...

To provision in real time, triggered by the Grouper change log, enable the psp consumer in grouper-loader.properties and run the loader via:

bin/gsh.sh -loader

Real-Time Provisioning Example: Add Membership

The psp change log consumer is like any other Grouper change log consumer in that it processes change log entries. A change log entry consists of name-value pairs, for example groupName = stem:group.

PspChangeLogConsumer.processChangeLogEntry(513) -  - PSP Consumer 'psp' - Change log entry 'ChangeLogEntry[timestamp=2012-05-31 11:59:56.321,sequence=344,category=membership,actionname=addMembership,contextId=161defd31dcc4215a475c7ab1a72317e,id=0348b083893a460199229de0be4dc2fe,fieldName=members,subjectId=test.subject.1,sourceId=ldap,membershipType=flattened,groupId=a8808e71e3b34a4992a6a06d61356f13,groupName=edu:groupA,memberId=a456b05597884251ae4351665229acd9,fieldId=7ab712e6d9a747fba9771467d74e4e14]'

The psp change log consumer determines the change log category (in this example "membership") and change log action ("addMembership") and either ignores or processes the change log entry. Supported change log categories and actions are coded in the psp change log consumer; see the EventType enum.

Processing an "addMembership" change log entry results in a psp calc request, where the identifier to be calculated is the change log sequence number.

<psp:calcRequest returnData='everything'>
  <psp:id ID='change_log_sequence_number:344'/>
</psp:calcRequest>
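
The path from a logged change log entry to the calc request above can be reproduced offline, which helps when auditing what the consumer provisioned. The following Python sketch is an added example, not Grouper or psp code: the function names are hypothetical, the sample line is abbreviated from the log line above, and the set of handled events contains only the pair shown on this page (the real list is the EventType enum).

```python
import re

# Constructed sample: the log line shown above with some fields left out.
SAMPLE = (
    "PspChangeLogConsumer.processChangeLogEntry(513) -  - PSP Consumer 'psp' - "
    "Change log entry 'ChangeLogEntry[timestamp=2012-05-31 11:59:56.321,"
    "sequence=344,category=membership,actionname=addMembership,"
    "subjectId=test.subject.1,sourceId=ldap,groupName=edu:groupA]'"
)

# Assumption: only the category/action pair from this page's example.
HANDLED = {("membership", "addMembership")}

ENTRY_RE = re.compile(r"ChangeLogEntry\[(.*)\]")
# A value runs until the next ",name=" or the end of the entry, so a comma
# inside a value survives unless what follows looks like another name.
PAIR_RE = re.compile(r"(\w+)=(.*?)(?=,\w+=|$)")


def parse_entry(line):
    """Return the entry's name-value pairs as a dict, or None if absent."""
    match = ENTRY_RE.search(line)
    if match is None:
        return None
    return dict(PAIR_RE.findall(match.group(1)))


def calc_request_for(entry):
    """Build the calc request for a handled entry; None means ignored."""
    if (entry.get("category"), entry.get("actionname")) not in HANDLED:
        return None
    seq = entry.get("sequence", "")
    # Accept ASCII digits only, so nothing from the log can reach the XML.
    if not re.fullmatch(r"[0-9]+", seq):
        raise ValueError("sequence is not a number: %r" % seq)
    return (
        "<psp:calcRequest returnData='everything'>\n"
        "  <psp:id ID='change_log_sequence_number:%d'/>\n"
        "</psp:calcRequest>" % int(seq)
    )


if __name__ == "__main__":
    print(calc_request_for(parse_entry(SAMPLE)))
```
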

The change log data connectors know how to retrieve a change log entry from Grouper via the change log sequence number, and return attributes representing the change log entry to the attribute resolver. In general, the change log data connectors convert a Grouper change log entry into Shibboleth attribute resolver attributes.

'groupObjectclass' : top
'groupObjectclass' : groupOfNames
'groupObjectclass' : eduMember
'changeLogMembershipGroupDn' : org.openspml.v2.msg.spml.PSOIdentifier@e6acf477
'memberObjectclass' : eduMember
'changeLogMembershipMemberDn' : org.openspml.v2.msg.spml.PSOIdentifier@97ebeb3b
'changeLogMembershipGroupName' : edu:groupA
'changeLogMembershipSubjectName' : test.subject.1
'changeLogMembershipLdapSubjectId' : test.subject.1

The next step is to resolve the identifier for 'test.subject.1' for the 'member' object. The identifier for the 'member' object is the 'memberDn' attribute. The member data connector returns the 'dn' of the subject with identifier 'test.subject.1', either by lookup or from cache.

<psp:calcRequest returnData='identifier'>
  <psp:id ID='test.subject.1'/>
  <psp:schemaEntity targetID='ldap' entityName='member'/>
</psp:calcRequest>

<psp:calcResponse status='success'>
  <psp:id ID='test.subject.1'/>
  <psp:pso entityName='member'>
    <psoID ID='uid=test.subject.1,ou=people,dc=example,dc=edu' targetID='ldap'/>
  </psp:pso>
</psp:calcResponse>

Real-Time Provisioning Beta-Testing: Grouper Subject Sources

...