Remove rabbitmq

base/container_files/var-www-html/index.html

@@ -34,81 +34,70 @@ <h1>GTE jump page</h1>
 <tr>
 <th>Name</th>
 <th>Link</th>
-<th>Credentials</th>
 <th>Description</th>
+<th>Credentials</th>
 </tr>
 <tr>
 <td><a href="/grouper/">Grouper</a></td>
 <td>https://localhost:8443/grouper/</td>
+<td>Grouper UI application</td>
 <td>Admin: banderson / password<br/>
     Civilian: jsmith / password</td>
-<td>Grouper UI application</td>
 </tr>
 <tr>
 <td><a href="/phpmyadmin/">Database manager</a></td>
 <td>https://localhost:8443/phpmyadmin/</td>
-<td>root / &lt;no password&gt;</td>
 <td>Phpmyadmin Mysql database manager</td>
+<td>root / &lt;no password&gt;</td>
 </tr>
 <tr>
 <td><a href="/phpldapadmin/">LDAP manager</a></td>
 <td>https://localhost:8443/phpldapadmin/</td>
-<td>username: cn=root,dc=internet2,dc=edu<br />password: password</td>
 <td>Phpldapadmin LDAP administration</td>
+<td>username: cn=root,dc=internet2,dc=edu<br />password: password</td>
 </tr>
 <tr>
-<td><a href="/rabbitmq/">Messaging manager</a></td>
-<td>https://localhost:8443/rabbitmq/</td>
-<td>username: guest<br />password: guest</td>
-<td>Rabbitmq messaging administration<br />
-Start rabbit mq container with gte --rabbitmq &lt;lessonNumber&gt;</td>
-</tr>
-<tr>
-<td><a href="/app">Shibboleth attributes</a></td>
+<td><a href="/app">Shibboleth attributes app</a></td>
 <td>https://localhost:8443/app</td>
+<td>Simple Shibboleth-protected application to show login state</td>
 <td></td>
-<td>Simple screen to show login state</td>
 </tr>
 <tr>
 <td><a href="https://spaces.at.internet2.edu/display/Grouper/Grouper+Training+Environment">Grouper training wiki</a></td>
 <td></td>
+<td>Links to everything you need for the training.  Check Slack "pins" also.</td>
 <td></td>
-<td>Links to everything you need for the training.  Check slack "pins" also.</td>
 </tr>
 <tr>
 <td><a href="https://spaces.at.internet2.edu/display/Grouper/GTE+commands">GTE commands</a></td>
 <td></td>
-<td></td>
 <td>Commands that will start courses, shell into containers, etc</td>
+<td></td>
 </tr>
 <tr>
 <td><a href="https://spaces.at.internet2.edu/display/Grouper/Grouper+Training+Environment+-+text+to+copy+and+paste">Text to copy/paste</a></td>
 <td></td>
-<td></td>
 <td>Commands and configuration to copy and paste from slides for exercises</td>
+<td></td>
 </tr>
 <tr>
 <td><a href="https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide">Grouper Deployment Guide</a></td>
 <td></td>
-<td></td>
 <td>Grouper concepts, standards, and best practices</td>
+<td></td>
 </tr>
-
-<tr>
-  <td><a href="orgchart/org_chart_brief.svg">Org chart brief</a> | <a href="orgchart/org_chart_full.svg">Org chart full</a></td>
-  <td></td>
-  <td></td>
-  <td>Departmental org charts used in the example database</td>
-  </tr>
-
-<!--
 <tr>
+<td><a href="https://kahoot.it/">Kahoot</a></td>
 <td></td>
+<td>Online quiz site</td>
 <td></td>
+</tr>
+<tr>
+<td><a href="orgchart/org_chart_brief.svg">Org chart brief</a> | <a href="orgchart/org_chart_full.svg">Org chart full</a></td>
 <td></td>
+<td>Departmental org charts used in the example database</td>
 <td></td>
 </tr>
--->
 </table>
 </body>
 </html>

docs/copy-paste-markdown/401.1.md

@@ -0,0 +1,79 @@
+# Grouper Training Environment - text to copy and paste - 401.1
+
+# VPN Access Control part 1
+
+## Learning Objectives
+
+- Use group math and reference groups to analyze legacy authorization groups
+- Translate natural language policy into Grouper digital policy
+- Implement distributed access management
+- Use Grouper to answer access management questions such as “who” and “why”
+
+## Hands On
+
+### Analyze legacy VPN authorization group
+
+Gain insight into who has access to VPN based on the vpn_users LDAP group. We’ll do this by using well established reference groups for faculty, staff, and students. First review the legacy VPN authorization group in LDAP.
+
+* Log in to https://localhost:8443/phpldapadmin with username `cn=root,dc=internet2,dc=edu` and password `password`
+* Expand ou=groups, and click on cn=vpn_users. Note the multi-valued "member" field.
+* Create a `vpn` folder under the test folder.
+* Create a `vpn_legacy` group to load the ldap group
+* Add Loader settings to _vpn_legacy_ (More -> Loader -> Loader actions -> Edit loader configuration)
+    - Loader: Yes, has loader configuration
+    - Source Type: LDAP
+    - Loader type: LDAP_SIMPLE
+    - Server ID: demo
+    - LDAP filter: `(cn=vpn_users)`
+    - Subject attribute name: `member`
+    - Search base DN: `ou=groups,dc=internet2,dc=edu`
+    - Schedule: `0 * * * * ?`
+    - Subject source ID: eduLDAP - EDU Ldap
+    - Subject lookup type: subjectIdentifier
+    - Search scope: SUBTREE_SCOPE
+    - Priority:
+    - Subject expression: `${loaderLdapElUtils.convertDnToSpecificValue(subjectId)}`
+    - Require members in other group(s):
+    - Schedule job: Yes, schedule and enable this job
+* Run Loader diagnostics (Loader actions -> Loader diagnostics -> Run loader diagnostics)
+* Run loader (Loader actions -> Run loader process to sync group)
+* Review loader logs. How many subjects were added? (Loader actions -> View loader logs)
+* Review _vpn_legacy_ members
+
+### Analyze legacy VPN members
+
+We will use test composite groups to gain insight into the type of cohorts in vpn_legacy by intersecting it with well known reference groups for faculty and staff.
+
+* Create group `test:vpn:vpn_facstaff` and make it a composite intersection of _ref:role:all_facstaff_ and _test:vpn:vpn_legacy_. This represents existing faculty/staff with VPN access
+* Create group `test:vpn:vpn_legacy_exceptions` and make it a complement group of _vpn_legacy_ minus _all_facstaff_. This shows users who have VPN access but are not faculty or staff
+
+Another way to get the non-Faculty/Staff users is to use a membership filter. Use advanced membership search Group filter on the _vpn_legacy_ group to only see subjects that are not faculty/staff.
+
+### Get a list of current exceptions
+
+Before going live with the new group, we want to have the current exceptions looked at
+
+* Export the membership of _test:vpn:vpn_legacy_exceptions_ (More actions -> Export Members)
+
+### Get a list of current exceptions (Extra)
+
+If the exception list is long, it will speed up review by listing the basis groups for each user
+
+* Run the SQL query from the Copy/paste to summarize basis groups for the exceptions
+
+
+```
+select distinct M.subject_id, M.subject_identifier0, M.name, group_concat(distinct G.display_extension) as "Basis Groups" from grouper_memberships_all_v V
+join grouper_members M on V.member_id = M.id
+join grouper_groups G on V.owner_group_id = G.id
+where (G.name like 'basis:hr:employee:dept:%' or G.name like 'basis:sis:prog_status:year:%')
+and M.subject_source = 'eduLDAP'
+and M.subject_id in (
+  select distinct subject_id from grouper_memberships_all_v V
+  join grouper_members M on V.member_id = M.id
+  join grouper_groups G on V.owner_group_id = G.id
+  where G.name = 'test:vpn:vpn_legacy_exceptions'
+  and M.subject_source = 'eduLDAP'
+) group by M.subject_id
+order by M.subject_id;
+```

docs/copy-paste-markdown/401.2.md

@@ -0,0 +1,112 @@
+# Grouper Training Environment - text to copy and paste - 401.2
+
+# VPN Access Control part 2
+
+## Hands On
+
+### Translate natural language policy to digital policy
+
+The natural language policy is "Faculty, staff, and some exceptions (students, contractors, etc)"
+
+* Use the application template and the policy group template to create a new `vpn` application folder
+* Create a policy group called `vpn_authorized`. Select the policy template option "create allow ad hoc group"
+* Add the _All Faculty/Staff_ group to _vpn_authorized_allow_
+
+### Review provisioner
+
+* Go to Miscellaneous > Provisioning->groupOfNames->Actions->Edit provisioner
+
+In this provisioner, a group will sync to a record in LDAP in the _ou=Groups_ tree. The _cn_ value will be the full group name. The _member_ attribute will be multi-valued, containing the LDAP Dn values for the groups' members
+
+### Review full sync provisioning job
+
+A full sync provisioner has already been created for you. Review its status
+
+* Go to Miscellaneous->Daemon jobs
+* Filter for job name `OTHER_JOB_groupOfNames_full_sync`
+* Click on Edit daemon
+
+### Provision vpn_authorized to OpenLDAP
+
+* Configure provisioning on _app:vpn:service:policy:vpn_authorized_
+* Run the full sync provisioner job
+* Log in to https://localhost:8443/phpldapadmin and navigate to _ou=groups_. Review your new Grouper managed vpn access control group!
+
+
+* Investigate exceptions and add to the ad-hoc group as needed
+* *Open a service ticket to have the network team switch the VPN config to use vpn_authorized.
+
+Some important goals have been accomplished:
+- Automatic provisioning/deprovisioning of VPN access for faculty and staff.
+- Natural language policy - clear and visible.
+- Exceptions management
+
+This is a huge improvement! However, we are still dealing with tickets to add and remove subjects (well at least to add!) to the ad-hoc group. There is no way to distinguish different exceptions, and it is not clear who is responsible for lifecycle and attestation.
+
+### Implement distributed exception management
+
+Each policy exception is represented by an application specific access control lists (ACL).
+
+* Create `app:vpn:service:policy:vpn_consultants`. This ACL will be managed by the IAM team.
+* Create `app:vpn:service:policy:vpn_wri250`. Management of this ACL will be delegated to a course instructor.
+* Add each of these ACLs to _vpn_authorized_allow_manual_
+
+Professor Jenkins (`kjenkins`) runs a special project for course WRI250 that includes various online resources that can only be accessed from the VPN. The professor should be able to control who is allowed to have VPN access for the purpose of accessing his project’s resources.
+
+We already created an access control list (ACL) _app:vpn:service:policy:vpn_wri250_ to represent subjects that will access resources related to the special project. In order to delegate management of this ACL to the course instructors, we must create a security group and grant it appropriate permissions:
+
+* Create `app:vpn:security:vpn_wri250_mgr`
+* Add the instructors for WRI250 to this security group (hint: there is a basis group for this)
+* Grant _vpn_wri250_mgr_ UPDATE and READ to _vpn_wri250_
+* Review the privileges on _vpn_wri250_
+
+* In a private browser window, log in to http://localhost:8443/grouper with username `kjenkins` and password `password`. You should be able to add and remove members from the _vpn_wri250_ ACL.
+* Add student `mwest` to _vpn_wri250_
+* Switch back to `banderson`. Find `mwest` in _vpn_authorized_ and trace membership
+
+### Implement additional policy constraints
+
+It is the IAM team’s responsibility to make sure that VPN access is granted to the correct subjects. Putting some limits in place can help make sure improper access is not granted. Attestation makes sure that access which was granted in the past is still appropriate.
+
+The ref:iam:global_deny reference group represents a broad cohort of subjects that should not be granted access. Subjects that fall into this category may include:
+- Termed with cause
+- Deceased
+- Other reasons
+
+ref:iam:global_deny was automatically added to the vpn_authorized_deny
+
+* As banderson, add 30 day attestation requirements to the _vpn_wri250_ ACL. (vpn_wri250 -> More actions -> Attestation -> Attestation actions -> Edit attestation settings…)
+* As `kjenkins`, review attestations (Miscellaneous -> Attestation)
+
+Consultant exceptions should expire automatically after 180 days. There are 2 techniques to accomplish this in Grouper. The first is to simply edit the membership end date after you have added a subject to a group. The second, and more reliable, is to have a rule that runs every time a subject is added which automatically sets the membership end date. Let’s implement the second approach.
+
+* Run ./gte-gsh to get a command prompt.
+* Paste into the gsh console
+
+```
+// Automatically expire vpn_consultant subject memberships in 180 days
+gs = GrouperSession.startRootSession();
+numberOfDays = 180;
+actAs = SubjectFinder.findRootSubject();
+vpn_consultants = GroupFinder.findByName(gs, "app:vpn:service:policy:vpn_consultants");
+attribAssign = vpn_consultants.getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();
+attribValueDelegate = attribAssign.getAttributeValueDelegate();
+attribValueDelegate.assignValue(RuleUtils.ruleActAsSubjectSourceIdName(), actAs.getSourceId());
+attribValueDelegate.assignValue(RuleUtils.ruleActAsSubjectIdName(), actAs.getId());
+attribValueDelegate.assignValue(RuleUtils.ruleCheckTypeName(), RuleCheckType.membershipAdd.name());
+attribValueDelegate.assignValue(RuleUtils.ruleThenEnumName(), RuleThenEnum.assignMembershipDisabledDaysForOwnerGroupId.name());
+attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg0Name(), numberOfDays.toString());
+attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg1Name(), "T");
+```
+
+* Add Ricardo Johnson (`rjohnso5`) to _vpn_consultants_
+* Review Enabled/Disabled status - Membership -> Filter for: -> Advanced -> Enabled/disabled
+
+### Answering Audit Questions - Does "jadams3" have access to VPN? When?
+
+The CISO is working on a investigation and wants to know if this particular NetID "jadams3" has access to the VPN now or in the past 90 days?
+
+* Navigate to _app:vpn:service:policy:vpn_authorized_
+* Search for `jadams3` and trace membership.
+
+Joseph currently has access since he is staff. The Point-In-Time (PIT) tables know if he’s had access in the last 90 days. These can be access using the advanced membership filter. This shows his earliest access date.

gte

@@ -4,11 +4,9 @@ REPOSITORY=tier/gte
 VERSION_TAG=202202
 
 EXTRA_ARGS=
-RABBITMQ_FL=
 
 show_help() {
-  echo "$0 [--rabbitmq] [--sql] [--ldap] [--fg|-it] [docker args ...] <gte lesson id> [container cmd ...]"
-  echo "    --rabbitmq:    also start up a rabbitmq container, and link it as name 'rabbitmq'"
+  echo "$0 [--sql] [--ldap] [--fg|-it] [docker args ...] <gte lesson id> [container cmd ...]"
   echo "    --sql:         Expose port 3306"
   echo "    --ldap:        Expose port 389"
   echo "    --fg:          Don't detach (i.e., don't run container with -d flag"
@@ -21,7 +19,6 @@ for arg in $*; do
   case $arg in
         --sql) EXTRA_ARGS="$EXTRA_ARGS -p 3306:3306"; shift;;
         --ldap) EXTRA_ARGS="$EXTRA_ARGS -p 389:389"; shift;;
-        --rabbitmq) EXTRA_ARGS="$EXTRA_ARGS --link rabbitmq:rabbitmq"; RABBITMQ_FL=1; shift;;
         --fg) is_foreground=1; shift;;
         -it) is_foreground=1; EXTRA_ARGS="$EXTRA_ARGS $1"; shift;;
         -h|--help) show_help; exit 0;;
@@ -32,7 +29,6 @@ done
 
 #echo args=$*
 #echo EXTRA_ARGS=$EXTRA_ARGS
-#echo RABBITMQ_FL=$RABBITMQ
 
 if [ "$is_foreground" != 1 ]; then
   EXTRA_ARGS="$EXTRA_ARGS -d"
@@ -62,19 +58,10 @@ if [ ! -z "$CONTAINERS" ]; then
   docker rm -f $CONTAINERS
 fi
 
-if [ "$RABBITMQ_FL" == 1 ]; then
-  echo Removing any old rabbitmq containers
-  docker rm -f rabbitmq 2> /dev/null
-  #DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-  #$DIR/start-rabbitmq.sh
-  echo "Starting container rabbitmq:management"
-  docker run -d -p 15672:15672 --env RABBITMQ_NODENAME=docker-rabbit --hostname rabbitmq --name=rabbitmq rabbitmq:management
-fi
-
 # lets see which 
 
 #docker stop "$1" 2> /dev/null
 #docker rm "$1" 2> /dev/null
-#docker run -d -p 8443:443 --link rabbitmq:rabbitmq --name $1 tier/gte:"$1"-202202
+#docker run -d -p 8443:443 --name $1 tier/gte:"$1"-202202
 echo "Starting container tier/gte:"$LESSON_ID"-$VERSION_TAG"
 docker run -p 8443:443 $EXTRA_ARGS --name $LESSON_ID tier/gte:"$LESSON_ID"-$VERSION_TAG $*

internal/mkstudent.sh

@@ -19,7 +19,7 @@ systemctl start docker
 docker pull "tier/gte:base-$GROUPER_GTE_DOCKER_BRANCH"
 docker pull "tier/gte:101.1.1-$GROUPER_GTE_DOCKER_BRANCH"
 docker pull "tier/gte:201.end-$GROUPER_GTE_DOCKER_BRANCH"
-docker pull rabbitmq:management
+docker pull "tier/gte:401.end-$GROUPER_GTE_DOCKER_BRANCH"
 
 
 # Who am i?
@@ -59,7 +59,6 @@ wget "https://github.internet2.edu/docker/grouper_training/raw/$GROUPER_GTE_BRAN
 wget "https://github.internet2.edu/docker/grouper_training/raw/$GROUPER_GTE_BRANCH/gte-gsh"
 wget "https://github.internet2.edu/docker/grouper_training/raw/$GROUPER_GTE_BRANCH/gte-logs"
 wget "https://github.internet2.edu/docker/grouper_training/raw/$GROUPER_GTE_BRANCH/gte-shell"
-wget "https://github.internet2.edu/docker/grouper_training/raw/$GROUPER_GTE_BRANCH/start-rabbitmq.sh"
 wget "https://github.internet2.edu/docker/grouper_training/raw/$GROUPER_GTE_BRANCH/README.md"
 
 chown student.student /home/student/*
@@ -68,8 +67,6 @@ chmod +x /home/student/gte
 chmod +x /home/student/gte-gsh
 chmod +x /home/student/gte-logs
 chmod +x /home/student/gte-shell
-chmod +x /home/student/start-rabbitmq.sh
-
 
 updatedb