Grouper Users - Open Discussion List

[Chris Hyzer <>]

The UI (or the WS) is self contained in a webapp.  To build it you need the API, but to run it you don’t (well, its in there)

 

Thanks,

Chris

 

From: Rob Gorrell [mailto:]
Sent: Wednesday, May 22, 2013 4:13 PM
To: Chris Hyzer
Cc:
Subject: Re: [grouper-users] creating an initial admin user :confused:

 

bingo, that was it! I was running gsh from a separate API installation on my UI server, not from within the UI WEB-INF/bin and as such, that grouper.properties wasn't configured to use the wheel group. as soon as I turned that on, I'm now seeing the admin options after logging into the UI. Thanks.

what is the relationship here? i thought I needed an instance of the API on the same box for the UI to work properly? is that not the case, is the UI using its own bundled bits and I could remove the API? I have a separate server with the API where I plan to run things like the Loader and Provisioning pieces.

Thanks gain for steering me on the right course!
-Rob

On Wed, May 22, 2013 at 3:37 PM, Chris Hyzer <> wrote:

No, shouldn’t matter.  So you can confirm you are running the GSH from the UI WEB-INF/bin, and not somewhere else, right?  J  Maybe bounce the UI and try again?

 

If nothing else works, I can suggest some debug stuff you could add into Grouper, rebuild, and try again.  Remind me which version you are using.  Also, send me a sanitized version of your grouper.properties from the UI’s WEB-INF/classes dir

 

Thanks,

Chris

 

 

 

 

From: [mailto:] On Behalf Of Rob Gorrell
Sent: Wednesday, May 22, 2013 1:36 PM
To:
Subject: Re: [grouper-users] creating an initial admin user :confused:

 

Does removing all the <security-contraint> tags from the web.xml in order to shibbolize the UI (as directed here: https://spaces.internet2.edu/display/Grouper/Newcastle+University+-+Protecting+UI+With+Shib) factor into potentially why i'm seeing admin functionality in the UI but grouper is reporting the privleges on my subject appear to be there?

-Rob

On Wed, May 22, 2013 at 12:11 PM, Rob Gorrell <> wrote:

even more confused... yes, that checks out....
(and to Peter's question, yes, the grouper.properties is the same on the UI server)

gsh 0% grouperSession = GrouperSession.startRootSession();

edu.internet2.middleware.grouper.GrouperSession: 3c2b8e6df1c24d24a92691b826a0817d,'GrouperSystem','application'
gsh 1% subject = findSubject("");
subject: id='' type='person' source='jdbc' name='Robert Gorrell'
gsh 2% member = MemberFinder.findBySubject(grouperSession, subject);
member: id='' type='person' source='jdbc' uuid='29f041bb3e634a4c9ab92ef0cdf1b67a'
gsh 3%  member.getGroups();
group: name='etc:sysadmingroup' displayName='etc:sysadmingroup' uuid='ee01997e28094b73acaf355353fab2ea'
gsh 4% PrivilegeHelper.isWheelOrRoot(subject);
true

-Rob

 

On Wed, May 22, 2013 at 11:52 AM, Chris Hyzer <> wrote:

Start GSH from your UI WEB-INF/bin, try to resolve the subject by id or identifier as whatever comes from shib, and see if that specific subject is an admin…  J  could be the config in the UI isn’t the same as another place?

 

[appadmin@lorenzo appadmin]$ locate gsh.sh

/opt/appserv/tomcat_2v/webapps/grouper/WEB-INF/bin/gsh.sh

/opt/appserv/tomcat_3b/webapps/grouperWs/WEB-INF/bin/gsh.sh

/opt/appserv/tomcat_3c/webapps/fastGrouperProdDaemon/WEB-INF/bin/gsh.sh

[appadmin@lorenzo bin]$ cd /opt/appserv/tomcat_2v/webapps/grouper/WEB-INF/bin

[appadmin@lorenzo bin]$ ./gsh

-bash: ./gsh: Permission denied

[appadmin@lorenzo bin]$ chmod +x gsh

[appadmin@lorenzo bin]$ dos2unix gsh

dos2unix: converting file gsh to UNIX format ...

[appadmin@lorenzo bin]$ ./gsh

Type help() for instructions

gsh 0% grouperSession = GrouperSession.startRootSession();

edu.internet2.middleware.grouper.GrouperSession: 32e27397920f480f88bd38938114cc32,'GrouperSystem','application'

gsh 1% subject = SubjectFinder.findByIdOrIdentifier("", true); 

subject: id='10021368' type='person' source='pennperson' name='Michael Christopher Hyzer'

gsh 2% PrivilegeHelper.isWheelOrRoot(subject);

true

gsh 3% exit

 

 

 

From: [mailto:] On Behalf Of Gagné Sébastien
Sent: Wednesday, May 22, 2013 11:22 AM
To: Rob Gorrell; Earl Lewis
Cc:
Subject: RE: [grouper-users] creating an initial admin user :confused:

 

AFAIK you only need to be a member of the etc:sysadmingroup, maybe the problem is your shib authentication ? Could there be a subject source mismatch between the subject in the Group and the subject that’s logged in (doubtful) ?

 

The logged-in user in linux that is running Grouper doesn’t have any impact here

 

 

De : [] De la part de Rob Gorrell
Envoyé : 22 mai 2013 10:45
À : Earl Lewis
Cc :
Objet : Re: [grouper-users] creating an initial admin user :confused:

 

No, i'm not seeing that I guess furthur confirming I've not been successful in setting myself up as an admin. I guess what I'm confused about, beyond making myself a subject and putting myself into a etc:sysadmin group, how do I tell Grouper the sysadmin group (and thus its members) be granted admin access?

 

-Rob

 

On Wed, May 22, 2013 at 10:42 AM, Earl Lewis <> wrote:

Are you seeing the "Act as admin/Act as self" drop down control in the top right of the page? If so, then you are logged in as a user with admin rights. When you're logged in as an admin you should see a relatively short list of options on the left navigation pane (Explore, Search, etc…). 

 

If you're logged in as a regular user, or acting as yourself using the "act as…" option in the UI, then you'll see additional options in the left sidebar for managing the things that you have access to within grouper. These don't show up for admin users because presumably they have access to everything within the UI.

 

Earl

801-581-3635 (office)

801-554-3596 (mobile)

 

On 5/22/13 6:42 AM, "Rob Gorrell" <> wrote:

 

So I've got my initial grouper api and ui setup going... even managed to shibbolize the ui to where I'm logging in and being mapped to a grouper subject using eppn (ie, )... but of course I'm winding up as a normal user in an otherwise empty grouper install. that leaves me next to figure out how to turn my only subject into an admin user. from the documentation, so far I've edit grouper.properties to:

configuration.autocreate.system.groups = true
groups.wheel.use = true
groups.wheel.group = etc:sysadmingroup

I've verified the etc:sysadmingroup is created and my subject () is indeed a member of it. I also see this reflected when I log into the UI. However, when I log into the UI, i don't see to have any special mojo to create groups or folders/stems in the root. from here, i'm not really sure where to go. I thought it was as merely adding a just to the group named in grouper.properties as the wheel group? am I having problems because my grouper subject () is not named the same as my linux user acct who's in the linux system's wheel group (rwgorrel)? where do i need to go to from here in getting my subject () setup as a full blown grouper admin?

Thanks
-Rob

--

Robert W. Gorrell
Middleware Engineer, Identity and Access Management

University of NC at Greensboro
336-334-5954

--

Robert W. Gorrell
Middleware Engineer, Identity and Access Management

University of NC at Greensboro
336-334-5954

--

Robert W. Gorrell
Middleware Engineer, Identity and Access Management

University of NC at Greensboro
336-334-5954

--

Robert W. Gorrell
Middleware Engineer, Identity and Access Management

University of NC at Greensboro
336-334-5954

--

Robert W. Gorrell
Middleware Engineer, Identity and Access Management

University of NC at Greensboro
336-334-5954