Role dynamic memberships do not work after importing MasterContent

2020-11-04 Thread tempo
Hi,


I use syncope 2.1.7



I have exported then imported a MasterContent.xml on a new platform.



On this new platform, after deployment, I see that every role has dynamic 
membership set (using GROUP_MEMBERSHIP IN) as expected.



Then I add my users (using the REST API) with the right group memberships as it 
was previously.



Finally I log in with my users just added, but I see that nobody has any role, 
it seems that role dynamic memberships are not taken into account somehow. This 
is checked by viewing "members" for every role. No role has a member.



In order to work around this, it seems necessary to "reload" roles by "edit -> 
finish" on every role. After that, users have their roles as planned.



Hope it helps



Thanks.





Re: How to remove a group from a user using the Java API

2020-11-02 Thread tempo
Any idea ??


Did I do something wrong there ?


From: te...@net-c.com
To: user@syncope.apache.org
Subject: How to remove a group from a user using the Java API
Date: 23/10/2020 11:25:19 Europe/Paris

Hi all,

I try to implement in the user lifecycle a check about its groups between state 
'create' and 'activate'.

In the Flowable process definition, I added a service task implemented as a 
Java Delegate class as follows ("currentProfile" is one of the user groups 
set on creation).

After the execution of this service task, all groups seem to be always 
associated to the user. 



Can you help me ? Am I using a wrong API ?

Thanks for your help !

Christophe



@Component
public class RemoveProfile extends FlowableServiceTask {

    @Autowired
    private UserDataBinder dataBinder;

    @Override
    protected void doExecute(final DelegateExecution execution) {
        MembershipTO currentProfile = execution.getVariable("currentProfile", MembershipTO.class);
        System.out.println("Profile courant à retirer: " + currentProfile);

        User user = execution.getVariable(FlowableRuntimeUtils.USER, User.class);

        UserPatch userPatch = new UserPatch();
        MembershipPatch membershipPatch = new MembershipPatch();
        membershipPatch.setGroup(currentProfile.getGroupName());
        membershipPatch.setOperation(PatchOperation.DELETE);
        userPatch.getMemberships().add(membershipPatch);

        dataBinder.update(user, userPatch);
    }
}





language and label edition regression in 2.1.7 when having "_" ?

2020-10-28 Thread tempo
Hi all,


In 2.1.7, language ids having a "_" in their name (like "fr_CA") make schemas 
not editable and lead to an exception:

In the same way, it is impossible to create a label for these languages.



java.lang.ArrayIndexOutOfBoundsException: 2
    at org.apache.syncope.common.lib.to.SchemaTO.toLocale(SchemaTO.java:63)
    at org.apache.syncope.client.console.panels.SchemaTypeWizardBuilder$Labels.lambda$new$0(SchemaTypeWizardBuilder.java:139)
    at java.util.LinkedHashMap.forEach(LinkedHashMap.java:684)
    at org.apache.syncope.client.console.panels.SchemaTypeWizardBuilder$Labels.<init>(SchemaTypeWizardBuilder.java:138



It works well in 2.1.6.

When trying to add a label for this kind of language the REST payload looks 
weird like:



{"@class":"org.apache.syncope.common.lib.to.PlainSchemaTO","key":"test","anyTypeClass":null,"labels":{"fr;CA;":"test"},"type":"String","mandatoryCondition":"false","multivalue":false,"uniqueConstraint":false,"readonly":false,"conversionPattern":null,"validator":null,"enumerationValues":"","enumerationKeys":"","secretKey":null,"cipherAlgorithm":null,"mimeType":null}
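
An added example, not part of the original message and not Syncope's code: `ArrayIndexOutOfBoundsException: 2` is what reading a third element yields when a key such as `fr_CA` splits into two parts (that the key is split on `_` is an assumption). The hypothetical `LabelLocaleKeys` class below shows that pattern next to a parser that accepts one-, two- and three-part keys and rejects malformed ones such as `fr;CA;`.

```java
import java.util.IllformedLocaleException;
import java.util.Locale;

// Added illustration; class and method names are hypothetical, not Syncope API.
public class LabelLocaleKeys {

    // Fragile pattern: assumes language, country and variant are always present.
    // "fr_CA".split("_") has only two elements, so parts[2] is out of bounds.
    static Locale fragile(final String key) {
        String[] parts = key.split("_");
        return new Locale(parts[0], parts[1], parts[2]);
    }

    // Tolerant parser for "fr", "fr_CA" and "fr_CA_POSIX"-style keys.
    // Locale.Builder validates each part and rejects ill-formed input.
    static Locale parse(final String key) {
        if (key == null || key.isEmpty()) {
            throw new IllegalArgumentException("Empty locale key");
        }
        String[] parts = key.split("_", -1);
        if (parts.length > 3) {
            throw new IllegalArgumentException("Too many parts in locale key: " + key);
        }
        for (String part : parts) {
            if (part.isEmpty()) {
                throw new IllegalArgumentException("Empty part in locale key: " + key);
            }
        }
        try {
            Locale.Builder builder = new Locale.Builder().setLanguage(parts[0]);
            if (parts.length > 1) {
                builder.setRegion(parts[1]);
            }
            if (parts.length > 2) {
                builder.setVariant(parts[2]);
            }
            return builder.build();
        } catch (IllformedLocaleException e) {
            throw new IllegalArgumentException("Malformed locale key: " + key, e);
        }
    }

    public static void main(final String[] args) {
        // Constructed sample keys; "fr;CA;" is the key seen in the REST payload above.
        String[] samples = { "en", "fr_CA", "fr_CA_POSIX", "fr;CA;", "fr__" };
        for (String key : samples) {
            try {
                System.out.println(key + " -> " + parse(key).toLanguageTag());
            } catch (IllegalArgumentException e) {
                System.out.println(key + " -> rejected (" + e.getMessage() + ")");
            }
        }
        try {
            fragile("fr_CA");
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("fragile(\"fr_CA\") -> " + e);
        }
    }
}
```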



How to remove a group from a user using the Java API

2020-10-23 Thread tempo
Hi all,

I try to implement in the user lifecycle a check about its groups between state 
'create' and 'activate'.

In the Flowable process definition, I added a service task implemented as a 
Java Delegate class as follows ("currentProfile" is one of the user groups 
set on creation).

After the execution of this service task, all groups seem to be always 
associated to the user. 



Can you help me ? Am I using a wrong API ?

Thanks for your help !

Christophe



@Component
public class RemoveProfile extends FlowableServiceTask {

    @Autowired
    private UserDataBinder dataBinder;

    @Override
    protected void doExecute(final DelegateExecution execution) {
        MembershipTO currentProfile = execution.getVariable("currentProfile", MembershipTO.class);
        System.out.println("Profile courant à retirer: " + currentProfile);

        User user = execution.getVariable(FlowableRuntimeUtils.USER, User.class);

        UserPatch userPatch = new UserPatch();
        MembershipPatch membershipPatch = new MembershipPatch();
        membershipPatch.setGroup(currentProfile.getGroupName());
        membershipPatch.setOperation(PatchOperation.DELETE);
        userPatch.getMemberships().add(membershipPatch);

        dataBinder.update(user, userPatch);
    }
}




Re: custom reportlet and reportletConf do not appear on console

2020-10-22 Thread tempo
Indeed, surely something is wrong because it fails to get the domainHolder :(


09:31:51.508 ERROR org.apache.syncope.core.provisioning.java.job.report.ReportJob - While executing report bdd0ab2b-411f-4755-90ab-2b411f0755c2
org.quartz.JobExecutionException: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.syncope.core.provisioning.java.job.report.myReportlet': Unsatisfied dependency expressed through field 'domainHolder'; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.apache.syncope.core.persistence.api.DomainHolder' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {@org.springframework.beans.factory.annotation.Autowired(required=true)}
    at org.apache.syncope.core.provisioning.java.job.report.DefaultReportJobDelegate.execute(DefaultReportJobDelegate.java:208) ~[syncope-core-provisioning-java-2.1.7.jar:2.1.7]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_265]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_265]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_265]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_265]
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343) ~[spring-aop-5.1.17.RELEASE.jar:5.1.17.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198) ~[spring-aop-5.1.17.RELEASE.jar:5.1.17.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.1.17.RELEASE.jar:5.1.17.RELEASE]
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:295) ~[spring-tx-5.1.17.RELEASE.jar:5.1.17.RELEASE]
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98) ~[spring-tx-5.1.17.RELEASE.jar:5.1.17.RELEASE]
    at org.apache.syncope.core.persistence.jpa.spring.DomainTransactionInterceptor.invoke(DomainTransactionInterceptor.java:60) ~[syncope-core-persistence-jpa-2.1.7.jar:2.1.7]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.1.17.RELEASE.jar:5.1.17.RELEASE]
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212) ~[spring-aop-5.1.17.RELEASE.jar:5.1.17.RELEASE]
    at com.sun.proxy.$Proxy193.execute(Unknown Source) ~[?:?]
    at org.apache.syncope.core.provisioning.java.job.report.ReportJob.lambda$execute$0(ReportJob.java:67) ~[syncope-core-provisioning-java-2.1.7.jar:2.1.7]
    at org.apache.syncope.core.spring.security.AuthContextUtils.execWithAuthContext(AuthContextUtils.java:117) ~[syncope-core-spring-2.1.7.jar:2.1.7]
    at org.apache.syncope.core.provisioning.java.job.report.ReportJob.execute(ReportJob.java:64) ~[syncope-core-provisioning-java-2.1.7.jar:2.1.7]
    at org.quartz.core.JobRunShell.run(JobRunShell.java:202) ~[quartz-2.3.2.jar:?]
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) ~[quartz-2.3.2.jar:?]
Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.apache.syncope.core.provisioning.java.job.report.myReportlet': Unsatisfied dependency expressed through field 'domainHolder'; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.apache.syncope.core.persistence.api.DomainHolder' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {@org.springframework.beans.factory.annotation.Autowired(required=true)}
    at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:598) ~[spring-beans-5.1.17.RELEASE.jar:5.1.17.RELEASE]
    at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:90) ~[spring-beans-5.1.17.RELEASE.jar:5.1.17.RELEASE]
    at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessProperties(AutowiredAnnotationBeanPostProcessor.java:376) ~[spring-beans-5.1.17.RELEASE.jar:5.1.17.RELEASE]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1402) ~[spring-beans-5.1.17.RELEASE.jar:5.1.17.RELEASE]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:591) ~[spring-beans-5.1.17.RELEASE.jar:5.1.17.RELEASE]
    at

Re: Role layouts does not work when using dynamic membership

2020-10-22 Thread tempo
Thanks Francesco, much appreciated.


From: Francesco Chicchiriccò
To: user@syncope.apache.org
Subject: Re: Role layouts does not work when using dynamic membership
Date: 22/10/2020 09:57:42 Europe/Paris

On 22/10/20 09:30, Francesco Chicchiriccò wrote:

Hi,

layout information is fetched by the Realm page [1] via AnyLayoutUtils#fetch 
[2].



As you can see from [2]:



1. only static Roles (not dynamic Roles) are currently considered

2. the first non-null layout associated to an owned Role is taken



About (1),  I think it would not be difficult to include dynamic Roles as well.

FYI: 
https://github.com/apache/syncope/commit/d146706121e6fb8d05e8fff09b9ef6e676f5e178

About (2), I don't think it's easy to merge different AnyLayout information 
coming from different Roles



Hope this clarifies.
Regards.



[1] 
https://github.com/apache/syncope/blob/syncope-2.1.7/client/console/src/main/java/org/apache/syncope/client/console/panels/Realm.java#L166-L167

[2] 
https://github.com/apache/syncope/blob/syncope-2.1.7/client/console/src/main/java/org/apache/syncope/client/console/layout/AnyLayoutUtils.java#L73-L96



On 20/10/20 15:36, te...@net-c.com wrote:

Another thing which could go in the same topic is when a user belongs to 
multiple roles each having its different layout and domains. 


It seems that only the first role layout (by order in the selection list) is 
applied anyway the domain where the action is done.


From: te...@net-c.com
To: user@syncope.apache.org
Subject: Role layouts does not work when using dynamic membership
Date: 20/10/2020 12:08:12 Europe/Paris

Hi, 


I use syncope 2.1.7



I defined wizard builder layouts for all of my roles.

For each role I use dynamic membership in order to set the role to users member 
of some groups.



I see that when I use dynamic role membership, the builder wizard layouts 
defined for the role are not applied to my users in, but if I set like 
statically the role to my users then the layouts work properly.



Is it a normal behavior ?



Thanks. 

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: custom reportlet and reportletConf do not appear on console

2020-10-22 Thread tempo
Hi,


Finally found how to do it.



For those having same troubles:



You need to place your Conf in:

core/src/main/java/org/apache/syncope/common/lib/report/myReportletConf.java

AND IN

console/src/main/java/org/apache/syncope/common/lib/report/myReportletConf.java



Then your reportlet in

core/src/main/java/org/apache/syncope/core/provisioning/java/job/report/myReportlet.java



Then finally you also need to have (it does not build if it is not here)

core/src/main/java/org/apache/syncope/core/persistence/api/DomainHolder.java

whose content can be taken from GitHub

Enjoy.

From: te...@net-c.com
To: user@syncope.apache.org
Subject: custom reportlet and reportletConf do not appear on console
Date: 21/10/2020 19:37:36 Europe/Paris

Hi,


I developed my own reportlet class and reportletConf that I put in:



core/src/main/java/org/apache/syncope/core/provisioning/java/job/report/myReportlet.java

core/src/main/java/org/apache/syncope/common/lib/report/myReportletConf.java



Maven build runs well and I see my classes like:

./core/target/syncope/WEB-INF/classes/org/apache/syncope/core/provisioning/java/job/report/myReportlet.class

./core/target/syncope/WEB-INF/classes/org/apache/syncope/common/lib/report/myReportletConf.class



However, no way to see them on console when I go to Configuration -> 
implementation -> reportlets -> [add]



Did I miss something ??



Thanks




custom reportlet and reportletConf do not appear on console

2020-10-21 Thread tempo
Hi,


I developed my own reportlet class and reportletConf that I put in:



core/src/main/java/org/apache/syncope/core/provisioning/java/job/report/myReportlet.java

core/src/main/java/org/apache/syncope/common/lib/report/myReportletConf.java



Maven build runs well and I see my classes like:

./core/target/syncope/WEB-INF/classes/org/apache/syncope/core/provisioning/java/job/report/myReportlet.class

./core/target/syncope/WEB-INF/classes/org/apache/syncope/common/lib/report/myReportletConf.class



However, no way to see them on console when I go to Configuration -> 
implementation -> reportlets -> [add]



Did I miss something ??



Thanks



Re: Role layouts does not work when using dynamic membership

2020-10-20 Thread tempo
Another thing which could go in the same topic is when a user belongs to 
multiple roles each having its different layout and domains.


It seems that only the first role layout (by order in the selection list) is 
applied anyway the domain where the action is done.


From: te...@net-c.com
To: user@syncope.apache.org
Subject: Role layouts does not work when using dynamic membership
Date: 20/10/2020 12:08:12 Europe/Paris

Hi,


I use syncope 2.1.7



I defined wizard builder layouts for all of my roles.

For each role I use dynamic membership in order to set the role to users member 
of some groups.



I see that when I use dynamic role membership, the builder wizard layouts 
defined for the role are not applied to my users in, but if I set like 
statically the role to my users then the layouts work properly.



Is it a normal behavior ?



Thanks. 




Role layouts does not work when using dynamic membership

2020-10-20 Thread tempo
Hi,


I use syncope 2.1.7



I defined wizard builder layouts for all of my roles.

For each role I use dynamic membership in order to set the role to users member 
of some groups.



I see that when I use dynamic role membership, the builder wizard layouts 
defined for the role are not applied to my users in, but if I set like 
statically the role to my users then the layouts work properly.



Is it a normal behavior ?



Thanks. 



Re: User group membership in Realm / sub-realm

2020-09-25 Thread tempo
Hi Francesco,


It clarifies what I already read and know, but not really why this way and not 
the opposite (member of parent realm group instead of child realm one, by 
simple curiosity) and not how I could achieve what I try to explain above.



Thanks,



An.


From: Francesco Chicchiriccò
To: user@syncope.apache.org
Subject: Re: User group membership in Realm / sub-realm
Date: 25/09/2020 12:35:56 Europe/Paris

On 25/09/20 11:48, te...@net-c.com wrote:
> Hi all,
>
> I'm actually trying to setup a simple apache syncope environment with 
> hierarchy realms tree.
>
> I use groups in each realm in order to manage roles. Then I would be able, 
> using group membership, to apply the right privileges easily for each realm 
> specifically.
>
> I created a bunch of users in root realm thinking that it would be possible 
> to set them in groups of different sub-realm. But no way to see the realms 
> group when I try give them membership.
>
> For example, I have two branches like : /A/B1 and /A/B2
> For each of these realms, I have a group "Support"
> I would like my user j...@doe.com to be the support guy of both realm (of 
> course applying for those member of the group a bunch of entitlements, roles, 
> etc. for the realm)
> How ? I thought first that to create the user in /A or in / would be 
> enough... but nope, I cannot create membership for sub-realm on user panel.
>
> The question is, is it possible for a User in realm / to be member of groups 
> in /sub-realms ?
>
> Indeed, I see that a user in /A/B/C can be part of any group of parent realms 
> (And this is written this way in the doc). I'm a bit confused, maybe 
> thinking too much in an "ldap" way... but as /A/B belongs to /A which belongs 
> to / I would think the opposite way (A user can belong to any sub-realm 
> group).
>
> Do you have an idea of how I should do this kind of scenario ?
Hi,
you might want to have a look at

http://syncope.apache.org/docs/2.1/reference-guide.html#realms

More specifically:

A User or an Any Object can be members of Groups in the same realm or in one of 
the parent realms.

Hope this clarifies.
Regards.

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
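
The rule quoted from the reference guide, as an added example that is not part of the original messages or of Syncope's code (class and method names are hypothetical). It evaluates memberships on the /A/B1 and /A/B2 tree from the thread, compares whole path segments so that /A/B is not mistaken for a parent of /A/B1, and lists which user placements would allow membership in groups of both sub-realms.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added illustration of the documented realm rule; names are hypothetical, not Syncope API.
public class RealmMembershipRule {

    // "/A/B1/" -> "/A/B1"; the root realm stays "/".
    static String normalize(final String realm) {
        if (realm == null || !realm.startsWith("/")) {
            throw new IllegalArgumentException("Realm path must start with '/': " + realm);
        }
        String path = realm;
        while (path.length() > 1 && path.endsWith("/")) {
            path = path.substring(0, path.length() - 1);
        }
        return path;
    }

    // True when 'candidate' is 'realm' itself or one of its parents.
    // Matching on "candidate + /" compares whole segments, not raw prefixes.
    static boolean isSameOrParent(final String candidate, final String realm) {
        String c = normalize(candidate);
        String r = normalize(realm);
        return c.equals("/") || r.equals(c) || r.startsWith(c + "/");
    }

    // The documented rule: the group's realm is the user's realm or a parent of it.
    static boolean canBeMember(final String userRealm, final String groupRealm) {
        return isSameOrParent(groupRealm, userRealm);
    }

    // User realms from which a group in every one of 'groupRealms' can be joined.
    static List<String> placementsFor(final List<String> userRealms, final List<String> groupRealms) {
        List<String> result = new ArrayList<>();
        for (String userRealm : userRealms) {
            boolean all = true;
            for (String groupRealm : groupRealms) {
                all &= canBeMember(userRealm, groupRealm);
            }
            if (all) {
                result.add(userRealm);
            }
        }
        return result;
    }

    public static void main(final String[] args) {
        // Constructed realm tree based on the thread: /, /A, /A/B1, /A/B2.
        List<String> realms = Arrays.asList("/", "/A", "/A/B1", "/A/B2");
        for (String userRealm : realms) {
            for (String groupRealm : realms) {
                System.out.printf("user in %-6s group in %-6s allowed=%b%n",
                        userRealm, groupRealm, canBeMember(userRealm, groupRealm));
            }
        }
        // Raw prefix test versus segment-aware test for /A/B and /A/B1.
        System.out.println("/A/B1".startsWith("/A/B") + " vs " + isSameOrParent("/A/B", "/A/B1"));
        // Placements that allow joining the "Support" groups of both /A/B1 and /A/B2.
        System.out.println(placementsFor(realms, Arrays.asList("/A/B1", "/A/B2")));
    }
}
```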





User group membership in Realm / sub-realm

2020-09-25 Thread tempo
Hi all,


I'm actually trying to setup a simple apache syncope environment with hierarchy 
realms tree.



I use groups in each realm in order to manage roles. Then I would be able, 
using group membership, to apply the right privileges easily for each realm 
specifically.



I created a bunch of users in root realm thinking that it would be possible to 
set them in groups of different sub-realm. But no way to see the realms group 
when I try give them membership.



For example, I have two branches like : /A/B1 and /A/B2

For each of these realms, I have a group "Support"

I would like my user j...@doe.com to be the support guy of both realm (of 
course applying for those member of the group a bunch of entitlements, roles, 
etc. for the realm)

How ? I thought first that to create the user in /A or in / would be enough... 
but nope, I cannot create membership for sub-realm on user panel.



The question is, is it possible for a User in realm / to be member of groups in 
/sub-realms ?



Indeed, I see that a user in /A/B/C can be part of any group of parent realms 
(And this is written this way in the doc). I'm a bit confused, maybe thinking 
too much in an "ldap" way... but as /A/B belongs to /A which belongs to / I 
would think the opposite way (A user can belong to any sub-realm group).



Do you have an idea of how I should do this kind of scenario ?



Thanks a lot.

An.



Identity management and custom LDAP schema

2020-08-26 Thread tempo
Hi,

I'm actually assessing some open source software being able to manage 
workflows, identities, etc. Syncope looks great and I've started to read the 
documentation to have a better view of features and possibilities.



One question comes to me, if you are able to give me more hints about, I would 
be really thankful.

Managing objects stored in an openLDAP seems to lean on a java connector using 
connId API with attributes and object mapping properties. Correct ?



The connId for LDAP included into bundles and the architecture of Syncope looks 
able to manage identities (user) and groups memberships by default (with some 
other stuff like AnyObject, memberships...).



However, openLDAP gives many more possibilities with its schema by writing 
custom classes, attributes and elaborating complex tree hierarchy where 
relationships can be imagined between users and custom structures 
(organizationalUnit-like) thanks to custom attributes for example.



I just wonder if it is possible to handle such a complex LDAP directory tree 
with Syncope ? Extending the question, is it possible to handle and manage 
through Syncope any kind of ldap schema and directory tree ?



Thanks a lot. And thanks for your work.

Anthony.