
grouper-users - Re: [grouper-users] creating an initial admin user :confused:

Subject: Grouper Users - Open Discussion List

  • From: Rob Gorrell <>
  • To: "" <>
  • Subject: Re: [grouper-users] creating an initial admin user :confused:
  • Date: Wed, 22 May 2013 13:35:31 -0400

Does removing all the <security-constraint> tags from the web.xml in order to shibbolize the UI (as directed here: https://spaces.internet2.edu/display/Grouper/Newcastle+University+-+Protecting+UI+With+Shib) factor into potentially why I'm seeing admin functionality in the UI but grouper is reporting the privileges on my subject appear to be there?

-Rob


On Wed, May 22, 2013 at 12:11 PM, Rob Gorrell <> wrote:
even more confused... yes, that checks out....
(and to Peter's question, yes, the grouper.properties is the same on the UI server)


gsh 0% grouperSession = GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: 3c2b8e6df1c24d24a92691b826a0817d,'GrouperSystem','application'
gsh 1% subject = findSubject("");
subject: id='' type='person' source='jdbc' name='Robert Gorrell'
gsh 2% member = MemberFinder.findBySubject(grouperSession, subject);
member: id='' type='person' source='jdbc' uuid='29f041bb3e634a4c9ab92ef0cdf1b67a'
gsh 3%  member.getGroups();
group: name='etc:sysadmingroup' displayName='etc:sysadmingroup' uuid='ee01997e28094b73acaf355353fab2ea'
gsh 4% PrivilegeHelper.isWheelOrRoot(subject);
true

-Rob



On Wed, May 22, 2013 at 11:52 AM, Chris Hyzer <> wrote:

Start GSH from your UI WEB-INF/bin, try to resolve the subject by id or identifier as whatever comes from shib, and see if that specific subject is an admin… :) could be the config in the UI isn’t the same as another place?

[appadmin@lorenzo appadmin]$ locate gsh.sh
/opt/appserv/tomcat_2v/webapps/grouper/WEB-INF/bin/gsh.sh
/opt/appserv/tomcat_3b/webapps/grouperWs/WEB-INF/bin/gsh.sh
/opt/appserv/tomcat_3c/webapps/fastGrouperProdDaemon/WEB-INF/bin/gsh.sh
[appadmin@lorenzo bin]$ cd /opt/appserv/tomcat_2v/webapps/grouper/WEB-INF/bin
[appadmin@lorenzo bin]$ ./gsh
-bash: ./gsh: Permission denied
[appadmin@lorenzo bin]$ chmod +x gsh
[appadmin@lorenzo bin]$ dos2unix gsh
dos2unix: converting file gsh to UNIX format ...
[appadmin@lorenzo bin]$ ./gsh
Type help() for instructions
gsh 0% grouperSession = GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: 32e27397920f480f88bd38938114cc32,'GrouperSystem','application'
gsh 1% subject = SubjectFinder.findByIdOrIdentifier("", true);
subject: id='10021368' type='person' source='pennperson' name='Michael Christopher Hyzer'
gsh 2% PrivilegeHelper.isWheelOrRoot(subject);
true
gsh 3% exit

From: [mailto:] On Behalf Of Gagné Sébastien
Sent: Wednesday, May 22, 2013 11:22 AM
To: Rob Gorrell; Earl Lewis
Cc:
Subject: RE: [grouper-users] creating an initial admin user :confused:

 

AFAIK you only need to be a member of the etc:sysadmingroup, maybe the problem is your shib authentication? Could there be a subject source mismatch between the subject in the Group and the subject that’s logged in (doubtful)?

The logged-in user in linux that is running Grouper doesn’t have any impact here.

 

 

From: [] On Behalf Of Rob Gorrell
Sent: May 22, 2013 10:45
To: Earl Lewis
Cc:
Subject: Re: [grouper-users] creating an initial admin user :confused:

 

No, I'm not seeing that, I guess further confirming I've not been successful in setting myself up as an admin. I guess what I'm confused about, beyond making myself a subject and putting myself into a etc:sysadmin group, how do I tell Grouper the sysadmin group (and thus its members) be granted admin access?

 

-Rob

 

On Wed, May 22, 2013 at 10:42 AM, Earl Lewis <> wrote:

Are you seeing the "Act as admin/Act as self" drop down control in the top right of the page? If so, then you are logged in as a user with admin rights. When you're logged in as an admin you should see a relatively short list of options on the left navigation pane (Explore, Search, etc…). 

 

If you're logged in as a regular user, or acting as yourself using the "act as…" option in the UI, then you'll see additional options in the left sidebar for managing the things that you have access to within grouper. These don't show up for admin users because presumably they have access to everything within the UI.

 

Earl

801-581-3635 (office)

801-554-3596 (mobile)

 

On 5/22/13 6:42 AM, "Rob Gorrell" <> wrote:

 

So I've got my initial grouper api and ui setup going... even managed to shibbolize the ui to where I'm logging in and being mapped to a grouper subject using eppn (ie, )... but of course I'm winding up as a normal user in an otherwise empty grouper install. That leaves me next to figure out how to turn my only subject into an admin user. From the documentation, so far I've edited grouper.properties to:

configuration.autocreate.system.groups = true
groups.wheel.use = true
groups.wheel.group = etc:sysadmingroup

I've verified the etc:sysadmingroup is created and my subject () is indeed a member of it. I also see this reflected when I log into the UI. However, when I log into the UI, I don't seem to have any special mojo to create groups or folders/stems in the root. From here, I'm not really sure where to go. I thought it was as merely adding a just to the group named in grouper.properties as the wheel group? Am I having problems because my grouper subject () is not named the same as my linux user acct who's in the linux system's wheel group (rwgorrel)? Where do I need to go from here in getting my subject () set up as a full-blown grouper admin?

Thanks
-Rob

--

Robert W. Gorrell
Middleware Engineer, Identity and Access Management

University of NC at Greensboro
336-334-5954
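
Added example (not part of the original messages and not Grouper project code): a shell check for the suggestion in the thread that the UI's configuration may not match another deployment's. It compares the three wheel-group keys quoted from grouper.properties across the files passed in; the function names and sample files are constructed for illustration, and only plain `key = value` lines are parsed.

```shell
#!/bin/sh
# Added example, not from the thread: compare wheel-group settings between
# the grouper.properties copies used by different deployments (API, UI, WS).

# The three keys quoted in the original message.
WHEEL_KEYS="configuration.autocreate.system.groups groups.wheel.use groups.wheel.group"

# prop_value FILE KEY: print the effective value of KEY, empty if unset.
# Handles "key = value" lines only; tolerates DOS line endings.
prop_value() {
    awk -v want="$2" '
        /^[ \t]*[#!]/ { next }                 # commented-out setting
        {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == want) val = v             # a later definition overrides
        }
        END { print val }
    ' "$1"
}

# wheel_config_diff REFERENCE OTHER...: print each mismatch, return 1 if any.
wheel_config_diff() {
    ref=$1; shift
    rc=0
    for f in "$@"; do
        for key in $WHEEL_KEYS; do
            a=$(prop_value "$ref" "$key")
            b=$(prop_value "$f" "$key")
            if [ "$a" != "$b" ]; then
                echo "MISMATCH $key: $ref='$a' $f='$b'"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample files: the UI copy has the wheel group switched off.
tmp=$(mktemp -d)
printf 'groups.wheel.use = true\r\ngroups.wheel.group = etc:sysadmingroup\r\n' > "$tmp/api.properties"
printf '#groups.wheel.use = true\ngroups.wheel.use = false\ngroups.wheel.group = etc:sysadmingroup\n' > "$tmp/ui.properties"
wheel_config_diff "$tmp/api.properties" "$tmp/ui.properties" || echo "wheel settings differ"
rm -rf "$tmp"
```

Pass the copy known to work (for example the one gsh reads) as the first argument and each webapp's copy after it; a non-zero exit status means at least one wheel setting differs.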






