
grouper-users - Re: [grouper-users] RE: Priv Hook?


Re: [grouper-users] RE: Priv Hook?


  • From: John Gasper <>
  • To: Chris Hyzer <>, grouper-users <>
  • Subject: Re: [grouper-users] RE: Priv Hook?
  • Date: Thu, 24 Sep 2015 09:40:31 -0700

Thanks Chris.

-- 
John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef


From: <> on behalf of Chris Hyzer <>
Date: Wednesday, September 16, 2015 at 8:25 AM
To: John Gasper <>, grouper-users <>
Subject: RE: [grouper-users] RE: Priv Hook?

I tweaked and added your two hooks into 2.2.2+, and there is a method to easily see if a group is being deleted, and a method to walk up the folders to check to see if an attribute is assigned and cache the results.  Included is some GSH to easily test this out.

 

Assign self opt out priv

https://bugs.internet2.edu/jira/browse/GRP-1197

 

Assign self read priv

https://bugs.internet2.edu/jira/browse/GRP-1198

 

I would like to hold off on the subject customizer though I put in a note to revisit that…

https://bugs.internet2.edu/jira/browse/GRP-1199
Thanks,

Chris

 

From: [] On Behalf Of Chris Hyzer
Sent: Wednesday, September 02, 2015 11:24 PM
To: John Gasper; grouper-users
Subject: RE: [grouper-users] RE: Priv Hook?

 

I think we would need a patch for this… assuming that delete group is the only case you need :)  Want to add a jira?

 

From: John Gasper []
Sent: Tuesday, September 01, 2015 8:02 PM
To: John Gasper; Chris Hyzer; grouper-users
Subject: Re: [grouper-users] RE: Priv Hook?

 

So I ran into an issue. The Veto Hook that prevents the OptOut priv’s removal is blocking the group from being deleted. Is there any way for the membershipPreRemoveMember() hook code to determine whether the delete is independent or if it is being removed by another action?

 

Thanks,

John

-- 

John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef
From: <> on behalf of John Gasper <>
Date: Tuesday, September 1, 2015 at 3:43 PM
To: Chris Hyzer <>, grouper-users <>
Subject: Re: [grouper-users] RE: Priv Hook?

 

Hi Chris,

 

The basic/essential code is here:

package net.unicon.middleware.grouper.groupHooks;

import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.GroupFinder;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.hooks.GroupHooks;
import edu.internet2.middleware.grouper.hooks.beans.GrouperContextTypeBuiltIn;
import edu.internet2.middleware.grouper.hooks.beans.HooksContext;
import edu.internet2.middleware.grouper.hooks.beans.HooksGroupBean;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * AssignSelfOptOutPrivilege adds the opt-out privilege for newly created groups to self (this group's subject)
 */
public class AssignSelfOptOutPrivilege extends GroupHooks {

    private final static Logger logger = LoggerFactory.getLogger(AssignSelfOptOutPrivilege.class);

    @Override
    public void groupPostCommitInsert(HooksContext hooksContext, HooksGroupBean postCommitInsertBean) {
        // only care about this if not grouper loader
        if (GrouperContextTypeBuiltIn.GROUPER_LOADER.equals(hooksContext.getGrouperContextType())) {
            return;
        }

        try {
            Group thisGroup = GroupFinder.findByUuid(GrouperSession.startRootSession(),
                    postCommitInsertBean.getGroup().getId(), false);
            logger.debug("The Group: {}", thisGroup);
            logger.debug("Group's subject {} ", thisGroup.toSubject());
            // Set of priv flags. The one flag set to true represents the 'opt out' priv
            thisGroup.addMember(thisGroup.toSubject(), false, false, false,
                    false, false, false, false, true, false,
                    false, null, null, false);
        } catch (Throwable e) {
            logger.error("OPT OUT Hook error: ", e);
        }
    }
}

And

package net.unicon.middleware.grouper.membershipHooks;

import edu.internet2.middleware.grouper.Field;
import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.exception.GroupNotFoundException;
import edu.internet2.middleware.grouper.hooks.MembershipHooks;
import edu.internet2.middleware.grouper.hooks.beans.HooksContext;
import edu.internet2.middleware.grouper.hooks.beans.HooksMembershipChangeBean;
import edu.internet2.middleware.grouper.hooks.logic.HookVeto;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class SelfOptOutPrivilegeRevocationVeto extends MembershipHooks {

    private final static Logger logger = LoggerFactory.getLogger(SelfOptOutPrivilegeRevocationVeto.class);

    private static final String OPTOUTS_FIELD_NAME = "optouts";

    @Override
    public void membershipPreRemoveMember(HooksContext hooksContext, HooksMembershipChangeBean preDeleteMemberBean) {
        try {
            Field field = preDeleteMemberBean.getMembership().getField();

            // privileges are stored as memberships; the 'optouts' field is the opt-out priv list
            if (OPTOUTS_FIELD_NAME.equals(field.getName())) {
                Group thisGroup = preDeleteMemberBean.getGroup();
                Group membershipGroup = preDeleteMemberBean.getMember().toGroup();

                // veto only when the member being removed is the group itself (self-assigned priv)
                if (thisGroup.getUuid().equals(membershipGroup.getUuid())) {
                    throw new HookVeto("self.optout.remove.veto", "Cannot remove self-assigned OptOut privilege.");
                }
            }
        } catch (GroupNotFoundException e) {
            logger.error("Member is not a Group. Moving on...: ", e);
        }
    }
}

Still need to add the code to limit to a stem or use attributes to identify stems, but that is trivial… I think.

 

-- 

John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef
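
The folder-attribute check that the post above says still needs adding, as an added example that is not code from this thread, from Unicon or from the Grouper project: it extends the opt-out hook so the privilege is assigned only when the new group's folder, or any ancestor folder, carries a marker attribute, and it caches each folder's answer with a short TTL so the hook does not walk the tree on every group insert. The attribute name etc:attribute:selfOptOutMarker is a placeholder, the package name just mirrors the post, and the Stem and attribute-delegate calls (getParentStem, isRootStem, getAttributeDelegate().hasAttributeByName, GrouperSession.stopQuietly) are written from memory of the Grouper 2.2 API and should be checked against the deployed version. It does not address the group-deletion problem raised later in the thread.

```java
package net.unicon.middleware.grouper.groupHooks; // hypothetical package, mirrors the post

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.GroupFinder;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.Stem;
import edu.internet2.middleware.grouper.hooks.GroupHooks;
import edu.internet2.middleware.grouper.hooks.beans.GrouperContextTypeBuiltIn;
import edu.internet2.middleware.grouper.hooks.beans.HooksContext;
import edu.internet2.middleware.grouper.hooks.beans.HooksGroupBean;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Assigns the self opt-out privilege only to groups created under a folder
 * (or any ancestor folder) that carries a marker attribute.
 * Added example, not code from the thread; attribute name is a placeholder.
 */
public class AssignSelfOptOutPrivilegeByFolder extends GroupHooks {

    private static final Logger logger = LoggerFactory.getLogger(AssignSelfOptOutPrivilegeByFolder.class);

    // PLACEHOLDER: attribute def name an admin assigns to a folder to opt its subtree in
    private static final String MARKER_ATTRIBUTE_NAME = "etc:attribute:selfOptOutMarker";

    // folder uuid -> { markerFound (1/0), expiresAtMillis }. Negative answers are the
    // expensive ones to recompute; a short TTL bounds how long a removed marker is honoured.
    private static final long CACHE_TTL_MILLIS = 5 * 60 * 1000L;
    private static final Map<String, long[]> CACHE = new ConcurrentHashMap<>();

    @Override
    public void groupPostCommitInsert(HooksContext hooksContext, HooksGroupBean postCommitInsertBean) {
        // same exclusion as the original hook: loader-created groups are left alone
        if (GrouperContextTypeBuiltIn.GROUPER_LOADER.equals(hooksContext.getGrouperContextType())) {
            return;
        }
        GrouperSession rootSession = GrouperSession.startRootSession();
        try {
            Group group = GroupFinder.findByUuid(rootSession, postCommitInsertBean.getGroup().getId(), false);
            if (group == null) {
                return;
            }
            if (!folderOrAncestorHasMarker(group.getParentStem())) {
                logger.debug("No marker above group {}, not assigning self opt-out", group.getName());
                return;
            }
            // same flag layout as the original hook: only the 'opt out' flag is true
            group.addMember(group.toSubject(), false, false, false,
                    false, false, false, false, true, false,
                    false, null, null, false);
        } catch (Throwable e) {
            logger.error("OPT OUT Hook error: ", e);
        } finally {
            // the original hook never closes the root session it opens; release it here
            GrouperSession.stopQuietly(rootSession);
        }
    }

    /** Walks from the given folder up to the root, stopping at the first folder carrying the marker. */
    static boolean folderOrAncestorHasMarker(Stem stem) {
        Stem current = stem;
        while (current != null) {
            if (hasMarkerCached(current)) {
                return true;
            }
            current = current.isRootStem() ? null : current.getParentStem();
        }
        return false;
    }

    /** Looks the folder up in the TTL cache, querying the attribute framework on a miss or expiry. */
    private static boolean hasMarkerCached(Stem stem) {
        long now = System.currentTimeMillis();
        long[] cached = CACHE.get(stem.getUuid());
        if (cached != null && cached[1] > now) {
            return cached[0] == 1L;
        }
        boolean found = stem.getAttributeDelegate().hasAttributeByName(MARKER_ATTRIBUTE_NAME);
        CACHE.put(stem.getUuid(), new long[] { found ? 1L : 0L, now + CACHE_TTL_MILLIS });
        return found;
    }
}
```

Caching per folder rather than per group means one attribute lookup per distinct ancestor during the TTL window, which is what keeps the hook cheap on a registry where many groups share a few top-level folders; the trade-off is that removing the marker from a folder takes effect only after the cached entries for that folder expire.
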
From: Chris Hyzer <>
Date: Wednesday, August 26, 2015 at 2:50 PM
To: John Gasper <>, grouper-users <>
Subject: RE: [grouper-users] RE: Priv Hook?

 

I think a generic hook (or rule)/attribute for this would be a good idea.  Did you end up implementing this?  Is there code you can share?

 

Thanks

Chris

 

From: John Gasper []
Sent: Monday, August 03, 2015 11:20 AM
To: Chris Hyzer; grouper-users
Subject: Re: [grouper-users] RE: Priv Hook?

 

One more similar scenario that I’d like to get your thoughts on.

 

By using an attribute at the stem level (essentially inherited by all child stems) or on a group, grant the group's opt out to “self”, so users within this part of the tree can always remove themselves from a group. We were going to use a hook to add the “optout” for self priv to the group if the stem or any part of its tree has the attribute, and a second hook that prevents a group admin from removing the priv.

 

Thoughts on that?

 

I think what we are seeing from schools is a desire to apply inherited permissions that can’t be changed by a stem or group admin. Similar to how the Windows permissions can work.

 

Thanks,

John

 

-- 

John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef
From: <> on behalf of John Gasper <>
Date: Monday, August 3, 2015 at 8:04 AM
To: Chris Hyzer <>, grouper-users <>
Subject: Re: [grouper-users] RE: Priv Hook?

 

Yes, I think we can commit to doing testing with this.

 

Thanks,

John

 

-- 

John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef
From: <> on behalf of Chris Hyzer <>
Date: Friday, July 31, 2015 at 3:23 PM
To: John Gasper <>, grouper-users <>
Subject: RE: [grouper-users] RE: Priv Hook?

 

If you have READ then you automatically have VIEW, so you don’t have to assign both.

Also, I think you might have performance problems with this on large registries… I looked in the code and to add the ability to have a READONLY and VIEWONLY wheel group would not be a lot of changes.  I can do some testing, but if you can also test that would be great.  Is that something you are interested in?

 

Thanks,

Chris

 

From: John Gasper []
Sent: Friday, July 31, 2015 3:02 PM
To: Chris Hyzer; grouper-users
Subject: Re: [grouper-users] RE: Priv Hook?

 

At the end of the day, we want a read-only “wheel” group… In other words, a group whose members can view, but not change, all groups and their memberships. The proposed method of implementation is to use a post hook to give “view” and “read” to a newly created group… and prevent “view” and “read” from being removed from a group (except perhaps by someone in the Wheel group).

 

-- 

John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef
From: <> on behalf of Chris Hyzer <>
Date: Friday, July 31, 2015 at 11:53 AM
To: John Gasper <>, grouper-users <>
Subject: RE: [grouper-users] RE: Priv Hook?

 

You should be able to use a membership hook, since privileges are implemented at memberships.  The list type is “access”, and you can see which priv it is, and who is removing it, and veto it.  If you write up exactly what you are doing I can look into making the grouper “rules” more full featured since these types of things should be easily accomplished with rules.

 

Thanks,

Chris
From: John Gasper []
Sent: Friday, July 31, 2015 2:26 PM
To: Chris Hyzer; grouper-users
Subject: Re: [grouper-users] RE: Priv Hook?

 

The specific case I’m working on is this… We are assigning privs (allow a specific group to read and view) to newly created groups via a hook. That part is great. We don’t want Group Admins to be able to remove that priv.

 

-- 

John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef
From: <> on behalf of Chris Hyzer <>
Date: Friday, July 31, 2015 at 11:05 AM
To: John Gasper <>, grouper-users <>
Subject: [grouper-users] RE: Priv Hook?

 

Yes, can you tell me more info about what you want to do?  :)

 

Thanks,

Chris

 

From: [] On Behalf Of John Gasper
Sent: Friday, July 31, 2015 1:07 PM
To: grouper-users
Subject: [grouper-users] Priv Hook?

 

Is there a hook to veto the assignment/deletion of a privilege?

 

-- 

John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef