Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] finding privileges on groups via WS interface

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] finding privileges on groups via WS interface


Chronological Thread 
  • From: Paul Gazda <>
  • To: Chris Hyzer <>
  • Cc: Grouper Users Mailing List <>
  • Subject: RE: [grouper-users] finding privileges on groups via WS interface
  • Date: Mon, 30 Mar 2009 07:58:42 -0700
  • Accept-language: en-US
  • Acceptlanguage: en-US

Perfect! This is exactly what I need. Thank you for getting this
functionality in so quickly!

Paul Gazda

-----Original Message-----
From: Chris Hyzer
[mailto:]
Sent: Wednesday, March 25, 2009 1:31 AM
To: Paul Gazda
Cc: Grouper Users Mailing List
Subject: RE: [grouper-users] finding privileges on groups via WS interface

This is fixed in the 1.4 branch, please get latest (WS and API) and try it out

https://bugs.internet2.edu/jira/browse/GRP-259

You can now query for privileges with just a user or just a group or stem,
and add more info to narrow the search. I left the issue open since I need
to add some junit test cases for it. Here are some example calls with
grouperClient (to web service):

C:\temp>java -jar grouperClient.jar --operation=getGrouperPrivilegesLiteWs
--groupName=aStem:aGroup
Index 0: success: T: code: SUCCESS: group: aStem:aGroup: subject: 10021368:
access: admin
Index 1: success: T: code: SUCCESS: group: aStem:aGroup: subject: 10021368:
access: read
Index 2: success: T: code: SUCCESS: group: aStem:aGroup: subject: 10021368:
access: update
Index 3: success: T: code: SUCCESS: group: aStem:aGroup: subject: 10021368:
access: view
Index 4: success: T: code: SUCCESS: group: aStem:aGroup: subject: GrouperAll:
access: read
Index 5: success: T: code: SUCCESS: group: aStem:aGroup: subject: GrouperAll:
access: view
Index 6: success: T: code: SUCCESS: group: aStem:aGroup: subject:
GrouperSystem: access: admin
Index 7: success: T: code: SUCCESS: group: aStem:aGroup: subject:
GrouperSystem: access: read
Index 8: success: T: code: SUCCESS: group: aStem:aGroup: subject:
GrouperSystem: access: update
Index 9: success: T: code: SUCCESS: group: aStem:aGroup: subject:
GrouperSystem: access: view
Index 10: success: T: code: SUCCESS: group: aStem:aGroup: subject:
test.subject.0: access: admin
Index 11: success: T: code: SUCCESS: group: aStem:aGroup: subject:
test.subject.0: access: read
Index 12: success: T: code: SUCCESS: group: aStem:aGroup: subject:
test.subject.0: access: view

C:\temp>java -jar grouperClient.jar --operation=getGrouperPrivilegesLiteWs
--subjectId=10021368
Index 0: success: T: code: SUCCESS: stem: aStem: subject: 10021368: naming:
create
Index 1: success: T: code: SUCCESS: stem: aStem: subject: 10021368: naming:
stem
Index 2: success: T: code: SUCCESS: stem: aStem:aStem0: subject: 10021368:
naming: create
Index 3: success: T: code: SUCCESS: stem: aStem:aStem0: subject: 10021368:
naming: stem
Index 4: success: T: code: SUCCESS: group: aStem:aGroup: subject: 10021368:
access: admin
Index 5: success: T: code: SUCCESS: group: aStem:aGroup: subject: 10021368:
access: read
Index 6: success: T: code: SUCCESS: group: aStem:aGroup: subject: 10021368:
access: update
Index 7: success: T: code: SUCCESS: group: aStem:aGroup: subject: 10021368:
access: view
Index 8: success: T: code: SUCCESS: group: aStem:activeEmployee: subject:
10021368: access: admin
Index 9: success: T: code: SUCCESS: group: aStem:activeEmployee: subject:
10021368: access: read
Index 10: success: T: code: SUCCESS: group: aStem:activeEmployee: subject:
10021368: access: update
Index 11: success: T: code: SUCCESS: group: aStem:activeEmployee: subject:
10021368: access: view
Index 12: success: T: code: SUCCESS: group: aStem:activeStudent: subject:
10021368: access: admin
Index 13: success: T: code: SUCCESS: group: aStem:activeStudent: subject:
10021368: access: read
Index 14: success: T: code: SUCCESS: group: aStem:activeStudent: subject:
10021368: access: update
Index 15: success: T: code: SUCCESS: group: aStem:activeStudent: subject:
10021368: access: view
Index 16: success: T: code: SUCCESS: group: etc:sysadmingroup: subject:
10021368: access: admin
Index 17: success: T: code: SUCCESS: group: etc:sysadmingroup: subject:
10021368: access: read
Index 18: success: T: code: SUCCESS: group: etc:sysadmingroup: subject:
10021368: access: update
Index 19: success: T: code: SUCCESS: group: etc:sysadmingroup: subject:
10021368: access: view
Index 20: success: T: code: SUCCESS: group: etc:webServiceActAsGroup:
subject: 10021368: access: admin
Index 21: success: T: code: SUCCESS: group: etc:webServiceActAsGroup:
subject: 10021368: access: read
Index 22: success: T: code: SUCCESS: group: etc:webServiceActAsGroup:
subject: 10021368: access: update
Index 23: success: T: code: SUCCESS: group: etc:webServiceActAsGroup:
subject: 10021368: access: view
Index 24: success: T: code: SUCCESS: group: etc:webServiceClientUsers:
subject: 10021368: access: admin
Index 25: success: T: code: SUCCESS: group: etc:webServiceClientUsers:
subject: 10021368: access: read
Index 26: success: T: code: SUCCESS: group: etc:webServiceClientUsers:
subject: 10021368: access: update
Index 27: success: T: code: SUCCESS: group: etc:webServiceClientUsers:
subject: 10021368: access: view
Index 28: success: T: code: SUCCESS: group: penn:etc:sysAdminGroup: subject:
10021368: access: admin
Index 29: success: T: code: SUCCESS: group: penn:etc:sysAdminGroup: subject:
10021368: access: read
Index 30: success: T: code: SUCCESS: group: penn:etc:sysAdminGroup: subject:
10021368: access: update
Index 31: success: T: code: SUCCESS: group: penn:etc:sysAdminGroup: subject:
10021368: access: view
Index 32: success: T: code: SUCCESS: group: penn:etc:userInterfaceUsers:
subject: 10021368: access: admin
Index 33: success: T: code: SUCCESS: group: penn:etc:userInterfaceUsers:
subject: 10021368: access: read
Index 34: success: T: code: SUCCESS: group: penn:etc:userInterfaceUsers:
subject: 10021368: access: update
Index 35: success: T: code: SUCCESS: group: penn:etc:userInterfaceUsers:
subject: 10021368: access: view
Index 36: success: T: code: SUCCESS: group: penn:etc:webServiceActAsGroup:
subject: 10021368: access: admin
Index 37: success: T: code: SUCCESS: group: penn:etc:webServiceActAsGroup:
subject: 10021368: access: read
Index 38: success: T: code: SUCCESS: group: penn:etc:webServiceActAsGroup:
subject: 10021368: access: update
Index 39: success: T: code: SUCCESS: group: penn:etc:webServiceActAsGroup:
subject: 10021368: access: view
Index 40: success: T: code: SUCCESS: group: penn:etc:webServiceClientUsers:
subject: 10021368: access: admin
Index 41: success: T: code: SUCCESS: group: penn:etc:webServiceClientUsers:
subject: 10021368: access: read
Index 42: success: T: code: SUCCESS: group: penn:etc:webServiceClientUsers:
subject: 10021368: access: update
Index 43: success: T: code: SUCCESS: group: penn:etc:webServiceClientUsers:
subject: 10021368: access: view

C:\temp>java -jar grouperClient.jar --operation=getGrouperPrivilegesLiteWs
--stemName=aStem
Index 0: success: T: code: SUCCESS: stem: aStem: subject: 10021368: naming:
create
Index 1: success: T: code: SUCCESS: stem: aStem: subject: 10021368: naming:
stem
Index 2: success: T: code: SUCCESS: stem: aStem: subject: GrouperSystem:
naming: stem
Index 3: success: T: code: SUCCESS: stem: aStem: subject: test.subject.0:
naming: create
Index 4: success: T: code: SUCCESS: stem: aStem: subject: test.subject.0:
naming: stem

C:\temp>java -jar grouperClient.jar --operation=getGrouperPrivilegesLiteWs
--subjectId=10021368 --privilegeType=naming
Index 0: success: T: code: SUCCESS: stem: aStem: subject: 10021368: naming:
create
Index 1: success: T: code: SUCCESS: stem: aStem: subject: 10021368: naming:
stem
Index 2: success: T: code: SUCCESS: stem: aStem:aStem0: subject: 10021368:
naming: create
Index 3: success: T: code: SUCCESS: stem: aStem:aStem0: subject: 10021368:
naming: stem

C:\temp>java -jar grouperClient.jar --operation=getGrouperPrivilegesLiteWs
--stemName=aStem --privilegeName=create
Index 0: success: T: code: SUCCESS: stem: aStem: subject: 10021368: naming:
create
Index 1: success: T: code: SUCCESS: stem: aStem: subject: test.subject.0:
naming: create

C:\temp>java -jar grouperClient.jar --operation=getGrouperPrivilegesLiteWs
--stemName=aStem --privilegeName=create --subjectId=10021368
Index 0: success: T: code: SUCCESS_ALLOWED: stem: aStem: subject: 10021368:
naming: create

> -----Original Message-----
> From: Paul Gazda
> [mailto:]
> Sent: Monday, March 23, 2009 6:30 PM
> To: Chris Hyzer
> Cc: Grouper Users Mailing List
> Subject: RE: [grouper-users] finding privileges on groups via WS interface
>
> What I am looking for specifically is:
> > > > > Is there a WS operation that I can invoke to find all
> > > > > groups for which a particular subject has the 'UPDATE'
> > > > > privilege?
>
> It seems to me that to accomplish that in GrouperClient, I would have to do
> something like:
> java -jar grouperClient.jar --operation=getGroupsWs --subjectIds=123xxx --
> fieldName=updaters
>
> However, when I try that, I get this error:
> Error with grouper client, check the logs: Invalid command line arguments:
> [fieldName]
>
> I do have the latest grouper-ws and GrouperClient. I can get the latest
> grouper from CVS, but it seems like this error is coming from
> GrouperClient.
>
> Paul Gazda
>
>
> -----Original Message-----
> From: Chris Hyzer
> [mailto:]
> Sent: Monday, March 23, 2009 2:00 PM
> To: Paul Gazda
> Cc: Grouper Users Mailing List
> Subject: RE: [grouper-users] finding privileges on groups via WS interface
>
> Im not sure specifically what you are asking for, but this email below says
> that it is available now if you get latest on the 1.4 branch.
>
> Thanks,
> Chris
>
> > -----Original Message-----
> > From: Paul Gazda
> > [mailto:]
> > Sent: Monday, March 23, 2009 4:50 PM
> > To: Chris Hyzer
> > Cc: Grouper Users Mailing List
> > Subject: RE: [grouper-users] finding privileges on groups via WS
> > interface
> >
> > Will this functionality be available in GrouperClient any time soon? It
> > is very important for our implementation.
> >
> > Paul Gazda
> >
> > -----Original Message-----
> > From: Chris Hyzer
> > [mailto:]
> > Sent: Monday, February 23, 2009 11:43 AM
> > To: Scott Koranda
> > Cc: Grouper Users Mailing List
> > Subject: RE: [grouper-users] finding privileges on groups via WS
> > interface
> >
> > I looked into it, and found out why I never added it to WS, because the
> > grouper API doesn't have a method for it. :)
> >
> > Anyways, I added it, feel free to get latest from the 1.4 branch, and
> > try it out. I need to do more testing before closing the bug, but the
> > test I did through a WS call worked fine.
> >
> > cvs
> > -d:pserver::/home/cvs/i2mi
> > login
> > cvs
> > -d:pserver::/home/cvs/i2mi
> > export -r
> > GROUPER_1_4_BRANCH grouper
> > cvs
> > -d:pserver::/home/cvs/i2mi
> > export -r
> > GROUPER_1_4_BRANCH grouper-ws
> >
> > https://bugs.internet2.edu/jira/browse/GRP-232
> >
> > I added the API:
> >
> > gsh 0% subj = findSubject("10021368")
> > subject: id='10021368' type='person' source='pennperson' name='Chris
> > Hyzer'
> > gsh 1% sess = GrouperSession.start(subj)
> > edu.internet2.middleware.grouper.GrouperSession: 8d17a97d-3d1a-4e39-
> > a44c-01a3fead792d,'10021368','person'
> > gsh 2% member = MemberFinder.findBySubject(sess, subj)
> > member: id='10021368' type='person' source='pennperson' uuid='6512f26a-
> > 98b5-486c-bc94-ac26e0d9a7ca'
> > gsh 3% field = FieldFinder.find("admins")
> > access privilege: 'admins'
> > gsh 4% member.getGroups(field);
> > group: name='aStem:whateverGroup2' displayName='aStem:disp2'
> > uuid='b3be109a-afb6-49d0-8aaf-73cbd130f967'
> > group: name='aStem:aGroup' displayName='aStem:aGroup' uuid='4992b987-
> > 3329-418e-ba83-9d9335305902'
> > group: name='aStem:whateverGroup' displayName='aStem:disp1'
> > uuid='2703916b-ac8a-4830-9a60-698a3b1faf97'
> > gsh 5%
> >
> > Then I added a param on the getGroups web services (all flavors, though
> > here is an example in rest batch):
> >
> > <WsRestGetGroupsRequest>
> > <subjectLookups>
> > <WsSubjectLookup>
> > <subjectId>10021368</subjectId>
> > </WsSubjectLookup>
> > <WsSubjectLookup>
> > <subjectId>10039438</subjectId>
> > </WsSubjectLookup>
> > </subjectLookups>
> > <actAsSubjectLookup>
> > <subjectId>GrouperSystem</subjectId>
> > </actAsSubjectLookup>
> > <params>
> > <WsParam>
> > <paramName>fieldName</paramName>
> > <paramValue>admins</paramValue>
> > </WsParam>
> > </params>
> > </WsRestGetGroupsRequest>
> >
> > This will result in the following response (which looks like the normal
> > response, with the exception of the description):
> >
> > <WsGetGroupsResults>
> > <results>
> > <WsGetGroupsResult>
> > <wsGroups>
> > <WsGroup>
> > <extension>whateverGroup2</extension>
> > <displayExtension>disp2</displayExtension>
> > <description>descs</description>
> > <displayName>aStem:disp2</displayName>
> > <name>aStem:whateverGroup2</name>
> > <uuid>b3be109a-afb6-49d0-8aaf-73cbd130f967</uuid>
> > </WsGroup>
> > <WsGroup>
> > <extension>aGroup</extension>
> > <displayExtension>aGroup</displayExtension>
> > <displayName>aStem:aGroup</displayName>
> > <name>aStem:aGroup</name>
> > <uuid>4992b987-3329-418e-ba83-9d9335305902</uuid>
> > </WsGroup>
> > <WsGroup>
> > <extension>whateverGroup</extension>
> > <displayExtension>disp1</displayExtension>
> > <description>desc1</description>
> > <displayName>aStem:disp1</displayName>
> > <name>aStem:whateverGroup</name>
> > <uuid>2703916b-ac8a-4830-9a60-698a3b1faf97</uuid>
> > </WsGroup>
> > </wsGroups>
> > <resultMetadata>
> > <resultCode>SUCCESS</resultCode>
> > <success>T</success>
> > </resultMetadata>
> > <wsSubject>
> > <resultCode>SUCCESS</resultCode>
> > <success>T</success>
> > <id>10021368</id>
> > <sourceId>pennperson</sourceId>
> > </wsSubject>
> > </WsGetGroupsResult>
> > <WsGetGroupsResult>
> > <resultMetadata>
> > <resultCode>SUCCESS</resultCode>
> > <success>T</success>
> > </resultMetadata>
> > <wsSubject>
> > <resultCode>SUCCESS</resultCode>
> > <success>T</success>
> > <id>10039438</id>
> > <sourceId>pennperson</sourceId>
> > </wsSubject>
> > </WsGetGroupsResult>
> > </results>
> > <resultMetadata>
> > <resultCode>SUCCESS</resultCode>
> > <resultMessage>
> > Success for: clientVersion: v1_4_001, subjectLookups: Array size:
> > 2: [0]:
> >
> > edu.internet2.middleware.grouper.ws.soap.WsSubjectLookup@14b2db7[subjec
> > t=&lt;null&gt;,member=&lt;null&gt;,cause=&lt;null&gt;,causeMember=&lt;n
> > ull&gt;,subjectFindResult=&lt;null&gt;,memberFindResult=&lt;null&gt;,su
> > ...
> > memberFilter: All, includeGroupDetail: false, actAsSubject:
> >
> > edu.internet2.middleware.grouper.ws.soap.WsSubjectLookup@6c9220[subject
> > =&lt;null&gt;,member=&lt;null&gt;,cause=&lt;null&gt;,causeMember=&lt;nu
> > ll&gt;,subjectFindResult=&lt;null&gt;,memberFindResult=&lt;null&gt;,sub
> > jectId=GrouperSystem,subjectIdentifier=&lt;null&gt;,subjectSourceId=&lt
> > ;null&gt;]
> > , params: Array size: 1: [0]:
> >
> > edu.internet2.middleware.grouper.ws.soap.WsParam@1ed7524[paramName=fiel
> > dName,...,
> > field: admins
> > </resultMessage>
> > <success>T</success>
> > </resultMetadata>
> > <responseMetadata>
> > <millis>6437</millis>
> > <serverVersion>v1_4_002</serverVersion>
> > </responseMetadata>
> > </WsGetGroupsResults>
> >
> > Regards,
> > Chris
> >
> > > -----Original Message-----
> > > From: Scott Koranda
> > > [mailto:]
> > > Sent: Monday, February 23, 2009 12:16 PM
> > > To: Chris Hyzer
> > > Cc: Grouper Users Mailing List
> > > Subject: Re: [grouper-users] finding privileges on groups via WS
> > > interface
> > >
> > > Hi,
> > >
> > > > Doesn't look like it is possible. Should have been an
> > > > option in getGroups(), not sure if there was a reason it was
> > > > omitted. Anyways, when do you need it?
> > >
> > > I can work around it for now.
> > >
> > > Would it be possible for the 1.4.2 release or would it break
> > > backwards compatibility with 1.4.[0|1]?
> > >
> > > Or should it wait for 1.5?
> > >
> > > Cheers,
> > >
> > > Scott
> > >
> > > >
> > > > Thanks, Chris
> > > >
> > > > > -----Original Message----- From: Scott Koranda
> > > > > [mailto:]
> > > > > Sent: Monday,
> > > > > February 23, 2009 11:01 AM To: Grouper Users Mailing List
> > > > > Subject: [grouper-users] finding privileges on groups via
> > > > > WS interface
> > > > >
> > > > > Hi,
> > > > >
> > > > > I learned recently that I can find all the subjects that
> > > > > have a privilege like 'UPDATE' on a group using the web
> > > > > services interface by invoking the getMembers operation
> > > > > and specifying the fieldName parameter as 'updaters'.
> > > > >
> > > > > Is there a WS operation that I can invoke to find all
> > > > > groups for which a particular subject has the 'UPDATE'
> > > > > privilege?
> > > > >
> > > > > Scott



Archive powered by MHonArc 2.6.16.

Top of Page