grouper 2.4a64 101/201 updates

wgthom committed Jun 13, 2019
1 parent 7eb4a39 commit a5c7fdb549a5d03cac5cbd4ad59caa49fddfbf74
@@ -1,7 +1,7 @@
FROM tier/shib-idp:3.4.3_20190201 as idp

# Grouper version for the entire GTE
FROM tier/grouper:2.4.0-a47-u25-w5-p6-20190611
FROM tier/grouper:2.4.0-a64-u38-w6-p6-20190612-rc1

# Disable docker HEALTHCHECK inherited from tier/shib-sp
HEALTHCHECK NONE
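Review bot: the new Grouper base image on the second `FROM` line is a release-candidate tag (`2.4.0-a64-u38-w6-p6-20190612-rc1`) and is referenced by tag only, as is the `tier/shib-idp` image above it. A tag can be re-pushed, so two builds of this Dockerfile are not guaranteed to get the same image; pin the image by digest (`tier/grouper:<tag>@sha256:<digest>`) or switch to the final tag once it is published, and say in the comment above it why an rc build is being used for the training environment.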
@@ -23,3 +23,33 @@ groups.wheel.group = etc:sysadmingroup
# Used to allow Include Exclude groups
grouperIncludeExclude.use = true
grouperIncludeExclude.requireGroups.use = true

##################################
## Lockout groups. Could be used for other things, but used for policy group templates at least
## if there is no allowed group, then anyone could use it
##################################

# group name of a lockout group
# {valueType: "group", regex: "^grouper\\.lockoutGroup\\.name\\.\\d+$"}
grouper.lockoutGroup.name.0 = ref:iam:global_deny

# allowed to use this lockout group. If not configured, anyone could use
# {valueType: "group", regex: "^grouper\\.lockoutGroup\\.allowedToUse\\.\\d+$"}
# grouper.lockoutGroup.allowedToUse.0 = ref:lockoutCanUse

##################################
## Require groups. Could be used for other things, but used for policy group templates at least
## if there is no allowed group, then anyone could use it
##################################

# group name of a require group
# {valueType: "group", regex: "^grouper\\.requireGroup\\.name\\.\\d+$"}
grouper.requireGroup.name.0 = ref:iam:active

# group name of a require group
# {valueType: "group", regex: "^grouper\\.requireGroup\\.name\\.\\d+$"}
grouper.requireGroup.name.0 = ref:employee:fac_staff

# allowed to use this require group. If not configured, anyone could use
# {valueType: "group", regex: "^grouper\\.lockoutGroup\\.requireGroup\\.\\d+$"}
# grouper.requireGroup.allowedToUse.0 = ref:activeCanUse
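Review bot: `grouper.requireGroup.name.0` is assigned twice in the require-group block, first to `ref:iam:active` and then to `ref:employee:fac_staff`. A properties file holds one value per key, so only one of the two require groups can take effect; the second entry should be `grouper.requireGroup.name.1`. The regex in the comment above the commented-out `grouper.requireGroup.allowedToUse.0` line also reads `^grouper\\.lockoutGroup\\.requireGroup\\.\\d+$`, which looks like a copy-paste slip for `^grouper\\.requireGroup\\.allowedToUse\\.\\d+$`. Both `allowedToUse` entries are left commented out, which by the file's own comment means anyone can use these groups; if that is intended for the training image, a one-line comment saying so would help.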
@@ -68,13 +68,6 @@ create a new structure for our VPN service policy.

.. figure:: ../figures/201-new-vpn-policy.png

TODO: Steps 5 through 8 should be replaced with policy template when ready

5. Create `app:vpn:vpn_access`.
6. Create `app:vpn:vpn_allow`.
7. Create `app:vpn:vpn_deny`.
8. Make `vpn_access` a composite of `vpn_allow` minus `vpn_deny`.

-------------------------------------------------------------------
Exercise 201.2.2 Create digital policy from natural language policy
-------------------------------------------------------------------
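Review bot: the TODO and steps 5 through 8 are removed with nothing added in their place in this hunk, so unless an earlier step of the exercise already applies the policy template, the reader reaches Exercise 201.2.2 without `vpn_access`, `vpn_access_allow` and `vpn_access_deny` having been created. Add a step that names the template and the groups it produces, or point to the step that does.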
@@ -83,8 +76,8 @@ The natural language policy is "all faculty and staff have access to vpn,
unless denied by CISO or the account is in a closure state". Reference groups
are already available.

#. Add `ref:employee:fac_staff` to `vpn_allow`.
#. Add `ref:security:locked_by_ciso` to `vpn_deny`.
#. Add `ref:employee:fac_staff` to `vpn_access_allow`.
#. Add `ref:security:locked_by_ciso` to `vpn_access_deny`.
#. Add `ref:iam:closure` to `vpn_deny`.
#. Review the `vpn_access` policy definition
(vpn_access -> More actions -> Visualization)
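Review bot: the rename is incomplete in this list. The first two steps now use `vpn_access_allow` and `vpn_access_deny`, but the third step still says "Add `ref:iam:closure` to `vpn_deny`", a group the template no longer creates under that name. It should read `vpn_access_deny`; otherwise the closure condition from the natural language policy may never be added to the deny side by someone following the steps literally.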
@@ -106,7 +99,7 @@ account is in a closure state".

.. figure:: ../figures/201-jsmith-trace.png

4. View the audit log on `vpn_allow`. (vpn_allow -> More actions -> View audit
4. View the audit log on `vpn_access_allow`. (vpn_access_allow -> More actions -> View audit
log)

.. figure:: ../figures/201-vpn-allow-audit.png
@@ -125,7 +118,7 @@ controlled by security groups in `app:vpn:security`. Security groups are
essentially policy groups for Grouper access. Review the default privileges on
`vpn_allow`.

#. Naviage to `ref:app:vpn:service:policy:vpn_allow`.
#. Naviage to `ref:app:vpn:service:policy:vpn_access_allow`.
#. Click on the Privileges tab.

.. figure:: ../figures/201-vpn-allow-privileges.png
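Review bot: the new navigation step carries over two problems from the line it replaces. The path starts with `ref:` (`ref:app:vpn:service:policy:vpn_access_allow`), while the other exercises in this commit place policy groups directly under `app:` (for example `app:wiki:service:policy:`), and "Naviage" is still misspelled. The sentence just above the list also still says "Review the default privileges on `vpn_allow`" and should be renamed along with the step.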
@@ -73,7 +73,7 @@ Exercise 201.3.1 Create app folder for eduPersonAffiliation values

.. figure:: ../figures/201-eduPersonAffiliation-app-template.png

#. Create the following policy groups in
#. Create the following groups in
`app:eduPersonAffiliation:service:policy:`

* `ePA_student`
@@ -118,19 +118,22 @@ Exercise 201.3.4 Configure PSPNG to reflect ePA values to LDAP
--------------------------------------------------------------

#. Configure PSPNG to sync group membership to LDAP values for
**eduPersonAffiliation**.
**eduPersonAffiliation**. The following is already configured for you in
grouper-loader.properties.

.. literalinclude:: examples/201-3-4.pspng-epa.grouper-loader.properties
:language: properties
:caption: grouper-loader.properties
:linenos:

#. Assign PSPNG *provision_to* attribute to `ePA_member` with a value of
**pspng_affiliations**.
**pspng_affiliations**. (ePA_member -> More actions -> Attribute assigments
-> + Assign attribute -> `etc:pspng:provision_to` -> Save) (provision_to ->
Actions -> Add value -> `pspng_affiliations` -> Submit)

.. figure:: ../figures/201-ePA-pspng.png

3. Review and "Run job now" the PSPNG affiliations change log consumer daemon
3. Review and execute "Run job now" for the PSPNG affiliations change log consumer daemon
job (Miscellaneous -> All daemon jobs)

.. figure:: ../figures/201-ePA-pspng-run.png
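Review bot: the first step now says the PSPNG settings are "already configured for you" but still opens with "Configure PSPNG to sync group membership", which reads as an instruction to do it again; rephrase it as a review step. In the added click path, "Attribute assigments" is misspelled, and the two parenthesised paths would be easier to follow as sub-steps. The list also mixes `#.` auto-numbering with an explicit `3.`, which reStructuredText may render as a separate list.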
@@ -149,7 +152,8 @@ the demo SP. The relevant configuration is below:
:emphasize-lines: 9
:linenos:

1. Log in to https://localhost:8443/app with username `aclark706` and password `password`.
1. Open a private browser, and log in to https://localhost:8443/app with
username `aclark706` and password `password`.

.. figure:: ../figures/201-ePA-attribute-release.png

@@ -60,8 +60,8 @@ Exercise 201.4.2 Add reference groups to policy
access to the wiki. The natural language policy is, "All students have access
to the student wiki, unless they are in the global deny group".

#. Add `ref:student:students` to `app:wiki:service:policy:wiki_allow`.
#. Add `ref:iam:global_deny` to `app:wiki:service:policy:wiki_deny`.
#. Add `ref:student:students` to `app:wiki:service:policy:wiki_user_allow`.
#. `ref:iam:global_deny` was added to `wiki_user_deny` automatically by the template.
#. Review policy defintion (wiki_user -> More -> Visualization)

.. figure:: ../figures/201-wiki-policy.png
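Review bot: the second list item is now a statement, not an action ("`ref:iam:global_deny` was added to `wiki_user_deny` automatically by the template"). Since this deny group is what enforces the "unless they are in the global deny group" half of the policy, make it a verification step, for example "Confirm that `ref:iam:global_deny` is a member of `app:wiki:service:policy:wiki_user_deny`", using the full path as the first step does. "defintion" in the following step is also misspelled.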
@@ -76,7 +76,7 @@ Exercise 201.4.3 Configure PSPNG to provision wiki_user to eduPersonEntitlement
.. figure:: ../figures/201-wiki-user-pspng.png

2. Configure PSPNG to convert membership to ePE value of http://sp.example.org/wiki
and review in LDAP. The relevent configuration is below:
and review in LDAP. The following has already been configured in grouper-loader.properties:

.. literalinclude:: examples/201-4-4.pspng-epe.grouper-loader.properties
:language: properties
@@ -103,7 +103,7 @@ is below:
:emphasize-lines: 17
:linenos:

1. Open a new browser to https://localhost:8443/app
1. Open a new private browser to https://localhost:8443/app
2. Log in with username `aclark706` and password `password`
3. Check eduPersonEntitlement value

@@ -30,7 +30,7 @@ defined at the target service. The policy indicating which subjects are mapped
to application roles (permissions sets) can be attribute based, a simple access
control list, or some combination of both.

In AC3, the policy adminstration point is split between Grouper and the target
In ACM3, the policy adminstration point is split between Grouper and the target
service. Policy decision point and policy enforcement point are with the target
service.

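Review bot: the replacement line fixes the model name to ACM3 but keeps the misspelling "adminstration"; correct it to "administration" while the line is being touched.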
Binary file not shown.
BIN +95.4 KB (190%) docs/figures/201-ePA-pspng.png
Binary file not shown.
Binary file not shown.
BIN -2.41 KB (94%) docs/figures/201-vpn-access.png
Binary file not shown.
BIN +28.3 KB (220%) docs/figures/201-vpn-access2.png
Binary file not shown.
Binary file not shown.
BIN +17.5 KB (190%) docs/figures/201-wiki-policy.png
Binary file not shown.
@@ -7,6 +7,9 @@ addRootStem("app", "app");
addRootStem("org", "org");
addRootStem("test", "test");

addStem("ref", "iam", "iam");
addGroup("ref:iam", "active", "active");

// loader job for class year groups :ref:student:class2019, etc.
addGroup("etc","studentTermLoader", "studentTermLoader");
groupAddType("etc:studentTermLoader", "grouperLoader");
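Review bot: the added `addGroup("ref:iam", "active", "active")` creates the group that the properties change configures as a require group, but nothing in the visible lines gives it members or the object-type attributes that `ref:iam:closure` receives further down in the same script. If the policy template requires membership in `ref:iam:active`, an empty group would leave every subject outside the resulting policies; add the membership source (or a comment pointing to where it is loaded) next to this line.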
@@ -208,7 +211,6 @@ attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouper
attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription",
"Subjects denied access by CISO");

addStem("ref", "iam", "iam")
closure = addGroup("ref:iam", "closure", "closure")
AttributeAssign attributeAssign = closure.getAttributeDelegate().hasAttribute(typeMarker) ? closure.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : closure.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign();
attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");
@@ -7,6 +7,9 @@ addRootStem("app", "app");
addRootStem("org", "org");
addRootStem("test", "test");

addStem("ref", "iam", "iam");
addGroup("ref:iam", "active", "active");

// loader job for class year groups :ref:student:class2019, etc.
addGroup("etc","studentTermLoader", "studentTermLoader");
groupAddType("etc:studentTermLoader", "grouperLoader");
@@ -208,7 +211,6 @@ attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouper
attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription",
"Subjects denied access by CISO");

addStem("ref", "iam", "iam")
closure = addGroup("ref:iam", "closure", "closure")
AttributeAssign attributeAssign = closure.getAttributeDelegate().hasAttribute(typeMarker) ? closure.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : closure.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign();
attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");
