grouper-users - RE: [grouper-users] Restricting access to Grouper
Subject: Grouper Users - Open Discussion List
- From: Chris Hyzer <>
- To: Baron Fujimoto <>
- Subject: RE: [grouper-users] Restricting access to Grouper
- Date: Sun, 9 Sep 2012 00:26:04 +0000
- Accept-language: en-US
Here is my video response to your email. Basically your issues are either
explainable or unreproducible... if you can debug the app perhaps and try to
find out what is going on, that would be great... or let me know the next
step.
http://www.youtube.com/watch?v=9bh8VhweTIQ
Thanks,
Chris
________________________________________
From: Baron Fujimoto
Sent: Friday, August 24, 2012 5:43 PM
To: Chris Hyzer
Subject: Re: [grouper-users] Restricting access to Grouper
On Fri, Aug 24, 2012 at 02:04:05PM +0000, Chris Hyzer wrote:
: Is this a typo?
:
: FROM:
:
: configuration.autocreate.group.name.2 = etc:uiUsers
:
: TO:
:
: configuration.autocreate.group.name.2 = etc:uiLiteUsers
Whoops. Yeah, sorry, that was a typo in my email. I had been conducting
a variety of tests and cut/paste/edited directly from email rather than
from the config file itself. Actual config was
configuration.autocreate.group.name.1 = etc:uiUsers
configuration.autocreate.group.name.2 = etc:uiLiteUsers
: I don't think that is the problem though. I have a new source file
: (attached), which is in the 2.1 branch, if you are 2.1.2 then you are all
: set, otherwise, diff with what you have and merge it in... Can you try it?
: Here is my test which is now fine.
:
: #### media.properties
: require.group.for.logins=etc:uiUsers
:
: #users must be in this group to be able to login to the lite membership update UI (if not in require.group.for.logins)
: require.group.for.membershipUpdateLite.logins=etc:uiLiteUsers
:
: #### grouper.properties
: configuration.autocreate.group.name.1 = etc:uiUsers
: configuration.autocreate.group.description.1 = users allowed to log in to the UI
: configuration.autocreate.group.subjects.1 = test.subject.0, GrouperSystem
: configuration.autocreate.group.name.2 = etc:uiLiteUsers
: configuration.autocreate.group.description.2 = users allowed to log in to the Lite UI
: configuration.autocreate.group.subjects.2 = test.subject.1
:
: #### test case
: 1. Login button: http://localhost:8090/grouper/
: 2. Deep admin link: http://localhost:8090/grouper/populateAllGroups.do
: 3. Click Lite button from admin: http://localhost:8090/grouper/populateAllGroups.do
: 4. Deep lite link group: http://localhost:8090/grouper/grouperUi/appHtml/grouper.html?operation=SimpleMembershipUpdate.init&groupId=2cb216a4a6ce4f9c9aee096d1412d7f1
: 5. Deep lite link index: http://localhost:8090/grouper/grouperUi/appHtml/grouper.html?operation=Misc.index
: 6. Click admin button from lite: http://localhost:8090/grouper/grouperUi/appHtml/grouper.html?operation=Misc.index
:
: #### results
: Note: close browser in between to force new login
:
: [...]
:
: C. test.subject.1
: 1. OK, get descriptive error
: 2. OK, get descriptive error
For this one, after authenticating, it seems to drop me in the Admin UI,
but clicking on any links there (e.g. the "etc" group), results in the
descriptive error. Any subsequent action, except 3, also yields that error.
"Error, user Subject id: 12345678, sourceId: UH test LDAP needs to be in one
of the following groups: etc:uiUsers"
: 3. NA
This does seem to be available.
: 4. Works
Can't find group error
: 5. Works (this is not protected since it is just a list of links)
Get list of links, but selecting "Groups / roles / local entities"
<https://[localhost]/grouper/grouperUi/appHtml/grouper.html?operation=SimpleGroupUpdate.index>
results in error,
"Error, user Subject id: 12345678, sourceId: UH test LDAP needs to be in one
of the following groups: etc:uiUsers"
Selecting the Admin UI link <.../populateIndex.do> OK: kicks back to the
main login page.
: 6. OK, get descriptive error
I don't get an error, it kicks me back to the main login page
<.../populateIndex.do>
For cases where the Admin UI is a link in the pulldown menu, I get
the descriptive error message "...needs to be in one of the following groups:
etc:uiUsers", but not it seems when it's presented in a simple list format.
Aloha,
-baron
: ________________________________________
: From: Baron Fujimoto
: Sent: Thursday, August 23, 2012 9:47 PM
: To: Chris Hyzer
: Subject: Re: [grouper-users] Restricting access to Grouper
:
: Hi Chris,
:
: I applied your patches and redeployed. Now, with the following defined
: in media.properties:
:
: require.group.for.logins=etc:uiUsers
: require.group.for.membershipUpdateLite.logins=etc:uiLiteUsers
:
: and in grouper.properties:
:
: configuration.autocreate.group.name.0 = etc:grouperAdmins
: configuration.autocreate.group.description.0 = users with superuser privileges
: configuration.autocreate.group.subjects.0 = baron
: configuration.autocreate.group.name.1 = etc:uiUsers
: configuration.autocreate.group.description.1 = users allowed to log in to the UI
: configuration.autocreate.group.subjects.1 = baron
: configuration.autocreate.group.name.2 = etc:uiUsers
: configuration.autocreate.group.description.2 = users allowed to log in to the Lite UI
: configuration.autocreate.group.subjects.2 = bkftest
: groups.wheel.use = true
: groups.wheel.group = etc:grouperAdmins
:
: If I try to log in to the UI as "baron", I get the error "Cant find logged
: in user" and find this exception[*] in the logs.
:
: 2012-08-23 15:36:46,437: [http-0.0.0.0-8443-6] INFO EventLog.info(156) - - [d889d29e29eb47bdb8db9362aa8aebcc,'GrouperSystem','application'] session: start (4ms)
: 2012-08-23 15:36:46,439: [http-0.0.0.0-8443-6] INFO SessionInitialiser.init(346) - - resources/grouper/ui-permissions.xml not found. Default permissions apply.
: 2012-08-23 15:36:52,503: [http-0.0.0.0-8443-6] INFO EventLog.info(156) - - [0c4a2196fd0f4ae386f8e3a85c6e3c54,'GrouperSystem','application'] session: start (5ms)
: 2012-08-23 15:36:52,504: [http-0.0.0.0-8443-6] INFO SessionInitialiser.init(346) - - resources/grouper/ui-permissions.xml not found. Default permissions apply.
: 2012-08-23 15:36:52,523: [http-0.0.0.0-8443-6] INFO EventLog.info(156) - - [f45f0dc5c7c447a68e04acddaaec3382,'GrouperSystem','application'] session: start (0ms)
: 2012-08-23 15:36:52,524: [http-0.0.0.0-8443-6] ERROR GrouperUiFilter.doFilter(833) - - UI error
: java.lang.RuntimeException: Cant find logged in user
: at edu.internet2.middleware.grouper.ui.GrouperUiFilter.retrieveSubjectLoggedIn(GrouperUiFilter.java:261)
: at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:822)
: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
: at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
: at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
: at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)
: at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
: at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
: at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:615)
: at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
: at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
: at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
: at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
: at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
: at java.lang.Thread.run(Thread.java:662)
:
: If I log in to the Lite UI with "baron", it works as expected. I can also
: choose "Admin UI Home" from the "Main menu" link on the Lite UI and
: successfully access the Admin UI. I just can't get there from the Login
: link on the main start page.
:
: If I attempt to login to the Admin UI with "bkftest" from the main grouper
: start page, I get the error "Error, user Subject id: 12345678, sourceId:
: UH test LDAP needs to be in one of the following groups: etc:uiUsers", as
: expected. If I login to the Lite UI with "bkftest", my browser (Safari)
: throws up a dialog box with the message:
:
: Error: LoadXML
: Description: Incorrect XML
:
: but if I dismiss it, it appears to leave me in the LiteUI. The Main menu
: link appears to be disabled this time. I also find this entry in the log, but
: I'm not sure it's relevant (maybe it's just reflecting the fact that it's
: keeping me out of the Admin UI?).
:
: 2012-08-23 15:41:57,477: [http-0.0.0.0-8443-3] ERROR GrouperUiFilter.ensureUserAllowedInSection(318) - - Error, user Subject id: 12345678, sourceId: UH test LDAP needs to be in one of the following groups: etc:uiUsers
:
: Aloha,
: -baron
:
: On Thu, Aug 23, 2012 at 05:01:26AM +0000, Chris Hyzer wrote:
: : No, I don't think so, though when I created this, we used this feature at
: : Penn, and now the UI is used embedded in other apps via lite ui, and people
: : are delegating access to the main UI without the central Grouper staff
: : knowing, so we don't use it anymore and didn't realize it doesn't work.
: :
: : It's fixed though, can you incorporate a fix into the source code and
: : redeploy and see how it goes?
: :
: :
: : Thanks,
: : Chris
: :
: : https://bugs.internet2.edu/jira/browse/GRP-840
: :
: : GrouperUiFilter.java:
: :
: : FROM: (doFilter())
: :
: :
: : filterChain.doFilter(httpServletRequest, response);
: :
: : TO:
: :
: : Subject subjectLoggedIn = retrieveSubjectLoggedIn();
: : UiSection uiSection = uiSectionForRequest();
: : ensureUserAllowedInSection(uiSection, subjectLoggedIn);
: :
: : filterChain.doFilter(httpServletRequest, response);
: :
: :
: : And media.properties:
: :
: : FROM:
: :
: : #users must be in this group to be able to login to the UI
: : require.group.for.logins=
: :
: : #users must be in this group to be able to login to the lite membership update UI
: : require.group.for.membershipUpdateLite.logins=
: :
: : #users must be in this group to be able to login to the subjectPicker UI
: : require.group.for.subjectPicker.logins=
: :
: : #users must be in this group to invite external users to grouper
: : require.group.for.inviteExternalSubjects.logins=
: :
: : #users must be in this group to assign/create/etc attributes in the UI (new attribute framework)
: : require.group.for.attributeUpdateLite.logins=
: :
: : TO:
: :
: : #users must be in this group to be able to login to the UI
: : #note: if they are in the this group, then they can use the lite ui too
: : require.group.for.logins=
: :
: : #users must be in this group to be able to login to the lite membership update UI (if not in require.group.for.logins)
: : require.group.for.membershipUpdateLite.logins=
: :
: : #users must be in this group to be able to login to the subjectPicker UI (if not in require.group.for.logins or require.group.for.membershipUpdateLite.logins)
: : require.group.for.subjectPicker.logins=
: :
: : #users must be in this group to invite external users to grouper
: : require.group.for.inviteExternalSubjects.logins=
: :
: : #users must be in this group to assign/create/etc attributes in the UI (new attribute framework) (if not in require.group.for.logins)
: : require.group.for.attributeUpdateLite.logins=
: :
: : -----Original Message-----
: : From: On Behalf Of Baron Fujimoto
: : Sent: Wednesday, August 22, 2012 5:17 PM
: : To:
: : Subject: Re: [grouper-users] Restricting access to Grouper
: :
: : Since I'm still confused, perhaps I should have asked, is this the expected
: : behavior? I expected some sort of more explicit "You don't have permission
: : to use Grouper" type error message or page.
: :
: : Aloha,
: : -baron
: :
: : On Tue, Aug 21, 2012 at 02:26:27PM -1000, Baron Fujimoto wrote:
: : : Thanks for the pointer to media.properties.
: : :
: : : In grouper.properties, I have the following:
: : :
: : : configuration.autocreate.group.name.1 = etc:uiUsers
: : : configuration.autocreate.group.description.1 = users allowed to log in to the UI
: : : configuration.autocreate.group.subjects.1 = teststaf
: : :
: : : and in grouper-ui/conf/resources/grouper/media.properties I've set
: : :
: : : require.group.for.logins=etc:uiUsers
: : :
: : : If I log in to Grouper as a user that is not in etc:uiUsers (or wheel type
: : : group), I still seem to have access to the UI. Although I don't appear
: : : to have any create, etc. type privileges, I can still perform searches and
: : : browse from the "../grouper/doSearchSubjects.do" URL.
: : :
: : :
: : : On Tue, Aug 21, 2012 at 04:10:08AM +0000, Chris Hyzer wrote:
: : : : The grouper.properties can autocreate the UI / WS groups. To make the UI
: : : : restricted to a group, you should be able to use the media.properties to
: : : : specify the group, and in the WS it's the grouper-ws.properties where you
: : : : specify it. Let me know how it goes.
: : : :
: : : : Thanks,
: : : : Chris
: : : :
: : : : ________________________________________
: : : : From: on behalf of Baron Fujimoto
: : : : Sent: Monday, August 20, 2012 11:12 PM
: : : : To:
: : : : Subject: [grouper-users] Restricting access to Grouper
: : : :
: : : : We'd like to be able to restrict access to the Grouper API (via the UI
: : : : or WS) to a specified group of users. What is the recommended way to
: : : : accomplish this using Grouper?
: : : :
: : : : grouper.example.properties includes some commented out entries that
: : : : hint at a starting point to achieve this, but I wasn't able to find
: : : : further examples or documentation on where to go from there; i.e. given
: : : : this group, how to restrict the access?
: : : :
: : : : #configuration.autocreate.group.name.0 = etc:uiUsers
: : : : #configuration.autocreate.group.description.0 = users allowed to log in to the UI
: : : : #configuration.autocreate.group.subjects.0 = johnsmith
: : : :
: : :
: : : --
: : : Baron Fujimoto
: : : UH Information Technology Services
: : : minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
--
Baron Fujimoto
UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
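The per-section check this thread converges on (the ensureUserAllowedInSection() call added in GrouperUiFilter.doFilter(), plus the "if not in require.group.for.logins" fallbacks in the updated media.properties comments), written out as an added example. This is not Grouper's own code and not code from anyone in the thread: the property keys and their fallback order are the ones quoted above, while the class name UiSectionAccessCheck, the MembershipLookup interface, the constructed memberships in main(), and the rule that a blank key leaves a section unrestricted are all assumptions made for the illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;

// Added example, not Grouper's own code. Models the per-section login check from the
// thread: the property keys and "if not in ..." fallback order are the ones quoted from
// media.properties; class/interface/method names are hypothetical, and treating a blank
// key as "section unrestricted" is an assumption.
public class UiSectionAccessCheck {

    enum UiSection {
        ADMIN, MEMBERSHIP_UPDATE_LITE, SUBJECT_PICKER, INVITE_EXTERNAL_SUBJECTS, ATTRIBUTE_UPDATE_LITE
    }

    // Hypothetical stand-in for a Grouper membership lookup.
    interface MembershipLookup {
        boolean isMember(String subjectId, String groupName);
    }

    private final Properties media;
    private final MembershipLookup lookup;

    UiSectionAccessCheck(Properties media, MembershipLookup lookup) {
        this.media = media;
        this.lookup = lookup;
    }

    // Keys consulted for a section, in fallback order, per the updated media.properties comments.
    static String[] keysFor(UiSection section) {
        switch (section) {
            case ADMIN:
                return new String[] {"require.group.for.logins"};
            case MEMBERSHIP_UPDATE_LITE:
                return new String[] {"require.group.for.membershipUpdateLite.logins",
                                     "require.group.for.logins"};
            case SUBJECT_PICKER:
                return new String[] {"require.group.for.subjectPicker.logins",
                                     "require.group.for.logins",
                                     "require.group.for.membershipUpdateLite.logins"};
            case INVITE_EXTERNAL_SUBJECTS:
                return new String[] {"require.group.for.inviteExternalSubjects.logins"};
            case ATTRIBUTE_UPDATE_LITE:
                return new String[] {"require.group.for.attributeUpdateLite.logins",
                                     "require.group.for.logins"};
            default:
                throw new IllegalArgumentException("unknown section " + section);
        }
    }

    // Configured (non-blank) groups, any one of which admits a subject to the section.
    List<String> requiredGroups(UiSection section) {
        List<String> groups = new ArrayList<>();
        for (String key : keysFor(section)) {
            String value = media.getProperty(key, "").trim();
            if (!value.isEmpty()) {
                groups.add(value);
            }
        }
        return groups;
    }

    // Mirrors the filter-level check: runs before the request proceeds and fails closed
    // with the message format seen in the thread's logs.
    void ensureUserAllowedInSection(UiSection section, String subjectId, String sourceId) {
        List<String> groups = requiredGroups(section);
        if (groups.isEmpty()) {
            return; // assumption: nothing configured for this section means no restriction
        }
        for (String group : groups) {
            if (lookup.isMember(subjectId, group)) {
                return;
            }
        }
        throw new SecurityException("Error, user Subject id: " + subjectId + ", sourceId: "
            + sourceId + " needs to be in one of the following groups: " + String.join(", ", groups));
    }

    public static void main(String[] args) {
        // Constructed media.properties, matching the test configuration quoted in the thread.
        Properties media = new Properties();
        media.setProperty("require.group.for.logins", "etc:uiUsers");
        media.setProperty("require.group.for.membershipUpdateLite.logins", "etc:uiLiteUsers");

        // Constructed memberships: test.subject.0 in etc:uiUsers, test.subject.1 in etc:uiLiteUsers.
        MembershipLookup lookup = (subject, group) ->
            ("test.subject.0".equals(subject) && "etc:uiUsers".equals(group))
            || ("test.subject.1".equals(subject) && "etc:uiLiteUsers".equals(group));

        UiSectionAccessCheck check = new UiSectionAccessCheck(media, lookup);
        for (String subject : Arrays.asList("test.subject.0", "test.subject.1")) {
            for (UiSection section : UiSection.values()) {
                try {
                    check.ensureUserAllowedInSection(section, subject, "constructed-source");
                    System.out.println(subject + " -> " + section + ": allowed");
                } catch (SecurityException e) {
                    System.out.println(subject + " -> " + section + ": " + e.getMessage());
                }
            }
        }
    }
}
```

With this configuration test.subject.1 is admitted to the lite membership update UI through its own key but refused the Admin UI with the "needs to be in one of the following groups: etc:uiUsers" message, which is the outcome the test case above records for that subject; test.subject.0 reaches every section because membership in require.group.for.logins satisfies each fallback chain. Because the check sits in the filter ahead of any page logic, a deep link is refused on the same terms as the login button, and the only way a section stays open is for every key in its chain to be left blank.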
- RE: [grouper-users] Restricting access to Grouper, Chris Hyzer, 09/08/2012