grouper-users - [grouper-users] RE: Enclosed script to clean up admin privs for wheel users

Subject: Grouper Users - Open Discussion List

  • From: "Redman, Chad" <>
  • To: "" <>
  • Subject: [grouper-users] RE: Enclosed script to clean up admin privs for wheel users
  • Date: Thu, 4 Oct 2018 13:43:12 +0000

Added to the script a query for direct admins of stems, to go along with the query for groups:

select count(*), v.subject_id, v.subject_source, m.sort_string0, m.name
from grouper_memberships_v v
join grouper_members m on v.member_id = m.id
where     v.list_type = 'naming'
    and   v.list_name like 'stemAdmins'
    and   v.membership_type = 'immediate'
    and   v.subject_source != 'g:gsa'
group by v.subject_id, v.subject_source, m.sort_string0, m.name
order by 1 desc;


From: Redman, Chad
Sent: Wednesday, October 03, 2018 3:27 PM
To:
Subject: Enclosed script to clean up admin privs for wheel users

In Grouper 2.4.0, when new groups and stems are created, the creator is no longer added as an admin if they are in the wheel group. The explicit access is unnecessary since users in the wheel group automatically have admin access even without the permission. This script performs a cleanup of these permissions, looping through a defined list of subjects (mixed ids/identifiers), and removing the admin access from the groups and stems. This cleanup could remove many thousands of excess memberships from the database, possibly improving performance.

After completion, the number of groups and stems where specific users have direct admin privileges should be very low. These remaining privileges should be looked at. Normally you would want to put users into policy groups instead of giving direct access.

Note that this could take an hour or two to run, depending on how many privileges you have.

Regards,

-Chad

https://gist.github.com/cer28/b143b36ac280da2ac0fb6d360898a298


/****
 *
 * removeDefaultOwnerPermissions.groovy
 *
 * In Grouper 2.4.0, when new groups and stems are created, the creator is no longer added as an admin
 * if they are in the wheel group. The explicit access is unnecessary since users in the wheel group automatically
 * have admin access even without the permission. This script performs a cleanup of these permissions, looping through
 * a defined list of subjects (mixed ids/identifiers), and removing the admin access from the groups and stems.
 * This cleanup could remove many thousands of excess memberships from the database, possibly improving performance.
 *
 * After completion, the number of groups and stems where specific users have direct admin privileges should be very
 * low. These remaining privileges should be looked at. Normally you would want to put users into policy groups
 * instead of giving direct access.
 *
 * TODO get the count and add a countdown
 * TODO revoke from attribute privileges
 *
 * Chad Redman <>, 2018-10-03, Free for any use
 ****/

// Intended to run from gsh (the Grouper shell), which imports the core Grouper classes implicitly.
// The explicit imports below make the script self-contained outside gsh as well.
import edu.internet2.middleware.grouper.GrouperSession
import edu.internet2.middleware.grouper.SubjectFinder
import edu.internet2.middleware.grouper.MembershipFinder
import edu.internet2.middleware.grouper.FieldType
import edu.internet2.middleware.grouper.privs.AccessPrivilege
import edu.internet2.middleware.grouper.privs.NamingPrivilege
import edu.internet2.middleware.grouper.cfg.GrouperConfig
import edu.internet2.middleware.grouper.internal.dao.QueryOptions
import edu.internet2.middleware.grouper.membership.MembershipType

// Subject ids or identifiers (current and past wheel members) whose direct admin privileges should be revoked
subjects = ["GrouperSystem", "other-ids-or-identifiers", "for-current-and-past-wheel-members", ]

gs = GrouperSession.startRootSession()
//me = SubjectFinder.findByIdentifierAndSource("myUid", "mySource", true)
//gs = GrouperSession.start(me)

// Raise the membership query result cap so a subject with a very large number of admin privileges is not truncated
GrouperConfig.retrieveConfig().propertiesOverrideMap().put("ws.getMemberships.maxResultSize", "300000")

subjects.each { subject ->
    try {
        theUser = SubjectFinder.findByIdOrIdentifier(subject, true)
        println "Revoking admin privs for ${subject} (${theUser.name})"

        // QueryOptions has side effects! Can't reuse between group/subject queries because the sort option sticks to it
        queryOptions = new QueryOptions()
        queryOptions.paging(500, 1, false)  // 500 is the max allowed?

        // Always fetch page 1: each pass revokes the privileges it found, so the next page 1 holds the next batch,
        // and the loop ends when nothing is left
        while (true) {
            x = new MembershipFinder().
              addSubject(theUser).
              assignFieldType(FieldType.ACCESS).
              assignEnabled(true).
              assignHasFieldForGroup(true).
              assignHasMembershipTypeForGroup(true).
              addField("admins").
              assignMembershipType(MembershipType.IMMEDIATE).
              assignQueryOptionsForGroup(queryOptions).
              findMembershipResult().
              getMembershipSubjectContainers()

            if (x.size() == 0) {
                break
            }
            println "\t${x.size()}"

            x.each { member ->
                println "\tRevoke " + subject + " from group " + member.groupOwner.name
                member.groupOwner.revokePriv(theUser, AccessPrivilege.ADMIN, false)
            }
        }

        // Fresh QueryOptions for the stem query (see the side-effect note above)
        queryOptions = new QueryOptions()
        queryOptions.paging(500, 1, false)  // 500 is the max allowed?

        while (true) {
            x = new MembershipFinder().
              addSubject(theUser).
              assignFieldType(FieldType.NAMING).
              assignEnabled(true).
              assignHasFieldForStem(true).
              assignHasMembershipTypeForStem(true).
              addField("stemAdmins").
              assignMembershipType(MembershipType.IMMEDIATE).
              assignQueryOptionsForStem(queryOptions).
              findMembershipResult().
              getMembershipSubjectContainers()

            if (x.size() == 0) {
                break
            }
            println "\t${x.size()}"

            x.each { member ->
                println "\tRevoke " + subject + " from stem " + member.stemOwner.name
                member.stemOwner.revokePriv(theUser, NamingPrivilege.STEM_ADMIN, false)
            }
        }
    } catch (Exception e) {
        println "*** Failed to revoke from user ${subject}: ${e}"
        e.printStackTrace()
    }
}

/**** Alternative to MembershipFinder?
 * import edu.internet2.middleware.grouper.internal.dao.hib3.Hib3MembershipDAO
 * H = new Hib3MembershipDAO().findAllImmediateByMemberAndField(gs.member.uuid, FieldFinder.find("admins", true), true)
 *
 * H.each { membership ->
 *     membership.groupOwner.revokePriv(me, AccessPrivilege.ADMIN, false)
 * }
 ****/

/**** Now that the direct admin list is much smaller, at some point you should look at subjects
      that have direct access, instead of indirect by policy group. This query will show counts and Subject Ids

select count(*) as num_objects, subject_id, subject_source
from grouper_memberships_v
where     list_type = 'access'
    and   list_name = 'admins'
    and   membership_type = 'immediate'
    and   subject_source != 'g:gsa'
group by subject_id, subject_source
order by count(*) desc;

*/
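As an added example that is not part of Chad's post or of the Grouper project, the following Python script runs the post's audit queries against a constructed, in-memory SQLite stand-in for the columns of grouper_memberships_v that those queries use, lists what the cleanup would revoke for a given wheel list (a dry run), simulates that revocation in the stand-in table only, and re-runs the audit to show what is left for review. The sample rows, the WHEEL_SUBJECTS list and the owner_name column are assumptions for illustration; the real revocation is done through gsh as in the script above, and the real view has many more columns.

```python
"""Dry-run audit of direct admin privileges before and after a wheel-member cleanup.

Constructed example: an in-memory SQLite table stands in for the subset of
grouper_memberships_v columns used by the audit queries in the mailing-list post.
"""
import sqlite3

# Constructed sample rows: (subject_id, subject_source, list_type, list_name, membership_type, owner_name)
SAMPLE_ROWS = [
    # Wheel members who created groups/stems before 2.4.0 and were added as direct admins
    ("GrouperSystem", "g:isa", "access", "admins", "immediate", "app:hr:staff"),
    ("GrouperSystem", "g:isa", "access", "admins", "immediate", "app:hr:managers"),
    ("GrouperSystem", "g:isa", "naming", "stemAdmins", "immediate", "app:hr"),
    ("cr1", "ldap", "access", "admins", "immediate", "app:hr:staff"),
    ("cr1", "ldap", "access", "admins", "immediate", "app:payroll:users"),
    ("cr1", "ldap", "naming", "stemAdmins", "immediate", "app:payroll"),
    # A non-wheel user with a direct admin privilege: survives the cleanup and should be reviewed
    ("jdoe", "ldap", "access", "admins", "immediate", "app:payroll:users"),
    # A policy group holding admin (group subject, source g:gsa): excluded by the audit's source filter
    ("app:payroll:admins_policy", "g:gsa", "access", "admins", "immediate", "app:payroll:users"),
    # An effective (indirect) privilege via a policy group: not immediate, so neither audited nor revoked
    ("jdoe", "ldap", "access", "admins", "effective", "app:hr:managers"),
    # An ordinary members-list entry: not a privilege, must be left alone
    ("cr1", "ldap", "list", "members", "immediate", "app:hr:staff"),
]

# Assumed wheel list for the dry run (the post's script takes these as ids or identifiers)
WHEEL_SUBJECTS = ["GrouperSystem", "cr1"]

# The post's audit query, parameterised by list type/name, with subject_id as a deterministic tie-break
DIRECT_ADMIN_COUNTS = """
select count(*) as num_objects, subject_id, subject_source
from grouper_memberships_v
where list_type = ?
  and list_name = ?
  and membership_type = 'immediate'
  and subject_source != 'g:gsa'
group by subject_id, subject_source
order by num_objects desc, subject_id
"""

# What the cleanup script touches: immediate group-admin and stem-admin privileges of the listed subjects
ADMIN_PRIV_FILTER = """
membership_type = 'immediate'
and ((list_type = 'access' and list_name = 'admins')
     or (list_type = 'naming' and list_name = 'stemAdmins'))
"""


def build_db(rows=SAMPLE_ROWS):
    """Create the in-memory stand-in table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table grouper_memberships_v ("
        "subject_id text, subject_source text, list_type text, list_name text, "
        "membership_type text, owner_name text)"
    )
    conn.executemany("insert into grouper_memberships_v values (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def direct_admin_counts(conn, list_type="access", list_name="admins"):
    """Count direct (immediate) admin privileges per non-group subject, highest first."""
    return conn.execute(DIRECT_ADMIN_COUNTS, (list_type, list_name)).fetchall()


def planned_revocations(conn, wheel_subjects):
    """List what the cleanup would revoke without changing anything (the dry run)."""
    if not wheel_subjects:
        return []
    placeholders = ", ".join("?" for _ in wheel_subjects)
    sql = (
        "select subject_id, list_name, owner_name from grouper_memberships_v "
        f"where {ADMIN_PRIV_FILTER} and subject_id in ({placeholders}) "
        "order by subject_id, list_name, owner_name"
    )
    return conn.execute(sql, list(wheel_subjects)).fetchall()


def simulate_cleanup(conn, wheel_subjects):
    """Remove the planned rows from the stand-in table only (the real revoke goes through gsh). Returns rows removed."""
    if not wheel_subjects:
        return 0
    placeholders = ", ".join("?" for _ in wheel_subjects)
    cur = conn.execute(
        f"delete from grouper_memberships_v where {ADMIN_PRIV_FILTER} and subject_id in ({placeholders})",
        list(wheel_subjects),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    conn = build_db()
    print("before:", direct_admin_counts(conn), direct_admin_counts(conn, "naming", "stemAdmins"))
    for subject_id, list_name, owner in planned_revocations(conn, WHEEL_SUBJECTS):
        print(f"would revoke {list_name} for {subject_id} on {owner}")
    print("removed:", simulate_cleanup(conn, WHEEL_SUBJECTS))
    print("review:", direct_admin_counts(conn), direct_admin_counts(conn, "naming", "stemAdmins"))
```

The dry-run list is the thing to check before letting the gsh script loose: every row it prints is a privilege that will disappear, and anything still reported by the audit afterwards is a direct grant to a person rather than to a policy group, which is what the post says should be reviewed.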


Archive powered by MHonArc 2.6.19.
