grouper-users - [grouper-users] Letting wheel group members to access the Miscellaneous page

grouper-users@internet2.edu

Subject: Grouper Users - Open Discussion List

  • From: Olivier Salaün <olivier.salaun@univ-rennes1.fr>
  • To: "grouper-users@internet2.edu" <grouper-users@internet2.edu>
  • Subject: [grouper-users] Letting wheel group members to access the Miscellaneous page
  • Date: Thu, 14 May 2020 11:05:29 +0200

Hello,

We are running Grouper 2.4.0, patched up to grouper_v2_4_0_ui_patch_55.

We recently noticed that Grouper admins (members of the groups.wheel.group and groups.wheel.readonly.group) don't see the "Miscellaneous" link in the navigation bar.

That's strange because:

  • members of the groups.wheel.readonly.group only do see the "Miscellaneous" link,
  • on our staging server (same Grouper version, same configuration), we don't have the issue.

I tried directly accessing the UiV2Main.index?operation=UiV2Main.miscellaneous page and I get this error message:

Erreur: Not allowed to read privilege inheritance! Subject id: p-salaun, sourceId: openldap, Problem calling method miscellaneous on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Main

Attached are our grouper.properties and grouper-ui.properties files, if it can help.

We did not override the default "uiV2.showMiscellaneousLink = true" property.


What is wrong with our read privilege inheritance? A property to adjust?

I'd like to check the privilege inheritance in GSH to compare my staging and production environments, but I could not find a GSH example to run isCanReadPrivilegeInheritance(). Could anyone help?


Thanks.

-- 
Olivier Salaün
DSI / pôle SI / équipe SNUM
Tel : 02 23 23 74 54
#
# Grouper UI configuration
# $Id: grouper.client.example.properties,v 1.24 2009-12-30 04:23:02 mchyzer Exp $
#

# The grouper-ui.properties uses Grouper Configuration Overlays (documented on wiki)
# By default the configuration is read from grouper-ui.base.properties
# (which should not be edited), and the grouper-ui.properties overlays
# the base settings. See the grouper-ui.base.properties for the possible
# settings that can be applied to the grouper-ui.properties

## Grouper UI configuration for Univ Rennes 1

## Add a CSS stylesheet
css.additional=../../grouperExternal/public/assets/css/ur1-custom.css

## logo change
image.organisation-logo=grouperExternal/public/assets/images/ur1-logo.png

# number of folders on index page
# {valueType: "integer", required: true}
uiV2.treeStemsOnIndexPage = 100

# number of groups on index page
# {valueType: "integer", required: true}
uiV2.treeGroupsOnIndexPage = 100

# When browsing or searching the UI will present lists of various objects. The following settings
# allow sites to control default page sizes and a list of user-selectable page sizes
# {valueType: "integer", required: true}
pager.pagesize.default=100

# {valueType: "string", required: true}
pager.pagesize.selection=100 500

# if this is true, users do not need to be able to read/update rules attribute definitions to be
# able to read/update inherited privileges rules
grouper-ui.base.properties:uiV2.privilegeInheritanceDoesntRequireRulesPrivileges = true

# require admin (GrouperSysAdmin or wheel group) to read inherited privileges
uiV2.privilegeInheritanceReadRequireGroup = etc:administration:globalReaders

# require admin (GrouperSysAdmin or wheel group) to update inherited privileges
uiV2.privilegeInheritanceUpdateRequireGroup = etc:administration:superAdmin


#
# Copyright 2014 Internet2
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

#
# Grouper Configuration
# $Id: grouper.example.properties,v 1.48 2009-12-16 06:02:30 mchyzer Exp $
#

# Grouper uses Grouper Configuration Overlays (documented on wiki)
# By default the configuration is read from grouper.base.properties
# (which should not be edited), and the grouper.properties overlays
# the base settings. See the grouper.base.properties for the possible
# settings that can be applied to the grouper.properties

grouper.env.name = PROD

# A wheel group allows you to enable non-GrouperSystem subjects to act
# like a root user when interacting with the registry.
groups.wheel.use = true

# Set to the name of the group you want to treat as the wheel group.
# The members of this group will be treated as root-like users.
groups.wheel.group = etc:administration:superAdmin


# A readonly wheel group allows you to enable non-GrouperSystem subjects to act
# like a root user when reading the registry.
groups.wheel.readonly.use = true

# Set to the name of the group you want to treat as the readonly wheel group.
# The members of this group will be treated as root-like users when reading objects.
groups.wheel.readonly.group = etc:administration:globalReaders


# A viewonly wheel group allows you to enable non-GrouperSystem subjects to act
# like a root user when viewing the registry.
# {valueType: "boolean", required: true}
groups.wheel.viewonly.use = true

# Set to the name of the group you want to treat as the viewonly wheel group.
# The members of this group will be treated as root-like users when viewing objects.
# {valueType: "group", required: true}
groups.wheel.viewonly.group = etc:administration:globalViewers

# if grouper should check to see if utf-8 works on startup in files
configuration.detect.utf8.file.problems = false

#if grouper should try and detect and log configuration errors on startup
#in general this should be true, unless the output is too annoying or if it is causing a problem
configuration.detect.errors = true

# default language
grouper.text.defaultBundleIndex = 1

# language for this bundle
grouper.text.bundle.1.language = fr

# country for this bundle
grouper.text.bundle.1.country = fr

# filename in the package grouperText that is before the .base.properties, and .properties
grouper.text.bundle.1.fileNamePrefix = grouperText/grouper.text.fr.fr


###################################
## security settings
###################################

# If set to _true_, the ALL subject will be granted that privilege on
# each new group that is created. Note, you can override the default
# checkboxes on screen of UI in media.properties.
groups.create.grant.all.optin = false
groups.create.grant.all.optout = false
groups.create.grant.all.read = false
groups.create.grant.all.view = false
groups.create.grant.all.groupAttrRead = false

# If set to _true_, the ALL subject will be granted that privilege on
# each new stem that is created.
stems.create.grant.all.create = false
stems.create.grant.all.stem = false
stems.create.grant.all.stemAttrRead = false
stems.create.grant.all.stemAttrUpdate = false

# If set to _true_, the ALL subject will be granted that privilege on
# each new attributeDef that is created.
attributeDefs.create.grant.all.attrAdmin = false
attributeDefs.create.grant.all.attrOptin = false
attributeDefs.create.grant.all.attrOptout = false
attributeDefs.create.grant.all.attrRead = false
attributeDefs.create.grant.all.attrUpdate = false
attributeDefs.create.grant.all.attrView = false
attributeDefs.create.grant.all.attrDefAttrRead = false
attributeDefs.create.grant.all.attrDefAttrUpdate = false

################################################################"
## Grouper include / exclude and requireGroups
## If enabled, will make sure the Type is installed, and when that type is
## applied to a group, it will auto-create the other groups needed to manage the include and exclude lists
## see: https://bugs.internet2.edu/jira/browse/GRP-178
## the naming settings below are only used when the type is applied to a group, will not affect
## existing include/exclude groups
###################################

#if the addIncludeExclude and requireInGroups should be enabled, and if the type(s) should be
#auto-created, and used to auto create groups to facilitate include and exclude lists, and require lists
grouperIncludeExclude.use = true
grouperIncludeExclude.requireGroups.use = true

# Config to allow deletion of zombies beyond 200
usdu.failsafe.maxUnresolvableSubjects = 1000

# For Grouper 2.3.0 patch 72+, GSH is built on GroovyShell.
# For older versions of Grouper, it is built on Java BeanShell.
# The legacy BeanShell version is now deprecated,
# but you can switch back to it by using one of the options:
# Can also be enabled on command-line : gsh.sh -forceLegacyGsh
# gsh.useLegacy = true
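
The staging/production comparison asked about above can also be done on the overlay files themselves; the following is an added example, not part of the original post or of Grouper's code. It assumes the overlay is loaded with java.util.Properties rules (a key ends at the first `=`, `:` or whitespace), and the staging sample is constructed, since only the production file is on the page.

```python
import re

WATCHED = "uiV2.privilegeInheritance"  # the access gates discussed in the post

def parse_properties(text):
    """Parse like java.util.Properties: a key ends at the first unescaped
    '=', ':' or whitespace; lines starting with '#' or '!' are comments."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:   # trailing "" flushes a continuation
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:              # odd backslashes: line continues
            pending = line[:-1]
            continue
        m = re.match(r"((?:\\.|[^=:\s\\])*)\s*[=:]?\s*(.*)$", line)
        props[re.sub(r"\\(.)", r"\1", m.group(1))] = m.group(2)
    return props

def misparsed_keys(props):
    """Entries whose VALUE contains a watched key name: a 'file:key = value'
    line (for example pasted grep output) was split at the ':'."""
    return {k: v for k, v in props.items() if WATCHED in v}

def drift(prod, staging):
    """Watched keys whose overlay value differs between the two files."""
    keys = {k for k in prod.keys() | staging.keys() if k.startswith(WATCHED)}
    return {k: (prod.get(k), staging.get(k)) for k in sorted(keys)
            if prod.get(k) != staging.get(k)}

# Production lines as they appear in the attached grouper-ui.properties.
PROD_SAMPLE = """\
grouper-ui.base.properties:uiV2.privilegeInheritanceDoesntRequireRulesPrivileges = true
uiV2.privilegeInheritanceReadRequireGroup = etc:administration:globalReaders
uiV2.privilegeInheritanceUpdateRequireGroup = etc:administration:superAdmin
"""
# Constructed staging sample (hypothetical; the staging file is not on the page).
STAGING_SAMPLE = """\
uiV2.privilegeInheritanceDoesntRequireRulesPrivileges = true
uiV2.privilegeInheritanceReadRequireGroup = etc:administration:globalReaders
uiV2.privilegeInheritanceUpdateRequireGroup = etc:administration:superAdmin
"""

if __name__ == "__main__":
    prod, staging = parse_properties(PROD_SAMPLE), parse_properties(STAGING_SAMPLE)
    print("misparsed:", misparsed_keys(prod))
    print("drift (prod, staging):", drift(prod, staging))
```

The comparison covers only the overlay files; a key missing from an overlay takes its value from grouper-ui.base.properties, which this script does not read.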


