Central Authorization System


PennGroups
Central Authorization System
June 2009
• PennGroups is derived from the Internet2 open source Grouper initiative
• It has been adopted and deployed at many other universities (Brown, Cornell, Yale)
• Penn has a programmer on the Grouper development team to enhance the baseline product (UI, web services, SQL loaded groups)
  – Better meets the needs of Penn
  – Provides additional useful functionality to other Grouper users
• PennGroups will be managed by ISC-Data Administration
  – Transition from the dev team and definition of the service level are in progress
• There is no additional charge to use PennGroups, including consulting from ISC
7/21/2015
Central Authorization at the University of Pennsylvania
2
Internet2 Grouper
• Open source group management
• Internet2 has been working on group management for 8 years
• Generally used in educational institutions, but could be used anywhere
• Funded by Internet2
Why use PennGroups?
• Instead of apps managing their own groups
• Reuse group lists
• Central place to see which groups a person is in
• Central auditing of group and membership actions
• Central management of authorization
• Security:
  – Who can view/edit groups and memberships
  – Opt-in/Opt-out
  – Delegate authority
• Automatic or manual membership management
• Composite groups for group match: and / or / minus
• Groups of groups
How It Works
• Authorization by application
• After authentication the application can interrogate PennGroups for access to group membership data
  – Web services
  – LDAP
• Changes to group membership are reflected automatically and propagate to the application dynamically
Managing PennGroups
• Two modes for creating and managing groups
  – Automated
    • Web services – build and run a query from your data store and send group membership information to PennGroups via the web service API
    • SQL loaded groups – configure a SQL query within the PennGroups UI to run on a scheduled basis to modify group membership
  – Manual
    • UI – log onto the PennGroups UI to manually manage your group membership
  – You cannot manually add members to or remove members from a group that is managed in an automated fashion
  – You can simulate this with include/exclude composite groups
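Added example (not Grouper's or Penn's code) showing the composite operations listed under "Why use PennGroups?" (and / or / minus) and the include/exclude pattern above: the loader-managed group is never edited directly, the overrides live in sibling groups (names assumed), and the effective membership is a chained composite. The `flatten` helper also resolves a group of groups; all membership data is constructed.

```python
"""Composite groups (and / or / minus) and the include/exclude pattern.

Added illustration, not Grouper's or Penn's code: membership sets below are
constructed and a group is modelled as a plain set of subject ids."""

def composite(left, right, op):
    """Combine two member sets the way a Grouper composite group does:
    'and' = intersection, 'or' = union, 'minus' = left without right."""
    if op == "and":
        return left & right
    if op == "or":
        return left | right
    if op == "minus":
        return left - right
    raise ValueError(f"unknown composite operator: {op}")

def effective_members(loaded, includes, excludes):
    """Hand-adjust an automated group without editing it directly:
    chain (loaded OR includes) MINUS excludes as two composites."""
    return composite(composite(loaded, includes, "or"), excludes, "minus")

def flatten(groups, name, path=frozenset()):
    """Resolve a group of groups: a member that is itself a group name
    contributes that group's members; `path` guards against cycles."""
    if name in path:
        return set()
    path = path | {name}
    members = set()
    for member in groups.get(name, set()):
        members |= flatten(groups, member, path) if member in groups else {member}
    return members

# Constructed data. employeeOrg123 is loader-managed, so manual changes go
# into sibling includes/excludes groups (assumed names) rather than into it.
ORG = "penn:community:employee:orgs:employeeOrg123"
GROUPS = {
    ORG: {"12345", "12346", "12347"},
    ORG + "_includes": {"12350"},  # e.g. a contractor missing from the HR feed
    ORG + "_excludes": {"12347"},  # e.g. someone who must lose access now
    "penn:apps:warehouse:users": {ORG, "12399"},  # a group containing a group
}

if __name__ == "__main__":
    print(sorted(effective_members(GROUPS[ORG], GROUPS[ORG + "_includes"],
                                   GROUPS[ORG + "_excludes"])))
    print(sorted(flatten(GROUPS, "penn:apps:warehouse:users")))
```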
PennGroups Hierarchy
PennGroups in a Decentralized Environment
• When a School/Center is integrating with PennGroups
  – The LSP (local support provider)/application developer contacts ISC: [email protected]
  – LSP/developer and ISC collaborate to:
    • Establish authorization use cases for the specific application
    • Determine the access method (LDAP or Web Services)
    • Determine the best approach for group creation and maintenance
  – School/Center fills out access forms
  – ISC consults with the LSP/developer on the group hierarchy structure
Use Cases
• PTO – Paid Time Off
  – Self service system used to request/track vacation/sick time
  – PennGroups provides the flexibility so that the user selects their approver for time off
  – Time off can be routed to and approved by someone other than a direct supervisor
• Warehouse Apps
  – Only active employees in certain orgs are allowed to access the application
• Secure Share
  – Users can share files with a group of collaborators
• Email lists (coming soon)
• Facilities Website
  – Only facilities employees or contractors can access the facilities website
PennGroups architecture
Grouper user interface (continued)
Grouper web services
• Penn/Internet2 spent a lot of effort in winter/spring 2008 to help create the Grouper web services
• They can be REST or SOAP
• They can be simple “Lite” calls, or batched
• REST accepts formats: XML, XHTML, JSON, HTTP params
• There are a dozen operations exposed, including managing:
  – Groups
  – Memberships
  – Permissions
  – Folders
• Penn authenticates the HTTP credentials against Kerberos, and membership in the penn:etc:webServiceUsers group is required for authorization
Grouper web services (continued)
PennGroups LDAP
• There is a Grouper LDAP provisioning connector called LDAPPC, though Penn does not use it
• We have some simple triggers in Oracle which add records to a change log
• A process then pulls records off that table and sends diffs to OpenLDAP (runs every 10 minutes)
• Daily, all records are refreshed
• Only users in penn:etc:ldapUsers can log in to LDAP
• Users can only read group membership lists they have privileges to read in Grouper
Grouper client
• LDAP and web services are low level
• The Grouper client exposes Grouper LDAP and web services as a command line API or a Java library
• It can also be used to generate custom web service samples (it can log requests and responses)
• Institutions can customize the client before distributing it so the LDAP config is already done (e.g. Penn allows ID lookups)
• Callers aren’t tied to the output; they can tell the client the output format that is expected
Grouper client (continued)
Grouper client (continued)
• Sample command line web service call:

    c:\grouper> java -jar grouperClient.jar --operation=getMembersWs --groupNames=aStem:aGroup --outputTemplate=${index}: ${subject.id}
    0: 12345
    1: 23456
    c:\grouper>

• Sample Java web service call:

    WsAddMemberResults wsAddMemberResults = new GcAddMember()
        .assignGroupName("aStem:aGroup")
        .addSubjectId("12345")
        .execute();
Grouper loader
• Penn contributed the “Grouper loader” in spring 2008
• It keeps groups in sync with the results of SQL queries
Grouper loader (continued)
SQL> select * from authz_employee_active_v where rownum < 10

PENN_ID   PENN_NAME
--------- -----------------------
12345     jsmith
12346     asmith
12347     bsmith
12348     rjohnson
12349     sjohnson
12350     tjohnson
12351     ajones
12352     bjones
12353     cjones
Grouper loader (continued)
SQL> select * from employee_org_groups_v where rownum < 10

SUBJECT_ID GROUP_NAME
---------- -----------------------
12345      penn:community:employee:orgs:employeeOrg123
12346      penn:community:employee:orgs:employeeOrg123
12347      penn:community:employee:orgs:employeeOrg123
12348      penn:community:employee:orgs:employeeOrg124
12349      penn:community:employee:orgs:employeeOrg124
12350      penn:community:employee:orgs:employeeOrg124
12351      penn:community:employee:orgs:employeeOrg128
12352      penn:community:employee:orgs:employeeOrg128
12353      penn:community:employee:orgs:employeeOrg128
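Added example (not Penn's or Internet2's loader code) of the sync step the loader performs on rows shaped like the view above: the (SUBJECT_ID, GROUP_NAME) pairs are grouped per GROUP_NAME and diffed against a constructed snapshot of current memberships, so only the adds and removes are applied; the same diff is what the change log feeding OpenLDAP would carry. The rule that a group missing from the query is emptied is an assumption, not something the slides state.

```python
"""Reconcile loader-managed groups with the rows of a SQL view.

Added illustration of the loader sync described on the page, not Penn's or
Internet2's loader code; rows mirror employee_org_groups_v (SUBJECT_ID,
GROUP_NAME) and the current-membership snapshot is constructed."""
from collections import defaultdict

# Constructed sample of rows from `select * from employee_org_groups_v`.
QUERY_ROWS = [
    ("12345", "penn:community:employee:orgs:employeeOrg123"),
    ("12346", "penn:community:employee:orgs:employeeOrg123"),
    ("12348", "penn:community:employee:orgs:employeeOrg124"),
]

# Constructed snapshot of what the loader currently maintains in Grouper.
CURRENT = {
    "penn:community:employee:orgs:employeeOrg123": {"12345", "12347"},
    "penn:community:employee:orgs:employeeOrg124": {"12348"},
    "penn:community:employee:orgs:employeeOrg128": {"12351"},
}

def desired_memberships(rows):
    """Turn (subject_id, group_name) rows into group -> set of subjects."""
    desired = defaultdict(set)
    for subject_id, group_name in rows:
        desired[group_name].add(subject_id)
    return dict(desired)

def plan_sync(rows, current):
    """Return {group: (to_add, to_remove)} that makes current match rows.
    A managed group that vanished from the query is emptied rather than
    left stale (an assumption here; the page does not state the policy)."""
    desired = desired_memberships(rows)
    plan = {}
    for group in sorted(set(desired) | set(current)):
        want = desired.get(group, set())
        have = current.get(group, set())
        if want != have:
            plan[group] = (want - have, have - want)
    return plan

def apply_plan(current, plan):
    """Apply the plan to a copy of the snapshot and return the new state."""
    state = {group: set(members) for group, members in current.items()}
    for group, (to_add, to_remove) in plan.items():
        state[group] = (state.get(group, set()) | to_add) - to_remove
    return state
```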
More Information
• For technical documentation see the Internet2 Grouper wiki at:
  – PennGroups site:
    • http://www.upenn.edu/computing/penngroups/
  – PennGroups wiki:
    • http://prowiki.isc.upenn.edu/wiki/PennGroups
  – Grouper product
    • https://wiki.internet2.edu/confluence/display/GrouperWG/Grouper+Project
  – Grouper project
    • https://wiki.internet2.edu/confluence/display/GrouperWG/Grouper+Project
  – Web services info
    • https://wiki.internet2.edu/confluence/display/GrouperWG/Grouper+-+Web+Services