
Mon, June 13, 2005 uPortal Conference, Baltimore, MD

Dan Ellentuck, Columbia University

Configuring uPortal Groups and Permissions


Agenda

• Rationale and functions
• Service structure
• Composite Group Service configuration
• Group service components configuration
• Common services configuration
• Permission service configuration
• GAP Managers


Overview

Configuration for:
• uPortal 2.4+
• Possible to backport to uPortal 2.1+

Not applicable:
• uPortal 3

Also note significant changes for uPortal 2.6


Requirements

• Need for authorization
• Role-based
• Use widely-dispersed information
• Model complex organization
• Granular permissions


AuthZ Functions in uPortal

3 Flavors:

• Framework
• Individual Channels
• Portlets


AuthZ Functions in uPortal

Framework

Protect portal functions and content:

Access to publishing.

Right to subscribe/render a channel.


AuthZ Functions in uPortal

Individual Channels

Protect functions and content private to the channel:

Must be an org.jasig.portal.IChannel.

Announcements Channel: Create Topic and Delete Announcement.

Groups Manager Channel: Create, Delete, Select a specific group.


AuthZ Functions in uPortal

Portlets

Protect functions and content via isUserInRole()

See: org.jasig.portal.container.servlet.ServletRequestImpl.isUserInRole(String role)

Translates the role name into the group key named in its role reference


Group Functions in uPortal

Separation of concerns:
• Group membership
• Authorization

Current Responsibilities:
• Supply user roles for authorization
• Categorize portal entities (channel categories)
• Customize content (AL, DL)


Agenda

• Rationale and functions
• Service structure
• Common services configuration
• Composite Group Service configuration
• Group service components configuration
• Permission service configuration
• GAP Managers


GAP Service Dependencies

Layered dependencies, bottom to top:

JDK + supporting libs: XML libs, Commons, JDK etc…
uPortal services: Entity Types, Properties, RDBM, Sequence etc…
GAP common services: Caching, Locking
GAP services: Groups, Permissions


Group Service facade

Service api (simplified):

{
  public IEntityGroup findGroup(String key);
  public IEntity getEntity(String key, Class type);
  public IEntityGroup newGroup(Class type, String serviceName);
  public EntityIdentifier[] searchForEntities(String query, int method, Class type);
  public EntityIdentifier[] searchForGroups(String query, int method, Class leaftype);
}


Authorization service façade

3 separate façades:

• AuthorizationPrincipal
• PermissionsManager
• UpdatingPermissionsManager


Authorization service façade

IAuthorizationPrincipal
• Represents a user or group
• Service api (simplified):

{
  public IPermission[] getAllPermissions();
  public IPermission[] getPermissions();
  public boolean hasPermission(String owner, String activity, String target);
  public boolean hasPermission(String owner, String activity, String target, IPermissionPolicy policy);
}


Authorization service façade

IPermissionManager
• Represents a read-only application
• Service api (simplified):

{
  public IPermission[] getAllPermissions(IAuthorizationPrincipal principal, String activity, String target);
  public IAuthorizationPrincipal[] getAuthorizedPrincipals(String activity, String target);
  public IPermission[] getPermissions(String activity, String target);
  public IPermission[] getPermissions(IAuthorizationPrincipal principal, String activity, String target);
}


Authorization service façade

IUpdatingPermissionManager

• Represents an updating application
• Extends IPermissionManager
• Service api (simplified):

{
  public void addPermissions(IPermission[] permissions);
  public IPermission newPermission(IAuthorizationPrincipal principal);
  public void removePermissions(IPermission[] permissions);
  public void updatePermissions(IPermission[] permissions);
}


Agenda

• Rationale and functions
• Service structure
• Composite Group Service configuration
• Common services configuration
• Group service components configuration
• Permission service configuration
• GAP Managers


Composite Group Service

Diagram: Group Service clients call the Composite Group Service (a GAP common service inside uPortal), which delegates to its components. Member keys use the composite form "<service>.<key>", so a group in one component can hold groups from another:

component “local” (backed by the uPortal db)
  Group 0 {local.1, dan, ben}
  Group 1 {local.n, pags.1, ben}
  Group n {…}

component “pags” (backed by Person Directory)
  Group 0 {pags.1, pags.n}
  Group 1 {…}
  ..
  Group n {…}

component “other” (backed by another source)
  Group A {other.B, other.C}
  Group B {don, pete}
  Group C {…}


Composite Group Service

compositeGroupServices.xml…

<servicelist defaultService="local" compositeFactory="org.jasig.portal…">
  <service>
    <name>local</name>
    <service_factory>org.jasig...etc</service_factory>
    <entity_store_factory>org.jasig...etc</entity_store_factory>
    <group_store_factory>org.jasig...etc</group_store_factory>
    <entity_searcher_factory>org.jasig...etc</entity_searcher_factory>
    <internally_managed>true</internally_managed>
    <caching_enabled>true</caching_enabled>
  </service>
  <service>
    <name>pags</name>
    <service_factory>org.jasig...etc</service_factory>
    <entity_store_factory>org.jasig...etc</entity_store_factory>
    <group_store_factory>org.jasig...etc</group_store_factory>
    <entity_searcher_factory>org.jasig...etc</entity_searcher_factory>
    <internally_managed>false</internally_managed>
    <caching_enabled>true</caching_enabled>
  </service>
  ...
</servicelist>


Composite Group Service

Component Service Descriptor

<service>
  <name>local</name>
  <service_factory>org.jasig.portal.groups.ReferenceIndividualGroupServiceFactory</service_factory>
  <entity_store_factory>org.jasig.portal.groups.ReferenceEntityStoreFactory</entity_store_factory>
  <group_store_factory>org.jasig.portal.groups.ReferenceEntityGroupStoreFactory</group_store_factory>
  <entity_searcher_factory>org.jasig.portal.groups.ReferenceEntitySearcherFactory</entity_searcher_factory>
  <internally_managed>true</internally_managed>
  <caching_enabled>true</caching_enabled>
</service>


Composite Group Service

Interface for IEntityGroupStore

{
  public boolean contains(IEntityGroup group, IGroupMember member);
  public void delete(IEntityGroup group);
  public IEntityGroup find(String key);
  public Iterator findContainingGroups(IGroupMember gm);
  public Iterator findEntitiesForGroup(IEntityGroup group);
  public ILockableEntityGroup findLockable(String key);
  public String[] findMemberGroupKeys(IEntityGroup group);
  public Iterator findMemberGroups(IEntityGroup group);
  public IEntityGroup newInstance(Class entityType);
  public EntityIdentifier[] searchForGroups(String query, int method, Class leaftype);
  public void update(IEntityGroup group);
  public void updateMembers(IEntityGroup group);
}


Composite Group Service

Interface for READ-ONLY IEntityGroupStore

{
  public boolean contains(IEntityGroup group, IGroupMember member);
  public IEntityGroup find(String key);
  public Iterator findContainingGroups(IGroupMember gm);
  public Iterator findEntitiesForGroup(IEntityGroup group);
  public String[] findMemberGroupKeys(IEntityGroup group);
  public Iterator findMemberGroups(IEntityGroup group);
  public EntityIdentifier[] searchForGroups(String query, int method, Class leaftype);
}


Agenda

• Rationale and functions
• Service structure
• CompositeGroupService configuration
• Group service components configuration
• Common services configuration
• Permission service configuration
• GAP Managers


Group components configuration

Available in baseline uPortal:
• Local
• PAGS
• Filesystem
• LDAP

Locally developed:
• JitLDAP (University of Calgary, Matthew Ling)
• SQL (Columbia University)


Group components configuration

Common Conventions:
• Config files in properties/groups
• Xml document w/ <group-store> and <group> elements
• <group> element contains membership rules
• Except for local, READ-ONLY


Group components configuration

“local” group service
• In portal db
• No configuration required
• Supports read-write access


Group components configuration

Person Attribute Group Service (“PAGS”)
• Client of Person Directory
• Tests value of IPerson attributes
• Testers include String, regex comparisons
• Tests can be combined with operators AND, OR
• Read-Only (but will be updatable in 2.6)


Group components configuration

Person Attribute Group Service (“PAGS”)

<group>
  <group-key>2</group-key>
  <group-name>Short First Names</group-name>
  <group-description>
    Portal users whose first names are between 1 and 5 characters long
  </group-description>
  <selection-test>
    <test-group>
      <test>
        <attribute-name>givenName</attribute-name>
        <tester-class>org.jasig.portal.groups.pags.testers.RegexTester</tester-class>
        <test-value>^.{1,5}$</test-value>
      </test>
    </test-group>
  </selection-test>
  <members>
    <member-key>3</member-key>
  </members>
</group>


Group components configuration

Filesystem Group Service
• Groups are files and directories
• Read-only
• Files contain lists of member keys
• Component Service descriptor:

<service groupsRoot="C:/groups">
  <name>filesystem</name>
  <service_factory>...</service_factory>
  <entity_store_factory>...</entity_store_factory>
  <group_store_factory>...</group_store_factory>
  <entity_searcher_factory>...</entity_searcher_factory>
  <internally_managed>false</internally_managed>
  <caching_enabled>false</caching_enabled>
</service>


Group components configuration

Entity-testing vs. Group-testing

Group-testing (filesystem)

The group is the file /mydir/.../myGroup, whose contents are the member keys Tom, Paul, Mary.

filesystem.myGroup.getMembers()
returns {Tom, Paul, Mary}


Group components configuration

Entity-testing vs. Group-testing

Entity-testing (PAGS)

<group>
  <group-key>myGroup</group-key>
  <group-name>PAGS Test Users</group-name>
  <group-description>
    Users whose user names equal Tom, Paul or Mary
  </group-description>
  <selection-test>
    <test-group>
      <test>
        <attribute-name>uid</attribute-name>
        <tester-class>org.jasig.portal.groups.pags.testers.RegexTester</tester-class>
        <test-value>Tom|Paul|Mary</test-value>
      </test>
    </test-group>
  </selection-test>
</group>

PAGS.myGroup.getMembers()
returns {}
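The two PAGS slides above (the AND/OR test combination and this entity-testing example) can be modelled in a few lines. This is an added Python example, not uPortal code; it assumes tests inside one <test-group> are AND-ed, <test-group>s are OR-ed, RegexTester uses find semantics, and a multi-valued attribute passes when any value passes.

```python
"""Added model of a PAGS <group> selection-test; example code, not uPortal's.
Assumptions: tests inside one <test-group> are AND-ed, <test-group>s are OR-ed,
RegexTester uses find semantics, and a multi-valued attribute passes when any
value passes. Only the RegexTester shown on the slides is modelled."""
import re
import xml.etree.ElementTree as ET

REGEX_TESTER = "org.jasig.portal.groups.pags.testers.RegexTester"

# The PAGS group from the slide, with its whitespace restored.
PAGS_GROUP_XML = """
<group>
  <group-key>myGroup</group-key>
  <group-name>PAGS Test Users</group-name>
  <group-description>Users whose user names equal Tom, Paul or Mary</group-description>
  <selection-test>
    <test-group>
      <test>
        <attribute-name>uid</attribute-name>
        <tester-class>org.jasig.portal.groups.pags.testers.RegexTester</tester-class>
        <test-value>Tom|Paul|Mary</test-value>
      </test>
    </test-group>
  </selection-test>
</group>
"""


def _run_test(test, person):
    """Apply one <test> to a person given as {attribute-name: value or [values]}."""
    name = test.findtext("attribute-name").strip()
    tester = test.findtext("tester-class").strip()
    pattern = re.compile(test.findtext("test-value").strip())
    if tester != REGEX_TESTER:
        raise ValueError("tester class not modelled: " + tester)
    values = person.get(name, [])
    if isinstance(values, str):
        values = [values]
    return any(pattern.search(v) is not None for v in values)


def contains(group_xml, person):
    """Entity-testing: decide membership for the one person handed to the service."""
    root = ET.fromstring(group_xml)
    groups = root.findall("selection-test/test-group")
    return any(all(_run_test(t, person) for t in tg.findall("test")) for tg in groups)


def get_members(group_xml):
    """PAGS never enumerates: it can only test a person it is given, so the
    member set of a PAGS group comes back empty, as the slide shows."""
    return set()
```

Under find semantics an unanchored pattern such as Tom|Paul|Mary also matches longer names like Tommy; anchoring the pattern, as the earlier ^.{1,5}$ slide does, prevents that.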


Agenda

• Rationale and functions
• Service structure
• CompositeGroupService configuration
• Group service components configuration
• Common services configuration
• Permission service configuration
• GAP Managers


Common Service configuration

Concurrency properties:

portal.properties
. . .
# Concurrency Services settings:
#
# multiServer (true/false) indicates if the portal will run in multiple jvms.
#
# clockTolerance (in milliseconds) sets a fudge factor to account for system clocks
# on different hosts. Only used when org.jasig.portal.concurrency.multiServer=true.
#
# Defaults: multiServer=false
#           clockTolerance=5000
#
org.jasig.portal.concurrency.multiServer=false
org.jasig.portal.concurrency.clockTolerance=5000


Common Service configuration

Multi-Server=true/false
• Entity locks in memory/in db
• Cache invalidations


Common Service configuration

Locking properties:

portal.properties
. . .
# Entity Lock Service settings:
#
# * defaultLockDuration sets the default lock duration in seconds. Locks can also be
#   requested for specific durations.
#
# Defaults: defaultLockDuration=300
#
org.jasig.portal.concurrency.IEntityLockServiceFactory=org.jasig.portal.concurrency.locking.ReferenceEntityLockServiceFactory
org.jasig.portal.concurrency.IEntityLockService.defaultLockDuration=300


Common Service configuration

Caching properties:

portal.properties
. . .
# Entity Caching Service settings:
#
# * defaultMaxCacheSize - the default value for maximum number of entries in a
#   cache.
# * defaultSweepInterval - the default value in seconds for the interval between
#   cache sweeps.
# * defaultMaxIdleTime - the default value in seconds for the time after which a
#   cache entry may be purged if it has not been accessed.
#
org.jasig.portal.concurrency.IEntityCachingService.defaultMaxCacheSize=1000
org.jasig.portal.concurrency.IEntityCachingService.defaultSweepInterval=60
org.jasig.portal.concurrency.IEntityCachingService.defaultMaxIdleTime=1800


Agenda

• Rationale and functions
• Service structure
• CompositeGroupService configuration
• Group service components configuration
• Common services configuration
• Permission service configuration
• GAP Managers


Permission service configuration

2 ways to configure:

• Custom permissions policy
• Permissions store


Permission Service Configuration

Service configuration:

portal.properties
. . .
# Authorization Service settings:
#
# * IPermissionStore.implementation is the permission store.
# * IPermissionPolicy.defaultImplementation is the permission policy used when not
#   overridden at runtime (see IAuthorizationPrincipal.hasPermission()).
# * IAuthorizationService.cachePermissions sets if permissions will be cached by
#   the entity caching service. (Default=true).
#
org.jasig.portal.security.IPermissionStore.implementation=org.jasig.portal.security.provider.RDBMPermissionImpl
org.jasig.portal.security.IPermissionPolicy.defaultImplementation=org.jasig.portal.security.provider.DefaultPermissionPolicy
org.jasig.portal.security.IAuthorizationService.cachePermissions=true


Permission Service Configuration

IPermissionPolicy interface
• Alternate default permission policy
• Overloaded IAuthorizationPrincipal.hasPermission()

{
  public boolean doesPrincipalHavePermission(IAuthorizationService service,
                                             IAuthorizationPrincipal principal,
                                             String owner,
                                             String activity,
                                             String target);
}
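To make the policy hook concrete, here is an added Python model (not uPortal's DefaultPermissionPolicy) of how a policy might answer hasPermission(owner, activity, target) for a principal whose containing groups span composite-service components. The precedence rules (own permissions first, then each layer of containing groups outward, DENY beating GRANT within a layer, default deny) and every key, owner, activity and target are assumptions made for the example.

```python
"""Added model of an IPermissionPolicy decision over a group hierarchy; example
code, not uPortal's DefaultPermissionPolicy. Assumed precedence: the principal's
own permissions are checked first, then each layer of containing groups outward;
within a layer DENY beats GRANT; no matching permission anywhere means denied.
All keys, owners, activities and targets below are constructed."""
GRANT, DENY = "GRANT", "DENY"

# Containing groups per member key (constructed). Group keys follow the slides'
# composite "<service>.<key>" convention, so a chain can cross components.
CONTAINING = {
    "dan": ["local.0", "local.1"],
    "ben": ["local.0"],
    "pete": ["other.B"],
    "other.B": ["local.1"],
    "local.0": ["local.1"],
    "local.1": ["pags.1"],
}

# Permission store rows (constructed): (principal, owner, activity, target, type).
PERMISSIONS = [
    ("local.1", "UP_FRAMEWORK", "SUBSCRIBE", "CHAN_ID.42", GRANT),
    ("local.0", "UP_FRAMEWORK", "SUBSCRIBE", "CHAN_ID.42", DENY),
    ("dan",     "UP_FRAMEWORK", "SUBSCRIBE", "CHAN_ID.42", GRANT),
    ("pags.1",  "UP_FRAMEWORK", "PUBLISH",   "ALL",        GRANT),
]


def _decide(keys, owner, activity, target):
    """Outcome for one layer of principals, or None if that layer is silent."""
    types = {p[4] for p in PERMISSIONS
             if p[0] in keys and p[1:4] == (owner, activity, target)}
    if DENY in types:
        return False
    if GRANT in types:
        return True
    return None


def does_principal_have_permission(principal, owner, activity, target):
    """Walk outward from the principal through its containing groups."""
    layer, seen = [principal], {principal}
    while layer:
        decision = _decide(set(layer), owner, activity, target)
        if decision is not None:
            return decision
        nxt = []
        for key in layer:
            for group in CONTAINING.get(key, []):
                if group not in seen:  # guards against membership cycles
                    seen.add(group)
                    nxt.append(group)
        layer = nxt
    return False  # nothing matched at any layer: default deny
```

With this data dan's own GRANT wins over the DENY on local.0, while ben, who has no permission of his own, is denied by that same group before local.1's GRANT is ever reached.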


Agenda

• Rationale and functions
• Service structure
• CompositeGroupService configuration
• Group service components configuration
• Common services configuration
• Permission service configuration
• GAP Managers


Manager Channels

• Manager Channels are service clients

• Transactional state in service

• Alternate managers


Manager Channels

Groups Manager channel


Manager Channels

Groups Manager configuration:

portal.properties
. . .
# Retrieval limits for Groups Manager.
# Limit the number of group members that should be enumerated when the Groups Manager
# generates an XML representation of the groups hierarchy
#
org.jasig.portal.channels.groupsmanager.wrappers.GroupWrapper.limitRetrievals=true
org.jasig.portal.channels.groupsmanager.wrappers.GroupWrapper.retrievalLimit=25


GAP Resources

Groups and Permissions wiki: http://jasigch.princeton.edu:9000/display/GAP/Home

uPortal mailing lists:
• jasig-portal@unm.edu
  – Discuss anything related to uPortal
• jasig-dev@unm.edu
  – Membership restricted to uPortal framework developers
  – Coordination of development work


Speaker: Dan Ellentuck

Presentation Title: Configuring Groups and Permissions

Date: 6/13/2005

Time: 2:00 PM – 3:00 PM

Speaker Info:

The End

Questions?