diff --git a/base/Dockerfile b/base/Dockerfile index b1a8222..083101c 100644 --- a/base/Dockerfile +++ b/base/Dockerfile @@ -1,7 +1,7 @@ FROM tier/shib-idp:3.4.3_20190201 as idp # Grouper version for the entire GTE -FROM tier/grouper:2.4.0-a47-u25-w5-p6-20190611 +FROM tier/grouper:2.4.0-a64-u38-w6-p6-20190612-rc1 # Disable docker HEALTHCHECK inherited from tier/shib-sp HEALTHCHECK NONE diff --git a/base/container_files/conf/grouper.properties b/base/container_files/conf/grouper.properties index c931287..bbe01c7 100644 --- a/base/container_files/conf/grouper.properties +++ b/base/container_files/conf/grouper.properties 
@@ -23,3 +23,33 @@ groups.wheel.group = etc:sysadmingroup # Used to allow Include Exclude groups grouperIncludeExclude.use = true grouperIncludeExclude.requireGroups.use = true + +################################## +## Lockout groups. Could be used for other things, but used for policy group templates at least +## if there is no allowed group, then anyone could use it +################################## + +# group name of a lockout group +# {valueType: "group", regex: "^grouper\\.lockoutGroup\\.name\\.\\d+$"} +grouper.lockoutGroup.name.0 = ref:iam:global_deny + +# allowed to use this lockout group. If not configured, anyone could use +# {valueType: "group", regex: "^grouper\\.lockoutGroup\\.allowedToUse\\.\\d+$"} +# grouper.lockoutGroup.allowedToUse.0 = ref:lockoutCanUse + +################################## +## Require groups. Could be used for other things, but used for policy group templates at least +## if there is no allowed group, then anyone could use it +################################## + +# group name of a require group +# {valueType: "group", regex: "^grouper\\.requireGroup\\.name\\.\\d+$"} +grouper.requireGroup.name.0 = ref:iam:active + +# group name of a require group +# {valueType: "group", regex: "^grouper\\.requireGroup\\.name\\.\\d+$"} +grouper.requireGroup.name.0 = ref:employee:fac_staff + +# allowed to use this require group. If not configured, anyone could use +# {valueType: "group", regex: "^grouper\\.lockoutGroup\\.requireGroup\\.\\d+$"} +# grouper.requireGroup.allowedToUse.0 = ref:activeCanUse \ No newline at end of file diff --git a/docs/201/201.2.rst b/docs/201/201.2.rst index fac71dd..fd85f41 100644 --- a/docs/201/201.2.rst +++ b/docs/201/201.2.rst 
@@ -68,13 +68,6 @@ create a new structure for our VPN service policy. .. figure:: ../figures/201-new-vpn-policy.png -TODO: Steps 5 through 8 should be replaced with policy template when ready - -5. Create `app:vpn:vpn_access`. -6. Create `app:vpn:vpn_allow`. -7. Create `app:vpn:vpn_deny`. -8. Make `vpn_access` a composite of `vpn_allow` minus `vpn_deny`. - ------------------------------------------------------------------- Exercise 201.2.2 Create digital policy from natural language policy ------------------------------------------------------------------- @@ -83,8 +76,8 @@ The natural language policy is "all faculty and staff have access to vpn, unless denied by CISO or the account is in a closure state". Reference groups are already available. -#. Add `ref:employee:fac_staff` to `vpn_allow`. -#. Add `ref:security:locked_by_ciso` to `vpn_deny`. +#. Add `ref:employee:fac_staff` to `vpn_access_allow`. +#. Add `ref:security:locked_by_ciso` to `vpn_access_deny`. #. Add `ref:iam:closure` to `vpn_deny`. #. Review the `vpn_access` policy definition (vpn_access -> More actions -> Visualization) @@ -106,7 +99,7 @@ account is in a closure state". .. figure:: ../figures/201-jsmith-trace.png -4. View the audit log on `vpn_allow`. (vpn_allow -> More actions -> View audit +4. View the audit log on `vpn_access_allow`. (vpn_access_allow -> More actions -> View audit log) .. figure:: ../figures/201-vpn-allow-audit.png @@ -125,7 +118,7 @@ controlled by security groups in `app:vpn:security`. Security groups are essentially policy groups for Grouper access. Review the default privileges on `vpn_allow`. -#. Naviage to `ref:app:vpn:service:policy:vpn_allow`. +#. Naviage to `ref:app:vpn:service:policy:vpn_access_allow`. #. Click on the Privileges tab. .. figure:: ../figures/201-vpn-allow-privileges.png diff --git a/docs/201/201.3.rst b/docs/201/201.3.rst index 3a13939..52ad162 100644 --- a/docs/201/201.3.rst +++ b/docs/201/201.3.rst 
@@ -73,7 +73,7 @@ Exercise 201.3.1 Create app folder for eduPersonAffiliation values .. figure:: ../figures/201-eduPersonAffiliation-app-template.png -#. Create the following policy groups in +#. Create the following groups in `app:eduPersonAffiliation:service:policy:` * `ePA_student` @@ -118,7 +118,8 @@ Exercise 201.3.4 Configure PSPNG to reflect ePA values to LDAP -------------------------------------------------------------- #. Configure PSPNG to sync group membership to LDAP values for - **eduPersonAffiliation**. + **eduPersonAffiliation**. The following is already configured for you in + grouper-loader.properties. .. literalinclude:: examples/201-3-4.pspng-epa.grouper-loader.properties :language: properties @@ -126,11 +127,13 @@ Exercise 201.3.4 Configure PSPNG to reflect ePA values to LDAP :linenos: #. Assign PSPNG *provision_to* attribute to `ePA_member` with a value of - **pspng_affiliations**. + **pspng_affiliations**. (ePA_member -> More actions -> Attribute assigments + -> + Assign attribute -> `etc:pspng:provision_to` -> Save) (provision_to -> + Actions -> Add value -> `pspng_affiliations` -> Submit) .. figure:: ../figures/201-ePA-pspng.png -3. Review and "Run job now" the PSPNG affiliations change log consumer daemon +3. Review and execute "Run job now" for the PSPNG affiliations change log consumer daemon job (Miscellaneous -> All daemon jobs) .. figure:: ../figures/201-ePA-pspng-run.png @@ -149,7 +152,8 @@ the demo SP. The relevant configuration is below: :emphasize-lines: 9 :linenos: -1. Log in to https://localhost:8443/app with username `aclark706` and password `password`. +1. Open a private browser, and log in to https://localhost:8443/app with + username `aclark706` and password `password`. .. figure:: ../figures/201-ePA-attribute-release.png diff --git a/docs/201/201.4.rst b/docs/201/201.4.rst index a65093b..cd3d8b0 100644 --- a/docs/201/201.4.rst +++ b/docs/201/201.4.rst 
@@ -60,8 +60,8 @@ Exercise 201.4.2 Add reference groups to policy access to the wiki. The natural language policy is, "All students have access to the student wiki, unless they are in the global deny group". -#. Add `ref:student:students` to `app:wiki:service:policy:wiki_allow`. -#. Add `ref:iam:global_deny` to `app:wiki:service:policy:wiki_deny`. +#. Add `ref:student:students` to `app:wiki:service:policy:wiki_user_allow`. +#. `ref:iam:global_deny` was added to `wiki_user_deny` automatically by the template. #. Review policy defintion (wiki_user -> More -> Visualization) .. figure:: ../figures/201-wiki-policy.png @@ -76,7 +76,7 @@ Exercise 201.4.3 Configure PSPNG to provision wiki_user to eduPersonEntitlement .. figure:: ../figures/201-wiki-user-pspng.png 2. Configure PSPNG to convert membership to ePE value of http://sp.example.org/wiki - and review in LDAP. The relevent configuration is below: + and review in LDAP. The following has already been configured in grouper-loader.properties: .. literalinclude:: examples/201-4-4.pspng-epe.grouper-loader.properties :language: properties @@ -103,7 +103,7 @@ is below: :emphasize-lines: 17 :linenos: -1. Open a new browser to https://localhost:8443/app +1. Open a new private browser to https://localhost:8443/app 2. Log in with username `aclark706` and password `password` 3. Check eduPersonEntitlement value diff --git a/docs/201/201.5.rst b/docs/201/201.5.rst index 4fdaab3..922304d 100644 --- a/docs/201/201.5.rst +++ b/docs/201/201.5.rst @@ -30,7 +30,7 @@ defined at the target service. The policy indicating which subjects are mapped to application roles (permissions sets) can be attribute based, a simple access control list, or some combination of both. -In AC3, the policy adminstration point is split between Grouper and the target +In ACM3, the policy adminstration point is split between Grouper and the target service. Policy decision point and policy enforcement point are with the target service. 
diff --git a/docs/figures/201-ePA-member-vis.png b/docs/figures/201-ePA-member-vis.png index e302e27..7a9bbb4 100644 Binary files a/docs/figures/201-ePA-member-vis.png and b/docs/figures/201-ePA-member-vis.png differ diff --git a/docs/figures/201-ePA-pspng.png b/docs/figures/201-ePA-pspng.png index 6805bb4..803532c 100644 Binary files a/docs/figures/201-ePA-pspng.png and b/docs/figures/201-ePA-pspng.png differ diff --git a/docs/figures/201-new-vpn-policy.png b/docs/figures/201-new-vpn-policy.png new file mode 100644 index 0000000..acfb4aa Binary files /dev/null and b/docs/figures/201-new-vpn-policy.png differ diff --git a/docs/figures/201-vpn-access.png b/docs/figures/201-vpn-access.png index f6d79c5..af620d5 100644 Binary files a/docs/figures/201-vpn-access.png and b/docs/figures/201-vpn-access.png differ diff --git a/docs/figures/201-vpn-access2.png b/docs/figures/201-vpn-access2.png index 71a382c..dd6a74f 100644 Binary files a/docs/figures/201-vpn-access2.png and b/docs/figures/201-vpn-access2.png differ diff --git a/docs/figures/201-vpn-allow-privileges.png b/docs/figures/201-vpn-allow-privileges.png index 38ec2a1..3523f00 100644 Binary files a/docs/figures/201-vpn-allow-privileges.png and b/docs/figures/201-vpn-allow-privileges.png differ diff --git a/docs/figures/201-wiki-policy.png b/docs/figures/201-wiki-policy.png index 43d81ee..c12a4ed 100644 Binary files a/docs/figures/201-wiki-policy.png and b/docs/figures/201-wiki-policy.png differ diff --git a/ex101/ex101.1.1/container_files/seed-data/bootstrap.gsh b/ex101/ex101.1.1/container_files/seed-data/bootstrap.gsh index 0176602..1aad87a 100644 --- a/ex101/ex101.1.1/container_files/seed-data/bootstrap.gsh +++ b/ex101/ex101.1.1/container_files/seed-data/bootstrap.gsh 
@@ -7,6 +7,9 @@ addRootStem("app", "app"); addRootStem("org", "org"); addRootStem("test", "test"); +addStem("ref", "iam", "iam"); +addGroup("ref:iam", "active", "active"); + // loader job for class year groups :ref:student:class2019, etc. addGroup("etc","studentTermLoader", "studentTermLoader"); groupAddType("etc:studentTermLoader", "grouperLoader"); @@ -208,7 +211,6 @@ attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouper attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", "Subjects denied access by CISO"); -addStem("ref", "iam", "iam") closure = addGroup("ref:iam", "closure", "closure") AttributeAssign attributeAssign = closure.getAttributeDelegate().hasAttribute(typeMarker) ? closure.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : closure.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); diff --git a/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh b/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh index e785b77..b5bd117 100644 --- a/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh @@ -7,6 +7,9 @@ addRootStem("app", "app"); addRootStem("org", "org"); addRootStem("test", "test"); +addStem("ref", "iam", "iam"); +addGroup("ref:iam", "active", "active"); + // loader job for class year groups :ref:student:class2019, etc. addGroup("etc","studentTermLoader", "studentTermLoader"); groupAddType("etc:studentTermLoader", "grouperLoader"); 
@@ -208,7 +211,6 @@ attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouper attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", "Subjects denied access by CISO"); -addStem("ref", "iam", "iam") closure = addGroup("ref:iam", "closure", "closure") AttributeAssign attributeAssign = closure.getAttributeDelegate().hasAttribute(typeMarker) ? closure.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : closure.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");
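Review bot: in the `base/Dockerfile` hunk, the new Grouper tag `2.4.0-a64-u38-w6-p6-20190612-rc1` is a release candidate, and this image is the base for the whole training environment (`# Grouper version for the entire GTE`). If the RC is intentional, say so in that comment, and consider pinning by image digest as well as tag so later rebuilds of a moving RC tag cannot silently change the base.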
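Review bot: in the `grouper.properties` hunk, `grouper.requireGroup.name.0` is assigned twice (`ref:iam:active`, then `ref:employee:fac_staff`); the second assignment overrides the first, so only `fac_staff` will act as a require group. The second entry should be `grouper.requireGroup.name.1 = ref:employee:fac_staff`. The valueType comment on the last key is also wrong: it gives `regex: "^grouper\\.lockoutGroup\\.requireGroup\\.\\d+$"` for a key named `grouper.requireGroup.allowedToUse.0`, and should read `^grouper\\.requireGroup\\.allowedToUse\\.\\d+$`. Both `allowedToUse` keys are left commented out, so the block's own note applies ("if there is no allowed group, then anyone could use it"): anyone who can create a policy can attach `ref:iam:global_deny` and the require groups. That is acceptable for a training image, but worth stating explicitly in the comment. Finally, add a trailing newline (the hunk ends with `\ No newline at end of file`).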
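Review bot: the first `docs/201/201.2.rst` hunk deletes steps 5 through 8 (creating `app:vpn:vpn_access`, `vpn_allow`, `vpn_deny` and the composite) together with the TODO, but no replacement step that applies the policy template is visible in the hunk. Confirm that the text above `.. figure:: ../figures/201-new-vpn-policy.png` now tells the reader to use the template; otherwise the groups referenced in Exercise 201.2.2 will not exist when the reader reaches it.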
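Review bot: the rename in the second `docs/201/201.2.rst` hunk is incomplete. The first two items become `vpn_access_allow` and `vpn_access_deny`, but the unchanged line that follows still reads `#. Add `ref:iam:closure` to `vpn_deny`.`; it should be `vpn_access_deny` so the closure reference group lands in the deny group the template actually created, rather than a group that no longer exists.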
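Review bot: in the last `docs/201/201.2.rst` hunk, `Naviage` is a typo carried into the changed line; it should be `Navigate`. The path `ref:app:vpn:service:policy:vpn_access_allow` also starts with `ref:` although the rest of the document places the VPN policy under `app:vpn:...` (for example `app:vpn:security` two lines above); check whether the `ref:` prefix is intended or should be dropped.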
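Review bot: in the third `docs/201/201.3.rst` hunk, `Attribute assigments` in the added navigation path is a typo for `Attribute assignments`, and the path is split awkwardly with `->` alone at the end of one line and `Assign attribute` starting the next; keep `-> Assign attribute` together on one line so the rendered RST reads as a single path.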
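Review bot: in the first `docs/201/201.4.rst` hunk, the new second item says `ref:iam:global_deny` was added to `wiki_user_deny` automatically by the template. That behaviour comes from the `grouper.lockoutGroup.name.0 = ref:iam:global_deny` setting added to `base/container_files/conf/grouper.properties` in this same change; consider saying so in the exercise so readers understand where the membership came from. The unchanged context line `Review policy defintion` also carries a typo (`definition`).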
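Review bot: the `docs/201/201.5.rst` hunk fixes `AC3` to `ACM3` but leaves `adminstration` on the same changed line; change it to `administration` in the same edit.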
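Review bot: in the two `bootstrap.gsh` hunks, moving `addStem("ref", "iam", "iam")` to the top of the file and adding `ref:iam:active` is needed because `grouper.properties` now names `ref:iam:active` as a require group, but nothing in the hunk populates it or gives it the `etc:objectTypes` attributes that its sibling `closure` receives a few lines below. If `ref:iam:active` is used as a require group while empty, any policy that requires it has no members, so either seed memberships or a loader for it here, or note in the exercise where it gets populated. The hunk is duplicated verbatim in `ex101/ex101.1.1/.../bootstrap.gsh` and `ex201/ex201.1.1/.../bootstrap.gsh`; both copies must be kept in sync.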