[midPoint] Metarole and resourceRef inheritance
Wojciech Staszewski
wojciech.staszewski at diagnostyka.pl
Mon Dec 4 21:12:32 CET 2017
I was happy too soon...
The entitlement assignment from this role works only with intent marked
as "default".
Can I use an expression to calculate the intent?
In the documentation, in every example the intent is declared statically.
I tried to create an intent filter expression but I got errors:
Internal object inconsistence, probably a parser bug: Neither value,
expression nor raw element specified in property value PPV(null)
(inducement/[2]/construction/intent in role: *******)
Regards!
WS
On 02.12.2017 at 18:48, Wojciech Staszewski wrote:
> Unfortunately the expression with "getExtensionReferenceValue()" doesn't
> work; I don't know why.
>
> But this is working:
>
> <resourceRef relation="org:default" type="c:ResourceType">
>   <filter>
>     <q:inOid>
>       <expression>
>         <script>
>           <code>
>             val = basic.getPropertyValue(immediateRole, "extension/resourceRef");
>             return val;
>           </code>
>         </script>
>       </expression>
>     </q:inOid>
>   </filter>
>   <resolutionTime>run</resolutionTime>
> </resourceRef>
>
> So I'm happy.
> This was the biggest obstacle at the moment to finish the most important
> resource.
>
> Best regards,
> WS
>
> On 28.11.2017 at 13:01, Pavol Mederly wrote:
>> Hello Wojciech,
>>
>> while it is true that the query API was changed in 3.4, your code, i.e.
>>
>> <resourceRef type="c:ResourceType">
>>   <filter>
>>     <q:inOid>
>>       <expression>
>>         <script>
>>           <code>
>>             val = basic.getExtensionReferenceValue(immediateRole,
>>                 "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
>>             return val?.getOid()
>>           </code>
>>         </script>
>>       </expression>
>>     </q:inOid>
>>   </filter>
>>   <resolutionTime>run</resolutionTime>
>> </resourceRef>
>>
>> should not be affected by it. It should work as before.
>>
>> Maybe you could try to log the value of the variable "val" to see if it is
>> filled in correctly.
>>
>> Pavol Mederly
>> Software developer
>> evolveum.com
>>
>> On 28.11.2017 11:14, Wojciech Staszewski wrote:
>>> I noticed that since v3.4 the query API has changed. Maybe this is
>>> a problem because the example provided by Katka Valalikova was taken
>>> from an older version?
>>> I assume that "filter:NONE" is the key and I have to construct a
>>> correct ObjectFilter in the new manner using QueryBuilder? Am I right?
>>>
>>> On 27.11.2017 at 19:14, Wojciech Staszewski wrote:
>>>> Hello!
>>>>
>>>> I'm just trying this solution and ran into some trouble.
>>>>
>>>> I have created a role, let's call it "Master"; this role has an extension
>>>> attribute "resourceRef", and it induces a basic resource account.
>>>> The value of this attribute is my resource OID.
>>>>
>>>> Then I've created a metarole with the provided expression:
>>>>
>>>> <resourceRef type="c:ResourceType">
>>>>   <filter>
>>>>     <q:inOid>
>>>>       <expression>
>>>>         <script>
>>>>           <code>
>>>>             val = basic.getExtensionReferenceValue(focus,
>>>>                 "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
>>>>             return val?.getOid()
>>>>           </code>
>>>>         </script>
>>>>       </expression>
>>>>     </q:inOid>
>>>>   </filter>
>>>>   <resolutionTime>run</resolutionTime>
>>>> </resourceRef>
>>>>
>>>> This metarole is assigned to "Master". The Master role creates an account
>>>> with the required basic attributes, and the metarole gives the entitlements.
>>>> But the metarole's resourceRef expression does not resolve the resource
>>>> OID from the master role; these errors appear:
>>>>
>>>> Got no target from repository, filter:NONE, class:class
>>>> com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType in
>>>> resolving resource.
>>>>
>>>> I want this single metarole assigned to any of dozens of "master" roles
>>>> which assign resource accounts in dozens of identical systems, and it must
>>>> give an entitlement with the same icfs:name in each resource (this is
>>>> working already).
>>>>
>>>> Am I missing something? Thanks!
>>>> WS
>>>>
>>>>
>>>> On 16.02.2017 at 09:16, Wojciech Staszewski wrote:
>>>>> Thank you very much!
>>>>> I'll try it. I can't promise that I'll try it today because I have
>>>>> to use snapshots due to the translation process.
>>>>> And because of that I have some stability issues (a stack overflow
>>>>> error when applying changes on a user, and in reconciliation also),
>>>>> but I'll check it as soon as these issues are fixed.
>>>>>
>>>>> Best regards!
>>>>> WS
>>>>>
>>>>> On 16.02.2017 at 08:53, Katka Valalikova wrote:
>>>>>> Hi Wojciech,
>>>>>>
>>>>>> in one of my environments I have a similar situation (if I
>>>>>> understood your problem correctly). I have hundreds of Unix
>>>>>> systems where I manage groups, users and their memberships in
>>>>>> groups. I use the following configuration.
>>>>>>
>>>>>> 1. I have midPoint Role A. This role has assigned metarole M(x),
>>>>>> which creates a group (G) on the target Linux system, and after Role A is
>>>>>> assigned to the user, it adds this user as a member of the Unix group
>>>>>> (G) created by the metarole M(x). In Role A I have an extension
>>>>>> attribute which contains a reference to the resource where all of
>>>>>> this should happen.
>>>>>> 2. The configuration for the "dynamically" resolved resource ref
>>>>>> looks like the following:
>>>>>>
>>>>>>
>>>>>> <inducement id="1">
>>>>>>   <!-- create a unix group on the target system referenced from
>>>>>>        val.getOid(), with the name from extension/ext:commonName -->
>>>>>>   <construction>
>>>>>>     <resourceRef type="c:ResourceType">
>>>>>>       <filter>
>>>>>>         <q:inOid>
>>>>>>           <expression>
>>>>>>             <script>
>>>>>>               <code>
>>>>>>                 val = basic.getExtensionReferenceValue(focus,
>>>>>>                     "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
>>>>>>                 return val?.getOid()
>>>>>>               </code>
>>>>>>             </script>
>>>>>>           </expression>
>>>>>>         </q:inOid>
>>>>>>       </filter>
>>>>>>       <resolutionTime>run</resolutionTime>
>>>>>>     </resourceRef>
>>>>>>     <kind>entitlement</kind>
>>>>>>     <intent>unixGroup</intent>
>>>>>>     <attribute>
>>>>>>       <c:ref>icfs:name</c:ref>
>>>>>>       <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
>>>>>>       <outbound>
>>>>>>         <source>
>>>>>>           <name>commonName</name>
>>>>>>           <c:path xmlns:ext="http://midpoint.evolveum.com/xml/ns/custom/roleext">extension/ext:commonName</c:path>
>>>>>>         </source>
>>>>>>       </outbound>
>>>>>>     </attribute>
>>>>>>   </construction>
>>>>>> </inducement>
>>>>>> <inducement id="2">
>>>>>>   <!-- assign the user to the group on the target system referenced
>>>>>>        from val.getOid() -->
>>>>>>   <construction>
>>>>>>     <resourceRef type="c:ResourceType">
>>>>>>       <filter>
>>>>>>         <q:inOid>
>>>>>>           <expression>
>>>>>>             <script>
>>>>>>               <code>
>>>>>>                 val = basic.getExtensionReferenceValue(immediateRole,
>>>>>>                     "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
>>>>>>                 return val?.getOid()
>>>>>>               </code>
>>>>>>             </script>
>>>>>>           </expression>
>>>>>>         </q:inOid>
>>>>>>       </filter>
>>>>>>       <resolutionTime>run</resolutionTime>
>>>>>>     </resourceRef>
>>>>>>     <kind>account</kind>
>>>>>>     <intent>default</intent>
>>>>>>     <association>
>>>>>>       <c:ref>ri:unixGroup</c:ref>
>>>>>>       <outbound>
>>>>>>         <strength>strong</strength>
>>>>>>         <expression>
>>>>>>           <associationFromLink>
>>>>>>             <projectionDiscriminator>
>>>>>>               <kind>entitlement</kind>
>>>>>>               <intent>unixGroup</intent>
>>>>>>             </projectionDiscriminator>
>>>>>>           </associationFromLink>
>>>>>>         </expression>
>>>>>>       </outbound>
>>>>>>     </association>
>>>>>>   </construction>
>>>>>>   <order>2</order>
>>>>>>   <focusType>UserType</focusType>
>>>>>> </inducement>
>>>>>>
>>>>>> You can maybe use something like this. In general, there is
>>>>>> support for resolving references to the resource (even roles,
>>>>>> services, orgs) dynamically using a filter (and expression) instead
>>>>>> of a static reference (resourceRef, ...). Your expression can be
>>>>>> modified according to your needs. However, keep in mind that this
>>>>>> configuration can be used only if the target systems are the same
>>>>>> and have the same schema. In my case, all of the target systems are
>>>>>> Linux distributions with the same configuration.
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Katarina Valalikova
>>>>>> Java Developer
>>>>>> evolveum.com
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: "Wojciech Staszewski" <wojciech.staszewski at diagnostyka.pl>
>>>>>> To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
>>>>>> Sent: Tuesday, February 14, 2017 10:26:33 AM
>>>>>> Subject: [midPoint] Metarole and resourceRef inheritance
>>>>>>
>>>>>> Hello all!
>>>>>>
>>>>>> I have a question, maybe stupid or maybe not:
>>>>>>
>>>>>> - Why must a metarole have a "ResourceRef"? Can't it be inherited from
>>>>>> the "master" role?
>>>>>> (I know the answer: "a metarole is also a normal role..." etc.)
>>>>>>
>>>>>> This would be useful with a large number of identical systems. I'd
>>>>>> like to have 30 metaroles that I could assign to any of 200
>>>>>> systems rather than having to maintain 30x200 metaroles.
>>>>>> Access rights (roles, groups, privileges, "entitlements" in
>>>>>> general) are identical in each system; they are replicated from a
>>>>>> central server.
>>>>>> Any change would require editing 30x200 roles; it would be a
>>>>>> nightmare to maintain.
>>>>>>
>>>>>> Best regards,
>>>>>> Wojciech Staszewski
>>>>>> _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>
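As an added illustration (not midPoint code and not from anyone in this thread): a small Python model of why the `focus` and `immediateRole` variants of the script quoted above resolve differently. It assumes the simplification that an order-1 inducement is evaluated with the holding role as `focus`, while an order-2 inducement is evaluated with the user as `focus` and the master role as `immediateRole`; the `Focus` class, `resolve_resource`, the sample user and the OID value are constructed for the example.

```python
from dataclasses import dataclass, field

ROLEEXT_NS = "http://midpoint.evolveum.com/xml/ns/custom/roleext"  # custom role extension namespace


@dataclass
class Focus:
    """A user or role in this model; `extension` maps (namespace, name) to a value."""
    name: str
    extension: dict = field(default_factory=dict)


def get_extension_reference_value(obj, ns, name):
    """Model of basic.getExtensionReferenceValue(obj, ns, name)?.getOid(): the OID or None."""
    return None if obj is None else obj.extension.get((ns, name))


def resolve_resource(order, user, master, script):
    """Bind the expression variables for an inducement of `order` and run `script`.
    order 1: the construction applies to the role holding the metarole, so `focus` is that role.
    order 2: the construction applies to the user, so `focus` is the user and `immediateRole` the master.
    None is this model's equivalent of midPoint's "filter:NONE" (no target resolved).
    """
    if order == 1:
        variables = {"focus": master, "immediateRole": None}
    elif order == 2:
        variables = {"focus": user, "immediateRole": master}
    else:
        raise ValueError("only inducement orders 1 and 2 are modelled")
    return script(variables)


def script_focus(v):
    """First attempt in the thread: read the reference from `focus`."""
    return get_extension_reference_value(v["focus"], ROLEEXT_NS, "resourceRef")


def script_immediate_role(v):
    """Variant Pavol pointed to: read the reference from `immediateRole`."""
    return get_extension_reference_value(v["immediateRole"], ROLEEXT_NS, "resourceRef")


# Constructed sample data; the OID is a placeholder, not a real resource OID.
MASTER = Focus("Master", extension={(ROLEEXT_NS, "resourceRef"): "PLACEHOLDER-RESOURCE-OID"})
USER = Focus("alice")


def demo():
    """Run both scripts at both orders; None means the resource could not be resolved."""
    return {
        "order1_focus": resolve_resource(1, USER, MASTER, script_focus),
        "order2_focus": resolve_resource(2, USER, MASTER, script_focus),
        "order2_immediateRole": resolve_resource(2, USER, MASTER, script_immediate_role),
    }
```

The `order2_focus` entry comes back as None, which is the situation behind the "Got no target from repository, filter:NONE" error in the thread: the user has no roleext resourceRef, so only the `immediateRole` variant finds the master role's resource.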