Permissions in Grouper

Permissions and PSU use case
Chris Hyzer
University of Pennsylvania
Agenda
• Intro to Grouper
• LDAP question
• Use case
• Demo
• Explanation
• Roles / permissions
• Hierarchies
• Allow/disallow
• Roadmap
Intro to Grouper
• Open source Internet2 project
• Originally a groups management system
• Evolved two years ago to include permissions
• 4 funded team members across the US
• Contributors from across the world
• Dozens of deployments at higher ed and research institutions
Grouper features as of 1.6
• Distributed group store
• Delegates security
• Multiple subject sources
• Web Services (WS)
• Admin UI, and more user-friendly lite UI
• LDAP provisioning (ldappc)
• GSH command line interface (CLI)
• grouperClient (WS library and CLI)
• Kuali rice integration
Grouper features as of 1.6 (continued)
• Notifications (change events, e.g. XMPP, WS, or Java)
• Auditing (who did what action in Grouper)
• Composite groups (deprovision)
• Grouper loader (auto load from source)
• Attribute framework (add attributes to Groups, Folders, Memberships, etc)
• Permissions
• Hooks (Java logic run on Grouper event)
Grouper features for 2.0
• 2.0 to be released at end of summer 2011
• Rules: canned logic to run on Grouper events
• External federated subjects: manage subjects not at your institution, can work with shib, etc
• Atlassian connector
• Permissions allow/disallow and limits
• Permissions UI
• Point in time auditing (PIT)
• Real time ldappc?
Grouper features for 2.1
• Continue working on real world use cases
• Attribute framework / permissions setup WS
• Continue permissions allow/disallow PIT
• Continue working on auditing and PIT in UI
• etc
Permissions in Grouper
• Permissions are for external systems; Grouper has its own internal privileges as well
• Up and coming
• Duke uses it for Active Directory permissions
• Penn uses it for Access Control workflow, and has plans to expand its use with Allow/Disallow
• Others might be using it
• More will adopt with the UI in 2.0
LDAP question
• “I am also interested in hearing about how and if they plan on provisioning protected information to LDAP” - Jimmy
LDAP answer from Tom Barton
• In process of changing uChicago ACLs on ucIsMemberOf LDAP attribute to be readable only by Self and by Agent Accounts
• Agent accounts enabled applications to access LDAP with elevated privs
• Helps with FERPA
LDAP answer from Tom Barton (continued)
• Do not have use case here that would require a more sophisticated approach
• Do not have permissions LDAP use case
• Permissions can be accessed directly in grouper (WS) or be provisioned directly into affected apps
LDAP answer from Penn
• Penn doesn’t use ldappc; we have perl scripts to sync to OpenLDAP
• No memberOf, only hasMember
• hasMember has security to only let Grouper READers (or ADMINs) see the group and hasMember
LDAP answer from Penn (continued)
• Also, you have to be in ldapUsers to authenticate to the LDAP
• Membership in ldapUsers for people or service accounts requires form/workflow
• We do not have plans to put permissions in LDAP, we will use WS
PennState use case
• “How can grouper be used to enforce web permissions. Meaning can it be used to say that a particular group of users can read files in a distributed data store somewhere” - Jimmy
PennState use case (continued)
Demo screenshot callouts:
• Create file or folder
• Act as various users
• Only show folders user can create in
• Link to Grouper’s permission management screen
• Permissions are on the folder level
• Show folders (and underlying files) the user can read
PennState use case (continued)
• DISCLAIMER:
• Simple one-pager (two day’s effort)
• Not production code
• Grouper trunk is under development
• Only works in mysql (i.e. no hibernate)
• In srcPoc folder in grouperUi trunk
• Code in presentation might be abbrev.
• If you want enhancements, let me know
PennState use case (continued)
• Long youtube movie… anyone have popcorn?
PennState use case session
• The user’s permissions are stored in the user’s session
• This is currently done with an API call, though it could be WS
// Look up the subject's permissions under the PSU permission definition
// (limits applied) once, and cache the result in the session
Set<PermissionEntry> permissionEntries =
    new PermissionFinder().addSubject(subject)
        .addPermissionDef(PSU_PERMISSION_DEFINITION_NAME)
        .assignPermissionProcessor(PROCESS_LIMITS)
        .findPermissions();
PennState use case session (continued)
• This means user must logout/login to see updated permissions
• Though if the user creates a folder, it will refresh them for that user
• In a non-POC, you might refresh every few minutes
• Or Grouper should have permissions notifications again in 2.1 for better caching
PennState use case request scope
• Get all folders in the file mgr
• Match those with the session cached Grouper permissions
• See which folders are readable and which can have objects created inside
PennState use case create folder
• Validate the name (no special chars)
• Insert into file mgr db
• Create Grouper permission resource
• API 1.5, UI 2.0, planned for WS in 2.1
• Display extension: Root/folder/subfolder
• Sys extension: Root__folder__subfolder
// Create the permission resource (an attribute def name under the
// permission definition) that represents this folder
new AttributeDefNameSave(
    GrouperSession.staticGrouperSession(), permissionsDef)
  .assignName(this.getGrouperSystemName())
  .assignDisplayExtension(this.getGrouperDisplayExtension())
  .save();
PennState use case create folder (continued)
• Note, the folders could be modeled as folders in grouper
PennState use case create folder (continued)
• Insert into the local file mgr DB
// Bind variables (not string concatenation) so the user-supplied folder
// name cannot alter the SQL
HibernateSession.bySqlStatic().executeSql(
    "insert into file_mgr_folder (id, name, parent_folder_id) values (?, ?, ?)",
    GrouperUtil.toListObject(this.id, this.name, this.parentFolderId));
PennState use case create folder (continued)
• Link up containing folder to imply permissions in this folder
• API in 1.5, UI 2.0, planned for WS in 2.1
// Resource hierarchy: a permission on the parent folder implies the same
// permission on this folder
AttributeDefName parentFolderPermissionName =
    AttributeDefNameFinder.findByName(
        this.parentFolder.getGrouperSystemName(), true);
parentFolderPermissionName
    .getAttributeDefNameSetDelegate()
    .addToAttributeDefNameSet(folderPermissionName);
PennState use case create folder (continued)
• Give CREATE/READ permissions to the creator
• API in 1.5, UI 2.0, planned for WS in 2.1
// Assign the creator CREATE and READ on the new folder via the
// file manager user role
user.getPermissionRoleDelegate()
    .assignSubjectRolePermission(ACTION_CREATE,
        folderPermissionName, subject, ALLOWED);
user.getPermissionRoleDelegate()
    .assignSubjectRolePermission(ACTION_READ,
        folderPermissionName, subject, ALLOWED);
PennState use case create file
• Permissions are only on folder, so just insert file into file mgr DB
// Bind variables again; the file name is user input
HibernateSession.bySqlStatic().executeSql(
    "insert into file_mgr_file (id, name, folder_id) values (?, ?, ?)",
    GrouperUtil.toListObject(this.id, this.name, this.folderId));
PennState use case init app
• Init application on startup. Make sure Grouper objects exist
• Note, there should be a config to point to the correct folder in Grouper per env
• Create the app folder
• This is API/UI 1.0, WS 1.4
// Create the application's root folder (stem), and any missing parents
new StemSave(GrouperSession.staticGrouperSession())
    .assignCreateParentStemsIfNotExist(true)
    .assignName(PSU_APPS_FILE_MANAGER_ROOT_STEM).save();
PennState use case init app (continued)
• Create the permission definition if it does not already exist
• API in 1.5, UI 2.0, planned for WS in 2.1
// Permission definition: assignable to roles (groups) and to role
// memberships (effective memberships)
new AttributeDefSave(
    GrouperSession.staticGrouperSession())
  .assignCreateParentStemsIfNotExist(true)
  .assignName(PERMISSION_DEFINITION_NAME)
  .assignAttributeDefType(AttributeDefType.perm)
  .assignToEffMembership(true).assignToGroup(true)
  .save();
PennState use case init app (continued)
• Configure the action list if it does not already exist
• API in 1.5, UI 2.0, planned for WS in 2.1
// The actions a subject can hold on a folder resource
permissionsDef.getAttributeDefActionDelegate()
    .configureActionList(ACTION_READ + ","
        + ACTION_CREATE + "," + ACTION_ADMIN);
PennState use case init app (continued)
• Configure the action inheritance if it does not already exist
• API in 1.5, UI 2.0, planned for WS in 2.1
// Look up the actions configured above (the read/create lookups were
// abbreviated on the slide)
AttributeAssignAction adminAction =
    permissionsDef.getAttributeDefActionDelegate()
        .allowedAction(ACTION_ADMIN, true);
AttributeAssignAction readAction =
    permissionsDef.getAttributeDefActionDelegate()
        .allowedAction(ACTION_READ, true);
AttributeAssignAction createAction =
    permissionsDef.getAttributeDefActionDelegate()
        .allowedAction(ACTION_CREATE, true);
// Action hierarchy: ADMIN implies READ and CREATE
adminAction.getAttributeAssignActionSetDelegate()
    .addToAttributeAssignActionSet(readAction);
adminAction.getAttributeAssignActionSetDelegate()
    .addToAttributeAssignActionSet(createAction);
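As an added example (not code from this deck or from Grouper itself), here is a stand-alone Java model of the request-scope matching step described earlier and of the two hierarchies the slides configure: action inheritance (ADMIN implies READ and CREATE) and folder inheritance (a permission on a containing folder implies the same permission on its subfolders). The Entry record, the GRANTED_BY map and the sample folders are constructed stand-ins for the PermissionEntry objects the POC caches in the session.

```java
import java.util.*;

/** Constructed model of the slides' permission resolution; not Grouper's own code. */
public class FolderPermissionModel {
    /** One cached (action, resource) pair, standing in for a Grouper PermissionEntry. */
    record Entry(String action, String resource) {}

    /** Action inheritance from the "init app" slide: ADMIN implies READ and CREATE. */
    static final Map<String, Set<String>> GRANTED_BY = Map.of(
        "READ",   Set.of("READ", "ADMIN"),
        "CREATE", Set.of("CREATE", "ADMIN"),
        "ADMIN",  Set.of("ADMIN"));

    /** Parent of a system name such as Root__folder__subfolder; null at the root. */
    static String parentOf(String systemName) {
        int i = systemName.lastIndexOf("__");
        return i < 0 ? null : systemName.substring(0, i);
    }

    /** Folder inheritance: an entry on the folder or any containing folder grants the action. */
    static boolean has(Set<Entry> cached, String action, String folder) {
        Set<String> granting = GRANTED_BY.getOrDefault(action, Set.of(action));
        for (String f = folder; f != null; f = parentOf(f)) {
            for (String a : granting) {
                if (cached.contains(new Entry(a, f))) return true;
            }
        }
        return false;
    }

    /** The request-scope step: keep only the file-manager folders the cached entries allow. */
    static List<String> foldersWith(Set<Entry> cached, String action, List<String> allFolders) {
        List<String> out = new ArrayList<>();
        for (String f : allFolders) if (has(cached, action, f)) out.add(f);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample cache for one user; in the POC it comes from PermissionFinder
        Set<Entry> cached = Set.of(
            new Entry("READ", "Root__public"),
            new Entry("ADMIN", "Root__projects__alpha"));
        List<String> folders = List.of("Root", "Root__public", "Root__public__docs",
            "Root__projects", "Root__projects__alpha", "Root__projects__alpha__src",
            "Root__projects__beta");
        System.out.println("readable:  " + foldersWith(cached, "READ", folders));
        System.out.println("creatable: " + foldersWith(cached, "CREATE", folders));
    }
}
```

Because the session cache is only refreshed at login or folder creation, a revoked permission keeps working in this model until the cache is rebuilt, which is the staleness caveat raised on the session slide.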
PennState use case init app (continued)
• Configure the default role if it does not already exist
• API in 1.5, UI 2.0, or in WS
// The role that file manager users are assigned to; permissions are
// granted to subjects through this role
new GroupSave(GrouperSession.staticGrouperSession())
    .assignName(FILE_MANAGER_USER)
    .assignCreateParentStemsIfNotExist(true)
    .assignTypeOfGroup(TypeOfGroup.role)
    .save();
Questions?