grouper-users - Re: [grouper-users] creating an initial admin user :confused:
Subject: Grouper Users - Open Discussion List
List archive
- From: Rob Gorrell <>
- To: Chris Hyzer <>
- Cc: "" <>
- Subject: Re: [grouper-users] creating an initial admin user :confused:
- Date: Wed, 22 May 2013 16:13:10 -0400
- Authentication-results: sfpop-ironport01.merit.edu; dkim=neutral (message not signed) header.i=none
bingo, that was it! I was running gsh from a separate API installation on my UI server, not from within the UI WEB-INF/bin and as such, that grouper.properties wasn't configured to use the wheel group. as soon as I turned that on, I'm now seeing the admin options after logging into the UI. Thanks.
what is the relationship here? i thought I needed an instance of the API on the same box for the UI to work properly? is that not the case, is the UI using its own bundled bits and I could remove the API? I have a separate server with the API where I plan to run things like the Loader and Provisioning pieces.
Thanks gain for steering me on the right course!
-Rob
No, shouldn’t matter. So you can confirm you are running the GSH from the UI WEB-INF/bin, and not somewhere else, right? J Maybe bounce the UI and try again?
If nothing else works, I can suggest some debug stuff you could add into Grouper, rebuild, and try again. Remind me which version you are using. Also, send me a sanitized version of your grouper.properties from the UI’s WEB-INF/classes dir
Thanks,
Chris
From: [mailto:] On Behalf Of Rob Gorrell
Sent: Wednesday, May 22, 2013 1:36 PM
To:
Subject: Re: [grouper-users] creating an initial admin user :confused:
Does removing all the <security-contraint> tags from the web.xml in order to shibbolize the UI (as directed here: https://spaces.internet2.edu/display/Grouper/Newcastle+University+-+Protecting+UI+With+Shib) factor into potentially why i'm seeing admin functionality in the UI but grouper is reporting the privleges on my subject appear to be there?
-Rob
On Wed, May 22, 2013 at 12:11 PM, Rob Gorrell <> wrote:
even more confused... yes, that checks out....
(and to Peter's question, yes, the grouper.properties is the same on the UI server)
gsh 0% grouperSession = GrouperSession.startRootSession();edu.internet2.middleware.grouper.GrouperSession: 3c2b8e6df1c24d24a92691b826a0817d,'GrouperSystem','application'
gsh 1% subject = findSubject("");
subject: id='' type='person' source='jdbc' name='Robert Gorrell'
gsh 2% member = MemberFinder.findBySubject(grouperSession, subject);
member: id='' type='person' source='jdbc' uuid='29f041bb3e634a4c9ab92ef0cdf1b67a'
gsh 3% member.getGroups();
group: name='etc:sysadmingroup' displayName='etc:sysadmingroup' uuid='ee01997e28094b73acaf355353fab2ea'
gsh 4% PrivilegeHelper.isWheelOrRoot(subject);
true
-Rob
On Wed, May 22, 2013 at 11:52 AM, Chris Hyzer <> wrote:
Start GSH from your UI WEB-INF/bin, try to resolve the subject by id or identifier as whatever comes from shib, and see if that specific subject is an admin… J could be the config in the UI isn’t the same as another place?
[appadmin@lorenzo appadmin]$ locate gsh.sh
/opt/appserv/tomcat_2v/webapps/grouper/WEB-INF/bin/gsh.sh
/opt/appserv/tomcat_3b/webapps/grouperWs/WEB-INF/bin/gsh.sh
/opt/appserv/tomcat_3c/webapps/fastGrouperProdDaemon/WEB-INF/bin/gsh.sh
[appadmin@lorenzo bin]$ cd /opt/appserv/tomcat_2v/webapps/grouper/WEB-INF/bin
[appadmin@lorenzo bin]$ ./gsh
-bash: ./gsh: Permission denied
[appadmin@lorenzo bin]$ chmod +x gsh
[appadmin@lorenzo bin]$ dos2unix gsh
dos2unix: converting file gsh to UNIX format ...
[appadmin@lorenzo bin]$ ./gsh
Type help() for instructions
gsh 0% grouperSession = GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: 32e27397920f480f88bd38938114cc32,'GrouperSystem','application'
gsh 1% subject = SubjectFinder.findByIdOrIdentifier("", true);
subject: id='10021368' type='person' source='pennperson' name='Michael Christopher Hyzer'
gsh 2% PrivilegeHelper.isWheelOrRoot(subject);
true
gsh 3% exit
From: [mailto:] On Behalf Of Gagné Sébastien
Sent: Wednesday, May 22, 2013 11:22 AM
To: Rob Gorrell; Earl Lewis
Cc:
Subject: RE: [grouper-users] creating an initial admin user :confused:
AFAIK you only need to be a member of the etc:sysadmingroup, maybe the problem is your shib authentication ? Could there be a subject source mismatch between the subject in the Group and the subject that’s logged in (doubtful) ?
The logged-in user in linux that is running Grouper doesn’t have any impact here
De : [] De la part de Rob Gorrell
Envoyé : 22 mai 2013 10:45
À : Earl Lewis
Cc :
Objet : Re: [grouper-users] creating an initial admin user :confused:
No, i'm not seeing that I guess furthur confirming I've not been successful in setting myself up as an admin. I guess what I'm confused about, beyond making myself a subject and putting myself into a etc:sysadmin group, how do I tell Grouper the sysadmin group (and thus its members) be granted admin access?
-Rob
On Wed, May 22, 2013 at 10:42 AM, Earl Lewis <> wrote:
Are you seeing the "Act as admin/Act as self" drop down control in the top right of the page? If so, then you are logged in as a user with admin rights. When you're logged in as an admin you should see a relatively short list of options on the left navigation pane (Explore, Search, etc…).
If you're logged in as a regular user, or acting as yourself using the "act as…" option in the UI, then you'll see additional options in the left sidebar for managing the things that you have access to within grouper. These don't show up for admin users because presumably they have access to everything within the UI.
On 5/22/13 6:42 AM, "Rob Gorrell" <> wrote:
So I've got my initial grouper api and ui setup going... even managed to shibbolize the ui to where I'm logging in and being mapped to a grouper subject using eppn (ie, )... but of course I'm winding up as a normal user in an otherwise empty grouper install. that leaves me next to figure out how to turn my only subject into an admin user. from the documentation, so far I've edit grouper.properties to:
configuration.autocreate.system.groups = true
groups.wheel.use = true
groups.wheel.group = etc:sysadmingroup
I've verified the etc:sysadmingroup is created and my subject () is indeed a member of it. I also see this reflected when I log into the UI. However, when I log into the UI, i don't see to have any special mojo to create groups or folders/stems in the root. from here, i'm not really sure where to go. I thought it was as merely adding a just to the group named in grouper.properties as the wheel group? am I having problems because my grouper subject () is not named the same as my linux user acct who's in the linux system's wheel group (rwgorrel)? where do i need to go to from here in getting my subject () setup as a full blown grouper admin?
Thanks
-Rob
--Robert W. Gorrell
Middleware Engineer, Identity and Access ManagementUniversity of NC at Greensboro
336-334-5954
--Robert W. Gorrell
Middleware Engineer, Identity and Access ManagementUniversity of NC at Greensboro
336-334-5954
--Robert W. Gorrell
Middleware Engineer, Identity and Access ManagementUniversity of NC at Greensboro
336-334-5954
--Robert W. Gorrell
Middleware Engineer, Identity and Access ManagementUniversity of NC at Greensboro
336-334-5954
--
Middleware Engineer, Identity and Access Management
336-334-5954
- [grouper-users] creating an initial admin user :confused:, Rob Gorrell, 05/22/2013
- Re: [grouper-users] creating an initial admin user :confused:, Earl Lewis, 05/22/2013
- Re: [grouper-users] creating an initial admin user :confused:, Rob Gorrell, 05/22/2013
- RE: [grouper-users] creating an initial admin user :confused:, Gagné Sébastien, 05/22/2013
- RE: [grouper-users] creating an initial admin user :confused:, Chris Hyzer, 05/22/2013
- Re: [grouper-users] creating an initial admin user :confused:, Rob Gorrell, 05/22/2013
- Re: [grouper-users] creating an initial admin user :confused:, Rob Gorrell, 05/22/2013
- RE: [grouper-users] creating an initial admin user :confused:, Chris Hyzer, 05/22/2013
- Re: [grouper-users] creating an initial admin user :confused:, Rob Gorrell, 05/22/2013
- RE: [grouper-users] creating an initial admin user :confused:, Chris Hyzer, 05/22/2013
- Re: [grouper-users] creating an initial admin user :confused:, Rob Gorrell, 05/22/2013
- Re: [grouper-users] creating an initial admin user :confused:, Rob Gorrell, 05/22/2013
- RE: [grouper-users] creating an initial admin user :confused:, Chris Hyzer, 05/22/2013
- RE: [grouper-users] creating an initial admin user :confused:, Gagné Sébastien, 05/22/2013
- Re: [grouper-users] creating an initial admin user :confused:, Peter DiCamillo, 05/23/2013
- Re: [grouper-users] creating an initial admin user :confused:, Rob Gorrell, 05/22/2013
- Re: [grouper-users] creating an initial admin user :confused:, Earl Lewis, 05/22/2013
Archive powered by MHonArc 2.6.16.