[midPoint] Metarole and resourceRef inheritance
Wojciech Staszewski
wojciech.staszewski at diagnostyka.pl
Sat Dec 2 18:48:48 CET 2017
Unfortunately the expression with "getExtensionReferenceValue()" doesn't
work; I don't know why.
But this is working:
<resourceRef relation="org:default" type="c:ResourceType">
  <filter>
    <q:inOid>
      <expression>
        <script>
          <code>
            val = basic.getPropertyValue(immediateRole, "extension/resourceRef");
            return val;
          </code>
        </script>
      </expression>
    </q:inOid>
  </filter>
  <resolutionTime>run</resolutionTime>
</resourceRef>
So I'm happy.
This was the biggest obstacle at the moment to finish the most important
resource.
Best regards,
WS
On 28.11.2017 at 13:01, Pavol Mederly wrote:
> Hello Wojciech,
>
> while it is true that query API was changed in 3.4, your code i.e.
>
> <resourceRef type="c:ResourceType">
>   <filter>
>     <q:inOid>
>       <expression>
>         <script>
>           <code>
>             val = basic.getExtensionReferenceValue(immediateRole,
>                 "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
>             return val?.getOid()
>           </code>
>         </script>
>       </expression>
>     </q:inOid>
>   </filter>
>   <resolutionTime>run</resolutionTime>
> </resourceRef>
>
> should not be affected by it. It should work as before.
>
> Maybe you could try to log the value of variable "val" to see if it is
> filled in correctly.
>
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 28.11.2017 11:14, Wojciech Staszewski wrote:
>> I noticed that since v3.4 the query API has changed. Maybe this is
>> the problem, because the example provided by Katka Valalikova was taken
>> from an older version?
>> I assume that "filter:NONE" is the key and I have to construct a
>> correct ObjectFilter in the new manner using QueryBuilder? Am I right?
>>
>> On 27.11.2017 at 19:14, Wojciech Staszewski wrote:
>>> Hello!
>>>
>>> I'm just trying this solution and got some trouble.
>>>
>>> I have created a role, let's call it "Master"; this role has an extension
>>> attribute "resourceRef", and it induces a basic resource account.
>>> The value of this attribute is my resource OID.
>>>
>>> Then I've created a metarole with the provided expression:
>>>
>>> <resourceRef type="c:ResourceType">
>>>   <filter>
>>>     <q:inOid>
>>>       <expression>
>>>         <script>
>>>           <code>
>>>             val = basic.getExtensionReferenceValue(focus,
>>>                 "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
>>>             return val?.getOid()
>>>           </code>
>>>         </script>
>>>       </expression>
>>>     </q:inOid>
>>>   </filter>
>>>   <resolutionTime>run</resolutionTime>
>>> </resourceRef>
>>>
>>> This metarole is assigned to "Master". The Master role creates an account
>>> with the required basic attributes, and the metarole gives the entitlements.
>>> But the metarole resourceRef expression does not resolve the resource
>>> OID from the master role; these errors appear:
>>>
>>> Got no target from repository, filter:NONE, class:class
>>> com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType in
>>> resolving resource.
>>>
>>> I want this single metarole assigned to any of dozens of "master" roles
>>> which assign resource accounts in dozens of identical systems, and it must
>>> give the entitlement with the same icfs:name in each resource (this is
>>> working already).
>>>
>>> Am I missing something? Thanks!
>>> WS
>>>
>>>
>>> On 16.02.2017 at 09:16, Wojciech Staszewski wrote:
>>>> Thank you very much!
>>>> I'll try it. I can't promise that I'll try it today because I have
>>>> to use snapshots due to the translation process.
>>>> And because of that I have some stability issues (stack overflow
>>>> error when applying changes on a user and in reconciliation also),
>>>> but I'll check it as soon as these issues are fixed.
>>>>
>>>> Best regards!
>>>> WS
>>>>
>>>> On 16.02.2017 at 08:53, Katka Valalikova wrote:
>>>>> Hi Wojciech,
>>>>>
>>>>> in one of my environments I have a similar situation (if I
>>>>> understood your problem correctly). I have hundreds of Unix
>>>>> systems where I manage groups, users and their memberships in
>>>>> groups. I use the following configuration.
>>>>>
>>>>> 1. I have midPoint Role A - this role has an assigned metarole M(x)
>>>>> which creates a group (G) on the target linux, and after Role A is
>>>>> assigned to the user, it adds this user as a member of the unix group
>>>>> (G) created by the metarole M(x). In Role A I have an extension
>>>>> attribute which contains a reference to the resource where all of
>>>>> this should happen.
>>>>> 2. The configuration for the "dynamically" resolved resource ref
>>>>> looks like the following:
>>>>>
>>>>>
>>>>> <inducement id="1"> <!-- create a unix group on the target system referenced
>>>>>                          from the val.getOid() with the name from extension/ext:commonName -->
>>>>>   <construction>
>>>>>     <resourceRef type="c:ResourceType">
>>>>>       <filter>
>>>>>         <q:inOid>
>>>>>           <expression>
>>>>>             <script>
>>>>>               <code>
>>>>>                 val = basic.getExtensionReferenceValue(focus,
>>>>>                     "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
>>>>>                 return val?.getOid()
>>>>>               </code>
>>>>>             </script>
>>>>>           </expression>
>>>>>         </q:inOid>
>>>>>       </filter>
>>>>>       <resolutionTime>run</resolutionTime>
>>>>>     </resourceRef>
>>>>>     <kind>entitlement</kind>
>>>>>     <intent>unixGroup</intent>
>>>>>     <attribute>
>>>>>       <c:ref>icfs:name</c:ref>
>>>>>       <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
>>>>>       <outbound>
>>>>>         <source>
>>>>>           <name>commonName</name>
>>>>>           <c:path xmlns:ext="http://midpoint.evolveum.com/xml/ns/custom/roleext">extension/ext:commonName</c:path>
>>>>>         </source>
>>>>>       </outbound>
>>>>>     </attribute>
>>>>>   </construction>
>>>>> </inducement>
>>>>> <inducement id="2"> <!-- assign the user to the group on the target system
>>>>>                          referenced from the val.getOid() -->
>>>>>   <construction>
>>>>>     <resourceRef type="c:ResourceType">
>>>>>       <filter>
>>>>>         <q:inOid>
>>>>>           <expression>
>>>>>             <script>
>>>>>               <code>
>>>>>                 val = basic.getExtensionReferenceValue(immediateRole,
>>>>>                     "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
>>>>>                 return val?.getOid()
>>>>>               </code>
>>>>>             </script>
>>>>>           </expression>
>>>>>         </q:inOid>
>>>>>       </filter>
>>>>>       <resolutionTime>run</resolutionTime>
>>>>>     </resourceRef>
>>>>>     <kind>account</kind>
>>>>>     <intent>default</intent>
>>>>>     <association>
>>>>>       <c:ref>ri:unixGroup</c:ref>
>>>>>       <outbound>
>>>>>         <strength>strong</strength>
>>>>>         <expression>
>>>>>           <associationFromLink>
>>>>>             <projectionDiscriminator>
>>>>>               <kind>entitlement</kind>
>>>>>               <intent>unixGroup</intent>
>>>>>             </projectionDiscriminator>
>>>>>           </associationFromLink>
>>>>>         </expression>
>>>>>       </outbound>
>>>>>     </association>
>>>>>   </construction>
>>>>>   <order>2</order>
>>>>>   <focusType>UserType</focusType>
>>>>> </inducement>
>>>>>
>>>>> You can maybe use something like this. In general, there is
>>>>> support for resolving references to the resource (even roles,
>>>>> services, orgs) dynamically using a filter (and expression) instead
>>>>> of a static reference (resourceRef, ...). Your expression can be
>>>>> modified according to your needs. However, keep in mind that this
>>>>> configuration can be used only if the target systems are the same
>>>>> and have the same schema. In my case, all of the target systems are
>>>>> Linux distributions with the same configuration.
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Katarina Valalikova
>>>>> Java Developer
>>>>> evolveum.com
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Wojciech Staszewski" <wojciech.staszewski at diagnostyka.pl>
>>>>> To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
>>>>> Sent: Tuesday, February 14, 2017 10:26:33 AM
>>>>> Subject: [midPoint] Metarole and resourceRef inheritance
>>>>>
>>>>> Hello all!
>>>>>
>>>>> I have a question, maybe stupid or maybe not:
>>>>>
>>>>> - Why must a metarole have "ResourceRef"? Can't it be inherited from
>>>>> the "master" role?
>>>>> (I know the answer: "metarole is also a normal role..." etc.).
>>>>>
>>>>> This would be useful with a large number of identical systems. I'd
>>>>> like to have 30 metaroles that I could assign to any of 200
>>>>> systems rather than having to maintain 30x200 metaroles.
>>>>> Access rights (roles, groups, privileges, "entitlements" in
>>>>> general) are identical in each system; they are replicated from a
>>>>> central server.
>>>>> Any change would require editing 30x200 roles; it would be a
>>>>> nightmare to maintain.
>>>>>
>>>>> Best regards,
>>>>> Wojciech Staszewski
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>
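As an added example (not code from the thread or from the midPoint project): the resourceRef filter that worked for Wojciech, extended with the logging Pavol suggested and an explicit null return, so that a master role with no "extension/resourceRef" value shows up in the log instead of only as "Got no target from repository". It assumes midPoint's standard script variables "log" and "immediateRole" are available in the expression; the property path is the one from the working configuration.

```xml
<resourceRef relation="org:default" type="c:ResourceType">
  <filter>
    <q:inOid>
      <expression>
        <script>
          <code>
            // Added example: read the resource reference stored in the
            // immediate (master) role's extension, as in the working config.
            def val = basic.getPropertyValue(immediateRole, "extension/resourceRef")
            if (val == null) {
                // Assumption: 'log' is midPoint's standard script logger variable.
                // Without this branch the failure is only visible later as
                // "Got no target from repository, filter:NONE".
                log.warn("Role {} has no extension/resourceRef; metarole construction has no target",
                         immediateRole?.name)
                return null
            }
            log.debug("Resolved resourceRef {} from role {}", val, immediateRole?.name)
            return val
          </code>
        </script>
      </expression>
    </q:inOid>
  </filter>
  <resolutionTime>run</resolutionTime>
</resourceRef>
```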