grouper-users - RE: [grouper-users] RE: Globally unique extension/identifier in Grouper
Subject: Grouper Users - Open Discussion List
- From: Chris Hyzer <>
- To: Tom Zeller <>
- Cc: Gagné Sébastien <>, "" <>
- Subject: RE: [grouper-users] RE: Globally unique extension/identifier in Grouper
- Date: Sat, 21 Jan 2012 16:23:44 +0000
- Accept-language: en-US
Well, I can help you write one without too much trouble. First of all, you
might want to put a database unique constraint on the group extension column
for belts and suspenders. Then you need a hook like this (below).
Attached is a jar of this you can try.
Configure in grouper.properties:

#implement a group hook by extending edu.internet2.middleware.grouper.hooks.GroupHooks
hooks.group.class = edu.internet2.middleware.grouper.hooks.examples.GroupUniqueExtensionHook
groupUniqueExtensionHook.resolveSubjectByIdOrIdentifier = false

The message to users can be customized in the nav.properties:

veto.group.unique.extension = This group ID is in use, please choose another one.

Here is a test with GSH:

gsh 0% grouperSession = GrouperSession.startRootSession();
gsh 1% new GroupSave(grouperSession).assignName("stem1:a").assignCreateParentStemsIfNotExist(true).save();
group: name='stem1:a' displayName='stem1:a' uuid='693d167ff4c545f9b3532e2ef50a6031'
gsh 2% new GroupSave(grouperSession).assignName("stem2:a").assignCreateParentStemsIfNotExist(true).save();
// Error: unable to evaluate command: Sourced file: inline evaluation of: ``new GroupSave(grouperSession).assignName("stem2:a").assignCreateParentStemsIfNot . . . '' : Method Invocation save
// See error log for full stacktrace
// caused by: edu.internet2.middleware.grouper.hooks.logic.HookVeto:
// veto.group.unique.extension: The group ID is already in use, please use a different ID
gsh 3% new GroupSave(grouperSession).assignName("stem1:GrouperSystem").assignCreateParentStemsIfNotExist(true).save();
// Error: unable to evaluate command: Sourced file: inline evaluation of: ``new GroupSave(grouperSession).assignName("stem1:GrouperSystem").assignCreatePare . . . '' : Method Invocation save
// See error log for full stacktrace
// caused by: edu.internet2.middleware.grouper.hooks.logic.HookVeto:
// veto.group.unique.extension: The group ID is already in use, please use a different ID

/*
 * @author mchyzer
 * $Id: GroupAttributeNameValidationHook.java,v 1.6 2009-03-24 17:12:08 mchyzer Exp $
 */
package edu.internet2.middleware.grouper.hooks.examples;

import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.SubjectFinder;
import edu.internet2.middleware.grouper.cfg.GrouperConfig;
import edu.internet2.middleware.grouper.hibernate.HibernateSession;
import edu.internet2.middleware.grouper.hooks.GroupHooks;
import edu.internet2.middleware.grouper.hooks.beans.HooksContext;
import edu.internet2.middleware.grouper.hooks.beans.HooksGroupBean;
import edu.internet2.middleware.grouper.hooks.logic.HookVeto;
import edu.internet2.middleware.subject.Subject;

/**
 * <pre>
 * built in hook to grouper, which is turned on when it is configured in the grouper.properties.
 *
 * extensions in groups will be unique, and optionally you can resolve any
 * subject to make sure the extension is not a netid or whatever
 *
 * set that with grouper.properties:
 *
 * groupUniqueExtensionHook.resolveSubjectByIdOrIdentifier = true
 *
 * </pre>
 */
public class GroupUniqueExtensionHook extends GroupHooks {

  /**
   * @see edu.internet2.middleware.grouper.hooks.GroupHooks#groupPreInsert(edu.internet2.middleware.grouper.hooks.beans.HooksContext, edu.internet2.middleware.grouper.hooks.beans.HooksGroupBean)
   */
  @Override
  public void groupPreInsert(HooksContext hooksContext, HooksGroupBean preInsertBean) {
    Group group = preInsertBean.getGroup();
    verifyUniqueExtension(group);
  }

  /**
   * veto the save if another group, or optionally a subject, already uses this extension
   * @param group the group being inserted or updated
   */
  public static void verifyUniqueExtension(Group group) {

    //see if there is another group with the same extension; the group being
    //saved is excluded by uuid so that updating an existing group does not
    //count its own row and veto itself
    long count = HibernateSession.byHqlStatic().createQuery(
        "select count(g) from Group as g where g.extensionDb = :theExtension and g.uuid != :theUuid")
      .setString("theExtension", group.getExtension())
      .setString("theUuid", group.getUuid())
      .uniqueResult(long.class);
    if (count > 0) {
      throw new HookVeto("veto.group.unique.extension", "The group ID is already in use, please use a different ID");
    }

    //see if we are checking subjects
    if (GrouperConfig.getPropertyBoolean("groupUniqueExtensionHook.resolveSubjectByIdOrIdentifier", false)) {

      //resolve by id or identifier
      Subject subject = SubjectFinder.findByIdOrIdentifier(group.getExtension(), false);
      if (subject != null) {
        throw new HookVeto("veto.group.unique.extension", "The group ID is already in use, please use a different ID");
      }
    }
  }

  /**
   * @see edu.internet2.middleware.grouper.hooks.GroupHooks#groupPreUpdate(edu.internet2.middleware.grouper.hooks.beans.HooksContext, edu.internet2.middleware.grouper.hooks.beans.HooksGroupBean)
   */
  @Override
  public void groupPreUpdate(HooksContext hooksContext, HooksGroupBean preUpdateBean) {
    Group group = preUpdateBean.getGroup();
    verifyUniqueExtension(group);
  }
}

-----Original Message-----
From:
[mailto:]
On Behalf Of Tom Zeller
Sent: Friday, January 20, 2012 8:08 PM
To: Chris Hyzer
Cc: Gagné Sébastien;
Subject: Re: [grouper-users] RE: Globally unique extension/identifier in
Grouper
I thought you (Chris) wrote a uniqueness-mandater, but I only found
the attribute validator in grouper.properties
#Attach a regex validator by attribute name
#group.attribute.validator.attributeName.0=extension
#group.attribute.validator.regex.0=^[a-zA-Z0-9]+$
The Memphis stuff, which predated hooks, queried our person registry
and ldap and active directory and grouper (but ignored postfix) for
name uniqueness. I thought about including all namespace sources in
grouper for uniqueness checking, but decided against it because I did
not want the overhead during grouper membership operations.
So, no hook.
TomZ
2012/1/20 Chris Hyzer
<>:
> Yes, that is possible, I think Memphis did this (at least with group
> names), right TomZ? Do you have the hook that made that possible? If not
> we can add a new one.
>
>
>
> You can make sure no group extensions are the same as other extensions or
> subject ids, and then I assume when you create subjects you make sure there
> is not another group with that extension.
>
>
>
> Thanks,
>
> Chris
>
>
>
>
>
> From:
>
> [mailto:]
> On Behalf Of Gagné Sébastien
> Sent: Thursday, January 19, 2012 2:40 PM
> To:
>
> Subject: [grouper-users] Globally unique extension/identifier in Grouper
>
>
>
> Hi again,
>
> We have a requirement here that Groups should have their sAMAccountName
> equal to their CN. LDAPPCNG was configured to provision the sAMAccountName
> attribute to Groups in our Active Directory using the Extension attribute.
> We are using a bushy DN structure so we cannot have stem1:stem2:GroupName as
> the CN or sAMAccountName.
>
>
>
> This configuration causes problems because two groups can have the same
> extension (ID in the UI) if they are in different stems . In that case their
> name (ID Path in UI) will be different :
>
> - Name: stem1:groupABC, extension : groupABC
>
> - Name: stem2:groupABC, extension: groupABC
>
>
>
> When trying to provision something like that to AD grouper will receive an
> error code from AD (LDAP: error code 68, ENTRY_EXISTS) since both of them
> will have "sAMAccountName=groupABC" even if they are in different OUs. This
> is also a problem if a group has the same ID as an AD user (sAMAccountName
> is our Subject ID).
>
>
>
> My question (or request) is : is it possible for Grouper to enforce an
> unique group extension throughout all of its stems and maybe even including
> the SubjectIDs ?
>
>
>
> I'm glad we have naming conventions here, but you never know when someone
> might manually create a conflicting entry
>
>
>
> Thank you
>
>
>
>
>
> Sébastien Gagné, | Analyste en informatique
>
> 514-343-6111 x33844 | Université de Montréal,
>
> | Pavillon Roger-Gaudry, local X-100-11
>
>
Attachment:
groupUniqueExtension.jar
Description: groupUniqueExtension.jar
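
A collision audit for the problem discussed in this thread, as an added example that is not part of the original messages or of Grouper: the hook vetoes only groups that are being saved, so groups that already share an extension, or match a subject ID, have to be found separately before provisioning. It goes beyond the thread by comparing case-insensitively, because AD matches sAMAccountName without regard to case; the group names and subject IDs below are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict


def extension_of(group_name):
    """Return the extension (last ':'-separated element) of a Grouper group name."""
    return group_name.rsplit(":", 1)[-1]


def find_collisions(group_names, subject_ids):
    """Map each contested sAMAccountName candidate to everything claiming it.

    Keys are lower-cased so that 'GroupXYZ' and 'groupxyz' are reported as
    one collision, which is how AD would treat them at provisioning time.
    """
    claims = defaultdict(list)
    for name in group_names:
        claims[extension_of(name).lower()].append("group " + name)
    for subject_id in subject_ids:
        claims[subject_id.lower()].append("subject " + subject_id)
    # Only values claimed more than once are a problem.
    return {key: sorted(owners) for key, owners in claims.items() if len(owners) > 1}


# Constructed sample data (not taken from the thread's real registry).
GROUPS = [
    "stem1:groupABC",      # same extension in two stems, as in the original question
    "stem2:groupABC",
    "stem1:sub:GroupXYZ",  # differs from the next one only by case
    "stem3:groupxyz",
    "stem1:jsmith",        # extension equal to a subject ID
    "stem2:unique",
]
SUBJECTS = ["jsmith", "adoe"]

if __name__ == "__main__":
    for key, owners in sorted(find_collisions(GROUPS, SUBJECTS).items()):
        print(key, "->", ", ".join(owners))
```
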