Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] Problem with inherited Rights

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] Problem with inherited Rights


Chronological Thread 
  • From: "Hyzer, Chris" <>
  • To: Tibor Rudas <>, " Mailing List" <>
  • Subject: RE: [grouper-users] Problem with inherited Rights
  • Date: Mon, 18 May 2020 15:34:43 +0000
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=isc.upenn.edu; dmarc=pass action=none header.from=isc.upenn.edu; dkim=pass header.d=isc.upenn.edu; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=51M9M60keQ/Mq7drwU568hEK2rVurXMnpVXvSewQrX4=; b=kKbpSB4DDCHueR+k0B0Bn9sU3TFpxSItd/0XY2RnzfEnYzR/BSYRfE7+nrSf3cnuKZ/nG/iDg7eycjS5djNlFJKJ19aINIuweoUrW6DfDrhTQOD5GUNeCnf+cYJo7fEejKcucAH6hPLqMSPR/9H4COZYtKRnRBh++8mlkphcWBuXukiZBSv9BfedNbccl4kzRjhJUfGNnU1KSglOCGZXbcQH6UjDAqhwMDAVS1f6D82k6f5ofZunLmxQwOym2lAjLf37OK23tJznMtNi3NqJ/Un6ZysP0BkKJWEVLxHKZRAtOgns44GastfXa8aGF4Oy1FS8gVVbWqqNyelhr+v4SQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BiVQEC7A/myYlSO5IkJmdbm9ZvWuwcOCjSfu+ang88NcaaWCmlN8RMsEJqWpvarUjqTdjPXgQ6jp/hBx3f2VsV3Adqb9IRNjTkngcTQtD0CYCp2IlrbHHK2U1R3Znc41p+QHywuUky5R2V+f3wiqo6xfWsap4RHW70o2H85CVi4NpiEz3l1iWjfAVeWiJQA82dXSMVfi2fpAH+9s+wDS6LIRZB9yGvSDA+I+fF1lwnp4kzPcPwdFzgdyi3stu5GLyjlXi3tf9yIK7uHXh+otyoOL7CKnCq/KfvD4kWMT47W3gD0g9rEP3KRd2JMMZmsKJy3kn6h8/b2p0PBitnsRRw==

2.5 can run in openshift, whats the issue? I would recommend going to 2.5.

If you have more to the stack I would be interested, but Id be more
interested if it were 2.5 😊

Thanks
Chris




-----Original Message-----
From: On Behalf Of Tibor Rudas
Sent: Monday, May 18, 2020 8:58 AM
To: Mailing List <>
Subject: [grouper-users] Problem with inherited Rights

Dear all!

Here @univie.ac.at we're still working up our way to take a lengthy
upgrade path up to 2.4 (we will go up to 2.5 once the containerized
version runs in OpenShift, but we don't want to reschedule the upgrade
as it is already quite overdue :) ).

We have run into another snag: As member of the sysadmin group all is
well... but when you try to use grouper as a 'normal' user you run into
problems creating a group in a folder where you should have create
group permissions...

I have traced is as far as that this only occurs when you get these
permissions due to inheritance - not if they are assigned directly to a
folder (regardless if the permissions are inherited for the
subject itself or a group the subject is a member of).

What happens is that the 'Privileges' tab will show you, that you have
permissions to create a group. The 'create new group' quickbutton as
well as the 'more actions' -> 'create new group' will offer you to
create a new group but fail to save it with the message:

Error creating group: Problem in HibernateSession: HibernateSession
(2dd5b9b5): notNew, notReadonly, READ_WRITE_NEW, activeTransaction,
session (5195560a), Problem in HibernateSession: HibernateSession
(29488279): new, notReadonly, READ_WRITE_NEW, notActiveTransaction,
session (5195560a), Problem saving group: <group-name-here>

A stacktrace can be found in the log identifying an
"edu.internet2.middleware.grouper.exception.InsufficientPrivilegeException"
as the root of all evil...

It can also be seen if one wants to see all inherited privileges as
shown in the wiki: 'Miscellaneous' -> 'Inherited privileges' - which
will result in:

Error: If stem is set, then stem scope must be set. If stem isnt set,
then stem scope must not be set: null, SUB, Problem calling method
globalInheritedPrivileges on
edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Main

Which seems to lead me to findAllByGroupOwnerOptions (+ -Helper) in
Hib3PITMembershipViewDAO.java... but from there on I'm lost as I can't
quickly find what passes in stem and stemScope and where they are
derived from...

The version I encountered this on is grouper 2.4 with patches applied up
to patch 96 (which should be current as of today).

(Another error I see frequently in the ui-log and daemon-log is: "ERROR
Attribute def not found: etc:attribute:attestation:attestation" - but I
think that is unrelated...)


I would be grateful for any pointers as to what causes this behaviour
and how to fix it, as this is a showstopper for our upgrade :)

Kind regards,
Tibor Rudas



Archive powered by MHonArc 2.6.19.

Top of Page