
grouper-users - RE: AssignGrouperPrivileges in GrouperClient

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: Paul Gazda <>, "" <>
  • Subject: RE: AssignGrouperPrivileges in GrouperClient
  • Date: Mon, 4 Jan 2010 12:52:49 -0500

 

 

> I’m not clear how the wsSubjectLookups, privilegeType and privilegeNames relate. It looks like you have one privilegeType that applies to all of the privilegeNames (they must be all of the same type). Then, there is a 1:1 correspondence between wsSubjectLookups and privilegeNames such that one privilege is assigned to one subject. For example, if wsSubjectLookups contains “id.test.subject.1, id.test.subject.2, and id.test.subject.3”, and privilegeNames contains “admin, read, update”, then id.test.subject.1 is given admin privilege, id.test.subject.2 is given read privilege, and id.test.subject.3 is given update privilege. Is my understanding correct?

 

I added this to the doc:

 

You can pass in multiple privileges (privilegeNames) to assign.  Each privilege name will be assigned to each subject.  So if you pass in 2 privileges, and 4 subjects, there will be 8 assignments. Note, the privilegeType is a one to many with privilegeName, so it is optional and can be derived from the privilege names passed in.

 

 

> I notice that the existing GcAssignGrouperPrivilegesLite uses the group name via assignGroupName(groupName), whereas AssignGrouperPrivileges uses WsGroupLookup. Why the switch? Wouldn’t it be more consistent to use the same means of obtaining the group (and stem) names in both methods?

 

All the non-lite services take a groupLookup or stemLookup.  That object could have a groupName or groupUuid.  The lite operations don’t have objects, so I expanded those out to strings: groupName and groupUuid.  This operation only takes one group lookup, but others take multiple groups, in which case it is nice to have an array of objects.  So the answer is: consistency with other operations.

 

Regards,

Chris

 

From: Chris Hyzer [mailto:]
Sent: Saturday, January 02, 2010 1:24 AM
To: Paul Gazda;
Subject: RE: AssignGrouperPrivileges in GrouperClient

 

 

> Chris,

> I see that you currently have only GcAssignGrouperPrivilegesLite in GrouperClient 1.4.1. Are you planning to add a GcAssignGrouperPrivileges that will allow assignment of privileges to more than one subject in a single invocation?

> Paul Gazda

 

This is done for 1.6.0.  Note, we just switched from CVS to Subversion (more details to follow soon), so the links in the web service docs are not current or will not work.  FYI, here are the SVN URLs:

 

http://anonsvn.internet2.edu/svn/i2mi or http://anonsvn.internet2.edu/cgi-bin/viewvc.cgi/i2mi/

 

 

Non-lite privilege management:

https://bugs.internet2.edu/jira/browse/GRP-242

 

https://spaces.internet2.edu/display/GrouperWG/v1.6.0+Add+or+remove+grouper+privileges

 

Let me know ASAP if this design needs changes.

 

Here is the ws method:

 

  /**
   * <pre>
   * assign a privilege for a user/group/type/name combo
   * e.g. POST /grouperPrivileges
   * </pre>
   * @param clientVersion is the version of the client.  Must be in GrouperWsVersion, e.g. v1_3_000
   * @param wsSubjectLookups are the subjects to assign the privileges to, looked up by subjectId or identifier
   * @param wsGroupLookup if this is a group privilege, this is the group
   * @param wsStemLookup if this is a stem privilege, this is the stem
   * @param replaceAllExisting
   *            optional: T or F (default), if the existing privilege assignments for this object should be
   *            replaced
   * @param actAsSubjectLookup optional: is the subject to act as (if proxying).
   * @param privilegeType (e.g. "access" for groups and "naming" for stems)
   * @param privilegeNames (e.g. for groups: read, view, update, admin, optin, optout.  e.g. for stems:
   * stem, create)
   * @param allowed is T to allow this privilege, F to deny this privilege
   * @param includeSubjectDetail
   *            T|F, for if the extended subject information should be
   *            returned (anything more than just the id)
   * @param subjectAttributeNames are the additional subject attributes (data) to return.
   * If blank, whatever is configured in the grouper-ws.properties will be sent (comma separated)
   * @param includeGroupDetail T or F as for if group detail should be included
   * @param txType is the GrouperTransactionType for the request.  If blank, defaults to
   * NONE (will finish as much as possible).  Generally the only values for this param that make sense
   * are NONE (or blank), and READ_WRITE_NEW.
   * @param params
   *            optional: reserved for future use
   * @return the result of one member query
   */
  public static WsAssignGrouperPrivilegesResults assignGrouperPrivileges(
      final GrouperWsVersion clientVersion,
      final WsSubjectLookup[] wsSubjectLookups,
      final WsGroupLookup wsGroupLookup,
      final WsStemLookup wsStemLookup,
      final PrivilegeType privilegeType, final Privilege[] privilegeNames,
      final boolean allowed,
      final boolean replaceAllExisting, GrouperTransactionType txType,
      final WsSubjectLookup actAsSubjectLookup,
      final boolean includeSubjectDetail, final String[] subjectAttributeNames,
      final boolean includeGroupDetail,  final WsParam[] params) {

 

 

Here is a sample:

 

#########################################
##
## HTTP request sample (could be formatted for view by
## indenting or changing dates or other data)
##
#########################################

POST /grouper-ws/servicesRest/v1_5_000/grouperPrivileges HTTP/1.1
Connection: close
Authorization: Basic xxxxxxxxxxxxxxxxx==
User-Agent: Jakarta Commons-HttpClient/3.1
Host: localhost:8092
Content-Length: 771
Content-Type: text/xml; charset=UTF-8

<WsRestAssignGrouperPrivilegesRequest>
  <replaceAllExisting>F</replaceAllExisting>
  <allowed>T</allowed>
  <clientVersion>v1_5_000</clientVersion>
  <wsGroupLookup>
    <groupName>aStem:aGroup</groupName>
  </wsGroupLookup>
  <privilegeType>access</privilegeType>
  <privilegeNames>
    <string>update</string>
    <string>read</string>
  </privilegeNames>
  <wsSubjectLookups>
    <WsSubjectLookup>
      <subjectId>test.subject.0</subjectId>
      <subjectIdentifier></subjectIdentifier>
      <subjectSourceId>jdbc</subjectSourceId>
    </WsSubjectLookup>
    <WsSubjectLookup>
      <subjectId></subjectId>
      <subjectIdentifier>id.test.subject.1</subjectIdentifier>
      <subjectSourceId></subjectSourceId>
    </WsSubjectLookup>
  </wsSubjectLookups>
  <actAsSubjectLookup>
    <subjectId>GrouperSystem</subjectId>
  </actAsSubjectLookup>
</WsRestAssignGrouperPrivilegesRequest>

 

 

#########################################
##
## HTTP response sample (could be formatted for view by
## indenting or changing dates or other data)
##
#########################################

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=xxxxxxxxxxxxxxxxxxxxxxxx; Path=/grouper-ws
X-Grouper-resultCode: SUCCESS
X-Grouper-success: T
X-Grouper-resultCode2: NONE
Content-Type: text/xml;charset=UTF-8
Date: Thu, 31 Dec 2009 17:31:46 GMT
Connection: close

<WsAssignGrouperPrivilegesResults>
  <resultMetadata>
    <resultCode>SUCCESS</resultCode>
    <resultMessage>No subjects were passed in, Success for: clientVersion: v1_5_000, wsSubjects: Array size: 2: [0]: WsSubjectLookup[subjectId=test.subject.0,subjectIdentifier=,subjectSourceId=j..., group: WsGroupLookup[groupName=aStem:aGroup], stem: null, privilege: ACCESS-Array size: 2: [0]: update
[1]: read
, allowed? true, actAsSubject: WsSubjectLookup[subjectId=GrouperSystem], replaceAllExisting: false
, params: nullNo subjects were passed in, Success for: clientVersion: v1_5_000, wsSubjects: Array size: 2: [0]: WsSubjectLookup[subjectId=test.subject.0,subjectIdentifier=,subjectSourceId=j..., group: WsGroupLookup[groupName=aStem:aGroup], stem: null, privilege: ACCESS-Array size: 2: [0]: update
[1]: read
, allowed? true, actAsSubject: WsSubjectLookup[subjectId=GrouperSystem], replaceAllExisting: false
, params: null</resultMessage>
    <success>T</success>
  </resultMetadata>
  <responseMetadata>
    <millis>612</millis>
    <serverVersion>v1_6_000</serverVersion>
  </responseMetadata>
  <wsGroup>
    <extension>aGroup</extension>
    <displayExtension>a group</displayExtension>
    <description>a group description</description>
    <displayName>a stem:a group</displayName>
    <name>aStem:aGroup</name>
    <uuid>78e0da78368c4764b7c08db81d0db2bc</uuid>
  </wsGroup>
  <results>
    <WsAssignGrouperPrivilegesResult>
      <resultMetadata>
        <resultCode>SUCCESS_ALLOWED</resultCode>
      </resultMetadata>
      <privilegeName>update</privilegeName>
      <privilegeType>access</privilegeType>
      <wsSubject>
        <identifierLookup></identifierLookup>
        <resultCode>SUCCESS</resultCode>
        <success>T</success>
        <id>test.subject.0</id>
        <name>my name is test.subject.0</name>
        <sourceId>jdbc</sourceId>
      </wsSubject>
    </WsAssignGrouperPrivilegesResult>
    <WsAssignGrouperPrivilegesResult>
      <resultMetadata>
        <resultCode>SUCCESS_ALLOWED</resultCode>
      </resultMetadata>
      <privilegeName>update</privilegeName>
      <privilegeType>access</privilegeType>
      <wsSubject>
        <resultCode>SUCCESS</resultCode>
        <success>T</success>
        <id>test.subject.1</id>
        <name>my name is test.subject.1</name>
        <sourceId>jdbc</sourceId>
      </wsSubject>
    </WsAssignGrouperPrivilegesResult>
    <WsAssignGrouperPrivilegesResult>
      <resultMetadata>
        <resultCode>SUCCESS_ALLOWED</resultCode>
      </resultMetadata>
      <privilegeName>read</privilegeName>
      <privilegeType>access</privilegeType>
      <wsSubject>
        <identifierLookup></identifierLookup>
        <resultCode>SUCCESS</resultCode>
        <success>T</success>
        <id>test.subject.0</id>
        <name>my name is test.subject.0</name>
        <sourceId>jdbc</sourceId>
      </wsSubject>
    </WsAssignGrouperPrivilegesResult>
    <WsAssignGrouperPrivilegesResult>
      <resultMetadata>
        <resultCode>SUCCESS_ALLOWED</resultCode>
      </resultMetadata>
      <privilegeName>read</privilegeName>
      <privilegeType>access</privilegeType>
      <wsSubject>
        <resultCode>SUCCESS</resultCode>
        <success>T</success>
        <id>test.subject.1</id>
        <name>my name is test.subject.1</name>
        <sourceId>jdbc</sourceId>
      </wsSubject>
    </WsAssignGrouperPrivilegesResult>
  </results>
</WsAssignGrouperPrivilegesResults>

 

 

###############################

 

There is also a client operation:

 

assignGrouperPrivilegesWs web service usage

  java -jar grouperClient.jar --operation=assignGrouperPrivilegesWs --privilegeNames=admin|view|read|optin|optout|update|stem|create|etc (comma separated) --allowed=true|false [--groupName=a:b:c] [--stemName=a:b] [--privilegeType=access|naming|etc] [--subjectIds=subjId0,subjId1] [--subjectIdentifiers=subjIdent0,subjIdent1] [--subjectSources=source0,source1] [--txType=GcTransactionType] [--replaceAllExisting=true|false] [--includeGroupDetail=true|false] [--includeSubjectDetail=true|false] [--subjectAttributeNames=name0,name1] [--actAsSubjectId=subjId] [--actAsSubjectIdentifier=subjIdent] [--actAsSubjectSource=source] [--saveResultsToFile=fileName] [--outputTemplate=somePattern] [--paramName0=name0] [--paramValue0=value1] [--paramNameX=xthParamName] [--paramValueX=xthParamValue] [--debug=true] [--clientVersion=someVersion]

  e.g.: java -jar grouperClient.jar --operation=assignGrouperPrivilegesWs --groupName=aStem:aGroup --subjectIds=test.subject.0,test.subject.1 --privilegeNames=admin,update --allowed=true

  output: Index: 0, success: T, code: SUCCESS_ALLOWED, group: aStem:aGroup, subject: test.subject.0, access: admin

 

Chris

 

 

From: Paul Gazda [mailto:]
Sent: Monday, March 02, 2009 7:27 PM
To: Chris Hyzer;
Subject: AssignGrouperPrivileges in GrouperClient

 

Chris,

I see that you currently have only GcAssignGrouperPrivilegesLite in GrouperClient 1.4.1. Are you planning to add a GcAssignGrouperPrivileges that will allow assignment of privileges to more than one subject in a single invocation?

 

Paul Gazda
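
The rule stated in the thread (each privilege name is assigned to each subject, so the request is a subjects x privileges grid), as an added example that is not part of the original messages or of the Grouper code base: a Python check that compares an assignGrouperPrivileges request with its response before the change is recorded as applied. The function names, the trimmed sample XML and the rule that a per-assignment result code not starting with SUCCESS counts as a failure are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from itertools import product

# Constructed sample: the request from the thread, trimmed to the fields used here.
REQUEST = """<WsRestAssignGrouperPrivilegesRequest>
  <wsGroupLookup><groupName>aStem:aGroup</groupName></wsGroupLookup>
  <privilegeNames><string>update</string><string>read</string></privilegeNames>
  <wsSubjectLookups>
    <WsSubjectLookup><subjectId>test.subject.0</subjectId></WsSubjectLookup>
    <WsSubjectLookup><subjectIdentifier>id.test.subject.1</subjectIdentifier></WsSubjectLookup>
  </wsSubjectLookups>
</WsRestAssignGrouperPrivilegesRequest>"""

def sample_response(rows):
    """Constructed response body: one result element per (id, privilege, code) row."""
    item = ("<WsAssignGrouperPrivilegesResult><resultMetadata><resultCode>{2}</resultCode>"
            "</resultMetadata><privilegeName>{1}</privilegeName>"
            "<wsSubject><id>{0}</id></wsSubject></WsAssignGrouperPrivilegesResult>")
    body = "".join(item.format(*row) for row in rows)
    return ("<WsAssignGrouperPrivilegesResults><results>" + body +
            "</results></WsAssignGrouperPrivilegesResults>")

def planned_grants(request_xml):
    """Every privilege name is applied to every subject lookup (subjects x privileges)."""
    root = ET.fromstring(request_xml)
    privs = [s.text for s in root.findall("privilegeNames/string")]
    # A lookup carries either subjectId or subjectIdentifier; the other may be empty.
    subjects = [lk.findtext("subjectId") or lk.findtext("subjectIdentifier")
                for lk in root.findall("wsSubjectLookups/WsSubjectLookup")]
    return list(product(subjects, privs))

def audit(request_xml, response_xml):
    """Return a list of problems; an empty list means the whole grid was confirmed."""
    planned = planned_grants(request_xml)
    results = ET.fromstring(response_xml).findall("results/WsAssignGrouperPrivilegesResult")
    problems = []
    if len(results) != len(planned):
        problems.append("expected %d assignments, response has %d" % (len(planned), len(results)))
    for r in results:
        code = r.findtext("resultMetadata/resultCode") or ""
        # Assumption: a code that does not start with SUCCESS means the grant failed.
        if not code.startswith("SUCCESS"):
            problems.append("%s/%s: %s" % (r.findtext("wsSubject/id"), r.findtext("privilegeName"), code))
    return problems

if __name__ == "__main__":
    rows = [(s, p, "SUCCESS_ALLOWED") for s in ("test.subject.0", "test.subject.1")
            for p in ("update", "read")]
    print(audit(REQUEST, sample_response(rows)) or "all planned assignments confirmed")
```

Running `planned_grants` on a request before it is sent shows how many grants a single call will make, which matters most when `admin` is among the privilege names.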



