grouper-users - RE: [grouper-users] web service user READ only, ALL groups
Subject: Grouper Users - Open Discussion List
List archive
- From: "O'Dowd, Josh" <>
- To: "Redman, Chad" <>, "Black, Carey M." <>, "Hyzer, Chris" <>
- Cc: "" <>, "Robinson, Justin S" <>
- Subject: RE: [grouper-users] web service user READ only, ALL groups
- Date: Fri, 27 Jul 2018 14:02:23 +0000
- Accept-language: en-US
- Ironport-phdr: 9a23:Aehx8xC+n3tJYHFWZpbrUyQJP3N1i/DPJgcQr6AfoPdwSPX/osbcNUDSrc9gkEXOFd2Cra4c1ayO6+jJYi8p2d65qncMcZhBBVcuqP49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6JvjvGo7Vks+7y/2+94fcbglUhTexe69+IAmrpgjNq8cahpdvJLwswRXTuHtIfOpWxWJsJV2Nmhv3+9m98p1+/SlOovwt78FPX7n0cKQ+VrxYES8pM3sp683xtBnMVhWA630BWWgLiBVIAgzF7BbnXpfttybxq+Rw1DWGMcDwULs5Qiqp4bt1RxD0iScHLz85/3/Risxsl6JQvRatqwViz4LIfI2ZMfxzdb7fc9wHX2pMRsZfWTJcDIOgYYUBDOQBMuRZr4bhqFUBogCzBRW1BO711jNEmmP60K083u88EQ/GxgsgH9cWvXjatdv5N6kcUee7zabV1TnIcvdY2TDm6IjIfBwqvPaBU7Z3ccrKyUkjDRrLglaep4ziMTKay/8As22A7+pnT+6vlmsnqx1rrjex28gsl5DEi4QIwV7H7SV02Js5KN2kREJhfNKpHoZcuzuEO4doTM4uWXxktScixrAJu5O3ZiYHxZY9yxPfdfCLaZWE7g/7WOafPzh1h25pdbe6ihqv7EetxeLxW8yq31tFrydInNzBu3MJ2hHc5cWKT/V980e91juB0Q3Y9/tKLloulaXBLp4s2r4wmYQXsUTEBiL2hUD2jKiQdkU45uSk9v7rYqjjpp+ALYN7lBzxMrk2lsy+B+Q3LBQOUnCG9em8yLHv51D1TbtXgvEsjKXVrp7XKd4GqqO4GwNV15ws6xe7DzeoytQYmnwHIUpBdhKAlIjpO0vCLun7AfmxhFStnipkyuvDPr36BZXBNGXDkLL9fbpn9UFT1RczwchF551IErEBPO7zWkjpudzXFB85NBG0w/75B9Vnz48eRHmPDbGDMKPJqlKI4uMvI/KQZI8OpjrxMfkl5/jyjXAng18de7em3YcJZHyiAPtpPliZMjLQhYJLK2oGuwM4CKTBiFSOG3YHbHa7U5Um6z0+AYSOEIHIAI2hnerFlG2RGpRdZSQOIVmWHGagUsPOE6MGbCuZIYk4yGcsUqO8DYItyEfq/EXa2qhqNK6c0S0CtImpnIxw7O3Chxwo3T1vBIKAy2yLSSd5kn5eFBEs26Uq62sy5lCc3ewwoftDFZYbs9FOSQd8EtHwyPN2I9XpXUTce8vPRVq7FIb1SQotR848loddK312HM+v21Wah3Kn
Chad,
Those are good ideas, thanks. Another, which I have been considering, since
we authn UI with Shibboleth is to leverage grouper to authorize authn into
grouper-ui. That is actually one of the reasons I originally asked the
global READ only accounts, so that I can give Shibboleth one to use for
checking membership of a grouper-ui-user group. We are going to restrict UI
access to app admins and system admins, for the most part, and stop any
non-authorized at login.
-Josh
________________________________________
From: Redman, Chad
[]
Sent: Friday, July 27, 2018 7:45 AM
To: Black, Carey M.; Hyzer, Chris
Cc:
;
O'Dowd, Josh; Robinson, Justin S
Subject: RE: [grouper-users] web service user READ only, ALL groups
I don't know if this helps your setup. What we have is that both people and
service accounts are in LDAP. But our people are in the ou=people branch, and
service accounts are in ou=applications. Shibboleth only looks in ou=people,
so it doesn't authenticate service accounts. That effectively keeps them out
of Grouper. Our WS setup goes directly against Kerberos, so works with both
people and service accounts.
Also, if they are different subject types in Grouper, there is also a UI
setting:
```
# comma separated source ids that the authenticating user must be in to
authenticate (if blank accept all)
grouper.ui.authentication.sourceIds =
```
We aren't using this, but we do have different subject sources for them, so
we could if SSO wasn't effective enough. This option is available as of UI
2.3.0 patch 14.
And there is an analogous property for WS to limit source types too. We do
use this just to lock it down to the sources we have the best control of.
-Chad
-----Original Message-----
From:
[mailto:]
On Behalf Of Black, Carey M.
Sent: Friday, July 27, 2018 7:34 AM
To: Hyzer, Chris
<>
Cc:
;
O'Dowd, Josh
<>;
Robinson, Justin S
<>
Subject: RE: [grouper-users] web service user READ only, ALL groups
Chris,
What if that requirement was desired ONLY in the Web Services interface?....
But I also guess it might also depend on the Authentication source(s) used
for the UI vs WS too.....
I tend to think of "non-human" accounts using WebServices (WS) and
humans using the UI.
Could an installation use two tomcat instances. ( one for the UI and a
separate one for WS )
( Which you really should do anyways. )
Then the UI could not use that setting.
And the WebServices instanced could.
That way WebServices users could "enjoy" that setting only via the WS calls
and not exposing it to "UI users"?
Just a thought...
--
Carey Matthew
-----Original Message-----
From:
<>
On Behalf Of Hyzer, Chris
Sent: Friday, July 27, 2018 2:27 AM
To: O'Dowd, Josh
<>;
Robinson, Justin S
<>
Cc:
Subject: RE: [grouper-users] web service user READ only, ALL groups
There is a way to do a global READ or VIEW or whatever priv without the
overhead of the inherited privs copying to every object:
(from grouper.base.properties)
# A readonly wheel group allows you to enable non-GrouperSystem subjects to
act
# like a root user when reading the registry.
groups.wheel.readonly.use = false
# Set to the name of the group you want to treat as the readonly wheel group.
# The members of this group will be treated as root-like users when reading
objects.
groups.wheel.readonly.group =
$$grouper.rootStemForBuiltinObjects$$:sysadminReadersGroup
-----Original Message-----
From:
[mailto:]
On Behalf Of O'Dowd, Josh
Sent: Thursday, July 26, 2018 1:01 PM
To: Robinson, Justin S
<>
Cc:
Subject: Re: [grouper-users] web service user READ only, ALL groups
Thanks for that Justin. I will give that a shot once I understand what its
doing, exactly. But your example gives me points of reference to learn more
about. Very kind.
Thank You!
-Josh
On Jul 26, 2018, at 10:55 AM, Robinson, Justin S
<<mailto:>>
wrote:
Hi Josh,
There are probably other (possibly better) ways to achieve this - but one way
is to use the RuleApi and GSH to inherit privileges. The example below should
do it:
grouperSession = GrouperSession.startRootSession();
someStem = StemFinder.findByName(grouperSession, "stem:path");
webServiceClientUsers = GroupFinder.findByName(grouperSession,
"etc:webServiceClientUser");
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), someStem,
Stem.Scope.SUB, webServiceClientUsers.toSubject(),
Privilege.getInstances("read"));
RuleApi.runRulesForOwner(someStem);
Thanks,
Justin Robinson
Indiana University
On Jul 26, 2018, at 12:42 PM, O'Dowd, Josh
<<'>>
wrote:
Hi,
I am wondering if it is possible to give an etc:webServiceClientUsers group
member READ(not ADMIN) privilege for ALL groups(including any new), instead
of having to add that privilege to each group individually? More of a global
group READ privilege, similar to what the etc:sysadmingroup has with the
ADMIN priv for all groups is what we are looking for.
Any help is much appreciated.
Thanks.
-Josh O’Dowd
University of Montana
- [grouper-users] web service user READ only, ALL groups, O'Dowd, Josh, 07/26/2018
- Re: [grouper-users] web service user READ only, ALL groups, Robinson, Justin S, 07/26/2018
- Re: [grouper-users] web service user READ only, ALL groups, O'Dowd, Josh, 07/26/2018
- RE: [grouper-users] web service user READ only, ALL groups, Hyzer, Chris, 07/27/2018
- RE: [grouper-users] web service user READ only, ALL groups, Black, Carey M., 07/27/2018
- RE: [grouper-users] web service user READ only, ALL groups, Redman, Chad, 07/27/2018
- RE: [grouper-users] web service user READ only, ALL groups, O'Dowd, Josh, 07/27/2018
- RE: [grouper-users] web service user READ only, ALL groups, O'Dowd, Josh, 07/27/2018
- RE: [grouper-users] web service user READ only, ALL groups, Redman, Chad, 07/27/2018
- RE: [grouper-users] web service user READ only, ALL groups, Hyzer, Chris, 07/30/2018
- RE: [grouper-users] web service user READ only, ALL groups, Redman, Chad, 07/27/2018
- RE: [grouper-users] web service user READ only, ALL groups, Black, Carey M., 07/27/2018
- RE: [grouper-users] web service user READ only, ALL groups, Hyzer, Chris, 07/27/2018
- Re: [grouper-users] web service user READ only, ALL groups, O'Dowd, Josh, 07/26/2018
- Re: [grouper-users] web service user READ only, ALL groups, Robinson, Justin S, 07/26/2018
Archive powered by MHonArc 2.6.19.