grouper-users - RE: [grouper-users] Grouper WS, ws.act.as.group, and the GrouperSystem subject
Subject: Grouper Users - Open Discussion List
- From: Chris Hyzer <>
- To: Scott Koranda <>, Grouper Users Mailing List <>
- Subject: RE: [grouper-users] Grouper WS, ws.act.as.group, and the GrouperSystem subject
- Date: Sun, 25 Jan 2009 08:20:03 -0500
Several people have had confusion with actAs in WS. I made the following
changes in grouper-ws 1.4.1:
1. If the connecting user is GrouperSystem or a wheel user, then it can actAs anyone.
2. If the actAs user is the same as the connecting user, then it is allowed.
https://bugs.internet2.edu/jira/browse/GRP-209
Here is my test case:
wheel group: etc:sysadmingroup
GrouperSysAdmin
etc:webServiceActAsGroup
0. Turn off the actAsCache
ws.act.as.cache.minutes = 0
# make sure the user is not automatically put into wheel group in grouper.properties
1. See that a normal user cannot act as:
gsh 0% getMembers("etc:sysadmingroup");
gsh 1% delMember("etc:sysadmingroup", "10021368");
gsh 2% getMembers("etc:webServiceActAsGroup");
gsh 3% delMember("etc:webServiceActAsGroup", "10021368");
C:\mchyzer\isc\dev\grouper_v1_4\grouperClient\dist\institution\grouperClient.institution-1.4.0>java -jar grouperClient.jar --operation=findGroupsWs --queryFilterType=FIND_BY_GROUP_NAME_APPROXIMATE --groupName=aStem:aGroup
<works>
C:\mchyzer\isc\dev\grouper_v1_4\grouperClient\dist\institution\grouperClient.institution-1.4.0>java -jar grouperClient.jar --operation=findGroupsWs --queryFilterType=FIND_BY_GROUP_NAME_APPROXIMATE --groupName=aStem:aGroup --actAsSubjectId=GrouperSystem
<expected exception>
2. See that a normal user can act as himself:
C:\mchyzer\isc\dev\grouper_v1_4\grouperClient\dist\institution\grouperClient.institution-1.4.0>java -jar grouperClient.jar --operation=findGroupsWs --queryFilterType=FIND_BY_GROUP_NAME_APPROXIMATE --groupName=aStem:aGroup --actAsSubjectId=10021368
3. See that a wheel user can act as anyone
gsh 9% addMember("etc:sysadmingroup", "10021368");
C:\mchyzer\isc\dev\grouper_v1_4\grouperClient\dist\institution\grouperClient.institution-1.4.0>java -jar grouperClient.jar --operation=findGroupsWs --queryFilterType=FIND_BY_GROUP_NAME_APPROXIMATE --groupName=aStem:aGroup --actAsSubjectId=GrouperSystem
<works>
4. Take out of wheel and see it fail again:
gsh 12% delMember("etc:sysadmingroup", "10021368");
C:\mchyzer\isc\dev\grouper_v1_4\grouperClient\dist\institution\grouperClient.institution-1.4.0>java -jar grouperClient.jar --operation=findGroupsWs --queryFilterType=FIND_BY_GROUP_NAME_APPROXIMATE --groupName=aStem:aGroup --actAsSubjectId=GrouperSystem
<expected exception>
5. Add to actAsGroup, and see it succeed
gsh 13% addMember("etc:webServiceActAsGroup", "10021368");
C:\mchyzer\isc\dev\grouper_v1_4\grouperClient\dist\institution\grouperClient.institution-1.4.0>java -jar grouperClient.jar --operation=findGroupsWs --queryFilterType=FIND_BY_GROUP_NAME_APPROXIMATE --groupName=aStem:aGroup --actAsSubjectId=GrouperSystem
<works>
> -----Original Message-----
> From: Scott Koranda
> [mailto:]
> Sent: Friday, January 16, 2009 6:25 PM
> To: Grouper Users Mailing List
> Subject: [grouper-users] Grouper WS, ws.act.as.group, and the
> GrouperSystem subject
>
> Hi,
>
> I am using Grouper WS 1.4.0.
>
> Is it possible to have the 'GrouperSystem' subject leverage
> the actAsSubjectLookup functionality?
>
> I sent in SOAP that included the following
>
> <ns1:actAsSubjectLookup>
>
> <ns1:subjectId></ns1:subjectId>
> <ns1:subjectIdentifier></ns1:subjectIdentifier>
> <ns1:subjectSourceId>ligo</ns1:subjectSourceId>
> </ns1:actAsSubjectLookup>
>
> The operation (groupSave) was invoked by the 'GrouperSystem'
> subject by having tomcat-users.xml include the lines
>
> <role rolename="grouper_user"/>
> <user username="GrouperSystem" password="XXXXXXXX"
> roles="grouper_user"/>
>
> and the web.xml for WS include
>
> <auth-constraint>
> <role-name>grouper_user</role-name>
> </auth-constraint>
>
> When I do this I receive the error
>
> A web service is specifying an actAsUser, but there is no
> 'ws.act.as.group' specified in the grouper-ws.properties
>
> I can specify a ws.act.as.group in grouper-ws.properties, but
> how would I add 'GrouperSystem' to that group?
>
> Thanks,
>
> Scott
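The actAs rules and the five-step test case from the message above, modelled as an added Python example (not Grouper's code and not written by either poster). The function names, the in-memory group table and the order of the checks are assumptions; the group names and the subject id are the ones used in the message.

```python
"""Model of the actAs rules described for grouper-ws 1.4.1 (added example, not Grouper code)."""

ROOT_SUBJECT = "GrouperSystem"

class ActAsDenied(Exception):
    """Raised when the connecting subject may not impersonate the target."""

def resolve_act_as(connecting, act_as, groups, wheel_group, act_as_group):
    """Return the subject the request runs as, or raise ActAsDenied.

    groups maps group name -> set of member subject ids (constructed data);
    wheel_group / act_as_group are configured group names, or None if unset.
    The order of the checks is an assumption, not taken from Grouper's source.
    """
    if not act_as or act_as == connecting:
        return connecting  # change 2: acting as yourself is allowed
    wheel = groups.get(wheel_group, set()) if wheel_group else set()
    if connecting == ROOT_SUBJECT or connecting in wheel:
        return act_as  # change 1: GrouperSystem or a wheel user may act as anyone
    if not act_as_group:
        raise ActAsDenied("actAs requested but no ws.act.as.group is configured")
    if connecting in groups.get(act_as_group, set()):
        return act_as  # member of the configured actAs group
    raise ActAsDenied(f"{connecting} may not act as {act_as}")

def run_test_case():
    """Replay steps 1-5 of the message; return one outcome per client call."""
    user, wheel, act_grp = "10021368", "etc:sysadmingroup", "etc:webServiceActAsGroup"
    groups = {wheel: set(), act_grp: set()}  # step 1: user removed from both

    def attempt(target):
        try:
            resolve_act_as(user, target, groups, wheel, act_grp)
            return "works"
        except ActAsDenied:
            return "denied"

    results = [attempt(None), attempt(ROOT_SUBJECT)]  # step 1
    results.append(attempt(user))                     # step 2
    groups[wheel].add(user)
    results.append(attempt(ROOT_SUBJECT))             # step 3
    groups[wheel].discard(user)
    results.append(attempt(ROOT_SUBJECT))             # step 4
    groups[act_grp].add(user)
    results.append(attempt(ROOT_SUBJECT))             # step 5
    return results

if __name__ == "__main__":
    print(run_test_case())
```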