Skip to Content.
Sympa Menu

grouper-users - [grouper-users] Enclosed script to clean up admin privs for wheel users

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] Enclosed script to clean up admin privs for wheel users


Chronological Thread 
  • From: "Redman, Chad" <>
  • To: "" <>
  • Subject: [grouper-users] Enclosed script to clean up admin privs for wheel users
  • Date: Wed, 3 Oct 2018 19:27:00 +0000
  • Accept-language: en-US
  • Authentication-results: spf=none (sender IP is ) ;
  • Ironport-phdr: 9a23:y+66AxQrXSaZ4xgJhSGh8QDciNpsv+yvbD5Q0YIujvd0So/mwa67ZBSDt8tkgFKBZ4jH8fUM07OQ7/i/HzRYqb+681k6OKRWUBEEjchE1ycBO+WiTXPBEfjxciYhF95DXlI2t1uyMExSBdqsLwaK+i764jEdAAjwOhRoLerpBIHSk9631+ev8JHPfglEnjWwba9wIRmssQndqtQdjJd/JKo21hbHuGZDdf5MxWNvK1KTnhL86dm18ZV+7SleuO8v+tBZX6nicKs2UbJXDDI9M2Ao/8LrrgXMTRGO5nQHTGoblAdDDhXf4xH7WpfxtTb6tvZ41SKHM8D6Uaw4VDK/5KptVRTmijoINyQh/W/XlMJ+kb5brhyiqRx+34Hbb5qYO+Bicq/BZ94WWXZNUthXWidcAo28dYwPD+8ZMOpWs4fyuUYBrR6kCgmqHO/k1yFFhn/s0qIn3egqDAbL0xAgH90UrXvbtM/1O7kPXuCw1qbIyy7Ob+5Q2Tjh8oTHbA0uoeyVUL92bMHfx04vFwbfgVWRr4zoJyiV1vgTvGie6OphW+SvhHA9qw1rpDig3MIshZfRioIJylDL6zh5wJ0rKt2iUkJ7Z8SrEJ5OuC2COIt2Q98iQ2F1uCkh0LEJpZm7fC0SxJQo3R7fbOGHc5CP4hPtUuaePy14iGhjeL2lgha9706twfD/WMmsyFtHoTZJnsPRunwR1RHf8MqKR/Vn8kqh2DuDzx3f5+FaLUwui6bXMYMtzqIumpYJrEjOESz7lF34jKCIdUgo5u2l5uHlb7jiu5CTLYp5hRz8P6kshMCyBOs1PRQAX2WV/Omwyqbs8EP6TbhMk/Y4iLPWsIrAKsQevqO5AxFa0oIk6xunFzmrzNMWkWUHIV5cdhyJiIbkN0jJIP/jE/izmVOskCp3x//dOb3hH5PNIWXZnLf5Z7Z97FJcxxQvwtBD5pJUDbcBLOj0Wk/sqNzYChg5Mwu3w+r9FNp90YYeVXqOAq+fLqzSrUeF6+0zL+WWeYMZpDTwJ+In6vPgl3M0mV4QcbGs3ZQNaXC4GvpmI1+eYXrpmtoODWcKsRAjQ+Pykl2NTyNcZ3OoUKI6/Tw7FYSmApvZSo+znbOBwT+3HodKaWBeFlCMDXDoep2LW/cWbyKSP9dhnSIeVbS4Vo8hzg+htBXhy7d8KurU+zYYtY741NRr/eHTlBcy9SBqAMSH1WGCUX10kn0SSzAowa9/vB819lDWm6dihOFAGMYW+uhESBwSNJjAwvZ8BsyoHA/NY53BHFm8Rci+DCt0U8k82cQmYkBhFs+kgwyZmSemHulGuaaMAcl+yK/Q2nH3Y45Wy3/KnuF1hFkvTvxVOGGjj6hX6g7YQYPFjhPKxO6Raa0A0XuVpy+4xm2UsRQAClQiWLjZXX0ZekrdpMj44UWHVbK1FLA7KVUbm9WaJP5MbdvkxRVdSfHvNc6WQlr5mnz4RHPqjqiJcJKsfmwc2CvHD01RmAAa8UGcOAQ7DyGJvmTVSjFiCAGnbg==
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

In Grouper 2.4.0, when new groups and stems are created, the creator is no longer added as an admin if they are in the wheel group. The explicit access is unnecessary since users in the wheel group automatically have admin access even without the permission. This script performs a cleanup of these permissions, looping through a defined list of subjects (mixed ids/identifiers), and removing the admin access from the groups and stems. This cleanup could remove many thousands of excess memberships from the database, possibly improving performance.

 

After completion, the number of groups and stems where specific users have direct admin privileges should be very low. These remaining privileges should be looked at. Normally you would want to put users into policy groups instead, instead of giving direct access.

 

Note that this could take an hour or two to run, depending on how many privileges you have.

 

Regards,

-Chad

 

 

https://gist.github.com/cer28/b143b36ac280da2ac0fb6d360898a298

 

/****

*

* removeDefaultOwnerPermissions.groovy

*

* In Grouper 2.4.0, when new groups and stems are created, the creator is no longer added as an admin

* if they are in the wheel group. The explicit access is unnecessary since users in the wheel group automatically

* have admin access even without the permission. This script performs a cleanup of these permissions, looping through

* a defined list of subjects (mixed ids/identifiers), and removing the admin access from the groups and stems.

* This cleanup could remove many thousands of excess memberships from the database, possibly improving performance.

*

* After completion, the number of groups and stems where specific users have direct admin privileges should be very

* low. These remaining privileges should be looked at. Normally you would want to put users into policy groups instead,

* instead of giving direct access.

*

 * TODO get the count and add a countdown

* TODO revoke from attribute privileges

*

* Chad Redman <>, 2018-10-03, Free for any use

****/

 

subjects = ["GrouperSystem", "other-ids-or-identifiers", "for-current-and-past-wheel-members", ]

 

gs = GrouperSession.startRootSession()

//me = SubjectFinder.findByIdentifierAndSource("myUid", "mySource", true)

//gs = GrouperSession.start(me)

 

import edu.internet2.middleware.grouper.cfg.GrouperConfig

import edu.internet2.middleware.grouper.internal.dao.QueryOptions

import edu.internet2.middleware.grouper.membership.MembershipType

 

GrouperConfig.retrieveConfig().propertiesOverrideMap().put("ws.getMemberships.maxResultSize", "300000")

 

subjects.each { subject ->

    try {

       

        theUser=SubjectFinder.findByIdOrIdentifier(subject, true)

        println "Revoking admin privs for ${subject} (${theUser.name})"

   

        // QueryOptions has side effects! Can't reuse between group/subject queries because the sort option sticks to it

        queryOptions = new QueryOptions()

        queryOptions.paging(500, 1, false)  // 500 is the max allowed?

       

        while (true) {

            x = new MembershipFinder().

              addSubject(theUser).

              assignFieldType(FieldType.ACCESS).

              assignEnabled(true).

              assignHasFieldForGroup(true).

              assignHasMembershipTypeForGroup(true).

              addField("admins").

              assignMembershipType(MembershipType.IMMEDIATE).

              assignQueryOptionsForGroup(queryOptions).

              findMembershipResult().

              getMembershipSubjectContainers()

       

            if (x.size() == 0) {

                break

            }

            println "\t${x.size()}"

       

            x.each { member ->

                println "\tRevoke " + subject + " from group " + member.groupOwner.name

                member.groupOwner.revokePriv(theUser, AccessPrivilege.ADMIN, false)

            }

        }

       

    

        queryOptions = new QueryOptions()

        queryOptions.paging(500, 1, false)  // 500 is the max allowed?

       

        while (true) {

            x = new MembershipFinder().

              addSubject(theUser).

              assignFieldType(FieldType.NAMING).

              assignEnabled(true).

              assignHasFieldForStem(true).

              assignHasMembershipTypeForStem(true).

              addField("stemAdmins").

              assignMembershipType(MembershipType.IMMEDIATE).

              assignQueryOptionsForStem(queryOptions).

              findMembershipResult().

              getMembershipSubjectContainers()

       

            if (x.size() == 0) {

                break

            }

            println "\t${x.size()}"

       

            x.each { member ->

                println "\tRevoke " + subject + " from stem " + member.stemOwner.name

                member.stemOwner.revokePriv(theUser, NamingPrivilege.STEM_ADMIN, false)

            }

        }

    } catch (Exception e) {

        println "*** Failed to revoke from user ${subject}: ${e}"

        e.printStackTrace()

    }

}

 

 

 

/**** Alternative to MembershipFinder?

* import edu.internet2.middleware.grouper.internal.dao.hib3.Hib3MembershipDAO

* H = new Hib3MembershipDAO().findAllImmediateByMemberAndField(gs.member.uuid, FieldFinder.find("admins", true), true)

*

 * H.each { membership ->

*     member.groupOwner.revokePriv(me, AccessPrivilege.ADMIN, false)

* }

****/

 

 

 

/**** Now that the direct admin list is much smaller, at some point you should look at subjects

      that have direct access, instead of indirect by policy group. This query will show counts and Subject Ids

 

select count(*) as num_objects, subject_id, subject_source

from grouper_memberships_v

where     list_type = 'access'

    and   list_name = 'admins'

    and   membership_type = 'immediate'

    and   subject_source != 'g:gsa'

group by subject_id, subject_source

order by count(*) desc;

 

*/

 



  • [grouper-users] Enclosed script to clean up admin privs for wheel users, Redman, Chad, 10/03/2018

Archive powered by MHonArc 2.6.19.

Top of Page