diff --git a/base/Dockerfile b/base/Dockerfile index 91b4de2..4c3c856 100644 --- a/base/Dockerfile +++ b/base/Dockerfile @@ -83,7 +83,8 @@ COPY container_files/var-www-html/ /var/www/html/ RUN cp /opt/tier-support/grouper.xml /opt/tier-support/grouper-ws.xml /opt/tomcat/conf/Catalina/localhost/ \ && chown -R tomcat /opt/shibboleth-idp/ \ && chmod -R 700 /opt/shibboleth-idp/ \ - && chmod +rx /var/www/html/app/index.py + && chmod +rx /var/www/html/app/index.py \ + && /opt/shibboleth-idp/bin/build.sh EXPOSE 389 3306 4443 diff --git a/base/container_files/shibboleth-idp/edit-webapp/images/Grouper_204px.png b/base/container_files/shibboleth-idp/edit-webapp/images/Grouper_204px.png new file mode 100644 index 0000000..6bc874f Binary files /dev/null and b/base/container_files/shibboleth-idp/edit-webapp/images/Grouper_204px.png differ diff --git a/base/container_files/shibboleth-idp/messages/messages.properties b/base/container_files/shibboleth-idp/messages/messages.properties new file mode 100644 index 0000000..d3a48de --- /dev/null +++ b/base/container_files/shibboleth-idp/messages/messages.properties @@ -0,0 +1,6 @@ +# You can define message properties here to override messages defined in +# system/messages/ or to add your own messages. +idp.title = InCommon Trusted Access Platform - Grouper Training Environment +idp.logo = /images/Grouper_204px.png +idp.logo.alt-text = Grouper +idp.footer = InCommon Trusted Access Platform - Grouper Training Environment diff --git a/docs/201/201.1.rst b/docs/201/201.1.rst index d7a207d..115970e 100644 --- a/docs/201/201.1.rst +++ b/docs/201/201.1.rst 
@@ -57,13 +57,13 @@ to students. Exercise 201.1.1 All students reference group --------------------------------------------- -*Create an all student reference group to be used in access policy and the all -students mailing list* +Create an all student reference group to be used in access policy and the "all +students" mailing list. -Reference groups for student by class year already exist. These are being used -for class year mailing lists. Membership in the class year groups are updated -automatically by the studentTermLoader job. The loader job queries the student -information system. +Reference groups for students by class year already exist in `ref:student`. +These are being used for class year mailing lists. Membership in the class year +groups are updated automatically by the studentTermLoader job. The loader job +queries the student information system. 1. Create a new group named `ref:student:students`. (+ Create new group) @@ -75,7 +75,7 @@ information system. .. figure:: ../figures/201-add-ref-students.png -3. Add the following class year reference groups to `..:students`. +3. Add the following class year reference groups to `students`. (Members -> + Add members -> ...) * `ref:student:class2020` @@ -84,7 +84,7 @@ information system. * `ref:student:class2023` 4. Filter for: Has direct membership. This shows all the reference groups that - contribute to the '..:students' group. + contribute to the `students` group. .. figure:: ../figures/201-students-direct-membership.png 
@@ -140,14 +140,16 @@ Exercise 201.1.4 Transfer Students Students who transfer to your campus often need access to systems well ahead of SIS data being fully updated. -#. Create a new basis group, `basis:student:transfer_student`. +#. Create a new basis group `basis:student:transfer_student` and add it to + `students` + #. Add the following accounts to `transfer_student`: - * agrady901 - * alee467 - * ascott776 +* pmartinez921 +* cthompson287 +* agrady901 -#. Check how many students there are now. The number of students did not go +3. Check how many students there are now. The number of students did not go up by 3 as you might have expected. Why? One of the transfer students was already a member of `students`. Trace the membership on each of the transfer students to determine which accounts already had the `students` @@ -157,8 +159,8 @@ of SIS data being fully updated. Exercise 201.1.5 Change of Status --------------------------------- -Students who leave for a variety of reasons are given a 32 day grace period -during which they retain student access. Basis groups for these already exist. +Students who leave for a variety of reasons are given a 32 day grace period, +during which they retain student access. Basis groups for these already exist. They include: * `basis:student:expelled_32_days` @@ -167,6 +169,8 @@ They include: #. Add these basis groups to `students`. How many students are there now? +.. figure:: ../figures/201-students-change-of-status.png + ------------------------------------------ Exercise 201.1.6 Leave of Absence Students ------------------------------------------ diff --git a/docs/201/201.2.rst b/docs/201/201.2.rst index e3d027b..fac71dd 100644 --- a/docs/201/201.2.rst +++ b/docs/201/201.2.rst 
@@ -63,19 +63,17 @@ create a new structure for our VPN service policy. 3. Navigate to the `app:vpn:service:policy` folder -4. Create a new vpn_authorized policy group using the Policy Group Template +4. Create a new vpn_access policy group using the Policy Group Template (More actions -> New template) .. figure:: ../figures/201-new-vpn-policy.png -[ this should be replaced with policy template when ready ] +TODO: Steps 5 through 8 should be replaced with policy template when ready -5. Create `app:vpn:vpn_authorized`. +5. Create `app:vpn:vpn_access`. 6. Create `app:vpn:vpn_allow`. 7. Create `app:vpn:vpn_deny`. -8. Make `vpn_authorized` a composite of `vpn_allow` minus `vpn_deny`. - -.. figure:: ../figures/201-vpn-composite.png +8. Make `vpn_access` a composite of `vpn_allow` minus `vpn_deny`. ------------------------------------------------------------------- Exercise 201.2.2 Create digital policy from natural language policy @@ -88,10 +86,10 @@ are already available. #. Add `ref:employee:fac_staff` to `vpn_allow`. #. Add `ref:security:locked_by_ciso` to `vpn_deny`. #. Add `ref:iam:closure` to `vpn_deny`. -#. Review the `vpn_authorized` policy definition - (vpn_authorized -> More actions -> Visualization) +#. Review the `vpn_access` policy definition + (vpn_access -> More actions -> Visualization) -.. figure:: ../figures/201-vpn-authorized.png +.. figure:: ../figures/201-vpn-access.png ---------------------------------------------------------------------------- Exercise 201.2.3 Update policy to include institutional review board members @@ -103,7 +101,7 @@ account is in a closure state". #. Add `org:irb:ref:irb_members` to `vpn_allow`. #. Add *jsmith* to `org:irb:ref:irb_members`. -#. Trace membership for *jsmith* from `vpn_authorized`. (jsmith -> Choose +#. Trace membership for *jsmith* from `vpn_access`. (jsmith -> Choose action -> Actions -> Trace membership) .. figure:: ../figures/201-jsmith-trace.png 
@@ -113,10 +111,10 @@ account is in a closure state". .. figure:: ../figures/201-vpn-allow-audit.png -5. Review policy definition for `vpn_authorized`. - (vpn_authorized -> More actions -> Visualization) +5. Review policy definition for `vpn_access`. + (vpn_access -> More actions -> Visualization) -.. figure:: ../figures/201-vpn-authorized2.png +.. figure:: ../figures/201-vpn-access2.png ------------------------------------------------------------ Exercise 201.2.4 Review Application template security groups diff --git a/docs/201/201.3.rst b/docs/201/201.3.rst index 9165f65..3a13939 100644 --- a/docs/201/201.3.rst +++ b/docs/201/201.3.rst @@ -108,7 +108,7 @@ The eduPerson object class specification states: faculty, staff and students. #. Create `app:eduPersonAffiliation:ePA_member`. -#. Add `...:ePA_faculty | staff | student` to `...:ePA_member`. +#. Add `ePA_faculty`, `ePA_staff`, and `ePA_student` to `ePA_member`. #. Review `ePA_member` defintion (ePA_member -> More actions -> Visualization) .. figure:: ../figures/201-ePA-member-vis.png diff --git a/docs/201/201.4.rst b/docs/201/201.4.rst index 18bf290..a65093b 100644 --- a/docs/201/201.4.rst +++ b/docs/201/201.4.rst 
@@ -19,16 +19,16 @@ Lab Components * OpenLDAP * Shibboleth * `Grouper Deployment Guide`_ -* `eduPerson Object Class Specification`_ +* `eduPerson Object Class Specification`_ -------- Overview -------- `Grouper Deployment Guide`_ access control model 2 (ACM2) is all about -attribute based access control (ABAC) as defined in `NIST SP 800-162`_. ACM2 is -applicable across a broad range of services where access control policy can be -based on subject attributes, policy decisions can be precomputed, and simple +attribute based access control (ABAC) as defined in `NIST SP 800-162`_. ACM2 +is applicable across a broad range of services where access control policy can +be based on subject attributes, policy decisions can be precomputed, and simple subject attributes are sufficient to drive the policy enforcement point. In cases where the SAML Service Provider will accept an @@ -49,20 +49,11 @@ Exercise 201.4.1 Create policy for wiki application .. figure:: ../figures/201-wiki-app.png -[ use new policy template to create wiki_user] -`app:wiki:service:policy:wiki_authorized|allow|deny`. -Edit composite `wiki_authorized` to make it `wiki_allow` minus `wiki_deny`. - ---------------------------------------------------- -Exercise 201.4.2 Review application security groups ---------------------------------------------------- - -`app:wiki:security` - -.. figure:: ../figures/201-wiki-security.png +3. Navigate to `app:wiki:service:policy:` and use the new policy template to + create `wiki_user` ----------------------------------------------- -Exercise 201.4.3 Add reference groups to policy +Exercise 201.4.2 Add reference groups to policy ----------------------------------------------- `wiki_user` is an application-secific role. Subjects in this role have general 
@@ -76,7 +67,7 @@ to the student wiki, unless they are in the global deny group". .. figure:: ../figures/201-wiki-policy.png ------------------------------------------------------------------------------- -Exercise 201.4.4 Configure PSPNG to provision wiki_user to eduPersonEntitlement +Exercise 201.4.3 Configure PSPNG to provision wiki_user to eduPersonEntitlement ------------------------------------------------------------------------------- #. Assign PSPNG attribute, **provision_to** to `wiki_user` with a value @@ -92,13 +83,13 @@ Exercise 201.4.4 Configure PSPNG to provision wiki_user to eduPersonEntitlement :caption: grouper-loader.properties :linenos: -2. Run CHANGE_LOG_consumer_pspng_entitlements +3. Run CHANGE_LOG_consumer_pspng_entitlements (Miscellaneous -> All daemon jobs -> Job actions -> Run job now) .. figure:: ../figures/201-pspng-entitlements-run-job.png --------------------------------------------------------------- -Exercise 201.4.5 Configure Shib to release ePE value for our SP +Exercise 201.4.4 Configure Shib to release ePE value for our SP --------------------------------------------------------------- The demo Shibboleth IdP has been configured to release the @@ -119,7 +110,7 @@ is below: .. figure:: ../figures/201-ePE-value.png ---------------------------------------------------------------- -Exercise 201.4.6 Thought exercise! Create accounts at target SP? +Exercise 201.4.5 Thought exercise! Create accounts at target SP? ---------------------------------------------------------------- Can we use policy groups to create/manage accounts at target SP? diff --git a/docs/201/201.5.rst b/docs/201/201.5.rst index e4afc12..4fdaab3 100644 --- a/docs/201/201.5.rst +++ b/docs/201/201.5.rst 
@@ -46,8 +46,11 @@ Exercise 201.5.1 Create a `congos` application folder and group set 1. Use the Application template to create the `cognos` application folder and group set in the `app` folder. -2. Use the Policy template to create two new policy groups in - `app:cognos:service` +2. Use the Policy template to create two new policy groups in + `app:cognos:service:policy` + +* `app:cognos:service:policy:cg_fin_report_reader` +* `app:cognos:service:policy:cp_fin_report_writer` ------------------------------------------------------ Exercise 201.5.2 Implement Report Reader Access Policy @@ -66,10 +69,10 @@ Exercise 201.5.3 Implement Report Writer Access Policy Only employees authorized by the Finance Manager have access to write reports -This policy will require an application specific reference group the we will -use as an access control list managed by the Finanance Manager. +This policy will require an application specific reference group. It will be +will used as an access control list managed by the Finanance Manager. -1. Create a `app:congos:service:ref:finance_report_writer` group. +1. Create reference group `app:congos:service:ref:finance_report_writer`. 2. Add `finance_report_writer` to `cg_fin_report_write_allow`. .. figure:: ../figures/201-fin-report-writer.png 
@@ -114,10 +117,10 @@ Exercise 201.5.4 Add attestation for finance_report_writer ABAC policy groups are kept in sync automatically as subject attributes change in the underlying business systems. Access control lists, on the otherhand, tend to drift as soon as they are created. Grouper provides an attestation -feature that reminds group managers and owners to review group memberships and +feature that reminds group managers and owners to review group memberships, and keeps an audit of attestation actions. -#. Add attestation requirement for `advancement_report_writer`. +#. Add attestation requirement for `finance_report_writer`. (finance_report_writer -> More actions -> Attestation -> Attestation actions -> Edit attestation settings) @@ -137,6 +140,6 @@ keeps an audit of attestation actions. Congrats! Your Congos access policy is clear, consistent, automated, delegated, auditable, and attestable! -Welcome to Grouper Guru Level 7! :) +Welcome to Grouper Guru Level 2! :) .. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program diff --git a/docs/401/401.4-example-solution.rst b/docs/401/401.4-example-solution.rst index 42679d4..6403836 100644 --- a/docs/401/401.4-example-solution.rst +++ b/docs/401/401.4-example-solution.rst @@ -23,4 +23,4 @@ scholars reference group. .. figure:: ../figures/401-lms-solution.png -Congrats! You are now a certified Grouper Guru associate level 1! +Congrats! You are now a certified Grouper Guru level 4! diff --git a/docs/figures/201-jsmith-trace.png b/docs/figures/201-jsmith-trace.png index 0898c24..b3e3ff4 100644 Binary files a/docs/figures/201-jsmith-trace.png and b/docs/figures/201-jsmith-trace.png differ diff --git a/docs/figures/201-students-change-of-status.png b/docs/figures/201-students-change-of-status.png new file mode 100644 index 0000000..7b0ebf9 Binary files /dev/null and b/docs/figures/201-students-change-of-status.png differ 
diff --git a/docs/figures/201-vpn-access.png b/docs/figures/201-vpn-access.png new file mode 100644 index 0000000..f6d79c5 Binary files /dev/null and b/docs/figures/201-vpn-access.png differ diff --git a/docs/figures/201-vpn-access2.png b/docs/figures/201-vpn-access2.png new file mode 100644 index 0000000..71a382c Binary files /dev/null and b/docs/figures/201-vpn-access2.png differ diff --git a/docs/figures/201-vpn-authorized.png b/docs/figures/201-vpn-authorized.png deleted file mode 100644 index f8774c4..0000000 Binary files a/docs/figures/201-vpn-authorized.png and /dev/null differ diff --git a/docs/figures/201-vpn-authorized2.png b/docs/figures/201-vpn-authorized2.png deleted file mode 100644 index 533e954..0000000 Binary files a/docs/figures/201-vpn-authorized2.png and /dev/null differ diff --git a/docs/figures/201-vpn-composite.png b/docs/figures/201-vpn-composite.png deleted file mode 100644 index 08b54bf..0000000 Binary files a/docs/figures/201-vpn-composite.png and /dev/null differ diff --git a/docs/figures/201-wiki-security.png b/docs/figures/201-wiki-security.png deleted file mode 100644 index eb4535d..0000000 Binary files a/docs/figures/201-wiki-security.png and /dev/null differ diff --git a/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh b/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh index 5d44b4c..e785b77 100644 --- a/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh 
@@ -182,3 +182,66 @@ attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouper addMember("basis:student:loa_4_years","jprice704"); addMember("basis:student:loa_4_years","aprice705"); addMember("basis:student:loa_4_years","aclark706"); + +// setup for 201.2 +// should be a loader job? +addStem("ref", "employee", "employee") +fac_staff = addGroup("ref:employee", "fac_staff", "fac_staff") + +// Set ref object type on fac_staff reference group +AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true); +AttributeAssign attributeAssign = fac_staff.getAttributeDelegate().hasAttribute(typeMarker) ? fac_staff.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : fac_staff.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", +"HR and Provost Office"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"All faculty and staff"); + +addStem("ref", "security", "security") +locked_by_ciso = addGroup("ref:security", "locked_by_ciso", "locked_by_ciso") +AttributeAssign attributeAssign = locked_by_ciso.getAttributeDelegate().hasAttribute(typeMarker) ? 
locked_by_ciso.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : locked_by_ciso.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", +"CISO"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Subjects denied access by CISO"); + +addStem("ref", "iam", "iam") +closure = addGroup("ref:iam", "closure", "closure") +AttributeAssign attributeAssign = closure.getAttributeDelegate().hasAttribute(typeMarker) ? closure.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : closure.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", +"IAM"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Accounts in the process of being closed"); + +addStem("org", "irb", "irb") +addStem("org:irb", "ref", "ref") +irb_members = addGroup("org:irb:ref", "irb_members", "irb_members") +AttributeAssign attributeAssign = irb_members.getAttributeDelegate().hasAttribute(typeMarker) ? 
irb_members.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : irb_members.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", +"Institutional Review Board"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Members of the IRB"); + +// setup for 201.4 +global_deny = addGroup("ref:iam", "global_deny", "global_deny"); +AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true); +AttributeAssign attributeAssign = global_deny.getAttributeDelegate().hasAttribute(typeMarker) ? global_deny.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : global_deny.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", +"Identity and Access Management"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Global deny group"); + +// setup for 201.5 +// should be a loader job? +addStem("ref", "dept", "dept") +addGroup("ref:dept", "finance", "finance") +addMember("ref:dept:finance", "asmith989") \ No newline at end of file diff --git a/ex201/ex201.1.1/container_files/seed-data/sisData.sql b/ex201/ex201.1.1/container_files/seed-data/sisData.sql index 53103d6..9c90392 100644 
--- a/ex201/ex201.1.1/container_files/seed-data/sisData.sql +++ b/ex201/ex201.1.1/container_files/seed-data/sisData.sql @@ -3324,7 +3324,6 @@ INSERT INTO SIS_COURSES (termId, courseId, studentId) VALUES ('201810','ACCT101' INSERT INTO SIS_COURSES (termId, courseId, studentId) VALUES ('201810','ENGL101','80000902'); INSERT INTO SIS_COURSES (termId, courseId, studentId) VALUES ('201810','MATH100','80000902'); INSERT INTO SIS_COURSES (termId, courseId, studentId) VALUES ('201810','HIST101','80000902'); -INSERT INTO SIS_STUDENT_TERMS (id, term) VALUES ('80000902','2019'); INSERT INTO SIS_STUDENT_TERMS (id, term) VALUES ('80000902','2022'); INSERT INTO HR_PEOPLE(id, surname, givenName) VALUES ('80000903','Gasper','Mark'); INSERT INTO HR_PEOPLE_ROLES(id, role) VALUES ('80000903','staff'); diff --git a/ex201/ex201.2.1/container_files/seed-data/bootstrap.gsh b/ex201/ex201.2.1/container_files/seed-data/bootstrap.gsh index 4d92526..22e0ba1 100644 --- a/ex201/ex201.2.1/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.2.1/container_files/seed-data/bootstrap.gsh 
@@ -1,49 +1,3 @@ GrouperSession.startRootSession() delStem("201.1.end") addRootStem("201.2.1", "201.2.1") - -// should be a loader job? -addStem("ref", "employee", "employee") -fac_staff = addGroup("ref:employee", "fac_staff", "fac_staff") - -// Set ref object type on fac_staff reference group -AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true); -AttributeAssign attributeAssign = fac_staff.getAttributeDelegate().hasAttribute(typeMarker) ? fac_staff.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : fac_staff.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", -"HR and Provost Office"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", -"All faculty and staff"); - -addStem("ref", "security", "security") -locked_by_ciso = addGroup("ref:security", "locked_by_ciso", "locked_by_ciso") -AttributeAssign attributeAssign = locked_by_ciso.getAttributeDelegate().hasAttribute(typeMarker) ? 
locked_by_ciso.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : locked_by_ciso.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", -"CISO"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", -"Subjects denied access by CISO"); - -addStem("ref", "iam", "iam") -closure = addGroup("ref:iam", "closure", "closure") -AttributeAssign attributeAssign = closure.getAttributeDelegate().hasAttribute(typeMarker) ? closure.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : closure.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", -"IAM"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", -"Accounts in the process of being closed"); - -addStem("org", "irb", "irb") -addStem("org:irb", "ref", "ref") -irb_members = addGroup("org:irb:ref", "irb_members", "irb_members") -AttributeAssign attributeAssign = irb_members.getAttributeDelegate().hasAttribute(typeMarker) ? 
irb_members.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : irb_members.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", -"Institutional Review Board"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", -"Members of the IRB"); - diff --git a/ex201/ex201.2.end/container_files/seed-data/bootstrap.gsh b/ex201/ex201.2.end/container_files/seed-data/bootstrap.gsh index c06c515..82075a7 100644 --- a/ex201/ex201.2.end/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.2.end/container_files/seed-data/bootstrap.gsh 
@@ -9,16 +9,20 @@ addStem("app:vpn:service", "policy", "policy") addStem("app:vpn:service", "ref", "ref") addStem("app:vpn:service", "attributes", "attributes") -addGroup("app:vpn:service:policy", "vpn_authorized", "vpn_authorized") +addGroup("app:vpn:service:policy", "vpn_access", "vpn_access") addGroup("app:vpn:service:policy", "vpn_allow", "vpn_allow") addGroup("app:vpn:service:policy", "vpn_deny", "vpn_deny") -addComposite("app:vpn:service:policy:vpn_authorized", CompositeType.COMPLEMENT, "app:vpn:service:policy:vpn_allow", "app:vpn:service:policy:vpn_deny") +addComposite("app:vpn:service:policy:vpn_access", CompositeType.COMPLEMENT, "app:vpn:service:policy:vpn_allow", "app:vpn:service:policy:vpn_deny") addGroup("app:vpn:security", "vpnAdmins", "vpnAdmins") addGroup("app:vpn:security", "vpnReaders", "vpnReaders") addGroup("app:vpn:security", "vpnUpdaters", "vpnUpdaters") grantPriv("app:vpn", "app:vpn:security:vpnAdmins", NamingPrivilege.STEM) +grantPriv("app:vpn:service:policy:vpn_allow", "app:vpn:security:vpnAdmins", AccessPrivilege.ADMIN) +grantPriv("app:vpn:service:policy:vpn_allow", "app:vpn:security:vpnUpdaters", AccessPrivilege.UPDATE) +grantPriv("app:vpn:service:policy:vpn_allow", "app:vpn:security:vpnReaders", AccessPrivilege.READ) + //ex 201.2.2 addMember("app:vpn:service:policy:vpn_allow", "ref:employee:fac_staff") addMember("app:vpn:service:policy:vpn_deny", "ref:security:locked_by_ciso") diff --git a/ex201/ex201.4.1/container_files/seed-data/bootstrap.gsh b/ex201/ex201.4.1/container_files/seed-data/bootstrap.gsh index 1d2a9ac..f67a79a 100644 --- a/ex201/ex201.4.1/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.4.1/container_files/seed-data/bootstrap.gsh 
@@ -1,13 +1,3 @@ gs = GrouperSession.startRootSession() delStem("201.3.end") addRootStem("201.4.1", "201.4.1") - -global_deny = addGroup("ref:iam", "global_deny", "global_deny"); -AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true); -AttributeAssign attributeAssign = global_deny.getAttributeDelegate().hasAttribute(typeMarker) ? global_deny.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : global_deny.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", -"Identity and Access Management"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", -"Global deny group"); \ No newline at end of file diff --git a/ex201/ex201.5.1/container_files/seed-data/bootstrap.gsh b/ex201/ex201.5.1/container_files/seed-data/bootstrap.gsh index 7d156d3..eaeeb76 100644 --- a/ex201/ex201.5.1/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.5.1/container_files/seed-data/bootstrap.gsh @@ -1,9 +1,3 @@ GrouperSession.startRootSession() delStem("201.4.end") addRootStem("201.5.1", "201.5.1") - -// should be a loader job? -addStem("ref", "dept", "dept") -addGroup("ref:dept", "finance", "finance") -addMember("ref:dept:finance", "asmith989") - diff --git a/gte-gsh b/gte-gsh new file mode 100755 index 0000000..46cad26 --- /dev/null +++ b/gte-gsh @@ -0,0 +1,9 @@ +#! /bin/bash + +if [ -z "$1" ] + then + docker ps --format "{{.Names}} {{.Image}} {{.Status}}" + exit 0 +fi + +docker exec -it "$1" /opt/grouper/grouper.apiBinary/bin/gsh 2> /dev/null 
diff --git a/gte-shell b/gte-shell new file mode 100755 index 0000000..28d01c8 --- /dev/null +++ b/gte-shell @@ -0,0 +1,9 @@ +#! /bin/bash + +if [ -z "$1" ] + then + docker ps --format "{{.Names}} {{.Image}} {{.Status}}" + exit 0 +fi + +docker exec -it "$1" /bin/bash 2> /dev/null
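Review bot: in the base/Dockerfile hunk (@@ -83,7 +83,8 @@), `/opt/shibboleth-idp/bin/build.sh` is appended after `chown -R tomcat /opt/shibboleth-idp/` and `chmod -R 700 /opt/shibboleth-idp/`, so anything the build writes under /opt/shibboleth-idp (the rebuilt war that picks up the new messages.properties and Grouper_204px.png) is created by root afterwards and is not covered by the ownership and mode fixes. Move the `build.sh` call to the front of the `&&` chain so the chown/chmod run last, and confirm the script completes without prompting when there is no stdin, since a Docker build layer cannot answer an interactive question.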
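Review bot: grammar in the added lines of docs/201/201.1.rst (@@ -57,13 +57,13 @@): "Membership in the class year groups are updated automatically" should read "is updated automatically" (the subject is "Membership"). The rest of the rewording, including the `ref:student` folder reference and the quoted "all students" list name, reads well.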
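Review bot: the list structure in Exercise 201.1.4 (docs/201/201.1.rst, @@ -140,14 +140,16 @@) is broken by this change. The three account bullets (`* pmartinez921`, `* cthompson287`, `* agrady901`) are now at column 0 instead of indented under item 2, and the next item changed from `#.` to a literal `3.`; in reStructuredText an unindented bullet list closes the enumerated list, so `3.` opens a new list with a non-initial start value and docutils will flag it. Indent the bullets two spaces under "Add the following accounts" and keep `#.` for the third item so auto-numbering continues. Also add the missing full stop after "and add it to `students`".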
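Review bot: in docs/201/201.2.rst (@@ -63,19 +63,17 @@) the line `TODO: Steps 5 through 8 should be replaced with policy template when ready` is ordinary body text and will render in the student-facing page; make it an RST comment (`.. TODO: steps 5 through 8 ...`) so it stays visible to maintainers only. In the same hunk, steps 5 to 7 name the groups `app:vpn:vpn_access`, `app:vpn:vpn_allow` and `app:vpn:vpn_deny`, while step 3 has the student in `app:vpn:service:policy` and the ex201.2.end seed creates `app:vpn:service:policy:vpn_access` and friends; the paths in the steps should use the full `app:vpn:service:policy:` prefix so the manual path and the template/seed path agree.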
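Review bot: in docs/201/201.4.rst (@@ -49,20 +49,11 @@) the new step 3 writes the folder as `app:wiki:service:policy:` with a trailing colon, which the rest of the docs never do (compare `app:vpn:service:policy`); drop the colon. While this region is being touched, the context line "`wiki_user` is an application-secific role" has a typo ("application-specific"). The removal of Exercise 201.4.2 together with 201-wiki-security.png is consistent with the renumbering of 201.4.3 to 201.4.6.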
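Review bot: naming is inconsistent in docs/201/201.5.rst (@@ -46,8 +46,11 @@ and @@ -66,10 +69,10 @@). The two new policy groups are `cg_fin_report_reader` and `cp_fin_report_writer` (cg vs cp), and 201.5.3 later refers to `cg_fin_report_write_allow`, so the writer group should be `cg_fin_report_writer` to match. The exercise heading says `congos`, step 1 says `cognos`, and the reference group path is `app:congos:service:ref:finance_report_writer`; since the Application template creates `app:cognos`, the `ref` group path must be `app:cognos:service:ref:finance_report_writer` or students will create it in a folder that does not exist. Also fix "It will be will used" (doubled "will") and "Finanance Manager".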
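Review bot: in ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh (@@ -182,3 +182,66 @@), the blocks moved in from the 201.2.1, 201.4.1 and 201.5.1 seeds carry their "// should be a loader job?" questions with them; either resolve them or mark them as TODOs, since the 201.1.1 seed is now the single place these reference groups are created. The 201.4 block repeats `AttributeDefName typeMarker = AttributeDefNameFinder.findByName(...)` that the 201.2 block already set a few lines up; reuse the variable. The two groups in `ref:iam` are tagged with different data owners, "IAM" for `closure` and "Identity and Access Management" for `global_deny`; pick one spelling so the object-type report groups them together. The file also now ends without a trailing newline after `addMember("ref:dept:finance", "asmith989")`.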
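Review bot: the sisData.sql hunk (@@ -3324,7 +3324,6 @@) silently drops `INSERT INTO SIS_STUDENT_TERMS (id, term) VALUES ('80000902','2019');`, leaving only the 2022 term for that student, with no comment explaining why. Exercise 201.1.4 depends on exactly one of `pmartinez921`, `cthompson287`, `agrady901` already being in `students` via a class-year group when the three are added; please confirm that 80000902 is one of those accounts and that the count students observe still matches the "did not go up by 3" text after the row is removed, and note the reason in the commit or a SQL comment.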
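Review bot: the privilege grants added in ex201/ex201.2.end/container_files/seed-data/bootstrap.gsh (@@ -9,16 +9,20 @@) cover only `app:vpn:service:policy:vpn_allow`: vpnAdmins get ADMIN, vpnUpdaters UPDATE and vpnReaders READ on that one group, while `vpn_deny` and the composite `vpn_access` receive nothing. As written, vpnReaders cannot view the effective policy result and vpnUpdaters cannot maintain the deny list. If deny membership is meant to be driven only by the `ref:security` and `ref:iam` reference groups, say so in a comment; otherwise add at least `grantPriv("app:vpn:service:policy:vpn_access", "app:vpn:security:vpnReaders", AccessPrivilege.READ)` and the matching grants on `vpn_deny`.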
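Review bot: in the new gte-gsh and gte-shell scripts, `docker exec -it "$1" ... 2> /dev/null` discards Docker's own error text, so a mistyped or stopped container name returns to the prompt with no explanation (the non-zero exit status is the only signal). Drop the redirect. The no-argument branch prints `docker ps --format "{{.Names}} {{.Image}} {{.Status}}"` without saying what it is; a one-line usage message before the listing would make it clear that the argument is one of those container names. The two scripts differ only in the command run inside the container, so one script taking the command as a second argument, or `gte-shell` exec'ing `gte-gsh`, would avoid maintaining them in parallel.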