
grouper-users - RE: [grouper-users] gsh addSubject issues v2.4.0

Subject: Grouper Users - Open Discussion List

  • From: "Hyzer, Chris" <>
  • To: "O'Dowd, Josh" <>, "Redman, Chad" <>, Shilen Patel <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] gsh addSubject issues v2.4.0
  • Date: Tue, 26 Mar 2019 20:17:40 +0000

I would recommend apache passwords over tomcat... the passwords aren't stored
in clear text, and don't require a restart (tomcat might, not sure).

Here are some notes on how we have it working on the demo server:

https://spaces.at.internet2.edu/display/Grouper/Grouper+demo+Technical+Administration

Thanks
Chris

-----Original Message-----
From: O'Dowd, Josh <>
Sent: Tuesday, March 26, 2019 9:54 AM
To: Hyzer, Chris <>; Redman, Chad <>;
Shilen Patel <>
Cc:
Subject: RE: [grouper-users] gsh addSubject issues v2.4.0

Since these will be strictly for application type subjects that will access
only the REST endpoints on /grouper-ws, we currently just maintain the
passwords in tomcat-users.xml. I hadn't heard of Apache passwords before but
we do have Apaches in front of our tomcats, doing SSL and Shib authn for the
UI.

I'll review the link you sent, maybe some light bulbs will come on.

Thanks so much for the help.

Josh
________________________________________
From: Hyzer, Chris []
Sent: Monday, March 25, 2019 10:41 PM
To: O'Dowd, Josh; Redman, Chad; Shilen Patel
Cc:
Subject: RE: [grouper-users] gsh addSubject issues v2.4.0

What authentication are you going to use? You can do Kerberos if you don't
want to manage passwords. Or LDAP passwords. Or apache passwords work
well, we do that on the demo server. Or tomcat passwords. Or something
else?

Here is Penn's method documentation

https://spaces.at.internet2.edu/display/Grouper/Penn+service+principals+from+kerberos+and+web+service+authentication

thanks
Chris



-----Original Message-----
From:
<> On Behalf Of O'Dowd, Josh
Sent: Tuesday, March 26, 2019 12:33 AM
To: Redman, Chad <>; Shilen Patel <>
Cc:
Subject: RE: [grouper-users] gsh addSubject issues v2.4.0

Thanks.

The problem may just be that I don't have a "jdbc" subject source defined in
sources.properties; just g:gsa, and ldap.

Chris, you mentioned that Penn was using a custom jdbc table, and offered an
example of that... Maybe I should go ahead and take you up on that offer.

Thanks all, for the time and efforts.

-Josh
________________________________________
From: Redman, Chad []
Sent: Monday, March 25, 2019 9:13 PM
To: O'Dowd, Josh; Shilen Patel
Cc:
Subject: RE: [grouper-users] gsh addSubject issues v2.4.0

Hi Josh,

Do you have a subject source defined that can query the subject and
subjectattribute tables? That may be what's missing. Look at the commented
"jdbc" source in subject.base.properties. You can just copy that to your
subject.properties, uncomment the subjectApi.source.jdbc.* lines, and set the
dbUrl, dbUser, and dbPwd properties to the same as your hibernate properties
(the dbDriver shouldn't need to be set, but you can if you want). I could
reproduce the same error you got without the jdbc source. After adding it, I
was able to find the subject:

groovy:000> findSubject("someApp")
===> Subject id: someApp, sourceId: jdbc, name: someApp


That's a good catch with the Object[] syntax. We'll need to update our
documentation there.

-Chad


-----Original Message-----
From:
[] On Behalf Of O'Dowd, Josh
Sent: Monday, March 25, 2019 7:00 PM
To: Shilen Patel <>
Cc:
Subject: RE: [grouper-users] gsh addSubject issues v2.4.0

Some clarity here...
The entire example script from the GSH doc web page is:

String principal = "someApp";
String email = null;
GrouperSession grouperSession = GrouperSession.startRootSession();
HibernateSession.bySqlStatic().executeSql("insert into subjectattribute (subjectId, name, value, searchValue) values (?, ?, ?, ?)", GrouperUtil.toListObject(new Object[]{principal, "description", principal, principal.toLowerCase()}));
if (email != null){ HibernateSession.bySqlStatic().executeSql("insert into subjectattribute (subjectId, name, value, searchValue) values (?, ?, ?, ?)", GrouperUtil.toListObject(new Object[]{principal, "email", email, email.toLowerCase()}));}
HibernateSession.bySqlStatic().executeSql("insert into subjectattribute (subjectId, name, value, searchValue) values (?, ?, ?, ?)", GrouperUtil.toListObject(new Object[]{principal, "loginid", principal, principal}));
HibernateSession.bySqlStatic().executeSql("insert into subjectattribute (subjectId, name, value, searchValue) values (?, ?, ?, ?)", GrouperUtil.toListObject(new Object[]{principal, "name", principal, principal}));

The error is occurring for the "new Object[]{principal}" constructor syntax.
I just found that since our gsh command line is groovy-based, I had to change
the syntax to "[principal] as Object[]", which is working.

Unfortunately, after running the above (in the correct groovy syntax),
findSubject("someApp") still produces a SubjectNotFound exception.

Josh
________________________________________
From: O'Dowd, Josh
Sent: Monday, March 25, 2019 4:21 PM
To: Shilen Patel
Cc:
Subject: RE: [grouper-users] gsh addSubject issues v2.4.0

Yes, that part is working, however if I then do findSubject("someApp"), I
get a subjectNotFound error. If I try to re-add the subject, using
addSubject(principal, "application", principal), I get a subject
"someApp/applicaiton/someApp" already exists!.
If I then do findSubject("someApp/application/someApp"), I once again get
subjectNotFound error. Very confusing?

Josh

________________________________________
From:
[] on behalf of Shilen Patel
[]
Sent: Monday, March 25, 2019 1:52 PM
To: O'Dowd, Josh
Cc:
Subject: Re: [grouper-users] gsh addSubject issues v2.4.0

Is this what and how you're running it? (This worked for me.)

groovy:000> String principal = "someApp";
===> someApp
groovy:000> String email = null;
===> null
groovy:000> GrouperSession grouperSession = GrouperSession.startRootSession();
===> ed3f25816f4c4383b4af07aa878851a9,'GrouperSystem','application'
groovy:000> addSubject(principal, "application", principal);
===> Subject id: someApp, sourceId: null, name: someApp

- Shilen

On 3/25/19, 1:57 PM, "O'Dowd, Josh" wrote:

Hi,

I am attempting to follow the docs at the wiki page,
https://urldefense.proofpoint.com/v2/url?u=https-3A__spaces.at.internet2.edu_pages_viewpage.action-3FpageId-3D14517859&d=DwIFAg&c=imBPVzF25OnBgGmVOlcsiEgHoG1i6YHLR0Sj_gZ4adc&r=sWqutME58phurE0oO57Icg&m=XdgUsOLePLZaDCI62qgoAjRoV0RniKPYlPHfR1cunBk&s=S-zSvupCqKY6-axknwa777nPe-NtJUfyU-lqC1eBCRc&e=
, and following the "add a subject application principal with attributes
(GSH)" example on that page.

When running the example gsh, I am getting the error:
b523873ab73041e49c9eeccdf8710e1d,'GrouperSystem','application'
org.codehaus.groovy.control.MultipleCompilationErrorsException: startup
failed:
groovysh_parse: 2: unexpected token: principal @ line 2, column 171.
til.toListObject(new Object[]{principal,

My intent is to create an "application" type subject with a login id,
without having to add or maintain a record in the main subject source, which is
an LDAP directory. Then I want to privilege that subject with access to an
application group/folder area so that the subject can be authenticated via
GrouperClient into grouper-ws.

Any advice on the error, or how to go about it differently is much
appreciated.

Thanks,

Josh O'Dowd
University of Montana
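
Added example (not part of the original thread or the Grouper documentation): the attribute-insert script quoted above, rewritten with the Groovy list coercion that the thread reports as working in gsh. It uses only the calls that appear in the thread; the variables sql and rows are names introduced here for illustration, and findSubject() still needs a "jdbc" subject source configured as described in Chad's reply.

```groovy
// Added example: Groovy-syntax version of the subjectattribute inserts.
// "someApp" is the sample principal used throughout the thread.
String principal = "someApp"
String email = null   // set to an address to also store an "email" attribute

GrouperSession grouperSession = GrouperSession.startRootSession()

// Same parameterized statement as the quoted script; values are bound, not concatenated.
// (sql and rows are illustrative names, assigned without a type so they stay in the shell binding.)
sql = "insert into subjectattribute (subjectId, name, value, searchValue) values (?, ?, ?, ?)"

// One entry per attribute row: [name, value, searchValue]
rows = [
    ["description", principal, principal.toLowerCase()],
    ["loginid",     principal, principal],
    ["name",        principal, principal]
]
if (email != null) {
    rows << ["email", email, email.toLowerCase()]
}

rows.each { row ->
    // The Groovy parser behind gsh rejected Java's `new Object[]{...}` initializer
    // (the "unexpected token: principal" error); coerce a list to Object[] instead.
    Object[] params = [principal, row[0], row[1], row[2]] as Object[]
    HibernateSession.bySqlStatic().executeSql(sql, GrouperUtil.toListObject(params))
}
```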




