Grouper / GRP-899

wheel group members should be able to edit any rules



    • Improvement
    • Resolution: Fixed
    • Minor
    • 2.1.4
    • 2.1.3
    • API
    • None


      If I dropped and recreated the rule it was valid. When I tried to change a value in the UI, that’s when (I think) the rule becomes invalid. Changing a value seems to trigger “validate” using the current user as the “creator” of the rule.

      The new error message I get is:
      INVALID: Subject: Subject id: gagns, sourceId: ldap cannot act as subject: Subject id: GrouperSystem, sourceId: g:isa based on grouper.properties: rules.act.as.group

      Gagns is my currently logged in user/subject. It’s a member of etc:sysadmingroup.

      Why does the rule check whether my account can act as GrouperSystem? I thought that rules ran in the background using the GrouperSystem account, not the current user. Maybe it should be modified so that when GrouperSystem is the ruleActAsSubjectId the user should only require “isWheelAccount”? Or even simpler, if the current user is Wheel, don’t check if it can ActAs another subject.

      From: Chris Hyzer
      Sent: 22 April 2013 13:37
      To: Gagné Sébastien
      Cc: grouper-core
      Subject: RE: Leftover privileges

      You should never change the value of ruleValid, that is managed by grouper when the rule is valid or not.

      Yes, the design of the function is that any group that you are in (immediate or effective) will get the privs if that is why you got the privs, so if you have cyclic group admin memberships, then the behavior you see is correct. 

      There is a tweak to an error message that is hiding the underlying problem I think… can you make this tweak and drop and add the rule and see if it becomes invalid and what the error is?


      FROM: (line 195)

          if (!allowedToActAs(ruleDefinition, currentSubject, subject)) {
            return "Subject: " + GrouperUtil.subjectToString(GrouperSession.staticGrouperSession().getSubject())
                + " cannot act as subject: " + GrouperUtil.subjectToString(subject)
                + " based on grouper.properties: " + " rules.act.as.group";
          }

      TO:

          if (!allowedToActAs(ruleDefinition, currentSubject, subject)) {
            return "Subject: " + GrouperUtil.subjectToString(currentSubject)
                + " cannot act as subject: " + GrouperUtil.subjectToString(subject)
                + " based on grouper.properties: " + " rules.act.as.group";
          }


      From: Gagné Sébastien
      Sent: Monday, April 22, 2013 1:19 PM
      To: Chris Hyzer
      Cc: grouper-core@internet2.edu
      Subject: RE: Leftover privileges

      Here’s a little more information:
      If I remove, then re-add the rule, it seems fine and works as intended.

      BUT, if I modify ruleValid (from ‘T’ to ‘T’) using my wheel group user, it then switches to the error message “INVALID: Subject: Subject id: GrouperSystem, sourceId: g:isa cannot act as subject: Subject id: GrouperSystem, sourceId: g:isa based on grouper.properties: rules.act.as.group”

      Also there might be a “problem” when admins are in cyclic admin memberships. We could also say that the problem is using cyclic memberships in the first place (we don’t plan to in production, but I was testing some stuff):
      deptA-adm is member of All-Admins
      deptB-adm is member of All-Admins
      All-Admins is member of deptA-adm

      If I create a group in deptB, my personal privs will be removed (ok), privs to deptB-admin will be added (ok), but privs to deptA-adm and All-Admins will ALSO be added (not ok)

      From: Chris Hyzer
      Sent: 20 April 2013 00:54
      To: Gagné Sébastien
      Cc:
      Subject: RE: Leftover privileges

      I don’t really understand what happened here. I changed the test case to add a group as GrouperSystem, and it worked fine. Also, the message below shouldn’t be printed out if the subjects are equal or if the subject doing the work is GrouperSystem… I verified that here:

      assertTrue(RuleSubjectActAs.allowedToActAs(null, SubjectFinder.findRootSubject(), new SubjectImpl("GrouperSystem", null, null, null, "g:isa")));

      So who created your rule? What are the attribute values for it? It is valid until a group is created by GrouperSystem? Is it possible for you to give me more specifics to reproduce this, or more log stacks or whatever?
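The two behaviours the thread turns on, validating a rule as the current UI user instead of as its creator, and privileges flowing to every group the user is effectively in, even through a membership cycle, as an added standalone model. This is example code written for this page, not Grouper's RuleSubjectActAs implementation or its API. The class and function names, the sample membership data (including that gagns is a direct member of deptB-adm, which the thread only implies), the `wheel_bypass` switch that stands for the tweak proposed above, and the (actor group, target group) pair format used in place of the real `rules.act.as.group` syntax are all assumptions.

```python
"""Standalone model of two things discussed in the thread above: the act-as check
that decides whether a rule is VALID, and the effective-membership walk that
explains the cyclic-admin result. Class and function names, the membership data
and the act-as pair format are constructed for illustration; this is not
Grouper's RuleSubjectActAs code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    """Minimal stand-in for a Grouper subject: id plus source id."""
    subject_id: str
    source_id: str

    def __str__(self) -> str:
        # Same shape as the subject strings in the INVALID message quoted above.
        return f"Subject id: {self.subject_id}, sourceId: {self.source_id}"


GROUPER_SYSTEM = Subject("GrouperSystem", "g:isa")   # the root subject
GAGNS = Subject("gagns", "ldap")                      # the UI user from the thread
WHEEL_GROUP = "etc:sysadmingroup"

# Constructed sample data. DIRECT: subject -> groups it is an immediate member of.
# NESTING: group -> groups it is itself a member of (the cycle from the thread).
DIRECT = {GAGNS: {WHEEL_GROUP, "deptB-adm"}}
NESTING = {
    "deptA-adm": {"All-Admins"},
    "deptB-adm": {"All-Admins"},
    "All-Admins": {"deptA-adm"},
}


def effective_groups(subject, direct=DIRECT, nesting=NESTING):
    """Immediate plus effective groups of a subject. The visited set keeps a cyclic
    group graph from looping; it is also why deptA-adm and All-Admins get privs."""
    seen = set()
    stack = list(direct.get(subject, ()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(nesting.get(group, ()))
    return seen


class ActAsPolicy:
    def __init__(self, act_as_pairs, wheel_bypass):
        # act_as_pairs: (actor group, target group); a member of the first may act
        # as a member of the second. Stands in for rules.act.as.group; the real
        # syntax of that property may differ (assumption).
        self.act_as_pairs = act_as_pairs
        # The tweak proposed in the thread: wheel members skip the act-as lookup.
        self.wheel_bypass = wheel_bypass

    @staticmethod
    def is_member(subject, group):
        return group in effective_groups(subject)

    def allowed_to_act_as(self, actor, target):
        if actor == target or actor == GROUPER_SYSTEM:
            return True   # the two cases the thread says never fail
        if self.wheel_bypass and self.is_member(actor, WHEEL_GROUP):
            return True
        return any(self.is_member(actor, a) and self.is_member(target, t)
                   for a, t in self.act_as_pairs)

    def validate_rule(self, evaluate_as, rule_act_as):
        """Validity string when the check runs as `evaluate_as` (creator or UI user)."""
        if self.allowed_to_act_as(evaluate_as, rule_act_as):
            return "VALID"
        return (f"INVALID: Subject: {evaluate_as} cannot act as subject: {rule_act_as}"
                " based on grouper.properties: rules.act.as.group")


def validate_as_creator_and_ui_user(wheel_bypass):
    """A GrouperSystem-owned rule validated as its creator and as the UI user."""
    policy = ActAsPolicy(act_as_pairs=[], wheel_bypass=wheel_bypass)
    return {
        "as_creator": policy.validate_rule(GROUPER_SYSTEM, GROUPER_SYSTEM),
        "as_ui_user": policy.validate_rule(GAGNS, GROUPER_SYSTEM),
    }


if __name__ == "__main__":
    print("groups that receive privs:", sorted(effective_groups(GAGNS)))
    for bypass in (False, True):
        print(f"wheel_bypass={bypass}")
        for who, result in validate_as_creator_and_ui_user(bypass).items():
            print(f"  {who}: {result}")
```

Run as a script, the model reproduces both observations: the GrouperSystem rule is VALID when evaluated as GrouperSystem but, evaluated as gagns with `wheel_bypass=False`, yields exactly the INVALID line quoted in the first message, and the effective-group walk over the cyclic nesting returns deptA-adm and All-Admins alongside deptB-adm, which is the "not ok" outcome. Short-circuiting on wheel membership is only reasonable because Grouper already treats wheel members as root-equivalent; the narrower variant the thread also floats, skipping the lookup only when the act-as subject is GrouperSystem, is the same one-line change with an added `target == GROUPER_SYSTEM` condition.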





            chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)