grouper-users - Grouper Users - Open Discussion List

[grouper-users] RE: Grouper and "Service accounts"

  • From: "Hyzer, Chris" <>
  • To: "Black, Carey M." <>, "" <>
  • Subject: [grouper-users] RE: Grouper and "Service accounts"
  • Date: Sat, 27 May 2017 18:51:28 +0000
  • Accept-language: en-US


> I have been trying to wrap my head around how Grouper deals with “local
> subjects”. Specifically for the use case of “Service Accounts”. Specifically
> for WebService clients to get data from Grouper.
>     Note: I am not talking about how the authentication is done in
>     this inquiry. Just how the “username” (AKA: Subject ID?) is
>     managed for this class of accounts.
>     Note: I think I am getting wrapped around “old docs” and “old
>     term in different contexts”
> ..
>
> I think I have stumbled into a confusion on my part and I am hopeful that someone
> can answer a few questions for me.
>     REF: https://spaces.internet2.edu/display/Grouper/Grouper+local+entities
>     REF: https://spaces.internet2.edu/pages/viewpage.action?pageId=14517859 (GSH page)
>
> I think there are two ways to make a “Local Subject” in Grouper.
> 1) Lite UI “Create or edit groups / roles / local entities”
>    a. Which looks like the result from the gsh EntitySave()
>       .. functions


Yeah

>
> 2) gsh via the “addSubject” (function?)


You could, though I think most people delete that subject source and make their own. You can use it if you want.

At Penn we have our own table and own subject source. I wrote this up here:

https://spaces.internet2.edu/display/Grouper/Penn+service+principals+from+kerberos+and+web+service+authentication


>
> However, these two paths appear to result in rather different things. (Thus my confusion.)
>
> Option 1 appears to produce an object that is visible in Grouper (via the
> Grouper “new” UI). However, it uses icons/language that implies that the
> thing that is created is a “Group” or some other type of object than a
> “person”. (The GSH output indicates this: type='application')
>     Example: I created an Entity


Yeah, the icons probably aren’t consistent, but an entity is a “thing” (could be person or service or something), but not a group in this case

>
> Entity testEntity = new EntitySave(rsess).assignCreateParentStemsIfNotExist(true).assignName("
> :TEST-AGAIN").save();
> findSubject("
> :TEST-AGAIN");
> subject: id='734731
> ..ee9b' type='application' source='grouperEntities' name='
> :TEST-AGAIN'
>
> Option 2 appears to produce an object that is NOT visible in Grouper (via the
> Grouper “new” UI). However, it (the New UI) uses icons/language that implies
> that it is a “person”. (More like a “real subject from a Subject API”.)
>     Example: I “addSubject”’ed a user called “WS-TESTING” and I
>     get this back from GSH
>         findSubject("
>         :WS-TESTING");
>         id='
>         :WS-TESTING' type='person' source='jdbc' name='WS-TESTING'
>
> Personally I like the idea of the service accounts being a “first class citizen”
> (in the Grouper UI, AKA Option 1) but I am concerned that there is some subtle thing
> that I am not anticipating that will make me want to have gone the other way later.
> Due to the type value, or some other hang up down the road.


Yes, in the first way they are in the Grouper folder namespace. In the second way they are not. If you want to search for something that is not in a namespace, then option 1 might limit you. In this case option 2 or 3 (Penn's way) might be best.

> Can anyone explain why one path would be better than the other?
> Can anyone explain why these two paths appear to be so different?

Option 1 allows non-Grouper-admins to have entities in their namespace.


> Can anyone explain how to remove an entry that was added with “addSubject”?

Delete from database :)

> (Since they are not “first class objects” in the Grouper UI I have not found
> the “delete/remove” gsh function/code yet.)

We can add something for this if you like. Those subject tables were for quick start, which is why they are not fully fleshed out… also, if you don’t delete them then they are never unresolvable :)


Thanks

Chris
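To make the “delete from database” answer above concrete, here is an added example that is not part of the thread and not Grouper project code. It removes a quick-start subject such as the one created with addSubject, together with its attribute rows, after first checking whether Grouper has already recorded memberships for it (the thread notes that a subject row you never delete can never become unresolvable; the converse is that deleting one that already holds memberships leaves those memberships pointing at a subject the source can no longer find). The table and column names (`subject`, `subjectattribute`, `grouper_members`, `grouper_memberships`) are assumptions based on the quick-start JDBC subject source and the Grouper registry schema, and the subject id `WS-TESTING` is a placeholder; verify both against your own sources.xml and database before running anything.

```sql
-- Added example, not from the thread. Assumes the Grouper quick-start JDBC
-- subject source tables (subject, subjectattribute) and the registry tables
-- grouper_members / grouper_memberships. Verify names against sources.xml
-- and your schema first. 'WS-TESTING' is a placeholder subject id; use the
-- exact subjectId you passed to addSubject. 'jdbc' is the source id the
-- thread shows for quick-start subjects.

-- 1. Confirm the row exists and see what the subject source would return.
SELECT subjectid, subjecttypeid, name
  FROM subject
 WHERE subjectid = 'WS-TESTING';

SELECT name, value
  FROM subjectattribute
 WHERE subjectid = 'WS-TESTING';

-- 2. Check whether Grouper has already registered this subject as a member.
--    A non-zero membership_count means those memberships would become
--    unresolvable once the source row is gone; remove them (UI or GSH)
--    before deleting the subject from its source.
SELECT m.id AS member_id, COUNT(ms.id) AS membership_count
  FROM grouper_members m
  LEFT JOIN grouper_memberships ms ON ms.member_id = m.id
 WHERE m.subject_id = 'WS-TESTING'
   AND m.subject_source = 'jdbc'
 GROUP BY m.id;

-- 3. Remove the quick-start subject and its attributes in one transaction,
--    attributes first so no orphaned attribute rows remain.
BEGIN;
DELETE FROM subjectattribute WHERE subjectid = 'WS-TESTING';
DELETE FROM subject          WHERE subjectid = 'WS-TESTING';
COMMIT;
```

Run steps 1 and 2 read-only first; only proceed to step 3 once the membership count is zero, otherwise Grouper will keep a member record whose subject can no longer be resolved by the `jdbc` source.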



