Скачать презентацию Penn Groups Penn Groups Central Authorization System June Скачать презентацию Penn Groups Penn Groups Central Authorization System June

4d3bbb0b3da0f927aa8104c6087e1d0a.ppt

  • Количество слайдов: 25

Penn Groups Penn. Groups Central Authorization System June 2009 Penn Groups Penn. Groups Central Authorization System June 2009

Penn Groups Penn. Groups } Penn. Groups is derived from the Internet 2 open Penn Groups Penn. Groups } Penn. Groups is derived from the Internet 2 open source Grouper initiative } Has been adopted and deployed at many other universities (Brown, Cornell, Yale) } Penn has a programmer on the Grouper development team to enhance the baseline product (UI, web services, SQL loaded groups) – Better meets the needs of Penn – Provides additional useful functionality to other grouper users } Penn. Groups will be managed by ISC-Data Administration – Transition from dev team and definition of service level is in progress } There is no additional charge to use Penn. Groups including consulting from ISC 3/17/2018 Central Authorization at the University of Pennsylvania 2

Penn Groups Penn. Groups Internet 2 Grouper } Open source group management } Internet Penn Groups Penn. Groups Internet 2 Grouper } Open source group management } Internet 2 has been working on group management for 8 years } Generally used in educational institutions, but could be anywhere } Funded by Internet 2 3/17/2018 University of Pennsylvania 3

Penn Groups Penn. Groups Why use Penn. Groups? } } } Instead of apps Penn Groups Penn. Groups Why use Penn. Groups? } } } Instead of apps managing own groups Reuse group lists Central place to see which groups a person is in Central auditing of group and membership actions Central management of authorization Security: – Who can view/edit groups and memberships – Opt-in/Opt-out – Delegate authority } Automatic or manual membership management } Composite groups for group match: and / or / minus } Groups of groups 3/17/2018 University of Pennsylvania 4

Penn Groups Penn. Groups How It Works } Authorization by application } After authentication Penn Groups Penn. Groups How It Works } Authorization by application } After authentication the application can interrogate Penn. Groups for access to group membership data – Web services – LDAP } Changes to group membership are reflected automatically and propagate to the application dynamically 3/17/2018 Central Authorization at the University of Pennsylvania 5

Penn Groups Penn. Groups Managing Penn. Groups } Two modes for creating and managing Penn Groups Penn. Groups Managing Penn. Groups } Two modes for creating and managing groups – Automated • Web services - build and run a query from your data store and send group membership information to Penn. Groups via the web service API • SQL loaded groups– Configure a SQL query within the Penn. Groups UI to run on a scheduled basis to modify group membership – Manual • UI – log onto the Penn. Groups UI to manually manage your group membership – You cannot manually add members to or remove members from a group that is managed in an automated fashion – You can simulate this with include/exclude composite groups 3/17/2018 Central Authorization at the University of Pennsylvania 6

Penn Groups Penn. Groups Hierarchy 3/17/2018 Central Authorization at the University of Pennsylvania 7 Penn Groups Penn. Groups Hierarchy 3/17/2018 Central Authorization at the University of Pennsylvania 7

Penn Groups Penn. Groups in a Decentralized Environment } When School/Center is integrating with Penn Groups Penn. Groups in a Decentralized Environment } When School/Center is integrating with Penn. Groups – LSP (local support provider)/ application developer contacts ISC: penngroups-help@lists. upenn. edu – LSP/developer and ISC collaborate to: • Establish authorization use cases for the specific application • Determine access method (LDAP or Web Services) • Determine best approach for group creation and maintenance – School/Center fills out access forms – ISC consults with LSP/developer on group hierarchy structure 3/17/2018 Central Authorization at the University of Pennsylvania 8

Penn Groups Penn. Groups Use Cases } PTO – Paid Time Off – – Penn Groups Penn. Groups Use Cases } PTO – Paid Time Off – – – Self service system used to request/track vacation/sick time Penn Groups provides the flexibility so that the user selects their approver for time off. Time off can be routed and approved by other than a direct supervisor } Warehouse Apps – Only active employess in certains orgs are allowed to access the application } Secure Share – Can share files with a group of collaborators } Email lists (coming soon) } Facilities Website – Only facilities employees or contractors can access the facilities website 3/17/2018 Central Authorization at the University of Pennsylvania 9

Penn Groups Penn. Groups architecture 3/17/2018 Central Authorization at the University of Pennsylvania 10 Penn Groups Penn. Groups architecture 3/17/2018 Central Authorization at the University of Pennsylvania 10

Penn Groups Grouper user interface (continued) 3/17/2018 Central Authorization at the University of Pennsylvania Penn Groups Grouper user interface (continued) 3/17/2018 Central Authorization at the University of Pennsylvania 11

Penn Groups Grouper web services } Penn/Internet 2 spent a lot of effort in Penn Groups Grouper web services } Penn/Internet 2 spent a lot of effort in winter/spring 2008 to help create the Grouper web services } They can be REST or SOAP } They can be simple “Lite” calls, or batched } REST accepts formats: XML, XHTML, JSON, HTTP params } There a dozen operations exposed, including managing: – Groups – Memberships – Permissions – Folders } Penn uses HTTP credentials sent to kerberos and penn: etc: web. Service. Users group required for authorization 3/17/2018 ISC, ASTT 12

Penn Groups Grouper web services (continued) 3/17/2018 Central Authorization at the University of Pennsylvania Penn Groups Grouper web services (continued) 3/17/2018 Central Authorization at the University of Pennsylvania 13

Penn Groups Grouper web services (continued) 3/17/2018 Central Authorization at the University of Pennsylvania Penn Groups Grouper web services (continued) 3/17/2018 Central Authorization at the University of Pennsylvania 14

Penn Groups Grouper web services (continued) 3/17/2018 Central Authorization at the University of Pennsylvania Penn Groups Grouper web services (continued) 3/17/2018 Central Authorization at the University of Pennsylvania 15

Penn Groups Penn. Groups LDAP } There is a Grouper LDAP provisioning connector called Penn Groups Penn. Groups LDAP } There is a Grouper LDAP provisioning connector called LDAPPC, though Penn does not use this } We have some simple triggers in Oracle which add records to a change log } Then a process pulls records off of that table to sends diffs to open. LDAP (runs every 10 minutes) } Daily all records are refreshed } Only users in penn: etc: ldap. Users can login to ldap } Users can only read group membership lists they have privileges to read in Grouper 3/17/2018 Central Authorization at the University of Pennsylvania 16

Penn Groups Grouper client } LDAP and web services are low level } Grouper Penn Groups Grouper client } LDAP and web services are low level } Grouper client exposes Grouper LDAP and web services to a command line API or a Java library } It can also be used to generate custom web service samples (can log requests and responses) } Institutions can customize the client before distributing so the LDAP config is done (e. g. Penn allows ID lookups) } Callers aren’t tied to output, they can tell the client the output format that is expected 3/17/2018 Central Authorization at the University of Pennsylvania 17

Penn Groups Grouper client (continued) 3/17/2018 Central Authorization at the University of Pennsylvania 18 Penn Groups Grouper client (continued) 3/17/2018 Central Authorization at the University of Pennsylvania 18

Penn Groups Grouper client (continued) } Sample command line web service call: c: grouper> Penn Groups Grouper client (continued) } Sample command line web service call: c: grouper> java -jar grouper. Client. jar --operation=get. Members. Ws --group. Names=a. Stem: a. Group --output. Template=${index}: ${subject. id} 0: 12345 1: 23456 c: grouper> } Sample Java web service call: Ws. Add. Member. Results ws. Add. Member. Results = new Gc. Add. Member(). assign. Group. Name("a. Stem: a. Group"). add. Subject. Id("12345"). execute(); 3/17/2018 Central Authorization at the University of Pennsylvania 19

Penn Groups Grouper loader } Penn contributed the “Grouper loader” in spring 2008 } Penn Groups Grouper loader } Penn contributed the “Grouper loader” in spring 2008 } This keeps groups in sync with results of sql queries 3/17/2018 Central Authorization at the University of Pennsylvania 20

Penn Groups Grouper loader (continued) 3/17/2018 Central Authorization at the University of Pennsylvania 21 Penn Groups Grouper loader (continued) 3/17/2018 Central Authorization at the University of Pennsylvania 21

Penn Groups Grouper loader (continued) SQL> select * from authz_employee_active_v where rownum < 10 Penn Groups Grouper loader (continued) SQL> select * from authz_employee_active_v where rownum < 10 PENN_ID -----12345 12346 12347 12348 12349 12350 12351 12352 12353 3/17/2018 PENN_NAME ------------jsmith asmith bsmith rjohnson sjohnson tjohnson ajones bjones cjones Central Authorization at the University of Pennsylvania 22

Penn Groups Grouper loader (continued) 3/17/2018 Central Authorization at the University of Pennsylvania 23 Penn Groups Grouper loader (continued) 3/17/2018 Central Authorization at the University of Pennsylvania 23

Penn Groups Grouper loader (continued) SQL> select * from employee_org_groups_v where rownum < 10 Penn Groups Grouper loader (continued) SQL> select * from employee_org_groups_v where rownum < 10 SUBJECT_ID -----12345 12346 12347 12348 12349 12350 12351 12352 12353 3/17/2018 GROUP_NAME ------------penn: community: employee: orgs: employee. Org 123 penn: community: employee: orgs: employee. Org 124 penn: community: employee: orgs: employee. Org 128 Central Authorization at the University of Pennsylvania 24

Penn Groups Penn. Groups More Information } For technical documentation see the Internet 2 Penn Groups Penn. Groups More Information } For technical documentation see the Internet 2 Grouper wiki at: – Penn. Groups site: • http: //www. upenn. edu/computing/penngroups/ – Penn. Groups wiki: • http: //prowiki. isc. upenn. edu/wiki/Penn. Groups – Grouper product • https: //wiki. internet 2. edu/confluence/display/Grouper. WG/Grouper+Project – Grouper project • https: //wiki. internet 2. edu/confluence/display/Grouper. WG/Grouper+Project – Web services info • 3/17/2018 https: //wiki. internet 2. edu/confluence/display/Grouper. WG/Grouper+-+Web+Services Central Authorization at the University of Pennsylvania 25