grouper-users - RE: AssignGrouperPrivileges in GrouperClient
Subject: Grouper Users - Open Discussion List
- From: Paul Gazda <>
- To: Chris Hyzer <>, "" <>
- Subject: RE: AssignGrouperPrivileges in GrouperClient
- Date: Mon, 4 Jan 2010 10:38:20 -0700
- Accept-language: en-US
Chris,

This looks great! Thank you. The multiple subjects and replace all functionality will greatly improve efficiency in my application. I have a couple of questions.

I’m not clear how the wsSubjectLookups, privilegeType and privilegeNames relate. It looks like you have one privilegeType that applies to all of the privilegeNames (they must be all of the same type). Then, there is a 1:1 correspondence between wsSubjectLookups and privilegeNames such that one privilege is assigned to one subject. For example, if wsSubjectLookups contains “id.test.subject.1, id.test.subject.2, and id.test.subject.3”, and privilegeNames contains “admin, read, update”, then id.test.subject.1 is given admin privilege, id.test.subject.2 is given read privilege, and id.test.subject.3 is given update privilege. Is my understanding correct?

I notice that the existing GcAssignGrouperPrivilegesLite uses the group name via assignGroupName(groupName), whereas AssignGrouperPrivileges uses WsGroupLookup. Why the switch? Wouldn’t it be more consistent to use the same means of obtaining the group (and stem) names in both methods?

Paul Gazda

From: Chris Hyzer [mailto:]

> Chris,
>
> I see that you currently have only GcAssignGrouperPrivilegesLite in GrouperClient 1.4.1. Are you planning to add a GcAssignGrouperPrivileges that will allow assignment of privileges to more than one subject in a single invocation?
>
> Paul Gazda

This is done for 1.6.0. Note, we just switched from CVS to subversion (more details to follow soon), so the links in the web service docs are not current or will not work. Fyi here are the svn urls:

http://anonsvn.internet2.edu/svn/i2mi
or
http://anonsvn.internet2.edu/cgi-bin/viewvc.cgi/i2mi/

Non-lite privilege management:

https://bugs.internet2.edu/jira/browse/GRP-242
https://spaces.internet2.edu/display/GrouperWG/v1.6.0+Add+or+remove+grouper+privileges

Let me know asap if this design needs changes.

Here is the ws method:

  /**
   * <pre>
   * assign a privilege for a user/group/type/name combo
   * e.g. POST /grouperPrivileges
   * </pre>
   * @param clientVersion is the version of the client. Must be in GrouperWsVersion, e.g. v1_3_000
   * @param wsSubjectLookups are the subjects to assign the privileges to, looked up by subjectId or identifier
   * @param wsGroupLookup if this is a group privilege, this is the group
   * @param wsStemLookup if this is a stem privilege, this is the stem
   * @param replaceAllExisting
   *          optional: T or F (default), if the existing privilege assignments for this object should be
   *          replaced
   * @param actAsSubjectLookup optional: is the subject to act as (if proxying).
   * @param privilegeType (e.g. "access" for groups and "naming" for stems)
   * @param privilegeNames (e.g. for groups: read, view, update, admin, optin, optout. e.g. for stems:
   * stem, create)
   * @param allowed is T to allow this privilege, F to deny this privilege
   * @param includeSubjectDetail
   *          T|F, for if the extended subject information should be
   *          returned (anything more than just the id)
   * @param subjectAttributeNames are the additional subject attributes (data) to return.
   * If blank, whatever is configured in the grouper-ws.properties will be sent (comma separated)
   * @param includeGroupDetail T or F as for if group detail should be included
   * @param txType is the GrouperTransactionType for the request. If blank, defaults to
   * NONE (will finish as much as possible). Generally the only values for this param that make sense
   * are NONE (or blank), and READ_WRITE_NEW.
   * @param params
   *          optional: reserved for future use
   * @return the result of one member query
   */
  public static WsAssignGrouperPrivilegesResults assignGrouperPrivileges(
      final GrouperWsVersion clientVersion,
      final WsSubjectLookup[] wsSubjectLookups,
      final WsGroupLookup wsGroupLookup,
      final WsStemLookup wsStemLookup,
      final PrivilegeType privilegeType, final Privilege[] privilegeNames,
      final boolean allowed,
      final boolean replaceAllExisting, GrouperTransactionType txType,
      final WsSubjectLookup actAsSubjectLookup,
      final boolean includeSubjectDetail, final String[] subjectAttributeNames,
      final boolean includeGroupDetail, final WsParam[] params) {

Here is a sample:

#########################################
##
## HTTP request sample (could be formatted for view by
## indenting or changing dates or other data)
##
#########################################

POST /grouper-ws/servicesRest/v1_5_000/grouperPrivileges HTTP/1.1
Connection: close
Authorization: Basic xxxxxxxxxxxxxxxxx==
User-Agent: Jakarta Commons-HttpClient/3.1
Host: localhost:8092
Content-Length: 771
Content-Type: text/xml; charset=UTF-8

<WsRestAssignGrouperPrivilegesRequest>
  <replaceAllExisting>F</replaceAllExisting>
  <allowed>T</allowed>
  <clientVersion>v1_5_000</clientVersion>
  <wsGroupLookup>
    <groupName>aStem:aGroup</groupName>
  </wsGroupLookup>
  <privilegeType>access</privilegeType>
  <privilegeNames>
    <string>update</string>
    <string>read</string>
  </privilegeNames>
  <wsSubjectLookups>
    <WsSubjectLookup>
      <subjectId>test.subject.0</subjectId>
      <subjectIdentifier></subjectIdentifier>
      <subjectSourceId>jdbc</subjectSourceId>
    </WsSubjectLookup>
    <WsSubjectLookup>
      <subjectId></subjectId>
      <subjectIdentifier>id.test.subject.1</subjectIdentifier>
      <subjectSourceId></subjectSourceId>
    </WsSubjectLookup>
  </wsSubjectLookups>
  <actAsSubjectLookup>
    <subjectId>GrouperSystem</subjectId>
  </actAsSubjectLookup>
</WsRestAssignGrouperPrivilegesRequest>

#########################################
##
## HTTP response sample (could be formatted for view by
## indenting or changing dates or other data)
##
#########################################

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=xxxxxxxxxxxxxxxxxxxxxxxx; Path=/grouper-ws
X-Grouper-resultCode: SUCCESS
X-Grouper-success: T
X-Grouper-resultCode2: NONE
Content-Type: text/xml;charset=UTF-8
Date: Thu, 31 Dec 2009 17:31:46 GMT
Connection: close

<WsAssignGrouperPrivilegesResults>
  <resultMetadata>
    <resultCode>SUCCESS</resultCode>
    <resultMessage>No subjects were passed in, Success for: clientVersion:
v1_5_000, wsSubjects: Array size: 2: [0]:
WsSubjectLookup[subjectId=test.subject.0,subjectIdentifier=,subjectSourceId=j...,
group: WsGroupLookup[groupName=aStem:aGroup], stem: null, privilege:
ACCESS-Array size: 2: [0]: update [1]: read , allowed? true,
actAsSubject: WsSubjectLookup[subjectId=GrouperSystem], replaceAllExisting:
false , params: nullNo subjects
were passed in, Success for: clientVersion: v1_5_000, wsSubjects: Array size:
2: [0]: WsSubjectLookup[subjectId=test.subject.0,subjectIdentifier=,subjectSourceId=j...,
group: WsGroupLookup[groupName=aStem:aGroup], stem: null, privilege:
ACCESS-Array size: 2: [0]: update [1]: read , allowed? true,
actAsSubject: WsSubjectLookup[subjectId=GrouperSystem], replaceAllExisting:
false , params:
null</resultMessage>
    <success>T</success>
  </resultMetadata>
  <responseMetadata>
    <millis>612</millis>
    <serverVersion>v1_6_000</serverVersion>
  </responseMetadata>
  <wsGroup>
    <extension>aGroup</extension>
    <displayExtension>a group</displayExtension>
    <description>a group description</description>
    <displayName>a stem:a group</displayName>
    <name>aStem:aGroup</name>
    <uuid>78e0da78368c4764b7c08db81d0db2bc</uuid>
  </wsGroup>
  <results>
    <WsAssignGrouperPrivilegesResult>
      <resultMetadata>
        <resultCode>SUCCESS_ALLOWED</resultCode>
      </resultMetadata>
      <privilegeName>update</privilegeName>
      <privilegeType>access</privilegeType>
      <wsSubject>
        <identifierLookup></identifierLookup>
        <resultCode>SUCCESS</resultCode>
        <success>T</success>
        <id>test.subject.0</id>
        <name>my name is test.subject.0</name>
        <sourceId>jdbc</sourceId>
      </wsSubject>
    </WsAssignGrouperPrivilegesResult>
    <WsAssignGrouperPrivilegesResult>
      <resultMetadata>
        <resultCode>SUCCESS_ALLOWED</resultCode>
      </resultMetadata>
      <privilegeName>update</privilegeName>
      <privilegeType>access</privilegeType>
      <wsSubject>
        <resultCode>SUCCESS</resultCode>
        <success>T</success>
        <id>test.subject.1</id>
        <name>my name is test.subject.1</name>
        <sourceId>jdbc</sourceId>
      </wsSubject>
    </WsAssignGrouperPrivilegesResult>
    <WsAssignGrouperPrivilegesResult>
      <resultMetadata>
        <resultCode>SUCCESS_ALLOWED</resultCode>
      </resultMetadata>
      <privilegeName>read</privilegeName>
      <privilegeType>access</privilegeType>
      <wsSubject>
        <identifierLookup></identifierLookup>
        <resultCode>SUCCESS</resultCode>
        <success>T</success>
        <id>test.subject.0</id>
        <name>my name is test.subject.0</name>
        <sourceId>jdbc</sourceId>
      </wsSubject>
    </WsAssignGrouperPrivilegesResult>
    <WsAssignGrouperPrivilegesResult>
      <resultMetadata>
        <resultCode>SUCCESS_ALLOWED</resultCode>
      </resultMetadata>
      <privilegeName>read</privilegeName>
      <privilegeType>access</privilegeType>
      <wsSubject>
        <resultCode>SUCCESS</resultCode>
        <success>T</success>
        <id>test.subject.1</id>
        <name>my name is test.subject.1</name>
        <sourceId>jdbc</sourceId>
      </wsSubject>
    </WsAssignGrouperPrivilegesResult>
  </results>
</WsAssignGrouperPrivilegesResults>

###############################

There is also a client operation:

assignGrouperPrivilegesWs web service usage

  java -jar grouperClient.jar --operation=assignGrouperPrivilegesWs
    --privilegeNames=admin|view|read|optin|optout|update|stem|create|etc (comma separated)
    --allowed=true|false [--groupName=a:b:c] [--stemName=a:b]
    [--privilegeType=access|naming|etc] [--subjectIds=subjId0,subjId1]
    [--subjectIdentifiers=subjIdent0,subjIdent1] [--subjectSources=source0,source1]
    [--txType=GcTransactionType] [--replaceAllExisting=true|false]
    [--includeGroupDetail=true|false] [--includeSubjectDetail=true|false]
    [--subjectAttributeNames=name0,name1] [--actAsSubjectId=subjId]
    [--actAsSubjectIdentifier=subjIdent] [--actAsSubjectSource=source]
    [--saveResultsToFile=fileName] [--outputTemplate=somePattern]
    [--paramName0=name0] [--paramValue0=value1] [--paramNameX=xthParamName]
    [--paramValueX=xthParamValue] [--debug=true] [--clientVersion=someVersion]

e.g.:

  java -jar grouperClient.jar --operation=assignGrouperPrivilegesWs --groupName=aStem:aGroup --subjectIds=test.subject.0,test.subject.1 --privilegeNames=admin,update --allowed=true

output:

  Index: 0, success: T, code: SUCCESS_ALLOWED, group: aStem:aGroup, subject: test.subject.0, access: admin

Chris

From: Paul Gazda [mailto:]

Chris,

I see that you currently have only GcAssignGrouperPrivilegesLite in GrouperClient 1.4.1. Are you planning to add a GcAssignGrouperPrivileges that will allow assignment of privileges to more than one subject in a single invocation?

Paul Gazda
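
Added example, not part of the original thread and not Grouper code: the sample response quoted in the message lists four results, each of the two privilege names for each of the two subjects. The script below parses a trimmed, constructed copy of that response and compares the reported grants with what a caller intended under either reading of the request; `granted_pairs`, `audit`, `RESULT_TMPL` and the `pairing` parameter are names chosen for this example.

```python
import xml.etree.ElementTree as ET
from itertools import product

# Constructed sample: the response quoted in the message, trimmed to the
# elements this check reads (resultCode, privilegeName, wsSubject/id).
RESULT_TMPL = (
    "<WsAssignGrouperPrivilegesResult><resultMetadata><resultCode>{code}"
    "</resultCode></resultMetadata><privilegeName>{priv}</privilegeName>"
    "<wsSubject><id>{subj}</id></wsSubject></WsAssignGrouperPrivilegesResult>")
SAMPLE_RESPONSE = (
    "<WsAssignGrouperPrivilegesResults><results>"
    + RESULT_TMPL.format(code="SUCCESS_ALLOWED", priv="update", subj="test.subject.0")
    + RESULT_TMPL.format(code="SUCCESS_ALLOWED", priv="update", subj="test.subject.1")
    + RESULT_TMPL.format(code="SUCCESS_ALLOWED", priv="read", subj="test.subject.0")
    + RESULT_TMPL.format(code="SUCCESS_ALLOWED", priv="read", subj="test.subject.1")
    + "</results></WsAssignGrouperPrivilegesResults>")


def granted_pairs(response_xml):
    """Return {(subject id, privilege name)} for every SUCCESS_ALLOWED result."""
    root = ET.fromstring(response_xml)
    pairs = set()
    for res in root.iter("WsAssignGrouperPrivilegesResult"):
        # SUCCESS_ALLOWED is the per-result code shown in the quoted sample.
        if res.findtext("resultMetadata/resultCode") == "SUCCESS_ALLOWED":
            pairs.add((res.findtext("wsSubject/id"), res.findtext("privilegeName")))
    return pairs


def audit(response_xml, subjects, privileges, pairing):
    """Compare reported grants with what the caller meant to grant.

    pairing="cross": every subject gets every privilege.
    pairing="zip":   subjects[i] gets privileges[i] only (the 1:1 reading).
    Returns (missing, unexpected), each a set of (subject, privilege).
    """
    if pairing == "cross":
        intended = set(product(subjects, privileges))
    elif pairing == "zip":
        intended = set(zip(subjects, privileges))
    else:
        raise ValueError("pairing must be 'cross' or 'zip'")
    actual = granted_pairs(response_xml)
    return intended - actual, actual - intended


if __name__ == "__main__":
    subs, privs = ["test.subject.0", "test.subject.1"], ["update", "read"]
    print(audit(SAMPLE_RESPONSE, subs, privs, "cross"))
    print(audit(SAMPLE_RESPONSE, subs, privs, "zip"))
```

A non-empty `unexpected` set means the response reports grants the caller did not intend, which is worth checking after any bulk privilege assignment.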