
201906 201 updates #22

Merged
merged 4 commits into from Jun 8, 2019
323 changes: 209 additions & 114 deletions docs/401/401.3.rst

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion docs/401/examples/401.3.2-grouper-loader.properties
Expand Up @@ -94,7 +94,7 @@ changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.ps
changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
changeLog.consumer.pspng_entitlements.ldapPoolName = demo
changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : (group.name.equalsIgnoreCase('app:boardeffect:boardeffect_authorized') ? 'https://college.boardeffect.com/' : 'urn:mace:example.edu:' + group.extension) }
changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : (group.name.equalsIgnoreCase('app:board_effect:service:policy:board_effect_access') ? 'https://college.boardeffect.com/' : 'urn:mace:example.edu:' + group.extension) }
changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=*
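Review bot: The MFA branch of `provisionedAttributeValueFormat` in this example still tests `app:mfa:mfa_enabled`, while the same property in `ex401/ex401.1.1/container_files/grouper-loader.properties` tests `app:mfa:service:policy:mfa_enabled`; only the Board Effect group name was moved to the `service:policy` path here. If the MFA policy group lives at the longer path, this example would never emit `http://tier.internet2.edu/mfa/enabled` and would fall through to `urn:mace:example.edu:mfa_enabled`, so a relying party keyed on the MFA entitlement would not see it. I would align the first comparison to `group.name.equalsIgnoreCase('app:mfa:service:policy:mfa_enabled')`, or say in the docs why the two files differ. The page does not mark which of the two value lines is old, so this assumes the one naming `app:board_effect:service:policy:board_effect_access` is the new side.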
Binary file added docs/figures/401-board-effect-ann-admin-priv.png
Binary file added docs/figures/401-board-effect-ann-privs.png
Binary file added docs/figures/401-board-effect-app.png
Binary file added docs/figures/401-board-effect-final-privs.png
Binary file added docs/figures/401-board-effect-my-groups.png
Binary file added docs/figures/401-board-effect-rabbitmq.png
Binary file added docs/figures/401-board-effect-workroom.png
2 changes: 1 addition & 1 deletion ex401/ex401.1.1/container_files/grouper-loader.properties
Expand Up @@ -94,7 +94,7 @@ changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.ps
changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
changeLog.consumer.pspng_entitlements.ldapPoolName = demo
changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:service:policy:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : 'urn:mace:example.edu:' + group.extension}
changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:service:policy:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : (group.name.equalsIgnoreCase('app:board_effect:service:policy:board_effect_access') ? 'https://college.boardeffect.com/' : 'urn:mace:example.edu:' + group.extension)}
changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=*
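Review bot: The fallback arm `'urn:mace:example.edu:' + group.extension` derives the entitlement from the group's last path segment only, so two provisioned groups with the same extension in different stems would yield the same `eduPersonEntitlement` value. Now that a second application is special-cased by its full name, I would either build the fallback from the full `group.name` or add a comment above the property such as `# fallback entitlement uses group.extension only; extensions must be unique across provisioned groups`. Which groups are selected for provisioning is configured outside this hunk, so how far this matters depends on that selection.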
2 changes: 2 additions & 0 deletions ex401/ex401.3.1/container_files/seed-data/bootstrap.gsh
@@ -1 +1,3 @@
gs = GrouperSession.startRootSession();
delStem("401.2.end")
addRootStem("401.3.1", "401.3.1")
2 changes: 1 addition & 1 deletion ex401/ex401.3.end/Dockerfile
@@ -1,5 +1,5 @@
ARG VERSION_TAG
FROM tier/gte:401.3.7-$VERSION_TAG
FROM tier/gte:401.3.1-$VERSION_TAG

LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
Vendor="TIER" \
100 changes: 84 additions & 16 deletions ex401/ex401.3.end/container_files/seed-data/bootstrap.gsh
@@ -1,26 +1,94 @@
gs = GrouperSession.startRootSession();
delStem("401.3.1")
addRootStem("401.3.end", "401.3.end")

addStem("ref", "board", "board");
// 401.3.1
parent_stem_path = "app";
app_extension = "board_effect";
app_name = "board_effect";

group = GroupFinder.findByName(gs, "app:boardeffect:ref:cmt_fin", true);
stem = StemFinder.findByName(gs, "ref:board", true);
group.move(stem);
stem = addStem(parent_stem_path, app_extension, app_name);
security = addStem(stem.name, "security", "security");
service = addStem(stem.name, "service", "service");
policy = addStem(service.name, "policy", "policy");
ref = addStem(service.name, "ref", "ref");

admin_group_name = "${app_extension}Admins";
admin_group = addGroup(security.name, admin_group_name, admin_group_name);
mgr_group_name = "${app_extension}Updaters";
mgr_group = addGroup(security.name, mgr_group_name, mgr_group_name);
view_group_name = "${app_extension}Readers";
view_group = addGroup(security.name, view_group_name, view_group_name);

addGroup("app:board_effect:service:policy", "board_effect_access", "board_effect_access");
addGroup("app:board_effect:service:policy", "board_effect_access_allow", "board_effect_access_allow");
addGroup("app:board_effect:service:policy", "board_effect_access_deny", "board_effect_access_deny");
addComposite("app:board_effect:service:policy:board_effect_access", CompositeType.COMPLEMENT, "app:board_effect:service:policy:board_effect_access_allow", "app:board_effect:service:policy:board_effect_access_deny");

// 401.3.2
addGroup("app:board_effect:service:policy", "workroom_finance", "workroom_finance");
addGroup("app:board_effect:service:policy", "workroom_finance_allow", "workroom_finance_allow");
addGroup("app:board_effect:service:policy", "workroom_finance_deny", "workroom_finance_deny");
addComposite("app:board_effect:service:policy:workroom_finance", CompositeType.COMPLEMENT, "app:board_effect:service:policy:workroom_finance_allow", "app:board_effect:service:policy:workroom_finance_deny");
addMember("app:board_effect:service:policy:board_effect_access_allow", "app:board_effect:service:policy:workroom_finance");

// 401.3.3 nothing to do
// 401.3.4 nothing to do

addStem("ref:board", "etc", "etc");
group2 = addGroup("ref:board:etc", "board_managers", "board_managers");
// 401.3.5
addGroup("app:board_effect:service:ref", "finance_committee", "finance_committee");
grantPriv("app:board_effect:service:ref:finance_committee", "app:board_effect:security:board_effectAdmins", AccessPrivilege.ADMIN);
addMember("app:board_effect:service:policy:workroom_finance_allow", "app:board_effect:service:ref:finance_committee");
addMember("app:board_effect:security:board_effectAdmins", "amartinez410");

addMember("ref:board:etc:board_managers", "ref:roles:president_assistant");
GrouperSession.start(findSubject("amartinez410"))
addMember("app:board_effect:service:ref:finance_committee", "ksmith3")
gs = GrouperSession.startRootSession();

// 401.3.6
addGroup("app:board_effect:service:ref", "finance_committee_helpers", "finance_committee_helpers");
addMember("app:board_effect:service:policy:workroom_finance_allow", "app:board_effect:service:ref:finance_committee_helpers");
addGroup("app:board_effect:service:ref", "workroom_helpers", "workroom_helpers");
addMember("app:board_effect:service:policy:workroom_finance_allow", "app:board_effect:service:ref:workroom_helpers");

group_name = "app:board_effect:service:ref:workroom_helpers";
workroom_helpers = GroupFinder.findByName(gs, group_name);
numDays = 3;
actAs = SubjectFinder.findRootSubject();
attribAssign = workroom_helpers.getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();
attribValueDelegate = attribAssign.getAttributeValueDelegate();
attribValueDelegate.assignValue(RuleUtils.ruleActAsSubjectSourceIdName(), actAs.getSourceId());
attribValueDelegate.assignValue(RuleUtils.ruleRunDaemonName(), "F");
attribValueDelegate.assignValue(RuleUtils.ruleActAsSubjectIdName(), actAs.getId());
attribValueDelegate.assignValue(RuleUtils.ruleCheckTypeName(), RuleCheckType.membershipAdd.name());
attribValueDelegate.assignValue(RuleUtils.ruleIfConditionEnumName(), RuleIfConditionEnum.thisGroupHasImmediateEnabledNoEndDateMembership.name());
attribValueDelegate.assignValue(RuleUtils.ruleThenEnumName(), RuleThenEnum.assignMembershipDisabledDaysForOwnerGroupId.name());
attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg0Name(), numDays.toString());
attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg1Name(), "T");

// 401.3.7
addStem("ref", "role", "role");
addGroup("ref:role", "president_assistant", "president_assistant");
addMember("ref:role:president_assistant", "amartinez410");
addMember("app:board_effect:security:board_effectUpdaters", "ref:role:president_assistant");
delMember("app:board_effect:security:board_effectAdmins", "amartinez410");

grantPriv("ref:board:cmt_fin", group2.toSubject().id, AccessPrivilege.UPDATE);
grantPriv("ref:board:cmt_fin", group2.toSubject().id, AccessPrivilege.READ);
// 401.3.8
addStem("ref", "board", "board");
group = GroupFinder.findByName(gs, "app:board_effect:service:ref:finance_committee", true);
stem = StemFinder.findByName(gs, "ref:board", true);
group.move(stem);

boardeffect_admins = GroupFinder.findByName(gs, "app:boardeffect:etc:boardeffect_admins", true);
boardeffect_mgr = GroupFinder.findByName(gs, "app:boardeffect:etc:boardeffect_mgr", true);
boardeffect_viewers = GroupFinder.findByName(gs, "app:boardeffect:etc:boardeffect_viewers", true);
addStem("ref:board", "security", "security");
group2 = addGroup("ref:board:security", "boardUpdaters", "boardUpdaters");
grantPriv("ref:board:finance_committee", group2.toSubject().id, AccessPrivilege.UPDATE);
grantPriv("ref:board:finance_committee", group2.toSubject().id, AccessPrivilege.READ);
addMember("ref:board:security:boardUpdaters", "ref:role:president_assistant");

revokePriv("ref:board:cmt_fin", boardeffect_admins.toSubject().id, AccessPrivilege.ADMIN);
revokePriv("ref:board:cmt_fin", boardeffect_mgr.toSubject().id, AccessPrivilege.UPDATE);
revokePriv("ref:board:cmt_fin", boardeffect_mgr.toSubject().id, AccessPrivilege.READ);
boardeffectAdmins = GroupFinder.findByName(gs, "app:board_effect:security:board_effectAdmins", true);
boardeffectUpdaters = GroupFinder.findByName(gs, "app:board_effect:security:board_effectUpdaters", true);

revokePriv("ref:board:cmt_fin", boardeffect_viewers.toSubject().id, AccessPrivilege.READ);
revokePriv("ref:board:finance_committee", boardeffectAdmins.toSubject().id, AccessPrivilege.ADMIN);
revokePriv("ref:board:finance_committee", boardeffectUpdaters.toSubject().id, AccessPrivilege.UPDATE);
revokePriv("ref:board:finance_committee", boardeffectUpdaters.toSubject().id, AccessPrivilege.READ);
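Review bot: The two closing `revokePriv` calls on `ref:board:finance_committee` for `boardeffectUpdaters` remove UPDATE and READ that nothing visible in the new script grants; the only grants on that group are ADMIN to `board_effectAdmins` in the 401.3.5 block and UPDATE/READ to `boardUpdaters` in 401.3.8. Either the 401.3.7 block is missing the grants the exercise expects, or these two lines were carried over from the old `boardeffect_mgr` revokes and can be dropped; as written the end state depends on how `revokePriv` treats a privilege that was never assigned. Separately, the session opened with `GrouperSession.start(findSubject("amartinez410"))` in 401.3.5 is never stopped before `startRootSession()` replaces it; keeping the handle, `s = GrouperSession.start(findSubject("amartinez410"))`, and calling `GrouperSession.stopQuietly(s)` after the `addMember` makes the privilege switch explicit. Old and new lines are interleaved on this page without markers, so this treats the `app:board_effect:…` lines as the new side.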

6 changes: 0 additions & 6 deletions ex401/manualBuild.sh
Expand Up @@ -5,12 +5,6 @@ docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.1.1-${VER
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.1-${VERSION_TAG} ex401.2.1 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.end-${VERSION_TAG} ex401.2.end \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.1-${VERSION_TAG} ex401.3.1 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.2-${VERSION_TAG} ex401.3.2 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.3-${VERSION_TAG} ex401.3.3 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.4-${VERSION_TAG} ex401.3.4 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.5-${VERSION_TAG} ex401.3.5 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.6-${VERSION_TAG} ex401.3.6 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.7-${VERSION_TAG} ex401.3.7 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.end-${VERSION_TAG} ex401.3.end \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.4.1-${VERSION_TAG} ex401.4.1 \
&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.4.end-${VERSION_TAG} ex401.4.end