spaces.at.internet2.edu has been upgraded to Confluence 6.15.10. If you have any questions and/or concerns, please contact us at techsupport@internet2.edu
Grouper
Child pages
  • Grouper integration with Kuali Rice
3 more child pages
Skip to end of metadata
Go to start of metadata

Wiki Home

Download Grouper

Grouper Guides

Community Contributions

Developer Resources

Grouper Website

 This topic is discussed in the "Grouper Connectors" training video.

Grouper Integration with Kuali Rice

This section descibes the efforts to integrate Kuali Rice with Grouper.  Kuali Rice KIM (Kuali Identity Management) has a Groups implementation and service, but Grouper offers different features which might scale and distribute better in an organization.  For instance Grouper has unlimited folder levels, whereas Rice only has a namespace one level deep.  Grouper can delegate control over folders and grouper.  Also, Grouper can make composite groups so if someone stops being an active employee, they will fall out of other groups.  Etc.  If you wanted to run Kuali Rice and delegate some operations to Grouper, you can use the Grouper-Rice connector.

grouperKualiRice

Installation of groups service

Get the grouper client, (note, this currently requires grouperClient v1.6+ unzip it or checkout and build):

[appadmin@lukes grouper]$ /usr/bin/svn export http://anonsvn.internet2.edu/svn/i2mi/trunk/grouper-misc/grouperClient
[appadmin@lukes grouper]$ cd grouperClient
[appadmin@lukes grouperClient]$ ant
[appadmin@lukes grouperClient]$ cd ../..

Checkout the Grouper Kim connector:

[appadmin@lukes grouper]$ /usr/bin/svn export http://anonsvn.internet2.edu/svn/i2mi/trunk/grouper-misc/grouperKimConnector
[appadmin@lukes grouper]$ cd grouperKimConnector/
[appadmin@lukes grouperKimConnector]$ cp build.example.properties build.properties
     --- edit build.properties, set where the grouperClient.jar was unzipped to, e.g.
     grouperClient.jar.name=../grouperClient/dist/grouperClient.jar
[appadmin@lukes grouperKimConnector]$ export JAVA_HOME=/opt/jdk1.6.0_16
[appadmin@lukes grouperKimConnector]$ export PATH=/opt/jdk1.6.0_16/bin:$PATH
     -- NOTE: you need Java 1.6 to build, but 1.5+ to run
[appadmin@lukes grouperKimConnector]$ ant

Copy grouperClient.jar and grouperKimConnector.jar to kr-dev/WEB-INF/lib (or whatever the Kuali rice webapp dir is if not kr-dev)

Copy grouper.client.properties to kr-dev/WEB-INF/classes (or whatever the Kuali rice webapp dir is if not kr-dev)

Edit the grouper.client.properties and set the WS connect string to the Grouper WS at your institution, include the user/pass or however you authenticate

Also insert and customize the grouperKimConnector settings in the grouper.client.properties file

Make a kr-dev/WEB-INF/classes/grouperKimOverride.xml

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                           http://www.springframework.org/schema/tx
                           http://www.springframework.org/schema/tx/spring-tx-2.0.xsd
                           http://www.springframework.org/schema/aop
                           http://www.springframework.org/schema/aop/spring-aop-2.0.xsd">
  <bean id="kimGroupService" class="edu.internet2.middleware.grouperKimConnector.group.GrouperKimGroupServiceImpl"/>
</beans>

Identify that file to Spring in Rice in rice-config.xml

<param name="rice.additionalSpringFiles">classpath:grouperKimOverride.xml</param>

If you are using the Rice sample data, you need to make sure whatever subject you are using exists in Grouper via GSH

addSubject("admin", "person", "admin");
addSubject("1", "person", "kr");

Whatever stem is configured in grouper.client.properties for kim should be created

kim.stem = kim

GSH setup:

grouperSession = GrouperSession.startRootSession();
new StemSave(grouperSession).assignName("kim").assignSaveMode(SaveMode.INSERT_OR_UPDATE).assignCreateParentStemsIfNotExist(true).save();

If you are doing the eDocLite example, create those users and groups in GSH

addSubject("user1", "person", "user1");
addSubject("user2", "person", "user2");
addSubject("user3", "person", "user3");
addSubject("user4", "person", "user4");
new GroupSave(GrouperSession.staticGrouperSession()).assignSaveMode(SaveMode.INSERT_OR_UPDATE).assignName("kim:KUALI:eDoc.Example1.IUB.Workgroup").assignCreateParentStemsIfNotExist(true).save();
new GroupSave(GrouperSession.staticGrouperSession()).assignSaveMode(SaveMode.INSERT_OR_UPDATE).assignName("kim:KUALI:eDoc.Example1.IUPUI.Workgroup").assignCreateParentStemsIfNotExist(true).save();
addMember("kim:KUALI:eDoc.Example1.IUB.Workgroup", "user1");
addMember("kim:KUALI:eDoc.Example1.IUB.Workgroup", "user2");
addMember("kim:KUALI:eDoc.Example1.IUPUI.Workgroup", "user3");
addMember("kim:KUALI:eDoc.Example1.IUPUI.Workgroup", "user4");
new GroupSave(GrouperSession.staticGrouperSession()).assignSaveMode(SaveMode.INSERT_OR_UPDATE).assignName("etc:webServiceUsers").assignCreateParentStemsIfNotExist(true).save();
addMember("etc:webServiceUsers", "GrouperSystem");

Installation of identity service

Follow the initial install instructions above.  In the grouperKimOverride.xml, include this:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                           http://www.springframework.org/schema/tx
                           http://www.springframework.org/schema/tx/spring-tx-2.0.xsd
                           http://www.springframework.org/schema/aop
                           http://www.springframework.org/schema/aop/spring-aop-2.0.xsd">
  <bean id="kimGroupService" class="edu.internet2.middleware.grouperKimConnector.group.GrouperKimGroupServiceImpl"/>
  <bean id="kimIdentityService" class="edu.internet2.middleware.grouperKimConnector.identity.GrouperKimIdentityServiceImpl"/>
</beans>

Note that you need an email address subject attribute.  Here is an example for the jdbc2 source in the Grouper sources.xml

<init-param>
       <param-name>subjectAttributeCol1</param-name>
       <param-value>email</param-value>
     </init-param>
     <init-param>
       <param-name>subjectAttributeName1</param-name>
       <param-value>EMAIL</param-value>
     </init-param>

Then you need to identify the email attribute in the grouper.client.properties

##############################
## Kuali Identity settings
##############################

kuali.identity.source.id.0 = pennperson
kuali.identity.source.nameAttribute.0 = name
kuali.identity.source.identifierAttribute.0 = PENNNAME
kuali.identity.source.emailAttribute.0 = EMAIL
kuali.identity.source.entityTypeCode.0 = PERSON

# separate a sourceId from a subjectId or sourceId
kuali.identity.sourceSeparator = ::::

# if there is this subjectId from grouper, dont untranslate to put sourceId::::subjectId
# multiple, comma separated
kuali.identity.ignoreSourceAppend.subjectIds = admin


# if the user has no email address, routing will have problems, use this default one
kuali.identity.defaultEmailAddress = idmProblems@institution.edu

Configure the grouper-ws.properties to send back those subject attributes:

# subject result attribute names when extended data is requested (comma separated)
# default is name, description
# note, these will be in addition to ws.subject.result.attribute.names
ws.subject.result.detail.attribute.names = name, description, PENNNAME, EMAIL

sd

  • No labels