Child pages
  • Managing unix commands with Grouper permissions example
Skip to end of metadata
Go to start of metadata

Summary

In this example from University of Pennsylvania, Grouper manages permissions for actions used in Linux commands.  The Grouper permissions are exported to a text file and kept in sync (batch and real time) via the grouperClient on the linux server.

Using

For someone to restart a tomcat, call a script that uses sudo to call the command to restart a tomcat:

[mchyzer@lukes clusterLinux]$ clusterTomcat tomcat_directory restart

To onboard someone, add a user to the sudoers file.  e.g. allow user mchyzer to restart tomcats (that are allowed in Grouper). 

mchyzer ALL=(appadmin) /opt/appserv/binMgmt/clusterTomcatHelper.sh *

Maybe this should be a wildcard so anyone can do this since permissions are in Grouper and you dont have to do this for each user... either way

ALL ALL=(appadmin) /opt/appserv/binMgmt/clusterTomcatHelper.sh *

At this point the user is not allowed to do anything, since they have no permissions in Grouper, and clusterTomcatHelper.sh (below) uses Grouper permissions to decide if the user can perform the action.

Go to the Grouper permissions screen, and add the user to the role for this server



Assign permissions to the user.  Note, the resource is which tomcat the user is allowed to perform actions on



Wait max two minutes, and the permissions file on the server will be updated, e.g.

[appadmin@server clusterLinux]$ more  /opt/appserv/binMgmt/clusterLinux/clusterLinuxRules.sh
# File automatically generated from PennGroups...

clusterLinux__mchyzer__app_directory__all=true
clusterLinux__mchyzer__app_directory__restart=true
clusterLinux__mchyzer__app_directory__start=true
clusterLinux__mchyzer__app_directory__status=true
clusterLinux__mchyzer__app_directory__stop=true
clusterLinux__mchyzer__app_fastUnit__status=true
[appadmin@lukes clusterLinux]$

Note the file is concerned with the user, resource (which tomcat), and action (start|stop|restart|status).  If there are other rollup actions (e.g. "all") then it will be ignored by the calling script since you cant perform "all" on the tomcat service.

Architecture

Diagram of permissions in use, cron updates, and XMPP real time updates

clusterLinuxCommandPermissions

One-time setup on the server where the permissions are needed

Create a permission definition:



Add action inheritance so "all" implies the others



Create a role for an environment



Add permission names for each application, in this case prefix the real app name with "app_"



Assign permissions to a user in the role



Permissions client real time and daemon process

Here is the source file:

/**
 * @author mchyzer
 * $Id: ClusterLinuxLogic.java,v 1.4 2012/05/21 17:01:24 mchyzer Exp $
 */
package edu.upenn.isc.clusterLinux;

import java.io.File;
import java.sql.Timestamp;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import java.util.Timer;
import java.util.TimerTask;
import java.util.TreeSet;

import org.jivesoftware.smack.packet.Message;
import org.quartz.Job;
import org.quartz.JobExecutionContext;
import org.quartz.JobExecutionException;
import org.quartz.StatefulJob;

import edu.internet2.middleware.grouperClient.api.GcGetPermissionAssignments;
import edu.internet2.middleware.grouperClient.api.GcGetSubjects;
import edu.internet2.middleware.grouperClient.collections.MultiKey;
import edu.internet2.middleware.grouperClient.util.GrouperClientUtils;
import edu.internet2.middleware.grouperClient.ws.beans.WsGetPermissionAssignmentsResults;
import edu.internet2.middleware.grouperClient.ws.beans.WsGetSubjectsResults;
import edu.internet2.middleware.grouperClient.ws.beans.WsPermissionAssign;
import edu.internet2.middleware.grouperClient.ws.beans.WsSubject;
import edu.internet2.middleware.grouperClient.ws.beans.WsSubjectLookup;
import edu.internet2.middleware.grouperClientExt.org.apache.commons.logging.Log;
import edu.internet2.middleware.grouperClientExt.xmpp.GrouperClientXmppMain;
import edu.internet2.middleware.grouperClientExt.xmpp.GrouperClientXmppMessageHandler;

/**
 *
 */
public class ClusterLinuxLogic implements Job, StatefulJob {

  /**
   * @param args
   */
  public static void main(String[] args) {
    
    log.debug("Starting cluster linux permissions daemon");
    
    //schedule full refresh job on startup
    performFullRefresh();
    
    scheduleQuartzJob();
    
    //do xmpp loop
    xmppLoop();
    
  }
 
  /**
   * schedule the full refresh job, e.g. nightly
   */
  private static void scheduleQuartzJob() {

    String jobName = "clusterLinuxFullRefreshJob";

    String quartzCronString = GrouperClientUtils.propertiesValue("clusterLinux.fullRefreshQuartzCron", false);
    
    log.debug("Scheduling cluster linux permissions daemon for quartzCron string: " + quartzCronString);
    
    GrouperClientXmppMain.scheduleJob(jobName, quartzCronString, ClusterLinuxLogic.class);
    
  }

  /** timer */
  private static Timer timer = null;

  /** timer scheduled for */
  private static long timerScheduledFor = -1;
 
  /**
   * do a full refresh in one minute (batch subsequent requests)
   */
  public static synchronized void scheduleFullRefresh() {

    //if it is already scheduled, then we are all good
    if (timer != null) {

      log.debug("Job is already scheduled at " + new Date(timerScheduledFor).toString() + ", exiting");

      return;
    }
    timer = new Timer(true);

    int timeInFuture = 1000*60;

    timerScheduledFor = System.currentTimeMillis() + timeInFuture;

    //schedule in 60 seconds
    timer.schedule(new TimerTask() {
      
      @Override
      public void run() {
        performFullRefresh();
      }
    }, timeInFuture);
  }
 
  /**
   * base folder for grouper
   * @return the folder, e.g. school:apps:clusterLinux
   */
  public static String grouperFolderBase() {
    return GrouperClientUtils.propertiesValue("clusterLinux.grouperFolderBase", true);
  }
 
  /**
   * do a full refresh in one minute (batch subsequent requests)
   */
  public static synchronized void performFullRefresh() {
    
    try {
      //let another timer be scheduled, whether from schedule or xmpp
      timer = null;
      
      String nameOfAttributeDef = grouperFolderBase() + ":permissions:tomcats:tomcatPermissionDef";
      
      String theRoleName = grouperFolderBase() + ":clusterLinuxRoles:"
          + GrouperClientUtils.propertiesValue("clusterLinux.environmentRoleExtension", true);
      
      WsGetPermissionAssignmentsResults wsGetPermissionAssignmentsResults =
        new GcGetPermissionAssignments().addAttributeDefName(nameOfAttributeDef)
          .addRoleName(theRoleName).addSubjectAttributeName("PENNNAME").execute();

      WsSubject[] wsSubjects = wsGetPermissionAssignmentsResults.getWsSubjects();
      
      //note, there is a bug where subjects arent returned...  go get them
      wsSubjects = ClusterLinuxLogic.retrieveSubjectsFromServer(wsGetPermissionAssignmentsResults);
      
      //lets make the permissions file
      StringBuilder fileContents = new StringBuilder("# File automatically generated from PennGroups...\n\n");
      
      //lets sort these so they are easier to manage
      Set<String> lines = new TreeSet<String>();
      
      if (log.isDebugEnabled()) {
        log.debug("Received "
            + GrouperClientUtils.length(wsGetPermissionAssignmentsResults.getWsPermissionAssigns())
            + " permission entries from Grouper");
      }

      for (WsPermissionAssign wsPermissionAssign : GrouperClientUtils.nonNull(
          wsGetPermissionAssignmentsResults.getWsPermissionAssigns(), WsPermissionAssign.class)) {
        
        //only worried about personal access at this time
        if (!GrouperClientUtils.equals(wsPermissionAssign.getSourceId(), "pennperson")) {
          continue;
        }
        
        //get the subject
        WsSubject wsSubject = ClusterLinuxLogic.retrieveSubject(
            wsSubjects, wsPermissionAssign.getSourceId(),
            wsPermissionAssign.getSubjectId());
        
        if (wsSubject == null) {
          throw new RuntimeException("Why is wsSubject null??? " + wsPermissionAssign.getSourceId()
            + wsPermissionAssign.getSubjectId());
        }
        
        String pennname = GrouperClientUtils.subjectAttributeValue(wsSubject,
            wsGetPermissionAssignmentsResults.getSubjectAttributeNames(), "PENNNAME");
        
        //not sure why there wouldnt be a pennname, but if not, then skip
        
        if (GrouperClientUtils.isBlank(pennname)) {
          continue;
        }

        //ok, we have pennname, extension, action, lets write the line
        String extension = GrouperClientUtils.extensionFromName(wsPermissionAssign.getAttributeDefNameName());
        String action = wsPermissionAssign.getAction();
        
        lines.add("clusterLinux__" + pennname + "__" + extension + "__" + action + "=true");
        
      }
      
      for (String line : lines) {
        fileContents.append(line).append("\n");
      }

      if (log.isDebugEnabled()) {
        log.debug("Generated file has "
            + GrouperClientUtils.length(lines)
            + " lines");
      }

      File fileToSave = new File(GrouperClientUtils.propertiesValue("clusterLinux.fileToSave", true));
      
      //save this to file (try 3 times)
      for (int i=0;i<3;i++) {
        
        try {
          
          boolean updated = GrouperClientUtils.saveStringIntoFile(fileToSave, fileContents.toString(), true, true);
          if (updated) {
            log.debug("File: " + fileToSave.getAbsolutePath() + " was saved since there were updates from Grouper");
          } else {
            log.debug("File: " + fileToSave.getAbsolutePath() + " was not saved since there were no changes from Grouper");
          }
          
          //we are done
          break;
        } catch (Exception e) {
          log.error("Error saving file", e);
        }
        GrouperClientUtils.sleep(2000);
        
      }
       
    } catch (Exception e) {
      log.error("Error in full refresh", e);
    }
    
  }

  /**
   * logger
   */
  private static Log log = GrouperClientUtils.retrieveLog(ClusterLinuxLogic.class);

  /**
   * this will be run when the quertz nightly job fires
   * @see org.quartz.Job#execute(org.quartz.JobExecutionContext)
   */
  // @Override
  public void execute(JobExecutionContext context) throws JobExecutionException {
    
    String jobName = null;
    try {
      jobName = context.getJobDetail().getName();
      if (log.isDebugEnabled()) {
        log.debug("Scheduling full refresh on job: " + jobName);
      }
      ClusterLinuxLogic.scheduleFullRefresh();
    } catch (RuntimeException re) {
      log.error("Error in job: " + jobName, re);
      throw re;
    }

  }

  /**
   * connect to xmpp, listen for messages from a certain sender (the grouper server)
   */
   private static void xmppLoop() {
     
     GrouperClientXmppMain.xmppLoop(new GrouperClientXmppMessageHandler() {
      
      @Override
      public void handleMessage(Message message) {
        
        log.debug("Received message: " + message.getBody());
        
        //whatever message we get, we know it is from the right sender based on
        //config, so just schedule a full refresh a minute from now if its not already scheduled
        scheduleFullRefresh();

      }
    });

   }


   /**
    * lookup a subject by subject id and source id
    * @param subjects
    * @param sourceId
    * @param subjectId
    * @return probably shouldnt be null, but if cant be found, then will be null
    */
   public static WsSubject retrieveSubject(WsSubject[] subjects, String sourceId, String subjectId) {
   
     for (WsSubject wsSubject : GrouperClientUtils.nonNull(subjects, WsSubject.class)) {
       if (GrouperClientUtils.equals(sourceId, wsSubject.getSourceId())
           && GrouperClientUtils.equals(subjectId, wsSubject.getId())) {
         return wsSubject;
       }
     }
     return null;
   }

   /**
    * until Penn is upgraded to Grouper 2.1, we need another query to get subjects based on bug in grouper.
    * Once this is fixed this wont be needed, the subjects will be in the permissions response
    * @param wsGetPermissionAssignmentsResults
    * @return subjects
    */
   public static WsSubject[] retrieveSubjectsFromServer(WsGetPermissionAssignmentsResults wsGetPermissionAssignmentsResults) {
     
     //make sure no dupes
     Set<MultiKey> subjectSourceAndIds = new HashSet<MultiKey>();
     
     for (WsPermissionAssign wsPermissionAssign : wsGetPermissionAssignmentsResults.getWsPermissionAssigns()) {
       if (GrouperClientUtils.equals("pennperson", wsPermissionAssign.getSourceId())) {
         subjectSourceAndIds.add(new MultiKey(wsPermissionAssign.getSourceId(), wsPermissionAssign.getSubjectId()));
       }
     }
     GcGetSubjects gcGetSubjects = new GcGetSubjects().addSubjectAttributeName("PENNNAME");
     
     //add those to the get subjects request
     for (MultiKey subjectSourceAndId : subjectSourceAndIds) {
       gcGetSubjects.addWsSubjectLookup(new WsSubjectLookup((String)subjectSourceAndId.getKey(1),
           (String)subjectSourceAndId.getKey(0), null));
     }
     
     WsGetSubjectsResults wsGetSubjectsResults = gcGetSubjects.execute();
     
     return wsGetSubjectsResults.getWsSubjects();
     
   }


}

Compile that into a jar:

<project name="clusterLinux" default="build" basedir=".">
 
  <!-- declare the ant-contrib tasks -->
  <taskdef resource="net/sf/antcontrib/antlib.xml" />

  <!-- copy build.properties if not there already -->
  <if><not><available file="build.properties" /></not>
    <then><copy file="build.example.properties" tofile="build.properties" /></then>
  </if>

  <!-- Grouper Global Build Properties -->
  <property file="${basedir}/build.properties"/>

  <target name="build" description="full build" depends="init,clean,compile,jarPrepare,jar">
  </target>

  <target name="init">
    <tstamp />

    <property name="main.source" value="src" />

    <property name="main.lib" value="lib" />

    <property name="main.bin" value="dist/bin" />
    <property name="main.outputDir" value="dist" />

    <property name="main.appName" value="clusterLinux" />
    <property name="main.jarFile" value="${main.outputDir}/${main.appName}.jar" />

    <path id="main.classpath">
      <fileset dir="${main.lib}">
        <include name="**/*.jar" />
      </fileset>
    </path>

  </target>

  <target name="clean" depends="init">
    <mkdir dir="${main.bin}" />
    <delete dir="${main.bin}" />
    <mkdir dir="${main.bin}" />

  </target>
 
  <target name="compile">
    <mkdir dir="${main.outputDir}" />
    <mkdir dir="${main.bin}" />

    <javac  target="1.6"
      srcdir="${main.source}" destdir="${main.bin}" debug="true" >
      <classpath refid="main.classpath" />    
    </javac>
 
  </target>

  <target name="jarPrepare">
    <mkdir dir="${main.bin}" />

    <copy todir="${main.bin}">
      <fileset dir="${main.source}">
        <include name="**/*.java"/>      <!-- source -->
      </fileset>
    </copy>
    
    <mkdir dir="${main.bin}/clusterLinux" />
    
    <copy todir="${main.bin}/clusterLinux" file="build.xml" />
    
  </target>

  <target name="jar">
    <tstamp>
        <format property="the.timestamp" pattern="yyyy/MM/dd HH:mm:ss" />
    </tstamp>
    <jar jarfile="${main.jarFile}" duplicate="fail">
      <fileset dir="${main.bin}" />
      <manifest>
        <attribute name="Built-By"                value="${user.name}"/>
        <attribute name="Implementation-Vendor"   value="Penn"/>
        <attribute name="Implementation-Title"    value="clusterLinux"/>
        <attribute name="Build-Timestamp"         value="${the.timestamp}"/>
      </manifest>
     </jar>
     <echo message="Output is: ${main.jarFile}" />
   </target>
 
 
</project>

Put that jar, and the other required jars from the grouper client for XMPP and quartz cron into a dir on the server:

[appadmin@lukes clusterLinux]$ ls -lat
total 6964
-rw-r--r-- 1 appadmin users      11099 May 21 14:29 clusterLinux.jar
drwxrwxr-x 2 appadmin appadmin    4096 May 21 14:04 .
-rw-r--r-- 1 appadmin users     173783 May 21 14:04 commons-beanutils.jar
-rw-r--r-- 1 appadmin users     570463 May 21 14:04 commons-collections.jar
-rw-r--r-- 1 appadmin users     468109 May 21 14:04 commons-lang.jar
-rw-r--r-- 1 appadmin users     131078 May 21 14:04 commons-logging.jar
-rw-r--r-- 1 appadmin users      86542 May 21 14:04 ezmorph.jar
-rw-r--r-- 1 appadmin users    2649669 May 21 14:04 grouperClient.jar
-rw-r--r-- 1 appadmin users     255813 May 21 14:04 json-lib.jar
-rw-r--r-- 1 appadmin users       8374 May 21 14:04 jta.jar
-rw-r--r-- 1 appadmin users     391834 May 21 14:04 log4j.jar
-rw-r--r-- 1 appadmin users     792769 May 21 14:04 quartz.jar
-rw-r--r-- 1 appadmin users    1381464 May 21 14:04 smack.jar
-rw-r--r-- 1 appadmin users        753 May 21 13:48 log4j.properties
-rw-r--r-- 1 appadmin users      17402 May 21 13:47 grouper.client.properties
-rw-r--r-- 1 appadmin users      17390 May 21 13:46 grouper.client.properties~
-rwxr-xr-x 1 appadmin users       3124 May 21 13:44 clusterLinuxPermissions
-rwxr-xr-x 1 appadmin users        306 May 21 13:41 clusterLinuxCommand.sh

Have a log4j.properties

## Grouper API error logging
log4j.appender.grouper_error                            = org.apache.log4j.RollingFileAppender
log4j.appender.grouper_error.File                       = /opt/appserv/local/clusterLinux/clusterLinux.log
log4j.appender.grouper_error.MaxFileSize                = 1000KB
log4j.appender.grouper_error.MaxBackupIndex             = 1
log4j.appender.grouper_error.layout                     = org.apache.log4j.PatternLayout
log4j.appender.grouper_error.layout.ConversionPattern   = %d{ISO8601}: [%t] %-5p %C{1}.%M(%L) - %x - %m%n

# Loggers

## Default logger; will log *everything*
log4j.rootLogger  = ERROR, grouper_error

## All Internet2 (warn to grouper_error per default logger)
#log4j.logger.edu.internet2.middleware = WARN
log4j.logger.edu.upenn.isc.clusterLinux = DEBUG

Configure the grouper.client.properties to point to the Grouper WS, XMPP, and configuration for this daemon (here are snippets)

########################################
## Web service Connection settings
########################################

# url of web service, should include everything up to the first resource to access
# e.g. http://groups.school.edu:8090/grouperWs/servicesRest
# e.g. https://groups.school.edu/grouperWs/servicesRest
grouperClient.webService.url = https://grouper.school.edu/grouperWs/servicesRest

# kerberos principal used to connect to web service
# e.g. name/server.whatever.upenn.edu
grouperClient.webService.kerberosPrincipal = clusterLinuxGrouper/school.edu

# password for shared secret authentication to web service
# or you can put a filename with an encrypted password
grouperClient.webService.password = XXXXXXXXXXX

...

################################
## XMPP client settings
## Note: you need the smack.jar in your classpath, see the grouper xmpp wiki for usage
## https://spaces.at.internet2.edu/display/Grouper/Grouper+XMPP+notifications+v1.6.0
################################


## general xmpp configuration
grouperClient.xmpp.server.host = jabber.school.edu
grouperClient.xmpp.server.port = 5222
grouperClient.xmpp.user = clusterLinuxProcess@school.edu
# note, pass can be in an external file with morphstring
grouperClient.xmpp.pass = xxxxxxxxxxxxx
grouperClient.xmpp.resource = clusterLinuxTest
# note, you need the exact id and resource here or it wont match
grouperClient.xmpp.trustedMessagesFromJabberIds = grouperjabber@school.edu/grouperServer



################################
## Cluster linux settings
################################

# when should the full refresh kick off
clusterLinux.fullRefreshQuartzCron = 0 0 4 * * ?

# cluster linux base folder in grouper
clusterLinux.grouperFolderBase = XXXXXXXX:apps:fast:clusterLinux

# must be a role in the clusterLinuxRoles folder under the base for this env
clusterLinux.environmentRoleExtension = cloudTestenvUser

# file that holds the BASH env variables
clusterLinux.fileToSave = /somefolder/clusterLinuxPermissions.sh

Here is the init.d script (which is symlinked to the real location): /opt/appserv/binMgmt/clusterLinux/clusterLinuxPermissions

#!/bin/sh
#
# Startup script for the Tomcat Server
#
# chkconfig: - 86 14
# description: Cluster Linux Permissions
# processname:
# pidfile:
# config:
# Tomcat
# description: Keeps Grouper permissions in sync with file on linux server

runningUser=`/usr/bin/whoami`

# we only want appadmin or root to be able to do this
if [ "$runningUser" != "appadmin" ]; then

  if [ "$runningUser" != "root"  ]; then

    echo "ERROR: only user appadmin or root can run administer the clusterLinuxPermissions service: '$runningUser'"
    echo
    exit 0
    
  fi

fi

case "$1" in
  start)

    echo -n "Starting Cluster linux permissions service: "
    echo

    #if there is a pid file, then stop this service
    if [ -f /opt/appserv/local/clusterLinux/clusterLinuxDaemon.pid ]; then
      $0 stop
      sleep 5      
    fi
    
    # if not appadmin, then we must be root
    if [ ! "$runningUser" == "appadmin" ]; then
      su appadmin -c /opt/appserv/binMgmt/clusterLinux/clusterLinuxCommand.sh
    else
      # if not root then we must be appadmin
      /opt/appserv/binMgmt/clusterLinux/clusterLinuxCommand.sh
    fi
    echo
    ;;
  stop)

      pid=`cat /opt/appserv/local/clusterLinux/clusterLinuxDaemon.pid`
      /bin/kill $pid

    #loop until the program is dead
    waitingForExit=true
    iterator=1

    while [ "$waitingForExit" == "true" ]; do

      processId=`/bin/ps -fp $pid | grep java | cut -c10-15`
      if [ -n "$processId" ]; then
        echo Waiting for exit...
      else
        waitingForExit=false
      fi
      
      if [ "$iterator" -gt "10" ]; then
        waitingForExit=false
      fi
      
      let "iterator += 1"    
      sleep 1
    done

      rm /opt/appserv/local/clusterLinux/clusterLinuxDaemon.pid

    echo
    ;;
  status)
    if [ -f /opt/appserv/local/clusterLinux/clusterLinuxDaemon.pid ]; then
      pid=`cat /opt/appserv/local/clusterLinux/clusterLinuxDaemon.pid`
      processId=`/bin/ps -fp $pid | grep java | cut -c10-15`
      if [ -n "$processId" ]; then
        echo "clusterLinuxPermissions is running under process ID $processId"
      else
        echo "clusterLinuxPermissions is not running"
      fi
    else
      echo "clusterLinuxPermissions is not running"
    fi

    ;;
  restart)
    echo -n "Restarting clusterLinuxPermissions: "
    $0 stop
    sleep 5
    $0 start
    echo "done."
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status}"
    exit 1
esac

Symlink to init.d

[root@server init.d]# ln -s /opt/appserv/binMgmt/clusterLinux/clusterLinuxPermissions clusterLinuxPermissions
[root@server init.d]# chkconfig --add clusterLinuxPermissions
[root@server init.d]# chkconfig --levels 345 clusterLinuxPermissions on

Start the process:

[appadmin@server clusterLinux]$ /sbin/service clusterLinuxPermissions start
Starting Cluster linux permissions service:

[appadmin@server clusterLinux]$ more /opt/appserv/local/clusterLinux/clusterLinuxDaemon.pid
25507
[appadmin@server clusterLinux]$ ps -ef | grep clusterLinux | grep -v "grep"
appadmin 25507     1  4 17:06 pts/9    00:00:04 /opt/appserv/common/java6/bin/java -cp /opt/appserv/binMgmt/clusterLinux:/opt/appserv/binMgmt/clusterLinux/* edu.upenn.isc.clusterLinux.ClusterLinuxLogic
[appadmin@server clusterLinux]$

Stop the process:

[appadmin@lukes clusterLinux]$ /sbin/service clusterLinuxPermissions stop
Waiting for exit...
[appadmin@lukes clusterLinux]$ more /opt/appserv/local/clusterLinux/clusterLinuxDaemon.pid
/opt/appserv/local/clusterLinux/clusterLinuxDaemon.pid: No such file or directory
[appadmin@lukes clusterLinux]$ ps -ef | grep clusterLinux | grep -v "grep"
[appadmin@lukes clusterLinux]$

At this point the permissions file should exist

[appadmin@server clusterLinux]$ more  /opt/appserv/binMgmt/clusterLinux/clusterLinuxRules.sh
# File automatically generated from PennGroups...

clusterLinux__mchyzer__app_directory__all=true
clusterLinux__mchyzer__app_directory__restart=true
clusterLinux__mchyzer__app_directory__start=true
clusterLinux__mchyzer__app_directory__status=true
clusterLinux__mchyzer__app_directory__stop=true
clusterLinux__mchyzer__app_fastUnit__status=true
[appadmin@lukes clusterLinux]$

That script is what the end user script calls

[mchyzer@lukes clusterLinux]$ clusterTomcat tomcat_directory restart

The command should sudo su as another user:

/usr/bin/sudo -u appadmin /somedir/whatever/clusterTomcatHelper.sh $1 $2

Another shell script (clusterTomcatHelper.sh) can be coded to use the rules from the permissions file:

#!/bin/bash

# this script *must* run as appadmin or root

runningUser=`/usr/bin/whoami`

# sudo should set this variable
loggedInUser=$SUDO_USER

if [ "$runningUser" != "appadmin" ]; then
  echo "ERROR: only user appadmin can run this command: '$runningUser'"
  echo
  exit 0
fi

# this script will start / stop / get status of tomcat

if [[ $# -ne "2" && $# -ne "3" ]]; then
  echo
  echo "ERROR: pass in the tomcat or application to affect (appName, tomcat_b, ... etc) and"
  echo "an argument to tomcat as the command line arg"
  echo "e.g. status, start, stop, restart"
  echo "optionally you can give a server to run on, or blank for all in cluster"
  echo "or 'all' to run on all nodes in every cluster (if tomcat has changed clusters)"
  echo "e.g. clusterTomcatHelper.sh tomcat_b status"
  echo "e.g. clusterTomcatHelper.sh secureShare status theprince"
  echo
  exit 1
fi

argAppName=$1
argAction=$2
argServer=$3

# make sure the argument has no spaces or special chars
function validateArg() {
  if [[ "${1}" == "" ]]; then
    return;
  fi
  #echo checking "'$1'"

  if [[ ! $1 =~ ^[a-zA-Z0-9_-]*$ ]]; then
    echo "Invalid arg '$1'"
    exit 1;
  fi
}  

validateArg "$argAppName"
validateArg "$argAction"
validateArg "$argServer"



# convert the arg to the application name, e.g. secureShare
appName=`/opt/appserv/common/binGroovy/clusterGetApplicationName.groovy $argAppName`
#echo "'$appName'"

appTomcatName=tomcat_"$appName"
#echo $appTomcatName

# get the env var name
# e.g. clusterLinux__mchyzer__app_directory__all=true
securityVarName=clusterLinux__"$loggedInUser"__app_"$appName"__"$argAction"
#echo $securityVarName

# see if it is set, if it is, it is a security problem since the ACL file should set it
eval securityVarValue=\$$securityVarName

if [[ ! "${securityVarValue}" == "" ]]; then
  echo "Why is this set? $securityVarValue???"
  exit 1;
fi

source /opt/appserv/binMgmt/clusterLinuxRules.sh

eval securityVarValue=\$$securityVarName

if [[ ! "$securityVarValue" == "true" ]]; then
  echo "User is not allowed to run the command, contact the sysadmin to get permission: $loggedInUser, $appName, $argAction"
  exit 1
fi

# ok, we are allowed to execute the command, go for it

...

sdf


Change log consumer

This is the part that is a jar installed in the Grouper loader and an edit in the grouper-loader.properties to send permissions to XMPP

/**
 * @author mchyzer
 * $Id: ClusterLinuxChangeLogConsumer.java,v 1.2 2012/05/21 17:01:24 mchyzer Exp $
 */
package edu.upenn.isc.clusterLinuxClc;

import java.util.List;

import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;

import edu.internet2.middleware.grouper.app.loader.GrouperLoaderConfig;
import edu.internet2.middleware.grouper.changeLog.ChangeLogConsumerBase;
import edu.internet2.middleware.grouper.changeLog.ChangeLogEntry;
import edu.internet2.middleware.grouper.changeLog.ChangeLogLabels;
import edu.internet2.middleware.grouper.changeLog.ChangeLogProcessorMetadata;
import edu.internet2.middleware.grouper.changeLog.ChangeLogTypeBuiltin;
import edu.internet2.middleware.grouper.util.GrouperUtil;
import edu.internet2.middleware.grouper.xmpp.XmppConnectionBean;


/**
 * change log consumer to listen for specific gruoper actions that should tell linux to refresh
 * their permissions
 */
public class ClusterLinuxChangeLogConsumer extends ChangeLogConsumerBase {

  /** */
  private static final Log LOG = GrouperUtil.getLog(ClusterLinuxChangeLogConsumer.class);

  /**
   * @see edu.internet2.middleware.grouper.changeLog.ChangeLogConsumerBase#processChangeLogEntries(java.util.List, edu.internet2.middleware.grouper.changeLog.ChangeLogProcessorMetadata)
   */
  @Override
  public long processChangeLogEntries(List<ChangeLogEntry> changeLogEntryList,
      ChangeLogProcessorMetadata changeLogProcessorMetadata) {
    
    //identifies which config is running, multiple could be running
    String consumerName = changeLogProcessorMetadata.getConsumerName();
    
    long currentId = -1;

    XmppConnectionBean xmppConnectionBean = null;
    String recipient = null;

    String grouperFolderBase = null;

    {
      String grouperFolderBaseConfigName = "changeLog.consumer." + consumerName + ".clusterLinux.grouperFolderBase";

      grouperFolderBase = GrouperLoaderConfig.getPropertyString(grouperFolderBaseConfigName, true);
    }

    boolean sendMessage = false;
    
    for (ChangeLogEntry changeLogEntry : changeLogEntryList) {

      //try catch so we can track that we made some progress
      try {

        currentId = changeLogEntry.getSequenceNumber();
        
        //only need to send once
        if (sendMessage) {
          continue;
        }

        //this might be a little aggressive, but basically if a permission or member changes in the clusterLinux folder of
        //grouper then send a refresh message
        //note: not using constants for permissions so it works in 2.0 and 2.1...
        if (StringUtils.equals("permission", changeLogEntry.getChangeLogType().getChangeLogCategory())
            && (StringUtils.equals("addPermission", changeLogEntry.getChangeLogType().getActionName())
                || StringUtils.equals("deletePermission", changeLogEntry.getChangeLogType().getActionName()))) {
          
          String permissionName = changeLogEntry.retrieveValueForLabel("attributeDefNameName");
          
          if (permissionName != null && permissionName.startsWith(grouperFolderBase)) {
            sendMessage = true;
          }          
          if (LOG.isDebugEnabled()) {
            LOG.debug("Processing changeLog #" + currentId + ", permissionName: " + permissionName
                + ", grouperFolderBase: " + grouperFolderBase
                + ", message: "
                + changeLogEntry.getChangeLogType().getChangeLogCategory() + "."
                + changeLogEntry.getChangeLogType().getActionName() + ", sendMessage: " + sendMessage
                );
          }
        } else if (changeLogEntry.equalsCategoryAndAction(ChangeLogTypeBuiltin.MEMBERSHIP_ADD)
            || changeLogEntry.equalsCategoryAndAction(ChangeLogTypeBuiltin.MEMBERSHIP_DELETE)
            || changeLogEntry.equalsCategoryAndAction(ChangeLogTypeBuiltin.MEMBERSHIP_UPDATE)) {
          
          String roleName = changeLogEntry.retrieveValueForLabel(ChangeLogLabels.MEMBERSHIP_ADD.groupName);

          if (roleName != null && roleName.startsWith(grouperFolderBase)) {
            sendMessage = true;
          }
          if (LOG.isDebugEnabled()) {
            LOG.debug("Processing changeLog #" + currentId + ", roleName: " + roleName
              + ", grouperFolderBase: " + grouperFolderBase
              + ", message: "
              + changeLogEntry.getChangeLogType().getChangeLogCategory() + "."
              + changeLogEntry.getChangeLogType().getActionName() + ", sendMessage: " + sendMessage
              );
          }
          
        } else if (StringUtils.equals("permission", changeLogEntry.getChangeLogType().getChangeLogCategory())
            && StringUtils.equals("permissionChangeOnRole", changeLogEntry.getChangeLogType().getActionName())) {
          
          //note, this is 2.1+
          
          String roleName = changeLogEntry.retrieveValueForLabel("roleName");

          if (roleName != null && roleName.startsWith(grouperFolderBase)) {
            sendMessage = true;
          }
          if (LOG.isDebugEnabled()) {
            LOG.debug("Processing changeLog #" + currentId + ", roleName: " + roleName
              + ", grouperFolderBase: " + grouperFolderBase
              + ", message: "
              + changeLogEntry.getChangeLogType().getChangeLogCategory() + "."
              + changeLogEntry.getChangeLogType().getActionName() + ", sendMessage: " + sendMessage
              );
          }
        } else {
          if (LOG.isDebugEnabled()) {
            LOG.debug("Processing changeLog #" + currentId + ", "
              + changeLogEntry.getChangeLogType().getChangeLogCategory() + "."
              + changeLogEntry.getChangeLogType().getActionName() + ", sendMessage: " + sendMessage
              );
          }
        }          
          
        //is there something to send?
        if (sendMessage) {
          
          String message = "Update permissions";
          
          if (xmppConnectionBean == null) {

            recipient = GrouperLoaderConfig.getPropertyString("changeLog.consumer."
                + consumerName + ".publisher.recipient", "");

            String xmppServer = GrouperLoaderConfig.getPropertyString("xmpp.server.host");
            int port = GrouperLoaderConfig.getPropertyInt("xmpp.server.port", -1);
            String username = GrouperLoaderConfig.getPropertyString("xmpp.user", "");
            String password = GrouperLoaderConfig.getPropertyString("xmpp.pass", "");
            String resource = GrouperLoaderConfig.getPropertyString("xmpp.resource", "");

            xmppConnectionBean = new XmppConnectionBean(xmppServer, port, username, resource, password);
            
          }
          
          xmppConnectionBean.sendMessage(recipient, message);

        }
      } catch (Exception e) {
        //we unsuccessfully processed this record... decide whether to wait, throw, ignore, log, etc...
        LOG.error("problem with id: " + currentId, e);
        changeLogProcessorMetadata.setHadProblem(true);
        changeLogProcessorMetadata.setRecordException(e);
        changeLogProcessorMetadata.setRecordExceptionSequence(currentId);
        //stop here
        return currentId;
        //continue
      }
    }

    return currentId;
  }

}

Build that consumer into a jar:

<project name="clusterLinuxChangeLogConsumer" default="build" basedir=".">

  <!-- declare the ant-contrib tasks -->
  <taskdef resource="net/sf/antcontrib/antlib.xml" />

  <!-- copy build.properties if not there already -->
  <if><not><available file="build.properties" /></not>
    <then><copy file="build.example.properties" tofile="build.properties" /></then>
  </if>

  <!-- Grouper Global Build Properties -->
  <property file="${basedir}/build.properties"/>

  <target name="build" description="full build" depends="init,clean,compile,jarPrepare,jar">
  </target>

  <target name="init">
    <tstamp />

    <property name="main.sourceChangeLogDir" value="../sourceChangeLogConsumer" />

    <property name="main.lib" value="../lib" />

    <property name="main.binChangeLogDir" value="../dist/binChangeLog" />
    <property name="main.outputDir" value="../dist" />

    <property name="main.appName" value="clusterLinuxChangeLog" />
    <property name="main.jarFileChangeLog" value="${main.outputDir}/${main.appName}.jar" />

    <path id="main.changeLogClasspath">
      <fileset dir="${main.lib}">
        <include name="**/*.jar" />
      </fileset>
      <fileset file="${grouper.jar.location}" />
    </path>

  </target>

  <target name="clean" depends="init">
    <mkdir dir="${main.binChangeLogDir}" />
    <delete dir="${main.binChangeLogDir}" />
    <mkdir dir="${main.binChangeLogDir}" />

  </target>

  <target name="compile">
    <mkdir dir="${main.outputDir}" />
    <mkdir dir="${main.binChangeLogDir}" />

    <javac  target="1.6"
      srcdir="${main.sourceChangeLogDir}" destdir="${main.binChangeLogDir}" debug="true" >
      <classpath refid="main.changeLogClasspath" />    
    </javac>
 
  </target>

  <target name="jarPrepare">
    <mkdir dir="${main.binChangeLogDir}" />

    <copy todir="${main.binChangeLogDir}">
      <fileset dir="${main.sourceChangeLogDir}">
        <include name="**/*.java"/>      <!-- source -->
      </fileset>
    </copy>
    
    <mkdir dir="${main.binChangeLogDir}/clusterLinux" />
    
    <copy todir="${main.binChangeLogDir}/clusterLinux" file="build.xml" />
    
  </target>

  <target name="jar">
    <tstamp>
        <format property="the.timestamp" pattern="yyyy/MM/dd HH:mm:ss" />
    </tstamp>
    <jar jarfile="${main.jarFileChangeLog}" duplicate="fail">
      <fileset dir="${main.binChangeLogDir}" />
      <manifest>
        <attribute name="Built-By"                value="${user.name}"/>
        <attribute name="Implementation-Vendor"   value="Penn"/>
        <attribute name="Implementation-Title"    value="clusterLinuxChangeLog"/>
        <attribute name="Build-Timestamp"         value="${the.timestamp}"/>
      </manifest>
     </jar>
     <echo message="Output is: ${main.jarFileChangeLog}" />
   </target>
 
 
</project>

If you want to log the change log, add this to the log4j.properties:

log4j.logger.edu.upenn.isc.clusterLinuxClc.ClusterLinuxChangeLogConsumer = DEBUG

If you need more debugging, try these:

log4j.logger.edu.internet2.middleware.grouper.changeLog = DEBUG

log4j.logger.edu.internet2.middleware.grouper.app.loader = DEBUG

Make the jar with ant, copy to the grouper loader lib dir, and edit the grouper-loader.properties

#####################################
## CLUSTER LINUX CONSUMER
#####################################

changeLog.consumer.clusterLinuxTest.class = edu.upenn.isc.clusterLinuxClc.ClusterLinuxChangeLogConsumer

changeLog.consumer.clusterLinuxTest.publisher.recipient = someuser@school.edu/clusterLinuxTest, anotheruser@school.edu, someuser@school.edu/clusterLinuxTestLegacy

changeLog.consumer.clusterLinuxTest.clusterLinux.grouperFolderBase = xxxxxxx:apps:fast:clusterLinux

changeLog.consumer.clusterLinuxTest.quartzCron =

Restart the loader and add/remove someone from the role, or change permissions, see an XMPP message being sent

(4:35:01 PM) PennGroups: Update permissions

Note, the body of the message isn't important... if the message comes from Grouper and goes to the grouperClient keeping the file in sync, then it will do a 1 minute delay full refresh if one isnt already scheduled (to batch up multiple changes)

If you have DEBUG logging on for the change log consumer, you will see entries like this:

120521 163500.260 [DefaultQuartzScheduler_Worker-5] DEBUG edu.upenn.isc.clusterLinuxClc.ClusterLinuxChangeLogConsumer -
Processing changeLog #3593567, permissionName: XXXXXXXXX:apps:fast:clusterLinux:permissions:tomcats:app_directory,
grouperFolderBase: XXXXXXXXX:apps:fast:clusterLinux, message: attributeAssign.deleteAttributeAssign, sendMessage: true

sdf

  • No labels