Grouper Users - Open Discussion List

[Chris Hyzer <>]

Well, I can help you write one without too much trouble.  First of all, you 
might want to put a database unique constraint on the group extension column 
for belts and suspenders.  Then you need a hook like this (below).

Attached is a jar of this you can try.

Configure in grouper.properties:

#implement a group hook by extending 
edu.internet2.middleware.grouper.hooks.GroupHooks
hooks.group.class = 
edu.internet2.middleware.grouper.hooks.examples.GroupUniqueExtensionHook

groupUniqueExtensionHook.resolveSubjectByIdOrIdentifier = false

The message to users can be customized in the nav.properties:

veto.group.unique.extension = This group ID is in use, please choose another 
one.

Here is a test with GSH:

gsh 0% grouperSession = GrouperSession.startRootSession();
gsh 1% new 
GroupSave(grouperSession).assignName("stem1:a").assignCreateParentStemsIfNotExist(true).save();
group: name='stem1:a' displayName='stem1:a' 
uuid='693d167ff4c545f9b3532e2ef50a6031' 
gsh 2% new 
GroupSave(grouperSession).assignName("stem2:a").assignCreateParentStemsIfNotExist(true).save();
// Error: unable to evaluate command: Sourced file: inline evaluation of: 
``new 
GroupSave(grouperSession).assignName("stem2:a").assignCreateParentStemsIfNot 
. . . '' : Method Invocation save
// See error log for full stacktrace
// caused by: edu.internet2.middleware.grouper.hooks.logic.HookVeto:
// veto.group.unique.extension: The group ID is already in use, please use a 
different ID
gsh 3% new 
GroupSave(grouperSession).assignName("stem1:GrouperSystem").assignCreateParentStemsIfNotExist(true).save();
// Error: unable to evaluate command: Sourced file: inline evaluation of: 
``new 
GroupSave(grouperSession).assignName("stem1:GrouperSystem").assignCreatePare 
. . . '' : Method Invocation save
// See error log for full stacktrace
// caused by: edu.internet2.middleware.grouper.hooks.logic.HookVeto:
// veto.group.unique.extension: The group ID is already in use, please use a 
different ID

/*
 * @author mchyzer
 * $Id: GroupAttributeNameValidationHook.java,v 1.6 2009-03-24 17:12:08 
mchyzer Exp $
 */
package edu.internet2.middleware.grouper.hooks.examples;

import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.SubjectFinder;
import edu.internet2.middleware.grouper.cfg.GrouperConfig;
import edu.internet2.middleware.grouper.hibernate.HibernateSession;
import edu.internet2.middleware.grouper.hooks.GroupHooks;
import edu.internet2.middleware.grouper.hooks.beans.HooksContext;
import edu.internet2.middleware.grouper.hooks.beans.HooksGroupBean;
import edu.internet2.middleware.grouper.hooks.logic.HookVeto;
import edu.internet2.middleware.subject.Subject;


/**
 * <pre>
 * built in hook to grouper, which is turned on when it is configured in the 
grouper.properties.
 * 
 * extensions in groups will be unique, and optionally you can resolve any 
subject to make sure the extension is not a netid or whatever
 * 
 * set that with grouper.properties:
 * 
 * groupUniqueExtensionHook.resolveSubjectByIdOrIdentifier = true
 * 
 * </pre>
 */
public class GroupUniqueExtensionHook extends GroupHooks {
  
  /**
   * 
   * @see 
edu.internet2.middleware.grouper.hooks.GroupHooks#groupPreInsert(edu.internet2.middleware.grouper.hooks.beans.HooksContext,
 edu.internet2.middleware.grouper.hooks.beans.HooksGroupBean)
   */
  @Override
  public void groupPreInsert(HooksContext hooksContext, HooksGroupBean 
preInsertBean) {
    Group group = preInsertBean.getGroup();
    verifyUniqueExtension(group);
  }

  /**
   * 
   * @param group
   */
  public static void verifyUniqueExtension(Group group) {
    
    //see if there is another group with the same extension
    long count = HibernateSession.byHqlStatic().createQuery("select count(g) 
from Group as g where g.extensionDb = :theExtension")
      .setString("theExtension", 
group.getExtension()).uniqueResult(long.class);
    if (count > 0) {
      throw new HookVeto("veto.group.unique.extension", "The group ID is 
already in use, please use a different ID");
    }
    
    //see if we are checking subjects
    if 
(GrouperConfig.getPropertyBoolean("groupUniqueExtensionHook.resolveSubjectByIdOrIdentifier",
 false)) {
      
      //resolve by id or identifier
      Subject subject = 
SubjectFinder.findByIdOrIdentifier(group.getExtension(), false);
      if (subject != null) {
        throw new HookVeto("veto.group.unique.extension", "The group ID is 
already in use, please use a different ID");
      }
    }
  }
  
  /**
   * @see 
edu.internet2.middleware.grouper.hooks.GroupHooks#groupPreUpdate(edu.internet2.middleware.grouper.hooks.beans.HooksContext,
 edu.internet2.middleware.grouper.hooks.beans.HooksGroupBean)
   */
  @Override
  public void groupPreUpdate(HooksContext hooksContext, HooksGroupBean 
preUpdateBean) {
    Group group = preUpdateBean.getGroup();
    verifyUniqueExtension(group);
  }
  
}


-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Tom Zeller
Sent: Friday, January 20, 2012 8:08 PM
To: Chris Hyzer
Cc: Gagné Sébastien; 

Subject: Re: [grouper-users] RE: Globally unique extension/identifier in 
Grouper

I thought you (Chris) wrote a uniqueness-mandater, but I only found
the attribute validator in grouper.properties

 #Attach a regex validator by attribute name
 #group.attribute.validator.attributeName.0=extension
 #group.attribute.validator.regex.0=^[a-zA-Z0-9]+$

The Memphis stuff, which predated hooks, queried our person registry
and ldap and active directory and grouper (but ignored postfix) for
name uniqueness. I thought about including all namespace sources in
grouper for uniqueness checking, but decided against it because I did
not want the overhead during grouper membership operations.

So, no hook.

TomZ

2012/1/20 Chris Hyzer 
<>:
> Yes, that is possible, I think memphis did this (aat least with group
> names), right TomZ?  Do you have the hook that made that possible?  If not
> we can add a new one.
>
>
>
> You can make sure no group extensions are the same as other extensions or
> subject ids, and then I assume when you create subjects you make sure there
> is another not another group with that extension.
>
>
>
> Thanks,
>
> Chris
>
>
>
>
>
> From: 
> 
> [mailto:]
>  On Behalf Of Gagné Sébastien
> Sent: Thursday, January 19, 2012 2:40 PM
> To: 
> 
> Subject: [grouper-users] Globally unique extension/identifier in Grouper
>
>
>
> Hi again,
>
> We have a requirement here that Groups should have their sAMAccountName
> equal to their CN. LDAPPCNG was configured to provision the sAMAccountName
> attribute to Groups in our Active Directory using the Extension attribute.
> We are using a bushy DN structure so we cannot have stem1:stem2:GroupName as
> the CN or sAMAccountName.
>
>
>
> This configuration causes problems because two groups can have the same
> extension (ID in the UI) if they are in different stems . In that case their
> name (ID Path in UI) will be different :
>
> -          Name: stem1:groupABC, extension : groupABC
>
> -          Name: stem2:groupABC, extiension: groupABC
>
>
>
> When trying to provision something like that to AD grouper will receive an
> error code from AD (LDAP: error code 68, ENTRY_EXISTS) since both of them
> will have "sAMAccountName=groupABC" even if they are in different OUs. This
> is also a problem if a group has the same ID as an AD user (sAMAccountName
> is our Subject ID).
>
>
>
> My question (or request) is : is it possible for Grouper to enforce an
> unique group extension throughout all of its stems and maybe even including
> the SubjectIDs ?
>
>
>
> I'm glad we have naming conventions here, but you never know when someone
> might manually create a conflicting entry
>
>
>
> Thank you
>
>
>
>
>
> Sébastien Gagné,     | Analyste en informatique
>
> 514-343-6111 x33844  | Université de Montréal,
>
>                      | Pavillon Roger-Gaudry, local X-100-11
>
>

Attachment: groupUniqueExtension.jar
Description: groupUniqueExtension.jar