that has to be done to make this happen, or do I need to
> change
> > > a
> > > different attribute.
> > >
> > > Thanks,
> > >
> > > Tom Goerger
> > > University of Minnesota
> > > Internet Services
> > >
> > >
> > > On Wed, 23 Apr 2008, GW Brown, Information Systems and Computing
> wrote:
> > >
> > > > Tom,
> > > >
> > > > The session has to be a root session:
> > > >
> > > > root=SubjectFinder.findRootSubject()
> > > > session=GrouperSession.start(root)
> > > >
> > > > subject=findSubject("<id>")
> > > > member=MemberFinder.findBySubject(session,subject)
> > > > member.setSubjectId("<newid>")
> > > >
> > > >
> > > > Internally an InsufficientPrivilegeException is thrown.
> Unfortunately
> > > that
> > > > is not reflected in the error message you got - something we'll
> need
> > > to
> > > > work on.
> > > >
> > > > Gary
> > > >
> > > > --On 22 April 2008 12:53 -0500 Thomas M Goerger
<>
> wrote:
> > > >
> > > > > I'm having a problem with the setSubjectID() command. I'm
> hitting
> > > my
> > > > > subject a little differently than below, which may be making
> the
> > > > > difference? I'd rather not use the uuid, so I'm hitting the
> > > subject as
> > > > > follows:
> > > > >
> > > > > subject=findSubject("<id>")
> > > > > session=GrouperSession.start(subject)
> > > > > member=MemberFinder.findBySubject(session,subject)
> > > > >
> > > > > When I then try to run:
> > > > >
> > > > > member.setSubjectId("<newid>")
> > > > >
> > > > > I'm receiving the error:
> > > > >
> > > > > // Error: unable to evaluate command: Sourced file: inline
> > > evaluation of:
> > > > > ``member.setSubjectId("<newid>");'' : Method Invocation
> > > > > member.setSubjectId
> > > > >
> > > > > Seems like its not seeing the setSubjectId subcommand at all.
> I'm
> > > using
> > > > > GrouperShell 0.1.1. Is there something off in my sequence that
> > > might be
> > > > > causing the problem?
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Tom Goerger
> > > > >
> > > > >
> > > > > On Thu, 17 Apr 2008, Tom Barton wrote:
> > > > >
> > > > >> Or you could use Grouper Shell to make the change. Using
> Gary's
> > > code as
> > > > >> a model, the corresponding sequence of gsh commands would be
> > > > >>
> > > > >> s=GrouperSession.start(SubjectFinder.findRootSubject())
> > > > >> m=MemberFinder.findByUuid(s, "<uuid>")
> > > > >> m.setSubjectId("newId")
> > > > >>
> > > > >> Tom
> > > > >>
> > > > >> GW Brown, Information Systems and Computing wrote:
> > > > >> > No, you would need to write some code to do it. I'm sure we
> can
> > > come up
> > > > >> > with a command line script but we're busy getting 1.3.0
> ready
> > > just now.
> > > > >> >
> > > > >> > You could alter the database directly -
> > > > >> >
> > > > >> > update grouper_members set subject_id=:newId where
> > > subject_id=:oldId
> > > > >> >
> > > > >> > The code would look something like:
> > > > >> >
> > > > >> > GrouperSession s =
> > > > >> > GrouperSession.start(SubjectFinder.findRootSubject(); Member
> m =
> > > > >> > MemberFinder.findByUuid(s, "<uuid>") ; //look up uuid in the
> db
> > > > >> > m.setSubjectId(newId);
> > > > >> >
> > > > >> > Gary
> > > > >> >
> > > > >> > --On 17 April 2008 11:31 -0500 Thomas M Goerger
>
<>
> > > wrote:
> > > > >> >
> > > > >> >> Do I just add that by adding the attribute to the
> > > grouper.properties
> > > > >> >> file,
> > > > >> >> and setting it to true? And then rebuild the API?
> > > > >> >>
> > > > >> >>
> > > > >> >> On Thu, 17 Apr 2008, GW Brown, Information Systems and
> > > Computing
> > > > >> >> wrote:
> > > > >> >>
> > > > >> >>> Hi Tom,
> > > > >> >>>
> > > > >> >>> Grouper does membership mapping against a row in
> > > grouper_members. You
> > > > >> >>> can
> > > > >> >>> change the subject id there and all the group memberships
> /
> > > > >> >>> privileges still work because they map to a group using
> the
> > > member
> > > > >> >>> uuid.
> > > > >> >>>
> > > > >> >>> There is a Member.setSubjectId method which allows
> > > GrouperSystem to
> > > > >> >>> do this change via the API.
> > > > >> >>>
> > > > >> >>> Gary
> > > > >> >>>
> > > > >> >>> --On 17 April 2008 09:56 -0500 Thomas M Goerger
>
<>
> > > wrote:
> > > > >> >>>
> > > > >> >>> > Hi,
> > > > >> >>> >
> > > > >> >>> > I'm having an issue with changing the underlying name
> that
> > > Grouper
> > > > >> >>> > is using to identify a user. We have an attribute
> called
> > > > >> >>> > OfficialName that we want to use as the unique
> identifier in
> > > > >> >>> > Grouper. Changing this value, as might happen if
> someone
> > > has a
> > > > >> >>> > legal name change, seems to be problematic for Grouper.
> It
> > > > >> >>> > recognizes the change if you do another search, but if
> you
> > > try to
> > > > >> >>> > list members in a group where one of the names has been
> > > changed,
> > > > >> >>> > Grouper spits back a Runtime Exception.
> > > > >> >>> >
> > > > >> >>> > Anyone else dealt with this at all? How do you deal
> with a
> > > > >> >>> > changing id in your implementation?
> > > > >> >>> >
> > > > >> >>> > Thanks,
> > > > >> >>> >
> > > > >> >>> > Tom Goerger
> > > > >> >>> > University of Minnesota - Internet Services
> > > > >> >>> >
> > > > >> >>>
> > > > >> >>>
> > > > >> >>>
> > > > >> >>> ----------------------
> > > > >> >>> GW Brown, Information Systems and Computing
> > > > >> >>>
> > > > >> >>>
> > > > >> >
> > > > >> >
> > > > >> >
> > > > >> > ----------------------
> > > > >> > GW Brown, Information Systems and Computing
> > > > >> >
> > > > >>
> > > >
> > > >
> > > >
> > > > ----------------------
> > > > GW Brown, Information Systems and Computing
> > > >
> > > >
> >
----------------------
GW Brown, Information Systems and Computing
- Re: [grouper-users] Changing Grouper ID, Thomas M Goerger, 05/12/2008
- RE: [grouper-users] Changing Grouper ID, Chris Hyzer, 05/12/2008
- RE: [grouper-users] Changing Grouper ID, Thomas M Goerger, 05/13/2008
- RE: [grouper-users] Changing Grouper ID, Thomas M Goerger, 05/21/2008
- RE: [grouper-users] Changing Grouper ID, Chris Hyzer, 05/22/2008
- Re: [grouper-users] Changing Grouper ID, Tom Barton, 05/22/2008
- RE: [grouper-users] Changing Grouper ID, Thomas M Goerger, 05/23/2008
- Re: [grouper-users] Changing Grouper ID, Tom Barton, 05/23/2008
- RE: [grouper-users] Changing Grouper ID, GW Brown, Information Systems and Computing, 05/26/2008
- RE: [grouper-users] Changing Grouper ID, Chris Hyzer, 05/22/2008
- RE: [grouper-users] Changing Grouper ID, Chris Hyzer, 05/12/2008
Archive powered by MHonArc 2.6.16.