[GRP-1198] incorporate John Gasper's hook to assign admin read privilege based on attribute Created: 16/Sep/15 Updated: 16/Sep/15 |
Status: | Open |
Project: | Grouper |
Component/s: | API |
Affects Version/s: | 2.2.1 |
Fix Version/s: | 2.2.2, 2.3.0 |
Type: | New Feature | Priority: | Minor |
Reporter: | Chris Hyzer (upenn.edu) | Assignee: | Chris Hyzer (upenn.edu) |
Resolution: | Unresolved | Votes: | 0 |
Labels: | None | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Description |
Have an attribute on a folder that will assign READ to a read-only admin group. This attribute can't be removed unless the group is deleted. Cache the attribute assignments for an hour and clear the cache if there is an attribute assignment or removal in this JVM. |
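The mechanism the description asks for, as an added illustration that is not Grouper code and not the hook being incorporated: a folder attribute maps a folder to a read-only admin group, a READ check walks the ancestor folders of a group name looking for such an assignment, the assignments are served from a snapshot that expires after one hour, and any assignment or removal made in this JVM drops the snapshot immediately. Removal is refused while the admin group still exists. All class, method and group names (ReadOnlyAdminPrivilegeHook, "etc:readonlyAdmins", "app:hr") are hypothetical stand-ins chosen for this example; in Grouper the snapshot would come from an attribute assignment query.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical stand-in for a folder-attribute driven read-only admin privilege (not Grouper code). */
public final class ReadOnlyAdminPrivilegeHook {

    private static final Duration CACHE_TTL = Duration.ofHours(1);

    /** Folder name -> read-only admin group name (stands in for the folder attribute assignments). */
    private final Map<String, String> attributeAssignments = new ConcurrentHashMap<>();

    /** Groups that currently exist; an assignment may only be dropped once its group is gone. */
    private final Set<String> existingGroups = ConcurrentHashMap.newKeySet();

    /** Cached snapshot of the assignments plus the time it was built. */
    private volatile Map<String, String> cache;
    private volatile Instant cacheBuiltAt = Instant.EPOCH;

    private final Clock clock;

    public ReadOnlyAdminPrivilegeHook(Clock clock) { this.clock = clock; }

    public void createGroup(String groupName) { existingGroups.add(groupName); }

    public void deleteGroup(String groupName) { existingGroups.remove(groupName); }

    /** Assign the attribute on a folder: members of adminGroup get READ on everything under it. */
    public void assignReadonlyAdmin(String folderName, String adminGroup) {
        if (!existingGroups.contains(adminGroup)) {
            throw new IllegalArgumentException("no such group: " + adminGroup);
        }
        attributeAssignments.put(folderName, adminGroup);
        cache = null; // changed in this JVM: invalidate at once instead of waiting for the TTL
    }

    /** Remove the attribute; refused while the admin group it names still exists. */
    public void removeReadonlyAdmin(String folderName) {
        String adminGroup = attributeAssignments.get(folderName);
        if (adminGroup != null && existingGroups.contains(adminGroup)) {
            throw new IllegalStateException("attribute on " + folderName
                + " can only be removed once " + adminGroup + " is deleted");
        }
        attributeAssignments.remove(folderName);
        cache = null;
    }

    /** Snapshot of the assignments, re-read at most once per TTL unless a change invalidated it. */
    private Map<String, String> assignments() {
        Map<String, String> snapshot = cache;
        Instant now = clock.instant();
        if (snapshot == null || now.isAfter(cacheBuiltAt.plus(CACHE_TTL))) {
            snapshot = Map.copyOf(attributeAssignments); // in Grouper: the attribute assignment query
            cacheBuiltAt = now;
            cache = snapshot;
        }
        return snapshot;
    }

    /** READ is granted if an ancestor folder of groupName carries an attribute naming one of the caller's groups. */
    public boolean hasReadViaFolderAttribute(String groupName, Set<String> callerGroups) {
        Map<String, String> current = assignments();
        for (String folder = parentFolder(groupName); folder != null; folder = parentFolder(folder)) {
            String adminGroup = current.get(folder);
            if (adminGroup != null && callerGroups.contains(adminGroup)) {
                return true;
            }
        }
        return false;
    }

    /** "a:b:c" -> "a:b"; a top-level name has no parent. */
    private static String parentFolder(String name) {
        int i = name.lastIndexOf(':');
        return i < 0 ? null : name.substring(0, i);
    }

    public static void main(String[] args) {
        ReadOnlyAdminPrivilegeHook hook = new ReadOnlyAdminPrivilegeHook(Clock.systemUTC());
        hook.createGroup("etc:readonlyAdmins");
        hook.assignReadonlyAdmin("app:hr", "etc:readonlyAdmins");
        Set<String> caller = Set.of("etc:readonlyAdmins");
        System.out.println("app:hr:payroll:viewers: " + hook.hasReadViaFolderAttribute("app:hr:payroll:viewers", caller));
        System.out.println("app:it:helpdesk:        " + hook.hasReadViaFolderAttribute("app:it:helpdesk", caller));
        hook.deleteGroup("etc:readonlyAdmins");
        hook.removeReadonlyAdmin("app:hr");
        System.out.println("after removal:          " + hook.hasReadViaFolderAttribute("app:hr:payroll:viewers", caller));
    }
}
```

The invalidation is JVM-local, exactly as the description specifies: a second Grouper JVM (a loader or a separate UI instance) that did not see the change keeps serving its own snapshot for up to the TTL, so after a removal a reader in that JVM may keep READ for up to an hour. The rule that the attribute only goes away with its group, together with the one-hour TTL, is what bounds that stale window; shortening the TTL or invalidating through a shared signal narrows it further. The check-then-build in assignments() can rebuild the snapshot twice under a race, which is harmless here.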
Comments |
Comment by mchyzer [ 16/Sep/15 ] |
Code excerpt as posted (two classes; the comment preserves only fragments, and the parts missing from it are marked "// ..."):

package edu.internet2.middleware.subject.provider;

import edu.internet2.middleware.grouper.GrouperSession;
// ...

/**
 * ...
 */
public class PrivilegedAwareGrouperJndiSourceAdapter /* ... */ {

  private final static Logger log = LoggerFactory.getLogger(PrivilegedAwareGrouperJndiSourceAdapter.class);

  /** privileged (special employees) group name */
  // ...

  @Override
  // ... (method signature not included in the comment)
    GrouperSession grouperSession = GrouperSession.staticGrouperSession();
    MembershipResult groupMembershipResult = new MembershipFinder() // ...

    //see if the user is privileged
    // ...
    log.debug("Is 'search' caller ({}) privileged? {}",
        new Object[] {grouperSession.getMember().getName(), grouperSessionIsPrivileged});
    if (grouperSessionIsPrivileged) {
      // ...
      log.error("'privilegedSearch' is not defined in sources.xml for the {} type", this.getClass().getName());
      // ...

package edu.nd.middleware.grouper;

import edu.internet2.middleware.grouper.GrouperSession;
import java.util.LinkedHashSet;
import org.apache.commons.lang.StringUtils;
// ...

/**
 * ...
 */
// ... (class declaration not included in the comment)

  /** protected (students) group name */
  // ...
  /** privileged (special employees) group name */
  // ...
  /** attribute name to use for the users display name */
  // ...
  /** attribute name to show "(restricted)" */
  // ...
  /** attribute value to show instead of "(restricted)" */
  // ...

  /**
   * ...
   */
  // ... (method signature not included in the comment)
    //nothing to do if no results
    // ...
    //get results in one query
    // ...
    //see if the user is privileged
    // ...
    //if so, we are done, they can see stuff
    // ...
    //loop through the subjects and see which are protected, set their name to be their netId,
    //with no other attributes but cn marked as "restricted".
    // ... (loop header not included in the comment)
      if (groupMembershipResult.hasGroupMembership(PROTECTED_GROUP_NAME, subject)) {
        final String netId = subject.getAttributeValue(UID_ATTRIBUTE, false);
        final Subject replacementSubject = new SubjectImpl(subject.getId(), netId, "",
            subject.getTypeName(), subject.getSourceId());
        replacementSubject.getAttributes(false).put(RESTRICTED_ATTRIBUTE_NAME,
            GrouperUtil.toSet(RESTRICTED_ATTRIBUTE_VALUE));
        results.add(replacementSubject);
      } else {
        results.add(subject);
      }
    }
    return results;
  }
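The redaction step of the hook in the comment above, rewritten here as an added, self-contained example that is neither John Gasper's code nor Grouper's: search results are post-processed so that a caller in the privileged group sees them unchanged, while for every other caller each subject in the protected group is replaced by a fresh object that keeps only the subject id and netId and carries a single "(restricted)" marker attribute. The Subject and MembershipResult records are minimal stand-ins for the Grouper subject API, and the group names, attribute names and sample subjects are constructed for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

/** Hypothetical stand-in for a privileged-aware search post-processor (not Grouper code). */
public final class PrivilegedAwareSearchFilter {

    // constructed names for the example; the real hook reads these from configuration
    static final String PROTECTED_GROUP_NAME = "etc:protectedStudents";
    static final String PRIVILEGED_GROUP_NAME = "etc:privilegedEmployees";
    static final String UID_ATTRIBUTE = "uid";
    static final String RESTRICTED_ATTRIBUTE_NAME = "cn";
    static final String RESTRICTED_ATTRIBUTE_VALUE = "(restricted)";

    /** Minimal stand-in for the subject API: id, display name and multi-valued attributes. */
    public record Subject(String id, String name, Map<String, Set<String>> attributes) {
        String attributeValue(String attr) {
            Set<String> values = attributes.get(attr);
            return values == null || values.isEmpty() ? null : values.iterator().next();
        }
    }

    /** Stand-in for a MembershipResult fetched in one query: group name -> member subject ids. */
    public record MembershipResult(Map<String, Set<String>> members) {
        boolean hasGroupMembership(String groupName, Subject subject) {
            return members.getOrDefault(groupName, Set.of()).contains(subject.id());
        }
    }

    /** Returns the results the caller is allowed to see, redacting protected subjects for non-privileged callers. */
    public static List<Subject> filter(Subject caller, List<Subject> found, MembershipResult memberships) {
        if (found.isEmpty()) {
            return found; // nothing to do if no results
        }
        if (memberships.hasGroupMembership(PRIVILEGED_GROUP_NAME, caller)) {
            return found; // privileged caller: done, they can see everything
        }
        List<Subject> results = new ArrayList<>(found.size());
        for (Subject subject : found) {
            if (memberships.hasGroupMembership(PROTECTED_GROUP_NAME, subject)) {
                String netId = subject.attributeValue(UID_ATTRIBUTE);
                // build the replacement from scratch: no attribute of the original is carried over
                Map<String, Set<String>> redacted = new TreeMap<>();
                redacted.put(RESTRICTED_ATTRIBUTE_NAME, Set.of(RESTRICTED_ATTRIBUTE_VALUE));
                results.add(new Subject(subject.id(), netId, redacted));
            } else {
                results.add(subject);
            }
        }
        return results;
    }

    public static void main(String[] args) {
        // constructed sample subjects and memberships
        Subject alice = new Subject("1001", "Alice Staff",
            Map.of("uid", Set.of("astaff"), "mail", Set.of("astaff@example.edu")));
        Subject bob = new Subject("2002", "Bob Student",
            Map.of("uid", Set.of("bstudent"), "mail", Set.of("bstudent@example.edu")));
        Subject helpdesk = new Subject("3003", "Help Desk", Map.of());
        Subject registrar = new Subject("4004", "Registrar", Map.of());
        MembershipResult memberships = new MembershipResult(Map.of(
            PROTECTED_GROUP_NAME, Set.of("2002"),
            PRIVILEGED_GROUP_NAME, Set.of("4004")));

        System.out.println("helpdesk sees:  " + filter(helpdesk, List.of(alice, bob), memberships));
        System.out.println("registrar sees: " + filter(registrar, List.of(alice, bob), memberships));
    }
}
```

Two points carry over from the posted hook. The membership checks key on the subject id rather than on the display name, so a protected subject cannot escape redaction by having an unusual or duplicate name. And the replacement subject is constructed empty and given only the marker attribute, rather than copying the original and deleting known fields: an attribute added to the directory later is withheld by default instead of leaking because nobody extended a deny-list. As in the original, the group memberships for the whole result set are resolved once up front, so the cost of the filter does not grow with per-subject lookups.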