
grouper-users - Re: [grouper-users] default membership privileges for new members, setting default browser view and removing quick links

Subject: Grouper Users - Open Discussion List

  • From: Jeff McCullough <>
  • To: Chris Hyzer <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] default membership privileges for new members, setting default browser view and removing quick links
  • Date: Wed, 25 Feb 2015 10:42:51 -0800

Okay. I’ll give it a go. Thank you.

Jeff

On Feb 25, 2015, at 10:27 AM, Chris Hyzer <> wrote:

Note, this is a problem in the admin UI as well, I think we can just ignore that though…  it will remove the member, then you need to click a link to start over, not the end of the world.
 
Thanks,
Chris
 
 
 
From: Chris Hyzer 
Sent: Monday, February 23, 2015 9:56 PM
To: Chris Hyzer; 'Jeff McCullough'
Cc: ''
Subject: RE: [grouper-users] default membership privileges for new members, setting default browser view and removing quick links
 
This leaving group revoking privs problem is fixed:
 
 
this is fixed in patch:
 
grouper_v2_2_1_ui_patch_11
 
commit:
 
 
Note, if you remove a membership, and then don’t have read or update, then you will be sent to the main grouper page.
 
Uh… just thought of another case where a user removes their own privs… need to get that case too:
 
 
thanks,
Chris
 
 
[appadmin@i2midev1 patches]$ java -jar grouperInstaller.jar
Do you want to 'install' a new installation of grouper, 'upgrade' an existing installation
  or 'patch' an existing installation
  (enter: 'install', 'upgrade', 'patch' or blank for the default) [install]: patch
Enter in a Grouper temp directory to download tarballs (note: better if no spaces or special chars) [/opt/grouper/2.2/patches]:
What do you want to patch?  api, ui, ws, or psp? [api]: ui
Where is the grouper UI installed? /opt/tomcats/tomcat_d/webapps/grouper_v2_2
What do you want to do with patches (install, revert, status)? [install]:
 
################ Checking patch grouper_v2_2_1_api_patch_0
Patch: grouper_v2_2_1_api_patch_0: was applied on: 2015/01/18 17:45:34
 
 
################ Checking patch grouper_v2_2_1_api_patch_1
Patch: grouper_v2_2_1_api_patch_1: was applied on: 2015/01/18 17:46:04
 
 
################ Checking patch grouper_v2_2_1_api_patch_2
Patch: grouper_v2_2_1_api_patch_2: was applied on: 2015/01/18 17:46:24
 
 
################ Checking patch grouper_v2_2_1_api_patch_3
Patch: grouper_v2_2_1_api_patch_3: was applied on: 2015/01/20 06:07:54
 
 
################ Checking patch grouper_v2_2_1_api_patch_4
Patch: grouper_v2_2_1_api_patch_4: was applied on: 2015/02/04 13:56:11
 
 
################ Checking patch grouper_v2_2_1_api_patch_5
Patch: grouper_v2_2_1_api_patch_5: was applied on: 2015/02/23 19:54:20
 
 
################ Checking patch grouper_v2_2_1_api_patch_6
 
There are no new API patches to install
 
 
################ Checking patch grouper_v2_2_1_ui_patch_0
Patch: grouper_v2_2_1_ui_patch_0: was applied on: 2015/01/18 17:46:18
 
 
################ Checking patch grouper_v2_2_1_ui_patch_1
Patch: grouper_v2_2_1_ui_patch_1: was applied on: 2015/01/18 17:46:20
 
 
################ Checking patch grouper_v2_2_1_ui_patch_2
Patch: grouper_v2_2_1_ui_patch_2: was applied on: 2015/01/18 17:46:22
 
 
################ Checking patch grouper_v2_2_1_ui_patch_3
Patch: grouper_v2_2_1_ui_patch_3: was applied on: 2015/01/18 18:12:10
 
 
################ Checking patch grouper_v2_2_1_ui_patch_4
Patch: grouper_v2_2_1_ui_patch_4: was applied on: 2015/01/18 17:46:30
 
 
################ Checking patch grouper_v2_2_1_ui_patch_5
Patch: grouper_v2_2_1_ui_patch_5: was applied on: 2015/01/18 17:46:31
 
 
################ Checking patch grouper_v2_2_1_ui_patch_6
Patch: grouper_v2_2_1_ui_patch_6: was applied on: 2015/01/18 19:55:29
 
 
################ Checking patch grouper_v2_2_1_ui_patch_7
Patch: grouper_v2_2_1_ui_patch_7: was applied on: 2015/01/20 06:07:59
 
 
################ Checking patch grouper_v2_2_1_ui_patch_8
Patch: grouper_v2_2_1_ui_patch_8: was applied on: 2015/02/04 13:56:19
 
 
################ Checking patch grouper_v2_2_1_ui_patch_9
Patch: grouper_v2_2_1_ui_patch_9: was applied on: 2015/02/23 19:54:26
 
 
################ Checking patch grouper_v2_2_1_ui_patch_10
Patch: grouper_v2_2_1_ui_patch_10: was applied on: 2015/02/24 02:25:38
 
 
################ Checking patch grouper_v2_2_1_ui_patch_11
Downloading from URL: http://software.internet2.edu/grouper/release/2.2.1/patches/grouper_v2_2_1_ui_patch_11.tar.gz to file: /opt/grouper/2.2/patches/grouper_v2_2_1_ui_patch_11.tar.gz
Unzipping: /opt/grouper/2.2/patches/grouper_v2_2_1_ui_patch_11.tar.gz
Expanding: /opt/grouper/2.2/patches/grouper_v2_2_1_ui_patch_11.tar
Patch grouper_v2_2_1_ui_patch_11 is low risk, is not a security patch
GRP-1111: if you leave a group via UI and leaving revokes view privs (or others), dont throw error
Would you like to install patch grouper_v2_2_1_ui_patch_11 (t|f)? [t]:
 
- added to end of property file: grouper_v2_2_1_ui_patch_11.date = 2015/02/24 02:38:16
This patch requires all processes that user Grouper to be stopped.
  Please stop these processes if they are running and press <enter> to continue...
 
Applying file: /opt/tomcats/tomcat_d/webapps/grouper_v2_2/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/serviceLogic/UiV2Group$4.class
Applying file: /opt/tomcats/tomcat_d/webapps/grouper_v2_2/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/serviceLogic/UiV2Group$3.class
Applying file: /opt/tomcats/tomcat_d/webapps/grouper_v2_2/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/serviceLogic/UiV2Group$1.class
Applying file: /opt/tomcats/tomcat_d/webapps/grouper_v2_2/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/serviceLogic/UiV2Group$RetrieveGroupHelperResult.class
Applying file: /opt/tomcats/tomcat_d/webapps/grouper_v2_2/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/serviceLogic/UiV2Group$2.class
Applying file: /opt/tomcats/tomcat_d/webapps/grouper_v2_2/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/serviceLogic/UiV2Group.java
Applying file: /opt/tomcats/tomcat_d/webapps/grouper_v2_2/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/serviceLogic/UiV2Group.class
Applying file: /opt/tomcats/tomcat_d/webapps/grouper_v2_2/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/serviceLogic/UiV2Group$5.class
Patch successfully applied: grouper_v2_2_1_ui_patch_11
- added to end of property file: grouper_v2_2_1_ui_patch_11.state = applied
 
 
################ Checking patch grouper_v2_2_1_ui_patch_12
 
Since patches were applied, you should delete files in your app server work directory,
  in tomcat it is named 'work'.  Hit <enter> to continue:
[appadmin@i2midev1 patches]$
 
 
 
From: Chris Hyzer 
Sent: Friday, February 06, 2015 12:16 AM
To: Jeff McCullough
Cc: 
Subject: RE: [grouper-users] default membership privileges for new members, setting default browser view and removing quick links
 
Yeah, get a list from SQL, you can generate a GSH script from that list if you like.
 
Something like this (didn’t test it):
 
grouperSession = GrouperSession.startRootSession();
 
group = GroupFinder.findByName(grouperSession, "the:group:name");
grantPriv(group.getName(), group.toSubject(), "read");
grantPriv(group.getName(), group.toSubject(), "update");
 
Regarding leaving the group, yeah, if someone leaves the group then they don’t have privs anymore on the group, so the logic gets confused.  I can work on that one to make it more graceful (just end up on the main Grouper UI screen?)  I assume we only need to worry about it in the new UI.
 
 
Thanks,
Chris
 
 
From: Jeff McCullough [] 
Sent: Thursday, February 05, 2015 8:04 PM
To: Chris Hyzer
Cc: 
Subject: Re: [grouper-users] default membership privileges for new members, setting default browser view and removing quick links
 
Hi Chris,
 
This works beautifully. Thank you. There are two remaining questions. 
 
What to do for groups that already exist in that folder? Get a list via sql and cycle through them?
 
In addition to adding read, I tried adding “update” such that whoever is in the group can change the membership of the group. This works for adding people to the group. For deletion there is one issue. If the logged in user tries to remove themselves from the group by either the “revoke membership” or “leave group”, there is an error. Their account is removed from the group though. 
 
Error: Subject: Subject id: 212372, sourceId: ldap does not have view on group edu:berkeley:org:Calnet:test-for-update-folder:test-group-update, Problem calling method leaveGroup on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group
 
They can remove others with no issue, so it is just their own membership that is at issue. Is this expected behavior or a possible bug? Here is the full error listing: (also attaching a screen shot of the privileges the account does have.)
 
2015-02-05 16:25:10,239: [http-8443-4] INFO  EventLog.info(156) -  - [6e748cf6c3684da389dac5fbdb5c10c8,'212372','person'] delete member: group='edu:berkeley:org:Calnet:test-for-update-folder:test-group-update' list='members' subject='212372'/'person'/'ldap' (19ms)
2015-02-05 16:25:10,316: [http-8443-4] INFO  EventLog.info(156) -  - [b9b4b9a868d54201a877069443a73f1c,'GrouperSystem','application'] session: start (0ms)
2015-02-05 16:25:10,335: [http-8443-4] ERROR GrouperUiRestServlet.doGet(321) -  - Problem calling reflection from URL: edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group.removeMember
 
edu.internet2.middleware.grouper.exception.InsufficientPrivilegeException: Subject: Subject id: 212372, sourceId: ldap does not have view on group edu:berkeley:org:Calnet:test-for-update-folder:test-group-update,
Problem calling method removeMember on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group
        at edu.internet2.middleware.grouper.userData.GrouperUserDataApi$5.callback(GrouperUserDataApi.java:864)
        at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:974)
        at edu.internet2.middleware.grouper.userData.GrouperUserDataApi.recentlyUsedGroupAdd(GrouperUserDataApi.java:852)
        at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group.removeMember(UiV2Group.java:407)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:4002)
        at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(GrouperUtil.java:3953)
        at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:288)
        at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:160)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:110)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1015)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jasig.cas.client.util.HttpServletRequestWrapperFilter.doFilter(HttpServletRequestWrapperFilter.java:75)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:201)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:558)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:745)
 
Jeff
 
On Feb 5, 2015, at 10:56 AM, Chris Hyzer <> wrote:
 
First of all, you wouldn’t need a rule on each group, you just need to assign the group as a reader of itself.  However, using EL I was able to craft a rule to do this for all groups in a folder (on group create, assign the group to be a reader of itself, which means all members of the group can read the group).
The only thing you need to change is the folder name below.  Let me know how it goes :)
 
btw, this only assigns the priv if the group doesn’t already have the priv, so if you have GrouperAll having READ/VIEW on groups in your grouper config, then it won’t work (and you wouldn’t even need this rule!)  :)
 
Thanks,
Chris
 
grouperSession = GrouperSession.startRootSession();
folder = StemFinder.findByName(grouperSession, "testFolder");
AttributeAssign attributeAssign = folder.getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();
AttributeValueDelegate attributeValueDelegate = attributeAssign.getAttributeValueDelegate();
attributeValueDelegate.assignValue(RuleUtils.ruleActAsSubjectSourceIdName(), "g:isa");
attributeValueDelegate.assignValue(RuleUtils.ruleActAsSubjectIdName(), "GrouperSystem");
attributeValueDelegate.assignValue(RuleUtils.ruleCheckTypeName(), RuleCheckType.groupCreate.name());
attributeValueDelegate.assignValue(RuleUtils.ruleCheckStemScopeName(), Stem.Scope.SUB.name());
attributeValueDelegate.assignValue(RuleUtils.ruleThenElName(),"${ruleElUtils.assignGroupPrivilege(groupId, 'g:gsa', groupId, null, 'read')}");
 
 
 
From: Jeff McCullough [] 
Sent: Wednesday, February 04, 2015 7:03 PM
To: Chris Hyzer
Cc: 
Subject: Re: [grouper-users] default membership privileges for new members, setting default browser view and removing quick links
 
The alternate I guess is creating a rule per group after the groups are created. Let’s say there are multiple thousands of groups, will there be an issue with having that many rules? If the group is deleted the other issue is that the rule no longer applies. Is there an issue there?
 
Jeff
 
On Feb 2, 2015, at 11:32 PM, Jeff McCullough <> wrote:
 
Interesting idea. The groups in question will all be in one folder. I can see how to use the method for groups that exist. Is it possible to do this on groups that have yet to be created given the view/read group needs to be specified when creating the rule in the inheritGroupPrivileges method?
 
Thanks,
Jeff
 
On Feb 2, 2015, at 8:30 PM, Chris Hyzer <> wrote:
 
 
> 1) I'd like to be able to change the default membership privileges
> that are presented when adding a new member of a group. The current
> default is simply “member”. We might like the default to add “view”
> and “read” for the members that are being added. There are the
> privileges that are set for the GrouperAll (groups.create.grant.all.*)
> when a group is created, but the case I’m interested in is just for
> members of the group not anyone on the system. I don’t see any
> properties in the properties files, but wonder if maybe a rule would work?
 
Do you want this for all groups, or just certain groups?  If it is just certain groups, where you want all members to be able to view/read the group, can you just make the group a reader of itself (which implies view)?
 
 
> 
> 2) I’d like the default browser view to be different than the root
> view. The property default.browse.stem=edu:berkeley works fine in
> the Admin UI, but the new UI “Browse Folders”  view on the main page
> doesn’t change. Is there a separate property for that? Given it is a
> tree view, the desired behavior would be to at least open the view to
> the default browse stem.
 
I added a jira for that. 
 
 
 
> 
> 3) The quick links menu is great, but I don’t want to display the links
> for the Admin UI and Lite UI. I see properties for display relating to
> the older UIs, but not for the new UI. It looks like I just need to
> remove the links from the JSP. Is that correct?
> 
 
I added a jira for that.  And in the meantime, just edit that JSP.
 
 
Thanks,
Chris
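
The error reported in this thread has a recognizable log shape: a "delete member" event in which the acting subject removes itself, followed at once by an InsufficientPrivilegeException for the same subject and group. As an added example (not from the thread or the Grouper project), this Python script separates that side effect from other privilege denials in the same log; the 5-second window, the verdict labels and the last four sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Log formats as they appear in the thread's Grouper UI log excerpt.
TS = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3}: ")
DELETE = re.compile(
    r"\[\w+,'(?P<actor>[^']+)','[^']*'\] delete member: "
    r"group='(?P<group>[^']+)' list='members' subject='(?P<subject>[^']+)'")
DENIED = re.compile(
    r"InsufficientPrivilegeException: Subject: Subject id: (?P<subject>[^,]+), "
    r"sourceId: \S+ does not have (?P<priv>\w+) on group (?P<group>[^,\s]+)")

GROUP = "edu:berkeley:org:Calnet:test-for-update-folder:test-group-update"
EXC = ("edu.internet2.middleware.grouper.exception.InsufficientPrivilegeException: "
       "Subject: Subject id: {}, sourceId: ldap does not have view on group {},")
# First three lines are abridged from the thread; the last four are constructed.
SAMPLE_LOG = [
    "2015-02-05 16:25:10,239: [http-8443-4] INFO  EventLog.info(156) -  - "
    "[6e748cf6c3684da389dac5fbdb5c10c8,'212372','person'] delete member: "
    f"group='{GROUP}' list='members' subject='212372'/'person'/'ldap' (19ms)",
    "2015-02-05 16:25:10,335: [http-8443-4] ERROR GrouperUiRestServlet.doGet(321)"
    " -  - Problem calling reflection from URL: ...UiV2Group.removeMember",
    EXC.format("212372", GROUP),
    "2015-02-05 16:40:00,000: [http-8443-7] ERROR constructed line",
    EXC.format("999999", "edu:example:constructed:group"),
    "2015-02-05 17:30:00,000: [http-8443-7] ERROR constructed line",
    EXC.format("212372", GROUP),
]

def classify_denials(lines, window_seconds=5):
    """Return (subject, group, privilege, verdict) for every denial in lines."""
    window = timedelta(seconds=window_seconds)
    self_removals = {}  # (subject, group) -> time the subject removed itself
    now = None          # stack-trace lines carry no timestamp; reuse the last one
    results = []
    for line in lines:
        ts = TS.match(line)
        if ts:
            now = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        removed = DELETE.search(line)
        # Only a removal where actor == removed subject explains a later denial.
        if removed and now and removed["actor"] == removed["subject"]:
            self_removals[(removed["subject"], removed["group"])] = now
        denied = DENIED.search(line)
        if denied:
            key = (denied["subject"], denied["group"])
            benign = key in self_removals and now - self_removals[key] <= window
            results.append(key + (denied["priv"],
                "self_removal_side_effect" if benign else "unexplained_denial"))
    return results

if __name__ == "__main__":
    for row in classify_denials(SAMPLE_LOG):
        print(row)
```
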
 



